Hi,
I have a KeyCloak deployment where KeyCloak Realms are used as a way to
differentiate users among different tenants. The components that currently
interact with KeyCloak does so through intermediate router that selects the
IdP configuration based on a request path segment (request credentials from
the realm using a pre-decided segment in the received path as the realm
name). This story works fine with OIDC clients created in each Realm.
There is a 3rd party service access that needs to be done through KeyCloak
as well. However this 3rd party service doesn't support any kind of realm
discovery method (path, header etc). It only works with a single IdP
configuration at a time. This doesn't match with the per-realm client
configuration model that is there at the moment, because multiple client
configurations cannot be dynamically mapped to different host names or path
segments.
As a workaround, I'm in the process of trying the following approach.
I've created a "federator" realm that has the clients in other realms as
Identity Providers. The client in the federator realm will act as an
identity broker on behalf of the other realms. However, the approach shows
all the organizations available at the login screen. This is something
sub-optimal for my use case since the list of organizations is made public
to any user redirected to the login page. At the moment I'm looking into
the customization of the login page, however that also would make upgrades
harder.
Is there a way to workaround this limitation that the 3rd party service
has? Are there any known patterns that you may have employed in similar
situations? (The other mail threads that I could find deal in situations
where the client code is also changeable, like the use of the
KeyCloakConfigResolver extension point [1]. This is not usable in my case,
as the 3rd party code is out of my control)
Furthermore, is there a way to authenticate users across Realms using only
one client configuration? Appreciate your help in this.
[1] -
https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
Thanks!
Regards,
Chamila
Blog:
medium.com/@chamilad