[keycloak-user] SaaS multi-tenant architecture with multi-step authentication process
Olivier Rivat
orivat at janua.fr
Tue Jul 24 12:46:39 EDT 2018
Hi,
*1) introduction*
I have a multi-tenant architecture deployed with keycloak.
At first, to investigate multi-tenant architecture, I have followed what
is available within keycloak:
documentation:
* https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
examples:
* https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
The same application is deployed in both tenants with
* http://localhost:8080/multitenant/tenant1 and login as
user-tenant1, password user-tenant1
* http://localhost:8080/multitenant/tenant2 and login as user-tenant2,
password user-tenant2
When you specify http://localhost:8080/multitenant/tenant1, you are
redirected to tenant1, and you need to authenticate.
*2) description of the problem*
The issue I am facing is that I have a customer client application
which can be redirected to several different realms.
The realm selection is based on the email address.
* user1 at foo.com ---> should redirect to realm foo
* user2 at bar.com ---> should redirect to realm bar
In fact, the email analysis should redirect to the correct realm (foo or
bar, or more).
Once I have the login screen of the corresponding realm1, it is the same as
in /introduction/, where the user authenticates normally in his specific
tenant.
*3) Authentication workflow requirement*
In fact the authentication workflow process should be as follows:
*step1*
* General welcome panel
* the user enters his email address
* based on the analysis of his email address, the user is
redirected to a specific authentication realm (foo or bar or more)
*step 2*
* The user enters his login/password in the realm login authentication screen
After analysis, it sounds like the keycloak authentication process
needs to be updated/modified with
1. adding an extra additional step (which is a general form asking
for email)
2. based on the email analysis, the corresponding tenant login
screen is presented to the tenant
3. the user authenticates to the tenant with his login/password.
*4) How to move forward*
For information, Azure and Atlassian already implement such a
redirection mechanism in SaaS multi-tenant architecture.
Keycloak documentation does not seem to mention such a possibility
to tailor "out of the box" the authentication workflow to our needs.
Could the mechanism described above be achieved by customizing the
authentication workflow by developing a specific authentication SPI
plugin which could handle both steps mentioned above?
Does this approach sound correct to you, or is it something to rule out?
Or would you advise another approach?
Tkx for your help.
Regards,
Olivier
--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
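The two-step flow asked about above (an email-only welcome form, then a hand-over to the tenant realm chosen from the address's domain) can be expressed as a single Keycloak `Authenticator` placed first in a custom browser flow of a "welcome" realm. The class below is an added example written for this page; it is neither Olivier's code nor part of the Keycloak project. The package name, the template file `select-realm.ftl`, the form field `email`, the message key `unknownEmailDomain` and the config key `domain.realm.map` are assumptions; the `AuthenticatorFactory` and the `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` registration that Keycloak needs to load it are standard SPI boilerplate and are not shown. The defensive point it demonstrates is that the redirect target is taken only from a server-side allowlist of realm names, never from the submitted string, so the email is a routing hint and nothing more; credentials are still verified by the tenant realm itself.

```java
package fr.janua.example.auth;   // hypothetical package name

import java.net.URI;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Step 1: show a welcome page that asks only for an e-mail address, map the
 * address's domain to a tenant realm through an allowlist kept in the
 * authenticator config, then (step 2) send the browser to that realm's own
 * login screen. The e-mail is never trusted for anything but routing.
 */
public class EmailDomainRealmSelector implements Authenticator {

    static final String FORM = "select-realm.ftl";        // hypothetical theme template
    static final String CONFIG_KEY = "domain.realm.map";  // hypothetical config key, "foo.com=foo,bar.com=bar"

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // First visit of the flow: render the welcome form and wait for the POST.
        context.challenge(context.form().createForm(FORM));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String email = form.getFirst("email");
        String domain = domainOf(email);
        String realmName = domain == null ? null : mapping(context).get(domain);

        // Only a realm that is both allowlisted and actually present is a valid target,
        // so the submitted string can never steer the redirect anywhere else.
        RealmModel target = realmName == null ? null
                : context.getSession().realms().getRealmByName(realmName);
        if (target == null) {
            Response retry = context.form().setError("unknownEmailDomain").createForm(FORM);
            context.failureChallenge(AuthenticationFlowError.INVALID_USER, retry);
            return;
        }

        // Step 2: hand over to the tenant realm's OIDC authorization endpoint. The client
        // must be registered under the same client_id (and redirect URI) in that realm.
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        URI login = UriBuilder.fromUri(context.getUriInfo().getBaseUri())
                .path("realms/{realm}/protocol/openid-connect/auth")
                .queryParam("client_id", authSession.getClient().getClientId())
                .queryParam("redirect_uri", authSession.getRedirectUri())
                .queryParam("response_type", "code")
                .queryParam("scope", "openid")
                .queryParam("login_hint", email)   // lets the tenant realm pre-fill the username
                .build(target.getName());
        context.challenge(Response.seeOther(login).build());
    }

    /** Lower-cased domain part of a syntactically plausible address, or null if unusable. */
    static String domainOf(String email) {
        if (email == null) return null;
        String trimmed = email.trim();
        int at = trimmed.lastIndexOf('@');
        if (at <= 0 || at == trimmed.length() - 1 || trimmed.indexOf('@') != at) return null;
        return trimmed.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    /** Parses "domain=realm,domain=realm" from the authenticator config; empty if unconfigured. */
    static Map<String, String> mapping(AuthenticationFlowContext context) {
        Map<String, String> out = new HashMap<>();
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        if (cfg == null || cfg.getConfig() == null) return out;
        String raw = cfg.getConfig().getOrDefault(CONFIG_KEY, "");
        for (String pair : raw.split(",")) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length == 2 && !kv[0].isEmpty() && !kv[1].isEmpty()) {
                out.put(kv[0].toLowerCase(Locale.ROOT), kv[1]);
            }
        }
        return out;
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Two caveats a reviewer would raise on this design: the original client's `state`, `nonce` and PKCE values belong to the authorization request made to the welcome realm and are not carried across, so the tenant realm answers a fresh authorization request and the client must treat it as such; and because the browser is sent to a different realm, the tenant realm must know the client (same `client_id`, same registered redirect URI) or it will reject the request.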