[keycloak-user] Require admins to specific email addresses for new users

Ian Duffy ian at ianduffy.ie
Fri Feb 8 03:45:47 EST 2019

Hi All,

I'm wanting to use keycloak in a multi-tenant environment where each tenant
is a new realm. The tenant administrators should have access to manage the
realm in order to add users, groups, configure identity providers and so on.

For my multi-tenant setup, I'm copying something similar to slack.com and
their multiple workspaces.

 - There should be a tenant onboarding system that will allow users to sign
up to the system. Before creating a new tenant they must be authenticated
against a client-id for the tenant manager. This authentication is just
email verification using the magic link extension
https://github.com/stianst/keycloak-experimental . Tenant creation is done
by using the credentials of the master realm, the tenant manager will take
in a tenant name and password, it will then go off and create a realm
matching this name, a new user in that realm matching the verified email
address used to create the realm and the supplied password, and a client
for the tenanted application which will be served via a vanity URL e.g.

 - Allow discovery of which tenants my email address exists within. I've
configured keycloak using
to emit events to JMS. My tenant manager picks up these events and
maintains a database of realm/tenant <-> email mappings. As such, the
tenant manager is able to provide a verified email address with a list of
tenants it's associated.

 - Allow passwordless login to an associated tenant or a created tenant.
Before a user can create a tenant or list a tenant they are associated with
they must verify their email address. As the user is verified, it makes
little sense to have them login to newly created tenants or to associated
tenants discovered via the tenant manager. The tenant manager uses
impersonation to generate a cookie and places it into the user's browser to
allow for a seamless transition from tenant manager to the tenant. Users
accessing the tenant directly via the vanity URL will always be prompted
for their tenant-specific username/password.

The system I've described above assumes that each user uses their email
address as their username or that they have a valid email address
configured for their account. As mentioned above, I would like to hand off
user creation to the tenant administrators. Is there any way to enforce
that users created by the tenant administrators in the keycloak console
must have email addresses and the email addresses must be verified on first

My only thoughts for achieving this so far is to listen to user created
events and for each one, always turn on "Update profile" and "Verify email"
as this will force the user to do those things on first login. However, it
would be neat to be able to modify keycloak to have these as defaults for
every user created within the realm.


More information about the keycloak-user mailing list