[keycloak-user] Keycloak Multi-Tenancy question
Dmitry Telegin
carretti.pro at gmail.com
Thu Oct 10 07:16:13 EDT 2019
Hello Litom, sorry for the late response, hope it's still relevant.
As an alternative, you could try what is sometimes called "soft-tenancy", which is basically a single-realm based solution with a number of tricks to emulate multi-tenancy.
Here are the key points:
- use a single realm for all tenants;
- model your tenants as groups, and use group membership to assign users to tenants. This has an advantage over the multi-realm approach since it allows a many-to-many user-tenant relationship (the same for client-tenant, BTW);
- establish client-tenant relationship using client attributes, or group attributes, or naming convention;
- use custom authenticator to enforce tenant-client restrictions;
- if you need to "scope" your session to a particular tenant, e.g. for login screen branding, use a custom OpenID scope parameter like this: "scope=openid email profile tenant:XXX";
- use custom authenticator to parse tenant ID and attach it to user session;
- if needed, use custom protocol mapper to put tenant ID back into tokens;
- if needed, use custom login forms provider + custom theme to brand login screen, see [1] (the same for account and email themes).
Don't hesitate to ask any further questions.
[1] https://github.com/dteleguin/keycloak-dynamic-branding
Good luck,
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro
On Mon, 2019-09-23 at 10:14 +0300, Litom Segal wrote:
> We are considering using Keycloak in a multi-tenant fashion.
> Each of our customers' accounts has its own users and applications
> installed, and we also provide service APIs consumed by various clients.
> We will have a large number of tenants.
> I found an open issue from 2017 that mentions that Keycloak may have some
> scalability issues with a large number of realms.
> https://issues.jboss.org/browse/KEYCLOAK-4593
>
> And also this thread from 2016,
> https://lists.jboss.org/pipermail/keycloak-user/2016-October/008033.html,
> that states that "Keycloak was not designed to support multi-tenancy
> directly."..."In that regards we have never tested with high amounts of
> realms as we expect there to be few realms (up to 10 most likely)."
>
> I was wondering if there was any progress on the multi-tenancy use case, and
> whether there are any best practices on how to set up Keycloak to support it.
>
> On the other hand, is there any other approach to handle our use-case?
> Thanks,
> Litom
>
> --
>
> Litom Segal
> Software Engineer
> T: +972-74-700-4097
> <https://www.linkedin.com/company/164748> <https://twitter.com/liveperson>
> <https://www.facebook.com/liveperson/?ref=bookmarks>
> Our mission is to make life easier by transforming how people communicate
> with brands. <https://liveperson.docsend.com/view/drieh2u>
>
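The "soft-tenancy" checks Dmitry describes (parse the tenant:XXX scope, verify the client is registered for that tenant via a client attribute, verify the user belongs to the tenant group, then carry the tenant into a session note and a token claim), modelled as plain Python so the decision logic can be exercised offline. This is an added example, not code from the thread or from Keycloak; the group naming convention `tenant-<id>`, the `tenants` client attribute and the `tenant_id` claim name are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed convention: exactly one "tenant:<id>" entry in the OIDC scope parameter.
TENANT_SCOPE = re.compile(r"^tenant:([A-Za-z0-9_-]+)$")

@dataclass
class User:
    username: str
    groups: set          # assumed convention: tenant groups are named "tenant-<id>"

@dataclass
class Client:
    client_id: str
    attributes: dict     # assumed attribute "tenants": comma-separated allowed tenant IDs

def parse_tenant(scope_param):
    """Return the tenant ID from a space-separated scope string, or None if absent.
    More than one tenant scope is ambiguous and rejected rather than guessed."""
    tenants = [m.group(1) for s in scope_param.split() if (m := TENANT_SCOPE.match(s))]
    if len(tenants) > 1:
        raise ValueError("ambiguous request: multiple tenant scopes")
    return tenants[0] if tenants else None

def client_allowed_for_tenant(client, tenant):
    """Client-tenant relationship via client attribute (one of the options in the thread)."""
    allowed = {t.strip() for t in client.attributes.get("tenants", "").split(",") if t.strip()}
    return tenant in allowed

def user_in_tenant(user, tenant):
    """User-tenant relationship via group membership (many-to-many)."""
    return f"tenant-{tenant}" in user.groups

def authenticate(user, client, scope_param):
    """Model of the custom authenticator step. Returns the session note to attach,
    or raises PermissionError with the reason the login must be refused."""
    tenant = parse_tenant(scope_param)
    if tenant is None:
        raise PermissionError("no tenant requested in scope")
    if not client_allowed_for_tenant(client, tenant):
        raise PermissionError(f"client {client.client_id} is not registered for tenant {tenant}")
    if not user_in_tenant(user, tenant):
        raise PermissionError(f"user {user.username} is not a member of tenant {tenant}")
    return {"tenant": tenant}

def map_claims(session_notes):
    """Model of the custom protocol mapper: copy the session note into a token claim."""
    return {"tenant_id": session_notes["tenant"]}
```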