Can multi-tenancy in Keycloak be done within a single realm?
First, I'm well aware of the multi-realm approach to multi-tenancy in Keycloak. I've taken over a legacy project where nobody thought of multi-tenancy. Now, two years later, suddenly, the customer needs this feature. Actually, the microservices are prepared for this scenario out-of-the-box.

The customer develops a mobile app that authenticates users via API on our keycloak instance with an account number (as username) and a password. Now, he'd like to add a tenant id to the login information.

The customer wants to avoid using several endpoints as a multi-realm solution would demand.

One first idea was to just concatenate tenant-id and account-id on registration. But that's a smelly approach.

So, my thought was that there may be a way to configure Keycloak in a way that I add a custom tenantid field together with username that acts just like a composite primary key in the database world.

Is such a configuration possible? Is there another way to achieve multi-tenancy behaviour using a single realm?

Shriner answered 20/6, 2019 at 10:36 Comment(3)
Each one implemented multi-tenancy with keycloak differently depending on their use case, some use roles, some use groups (#55642167). You can also use user attributes to store the tenant id. [Mulcahy]
If the usernames are not unique across all tenants, you will somehow need to specify the tenant id during login. How do you want to provide it? Do you use the authentication flow of Keycloak, or do you really use a custom-built API? If so, what's the result of the API call? Just a yes (username/password are correct) or no (username/password are incorrect)? [Liturgist]
"The customer wants to avoid using several endpoints as a multi-realm solution would demand." You just need multiple realms, the URL only differs in one point (NAME of the realm). Should be no problem to make the keycloak requests that flexible. [Zielsdorf]

I can't say for sure, but after some research, I found this:

Data Organization

This website lists all of this together with more information:

https://lists.jboss.org/pipermail/keycloak-user/2017-June/010854.html

Check it out, it may help with your data organization in Keycloak.

Circumvallate answered 2/7, 2019 at 8:19 Comment(5)
This setup is mainly relevant for delegated administration, i.e. there are several groups of users and each group can have its own administrator. It's not really working yet: the preview feature Fine grain admin permission is a big step forward but it's not yet possible to have a local administrator create a new user because it's not possible to enforce that the new user belongs to the local group. [Liturgist]
Yeah, right. Should have put that in the answer. Welp, the link is there. It may just help @Shriner learn something and solve this problem. Ain't sure though. [Circumvallate]
It might still be an interesting approach. But it requires usernames that are unique among all tenants. So that part of the problem is not solved. [Liturgist]
Agreed. Need more research to solve the other part of the problem. [Circumvallate]
Any solution to this problem? I am facing a similar issue. [Giroux]

Late to the party. But maybe for others who are interested. You could try the keycloak extension keycloak-orgs. I am currently building a test stack with it and I am pleased.

A tenant in keycloak-orgs is an organization. You can map organizations and their roles to token claims with a built-in mapper.

  "organizations": {
    "5aeb9aeb-97a3-4deb-af9f-516615b59a2d" : {
      "name": "foo",
      "roles": [ "admin", "viewer" ]
    }
  }

The extension comes w/ an admin interface. From there you can create organizations and assign users to them. There is also a well-documented REST API on the Phase Two homepage (the company that open-sourced the project).

The maintainers provide a keycloak docker image that has the relevant keycloak extensions installed.

Spouse answered 14/12, 2022 at 15:41 Comment(4)
Yup, that keycloak extension looks promising for multi-tenancy support, haven't tested it yet myself but will probably be doing so soon enough. For reference, here's the extension author's announcement about it, which gives some more info: keycloak.discourse.group/t/… [Randolphrandom]
@tom, how are you mapping these roles to keycloak policies? [Protecting]
@MbuotidemIsaac, unfortunately I don't know how to map it. The devs are very responsive and helpful. [Spouse]
This extension also requires unique usernames across all tenants, as far as I know. [Cacia]

If you want a single realm and single client that serves many tenants, you can just use a custom user attribute and e.g. add key(s) "tenant=MyTenant" and then add a client scope and a mapper to include user attributes that have key=tenant.

Then the token will carry the user's tenant(s) and you can use that to filter data, add to newly created data etc.

It's only like 4 steps in Keycloak:

  1. Add User attributes using a key-convention.
  2. Add a Client scope that will represent tenants.
  3. Add a mapper to extract the User attributes.
  4. Add Client scope to the Client in use.

Wrote about it here: https://danielwertheim.se/keycloak-and-multi-tenancy-using-single-realm/

Recuperative answered 20/2, 2023 at 21:26 Comment(1)
Then what about a user who signs up for 2 different tenants' applications and wants to set up a different password for each app? [Marla]
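Both the keycloak-orgs answer (the nested "organizations" claim) and the user-attribute answer above (a flat "tenant" claim carried by a client-scope mapper) end at the same place: the token names the tenant(s), and the resource server has to enforce that every request stays inside one of them. The following Python is an added example, not code from either answer, from keycloak-orgs or from Keycloak itself. It assumes the JWT signature and expiry have already been verified by whatever OIDC library the service uses, that the flat claim is named "tenant" (a string when the mapper is single-valued, a list when it is marked multivalued), and that the keycloak-orgs claim has the shape shown in the answer above. The sample claim sets are constructed for the example.

```python
"""Tenant-scoped authorization on a resource server, driven by Keycloak token claims.

Two claim shapes are handled:
  * the flat "tenant" claim produced by a user-attribute protocol mapper
    (string when single-valued, list when the mapper is marked multivalued);
  * the nested "organizations" claim produced by the keycloak-orgs mapper
    (organization id -> {"name": ..., "roles": [...]}).

Assumptions for this example: the claim names above, and that signature and
expiry checks on the token have already been done by the caller.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class TenantGrant:
    tenant: str
    roles: frozenset = field(default_factory=frozenset)


def tenant_grants(claims: dict) -> Dict[str, TenantGrant]:
    """Return {tenant_name: TenantGrant} for every tenant the token grants access to."""
    grants: Dict[str, TenantGrant] = {}
    # Flat claim from a user-attribute mapper: "tenant": "acme" or ["acme", "globex"].
    raw = claims.get("tenant")
    if isinstance(raw, str):
        raw = [raw]
    for name in raw or []:
        if isinstance(name, str) and name:
            grants[name] = TenantGrant(name, frozenset())
    # keycloak-orgs claim: the organization name is the tenant, roles are per-org.
    orgs = claims.get("organizations")
    if isinstance(orgs, dict):
        for org in orgs.values():
            if not isinstance(org, dict) or not isinstance(org.get("name"), str):
                continue  # malformed entry: ignore rather than grant anything
            name = org["name"]
            roles = frozenset(r for r in org.get("roles", []) if isinstance(r, str))
            existing = grants.get(name)
            merged = roles | (existing.roles if existing else frozenset())
            grants[name] = TenantGrant(name, merged)
    return grants


def authorize(claims: dict, requested_tenant: str, required_role: Optional[str] = None) -> bool:
    """Deny unless the token explicitly grants the requested tenant (and role, if given).

    The set of permitted tenants comes from the token, never from a client-supplied
    header alone: a tenant header or path segment only selects which of the token's
    tenants the request targets, so a user cannot reach another tenant's data by
    editing it.
    """
    grant = tenant_grants(claims).get(requested_tenant)
    if grant is None:
        return False
    if required_role is not None and required_role not in grant.roles:
        return False
    return True


def scoped_query(claims: dict, requested_tenant: str) -> Optional[dict]:
    """Build the tenant filter every data query must carry; None means respond 403."""
    if not authorize(claims, requested_tenant):
        return None
    return {"tenant": requested_tenant}


# Constructed sample payloads (already-verified JWT claim sets), not real tokens.
FLAT_CLAIMS = {"sub": "u1", "preferred_username": "100234", "tenant": ["acme", "globex"]}
ORG_CLAIMS = {
    "sub": "u2",
    "organizations": {
        "5aeb9aeb-97a3-4deb-af9f-516615b59a2d": {"name": "foo", "roles": ["admin", "viewer"]},
        "0f1c2d3e-0000-0000-0000-000000000000": {"name": "bar", "roles": ["viewer"]},
    },
}

if __name__ == "__main__":
    print(authorize(FLAT_CLAIMS, "acme"))         # True
    print(authorize(FLAT_CLAIMS, "initech"))      # False: tenant not in token
    print(authorize(ORG_CLAIMS, "foo", "admin"))  # True
    print(authorize(ORG_CLAIMS, "bar", "admin"))  # False: only "viewer" in bar
    print(scoped_query(FLAT_CLAIMS, "globex"))    # {'tenant': 'globex'}
```

The flat mapper gives tenant membership but no per-tenant roles, so `required_role` can only be satisfied from the keycloak-orgs shape; with the flat shape, roles would have to come from realm or client roles, which are not tenant-scoped. That difference is the practical reason to prefer the organizations claim when each tenant needs its own administrators.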
