Large scale multi-tenanting scenarios with Keycloak

I'm trying to understand how Keycloak can be used in a large scale multi-tenanted scenario.

The standard approach seems to be to use a realm for each tenant. This isolates each tenant's users and settings and makes a lot of sense.

In the Keycloak example for multi-tenanting it says it "demonstrates the simplest possible scenario for Keycloak Multi Tenancy support" (emphasis mine). I might be reading too much into this, but to me that implies there are other standard approaches. I haven't been able to find much discussion about these options though.

I've also read that there are potentially performance issues with more than 100 realms. It might be that these performance issues have been fixed, but this also suggests to me that Keycloak wouldn't handle a large scale multi-tenanting scenario with 1,000+ tenants.

So my questions are:

  • Are there any other recommended approaches for multi-tenanting, other than "one realm per tenant"?
  • Are there any large scale multi-tenanting deployments of Keycloak in the wild that demonstrate its ability to cope with lots of realms?
  • Are there any recommendations for sources of information that I should be looking at?
Isiahisiahi answered 21/3, 2020 at 16:31 Comment(4)
Have you managed to get a reply on this? Have you made any progress? - Proponent
@GeorgeNikolaides Hi there, have you checked this one -> #56684668? I have not tried it. I don't think there is a solution yet, but it gives something to carry on further research. - Voluptuary
Hello @Peter, actually we saw that post but it does not seem to be the right way. In any case we also decided to go with creating one realm for each tenant, mainly because this is how Keycloak was designed :) - Proponent
@GeorgeNikolaides Hi, this is off topic, since we have been talking about multitenancy with Keycloak. I went through this link -> keycloak.org/docs/latest/securing_apps/… and noticed one has to create an implementation of org.keycloak.adapters.KeycloakConfigResolver. I didn't actually get the hang of it completely. Please let me know if you have any proper docs to explain a little more about the workflow. - Voluptuary
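
Added example, not part of the original thread and not Keycloak's own code: with one realm per tenant, every tenant has its own issuer and signing keys, so a service shared by several tenants has to choose the realm from something it trusts (here the request host, checked against an allowlist) and reject tokens issued by any other realm before it fetches keys. The base URL, host names and realm names are constructed; verifying the signature against the returned JWKS URL is left to a JWT library.

```python
import base64
import json

# Assumptions for illustration: base URL, tenant hosts and realm names are constructed.
KEYCLOAK_BASE = "https://sso.example.test"
TENANT_REALMS = {
    "acme.app.example.test": "acme",
    "globex.app.example.test": "globex",
}


class TenantError(Exception):
    """Raised when a request cannot be tied to exactly one known realm."""


def expected_issuer(host: str) -> str:
    """Map the request host to its realm issuer using a fixed allowlist."""
    realm = TENANT_REALMS.get(host.split(":")[0].lower())
    if realm is None:
        raise TenantError("unknown tenant host")
    return f"{KEYCLOAK_BASE}/realms/{realm}"


def unverified_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT trusting it; used only to read 'iss'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TenantError("not a compact JWT")
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:
        raise TenantError("unreadable payload") from exc
    if not isinstance(claims, dict):
        raise TenantError("payload is not a JSON object")
    return claims


def jwks_url_for_request(host: str, token: str) -> str:
    """Return the realm's JWKS URL, or raise if the token is from another realm."""
    issuer = expected_issuer(host)  # derived from the allowlist, never from the token
    if unverified_claims(token).get("iss") != issuer:
        raise TenantError("token was issued by a different realm")
    return f"{issuer}/protocol/openid-connect/certs"


def sample_token(iss: str) -> str:
    """Constructed, unsigned JWT-shaped string for demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc({'iss': iss, 'sub': 'u1'})}.sig"
```

The issuer comparison is an exact string match, so a token from the `acme` realm presented on the `globex` host is refused even though both realms live on the same Keycloak server.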

To date (Keycloak 18 being released) the performance issues with 100+ realms still exist. But in the real world this is not an issue at all.

Just split your tenants across multiple Keycloak clusters. In case you need to integrate your realms, this can be done independently of the specific cluster/instance through federation across the clusters, so there's no need to run everything on a single cluster.

From an operations point of view, having such a large number of tenants/realms on a single cluster would also be suboptimal, as you'd have a hard time organizing maintenance and downtime. So splitting things up a bit is not the worst thing to consider.

Montez answered 9/7, 2022 at 19:36 Comment(2)
Do you happen to have any pointers to a more detailed description of how to achieve this? So far my search engine kung-fu doesn't seem to be good enough to find articles / documentation on how to do this. Thank you! - Horrocks
There's not really any official documentation I could forward. Maybe you need some professional support - feel free to get in contact here or through bare.id/#kontakt - Montez

Keycloak 25 (released in 2024.06) introduces Organizations, which can be used to handle common multi-tenancy cases.

By leveraging the existing capabilities available from a realm, the first release of this feature provides the very core capabilities to allow a realm to integrate with business partners and customers:

  • Manage Organizations
  • Manage Organization Members
  • Onboard members using different strategies such as invitation links and brokering
  • Decorate tokens with additional metadata about the organization that the subject belongs to

See: Support for Customer Identity and Access Management (CIAM) and Multi-tenancy

Summit answered 21/7, 2024 at 14:23 Comment(0)
