25

First, I'm well aware of the multi-realm approach to multi-tenancy in Keycloak. I've taken over a legacy project where nobody thought of multi-tenancy. Now, two years later, suddenly, the customer needs this feature. Actually, the microservices are prepared for this scenario out-of-the-box.

The customer develops a mobile app that authenticates users via API on our keycloak instance with an account number (as username) and a password. Now, he'd like to add a tenant id to the login information.

The customer wants to avoid using several endpoints as a multi-realm solution would demand.

One first idea was to just concatenate tenant-id and account-id on registration. But that's a smelly approach.

So, my thought was that there may be a way to configure Keycloak in a way that I add a custom tenantid field together with username that acts just like a composite primary key in the database world.

Is such a configuration possible? Is there another way to achieve multi-tenancy behaviour using a single realm?

git-flo
  • 1,044
  • 13
  • 23
dajood
  • 3,758
  • 9
  • 46
  • 68
  • 2
    Each one implemented multi-tenancy with keycloak differently depending on their use case, some use roles, some use groups https://stackoverflow.com/questions/55641667/emulating-tenants-using-roles. You can also use user attributes to store tenantid – ravthiru Jun 28 '19 at 07:26
  • 1
    If the usernames are not unique across all tenants, you will somehow need to specify the tenant id during login. How do you want to provide it? Do you use the authentication flow of Keycloak, or do you really use a custom built API? If so, what's the result of the API call? Just a *yes* (username/password are correct) or *no* (username/password are incorrect)? – Codo Jul 02 '19 at 08:51
  • 1
    "The customer wants to avoid using several endpoints as a multi-realm solution would demand." You just need multi realms, the URL only differs in one point (NAME of the realm). Should be no problem to make the keycloak requests that flexible. – Julian Egner Dec 19 '19 at 12:57

3 Answers

4

I can't say for sure, but after some research, I found this:

Data Organization

This website lists all of this together with more information:

https://lists.jboss.org/pipermail/keycloak-user/2017-June/010854.html

Check it out, it may help with your data organization in Keycloak.

Gaurav Mall
  • 2,372
  • 1
  • 17
  • 33
  • 4
    This setup is mainly relevant for delegated administration, i.e. there are several groups of users and each group can have its own administrator. It's not really working yet: the preview feature [Fine grain admin permission](https://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_permissions) is a big step forward but it's not yet possible to have a local administrator create a new user because it's not possible to enforce that the new user belongs to the local group. – Codo Jul 02 '19 at 08:27
  • 1
    Yeah, right. Should have put that in the answer. Welp, the link is there. It may just help @dajood learn something and solve this problem. Ain't sure though. – Gaurav Mall Jul 02 '19 at 08:28
  • 3
    It might still be an interesting approach. But it requires usernames that are unique among all tenants. So that part of the problem is not solved. – Codo Jul 02 '19 at 08:30
  • 2
    Agreed. Need more research to solve the other part of the problem. – Gaurav Mall Jul 02 '19 at 08:30
  • any solution to this problem? I am facing a similar issue – simonC Jan 05 '22 at 15:14
2

Late to the party. But maybe for others who are interested. You could try the keycloak extension keycloak-orgs. I am currently building a test stack with it and I am pleased.

A tenant in keycloak-orgs is an organization. You can map organizations and their roles to token claims with a built-in mapper.

  {
    "organizations": {
      "5aeb9aeb-97a3-4deb-af9f-516615b59a2d": {
        "name": "foo",
        "roles": [ "admin", "viewer" ]
      }
    }
  }

The extension comes w/ an admin interface. From there you can create organizations and assign users to it. There is also a well-documented REST API on the Phase Two homepage (the company who open-sourced the project).

The maintainers provide a keycloak docker image that has the relevant keycloak extensions installed.

tom
  • 307
  • 1
  • 8
  • Yup, that keycloak extension looks promising for multi-tenancy support, haven't tested it yet myself but will probably be doing so soon enough.. For reference, here's the extension author's announcement about it, which gives some more info: https://keycloak.discourse.group/t/keycloak-multi-tenancy-extensions-for-saas-applications/15426 – franky duke Jan 18 '23 at 18:12
  • @tom, how are you mapping these roles to keycloak policies? – Mbuotidem Isaac Apr 14 '23 at 22:06
  • @MbuotidemIsaac, unfortunately I don't know how to map it. The devs are very responsive and helpful. – tom Apr 17 '23 at 09:34
1

If you want a single realm and a single client that serves many tenants, you can just use a custom user attribute and e.g. add key(s) "tenant=MyTenant" and then add a client scope and a mapper to include user attributes that have key=tenant.

Then the token will carry the user's tenant(s) and you can use that to filter data, add to newly created data etc.

It's only like 4 steps in Keycloak:

  1. Add User attributes using a key-convention.
  2. Add a Client scope that will represent tenants.
  3. Add a mapper to extract the User attributes.
  4. Add Client scope to the Client in use.

Wrote about it here: https://danielwertheim.se/keycloak-and-multi-tenancy-using-single-realm/

Daniel
  • 8,133
  • 5
  • 36
  • 51
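Reading the tenant out of the token on the service side, for both the keycloak-orgs `organizations` claim from tom's answer and the user-attribute claim from Daniel's answer. This is an added example, not code from either answer, from Phase Two or from Keycloak; it assumes the token signature has already been verified, that the attribute mapper's claim name is `tenant` (multivalued), and it uses constructed sample claims and rows.

```python
from typing import Any, Dict, List, Set

# Constructed sample claims (not real tokens). The "tenant" claim name and its
# list form are assumptions: the mapper emits whatever claim name it is
# configured with, as a string or, if marked multivalued, as a JSON array.
ORGS_CLAIMS: Dict[str, Any] = {
    "sub": "user-1",
    "organizations": {
        "5aeb9aeb-97a3-4deb-af9f-516615b59a2d": {"name": "foo", "roles": ["admin", "viewer"]},
    },
}
ATTR_CLAIMS: Dict[str, Any] = {"sub": "user-2", "tenant": ["MyTenant", "OtherTenant"]}

# Constructed multi-tenant data; every row carries the tenant that owns it.
RECORDS: List[Dict[str, Any]] = [
    {"id": 1, "tenant": "MyTenant", "payload": "a"},
    {"id": 2, "tenant": "OtherTenant", "payload": "b"},
    {"id": 3, "tenant": "ThirdTenant", "payload": "c"},
]


def tenants_from_claims(claims: Dict[str, Any]) -> Set[str]:
    """Tenant identifiers an already-verified token grants access to.
    Organizations are keyed by id, so the key (not the display name) is the
    tenant identifier; the attribute claim may be a string or a list."""
    tenants: Set[str] = set()
    orgs = claims.get("organizations")
    if isinstance(orgs, dict):
        tenants.update(k for k in orgs if isinstance(k, str))
    attr = claims.get("tenant")
    if isinstance(attr, str):
        tenants.add(attr)
    elif isinstance(attr, list):
        tenants.update(t for t in attr if isinstance(t, str))
    return tenants


def org_roles(claims: Dict[str, Any], org_id: str) -> List[str]:
    """Roles the token carries for one organization ([] if none)."""
    org = (claims.get("organizations") or {}).get(org_id) or {}
    return [r for r in org.get("roles", []) if isinstance(r, str)]


def scoped_records(claims: Dict[str, Any], requested_tenant: str) -> List[Dict[str, Any]]:
    """Filter rows by a tenant the token authorises. The tenant named in the
    request is accepted only if the token lists it, so a header or query
    parameter alone can never select another tenant's rows."""
    if requested_tenant not in tenants_from_claims(claims):
        raise PermissionError(f"token does not grant tenant {requested_tenant!r}")
    return [r for r in RECORDS if r["tenant"] == requested_tenant]
```

A token with neither claim yields an empty tenant set, so every scoped query is refused rather than silently returning all rows.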