
I'm trying to understand how Keycloak can be used in a large scale multi-tenanted scenario.

The standard approach seems to be to use a realm for each tenant. This isolates each tenant's users and settings and makes a lot of sense.

In the Keycloak example for multi-tenanting it says it "demonstrates the simplest possible scenario for Keycloak Multi Tenancy support" (emphasis mine). I might be reading too much into this, but to me that implies there are other standard approaches. I haven't been able to find much discussion about these options though.

I've also read that there are potentially performance issues with more than 100 realms. It might be that these performance issues have been fixed, but this also suggests to me that Keycloak wouldn't handle a large scale multi-tenanting scenario with 1,000+ tenants.

So my questions are:

  • Are there any other recommended approaches for multi-tenanting, other than "one realm per tenant"?
  • Are there any large scale multi-tenanting deployments of Keycloak in the wild that demonstrate its ability to cope with lots of realms?
  • Are there any recommendations for sources of information that I should be looking at?
Peter Coulton
  • Have you managed to get a reply on this? Have you made any progress? – George Nikolaides Nov 10 '20 at 07:56
  • @GeorgeNikolaides Hi there, have you checked this one -> https://stackoverflow.com/questions/56684168/can-multi-tenancy-in-keycloak-be-done-within-a-single-realm . I have not tried it. I don't think there is a solution yet. But it gives something to carry on further research. – Sandy B Nov 23 '20 at 11:10
  • Hello @Peter, actually we saw that post but it does not seem to be the right way. In any case we also decided to go with creating one realm for each tenant. Mainly because this is how Keycloak was designed :) – George Nikolaides Nov 23 '20 at 15:05
  • @GeorgeNikolaides Hi, this is off topic, since we have been talking about multitenancy with Keycloak. I went through this link -> https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy and noticed one has to create an implementation of org.keycloak.adapters.KeycloakConfigResolver . I didn't actually get the hang of it completely. Please let me know if you have any proper docs to explain a little more about the workflow. – Sandy B Nov 26 '20 at 08:09

1 Answer

To date (Keycloak 18 being released) the performance issues with 100+ realms still exist. But in the real world this is not an issue at all.

Just split your tenants across multiple Keycloak clusters. In case you need to integrate your realms, this can be done independent from the specific cluster/instance through Federation across the clusters, so there's no need to run everything on a single cluster.

From an operations point of view - having such a large amount of tenants / realms on a single cluster would also be suboptimal - as you'd have a hard time to organize maintenances and downtimes. So splitting things up a bit is not the worst thing to consider.

pagid
  • Do you happen to have any pointers to a more detailed description of how to achieve this? So far my search engine kung-fu doesn't seem to be good enough to find articles / documentation on how to do this. Thank you! – RobertB Jun 13 '23 at 13:25
  • There's not really any official documentation I could forward. Maybe you need some professional support - feel free to get in contact here or through https://www.bare.id/#kontakt – pagid Jun 14 '23 at 11:49
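
An added illustration of the answer's layout (one realm per tenant, tenants spread over several clusters), not code from the answer or from Keycloak: the application resolves the tenant from the request host, looks up which cluster hosts that realm, and pins the token issuer to it so a token from another tenant's realm is rejected. The host names, tenant names, `APP_DOMAIN` and the registry are constructed, and the realm URL layout assumes the Quarkus distribution (Keycloak 17+, no `/auth` prefix).

```python
import re
from urllib.parse import urlsplit

# Constructed registry: tenant (= realm name) -> base URL of the cluster hosting it.
TENANT_CLUSTER = {
    "acme": "https://kc-a.example.com",
    "globex": "https://kc-a.example.com",
    "initech": "https://kc-b.example.com",
}
APP_DOMAIN = "app.example.com"  # assumption: tenants use <tenant>.app.example.com
TENANT_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")  # one DNS label, safe in a URL path


class TenantError(Exception):
    """Raised when a request cannot be tied to exactly one known realm."""


def tenant_from_host(host):
    """Derive the tenant from the Host header, never from data inside the token."""
    try:
        hostname = urlsplit("//" + host).hostname or ""
    except ValueError:
        raise TenantError("malformed Host header")
    suffix = "." + APP_DOMAIN
    if not hostname.endswith(suffix):
        raise TenantError("host outside application domain")
    tenant = hostname[: -len(suffix)]
    if not TENANT_RE.fullmatch(tenant) or tenant not in TENANT_CLUSTER:
        raise TenantError("unknown tenant")
    return tenant


def realm_endpoints(tenant):
    """Issuer and JWKS URL of the tenant's realm on the cluster that hosts it."""
    if tenant not in TENANT_CLUSTER:
        raise TenantError("unknown tenant")
    issuer = f"{TENANT_CLUSTER[tenant]}/realms/{tenant}"
    return {"issuer": issuer, "jwks_uri": issuer + "/protocol/openid-connect/certs"}


def check_issuer(host, verified_claims):
    """Run after the signature was verified with keys from the tenant's jwks_uri."""
    tenant = tenant_from_host(host)
    if verified_claims.get("iss") != realm_endpoints(tenant)["issuer"]:
        raise TenantError(f"token was not issued by the realm of tenant {tenant!r}")
    return tenant
```

Moving a tenant to another cluster then only means changing its registry entry; the issuer check follows automatically.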