How to authenticate users from different realms against a single application?

Question

I have the following situation:

My application consists in a frontend and a backend micro service, which both authenticate themselves via the same realm on one keycloak server. This set-up has been used for development, but now I need to extend it to support multi tenancy, because in the future each customer (tenant) should get its own realm with individual user accounts. However, since the user’s realm must already be known before logging in, I am wondering if this is even possible with Keycloak. An alternative would be to work with one single realm for all tenants and to do the mapping (users - tenant) via groups/roles. However, this is no suitable solution for me, as the tenants should not be able to see each other’s user accounts in keycloak. I need to have them in different realms. So my question would be if there is any solution to authenticate users from different realms against a single application?

Your help will be much appreciated.

Answer 1

That is an interesting (and quite classical) question, that we also tackled a few years ago.

Here are some valuable (?) thoughts that may help you to decide.

1. An important element is the number of tenants. If you expect a large number of tenants, there might be a serious performance issue when choosing the solution "one realm per tenant". See especially this ticket: https://issues.redhat.com/browse/KEYCLOAK-4593 (there seems to have been some improvements in recent releases).

the realm limitation at the moment is probably far less than 100 realms

...where every call takes more than 30s with Keycloak on MySQL on SSD drive

my fundamental issue now is keycloak node start up.. With 350 odd tenants/realms, i see the start up of keycloak times out

2. Another element is the wanted degree of isolation between users. Will your customers agree to have their users mixed in the same "database" (ie realm) as others customers ? Will they accept that a realm admin is able to browse (via the web console) the names, emails, etc... of all users (for all tenants) of a single realm ? If not, a separate realm for each tenant is the "only" solution

3. According to me, the key question is : what is the exact semantics of a realm. The above ticket says:

Realms make sense if you need to configure things like Identity Providers, Themes, Token Lifetimes, Key Rotation and so on differently for every of your sub tenants.

This should be the main decision criteria.

Regarding your particular question (eg "my question would be if there is any solution to authenticate users from different realms against a single application?") ? Why would it be not possible ? Technically speaking, the only difference is that the root url of the web services is no more a constant (with the unique realm) but dynamic (tenant dependant). But then, of course, the basic assumption is that the system is able to know in advance (BEFORE login-in) the corresponding realm (that could be derived from the selected tenant when login).

Answer 2

I have a similar issue where the solution consists of adding a realm/tenant selection before redirecting the user to the login page. It is not as elegant as for example having a login form with Username, Tenant, Password, but it is an acceptable solution where there is still a realm/tenant isolation.