
I have a few products (as a software company) for B2B clients. Currently I have SSO and authorization implemented separately in each product. I want to start using Keycloak as my main identity and access management system for all my products. I also want to have one realm for all my clients, because it is a simple way to grant access to my products if they want it (a client bought one product, then decided to buy another one, so I don't want to integrate them again). I also need different SSO/login methods per client (organization). So here I probably need a custom extension to provide different methods according to the organization's needs (by email domain, probably). For example, one client wants auth through Azure SSO, another only Google, a third LDAP, and so on. I also want to map their AD groups to our product roles in some cases. What is the correct way to achieve that in Keycloak's structure? Do you have a similar setup or any advice? So my goal is to onboard and integrate a business client once and then manage access to products in Keycloak seamlessly. Looking for any advice here. Thanks!

I tried to find a solution in the documentation, but with no success.

Update: I found an extension which solves IDP configuration per email domain: https://github.com/sventorben/keycloak-home-idp-discovery

  • Hi, you can achieve all of that in Keycloak. The only exception is I'm pretty sure you will need separate realms if you want to diversify the login methods per customer/client (social integrations, LDAP, AD...). And by the way, there is no need for custom extensions for the requirements you laid out. That being said, I don't see a very specific question here, so you might need to reformulate. – bsaverino Mar 18 '23 at 18:42
  • Is it the right way to create separate realms per customer? I've read that 400+ realms is kind of a limit in Keycloak from the performance side, isn't it? Thanks for your answer. – Ignas Bagdonas Mar 20 '23 at 06:09
  • No, the number of realms must remain extremely limited. You won't have SSO if you multiply realms, and you should only have different realms when securing completely different sets of applications (i.e. production vs dev; or shared/mutualized deployments vs on-prem/dedicated...). You can integrate various databases of users/groups or User Federations into a single realm, but they will generally share the same authentication policies. Have a read here maybe: https://stackoverflow.com/questions/8468075/what-is-the-exact-uses-of-realm-term-in-security. – bsaverino Mar 21 '23 at 21:01
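The following is an added illustration, not code from the question, from Keycloak, or from the keycloak-home-idp-discovery extension. It sketches in Python how the single-realm layout discussed above behaves: one identity provider per customer organization, routing the login by the email domain, and Claim-to-Role mappers on each provider that turn the customer's AD/IdP groups into product (client) roles. All aliases, client IDs, group names and email addresses are constructed; the two sync modes modelled (IMPORT: mapper acts only at first login; FORCE: mapper re-evaluates on every login) follow Keycloak's identity provider mapper sync modes. An organization that authenticates against LDAP via User Federation is not a brokered IdP, so its domain matches nothing and the user falls through to the local login form.

```python
"""Single-realm Keycloak layout sketched in Python (added example, constructed data).

One brokered IdP per customer organization; the customer's email domain selects
the IdP; Claim-to-Role mappers attached to that IdP grant product client roles.
"""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RoleMapper:
    """Models a Keycloak 'Claim to Role' identity provider mapper."""
    claim: str            # claim in the brokered token, e.g. "groups"
    claim_value: str      # group name that must appear in that claim
    client_id: str        # product client in the realm
    role: str             # client role to grant
    sync_mode: str = "FORCE"   # "IMPORT" (first login only) or "FORCE" (every login)


@dataclass(frozen=True)
class IdentityProvider:
    alias: str
    provider_id: str                   # "oidc", "google", "saml", ...
    domains: tuple[str, ...]           # email domains routed to this IdP
    mappers: tuple[RoleMapper, ...] = ()


# Constructed data: two customers brokered to their own IdPs.  A third customer
# using LDAP would be a User Federation, not an IdP, and so is absent here.
ACME = IdentityProvider(
    alias="acme-azure", provider_id="oidc",
    domains=("acme.example", "acme-group.example"),
    mappers=(
        RoleMapper("groups", "Product-A-Admins", "product-a", "admin"),
        RoleMapper("groups", "Product-A-Users", "product-a", "user", sync_mode="IMPORT"),
    ),
)
GLOBEX = IdentityProvider(alias="globex-google", provider_id="google", domains=("globex.example",))
PROVIDERS = (ACME, GLOBEX)


def email_domain(email: str) -> str:
    """Extract and normalise the domain part of an email address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.strip().lower().rstrip(".")


def discover_idp(email: str, providers=PROVIDERS) -> IdentityProvider | None:
    """Home-IdP discovery: exact, case-insensitive domain match.

    Subdomains are deliberately not matched, so no customer can claim a parent
    domain.  Returns None when no IdP owns the domain (local/LDAP login instead).
    """
    domain = email_domain(email)
    matches = [p for p in providers if domain in p.domains]
    if len(matches) > 1:
        raise ValueError(f"{domain} is claimed by several IdPs: {[p.alias for p in matches]}")
    return matches[0] if matches else None


def login(provider: IdentityProvider, current_roles: frozenset[str],
          claims: dict, first_login: bool) -> frozenset[str]:
    """Apply the provider's mappers to the roles a user already holds.

    FORCE mappers grant on match and revoke on mismatch at every login;
    IMPORT mappers grant only at first login and never revoke.
    """
    roles = set(current_roles)
    for m in provider.mappers:
        values = claims.get(m.claim, ())
        if isinstance(values, str):
            values = (values,)
        matched = m.claim_value in values
        key = f"{m.client_id}/{m.role}"
        if m.sync_mode == "FORCE":
            (roles.add if matched else roles.discard)(key)
        elif m.sync_mode == "IMPORT":
            if first_login and matched:
                roles.add(key)
        else:
            raise ValueError(f"unknown sync mode {m.sync_mode!r}")
    return frozenset(roles)


def entitle(provider: IdentityProvider, *new_mappers: RoleMapper) -> IdentityProvider:
    """Customer buys another product: add mappers to its IdP, nothing else changes."""
    return replace(provider, mappers=provider.mappers + tuple(new_mappers))


if __name__ == "__main__":
    idp = discover_idp("Alice@ACME.example")
    first = login(idp, frozenset(), {"groups": ["Product-A-Admins"]}, first_login=True)
    print(idp.alias, sorted(first))
```

The practical caveat the model makes visible: an IMPORT mapper never revokes, so a user removed from the AD group keeps the role until someone edits it in Keycloak; use FORCE for group-driven product roles if membership in the customer's directory is meant to be the source of truth.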
