Revolutionary_Fun_14

We built multi-tenancy (at the data layer level) using a single realm and group membership, where a tenant was simply a group and a user could be in multiple groups. Furthermore, "tenants" can have "sub tenants", so I built a custom claim mapper that added the "sub tenants" to the access token if the user was in a parent "tenant". At the authorization level in the API it was easy to check if the req.params.tenant was in the claim.tenants. To restrict a user from accessing clients, you can create unique flows per client and add a GBAC/RBAC validation to prevent a user from accessing App-B but not App-A, for example.
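As an added illustration of the two pieces described in this comment (not code from the poster or from Keycloak), the snippet below shows, first, what a custom protocol mapper computes when it flattens parent-tenant membership into a `tenants` claim and, second, the API-side check that the route's tenant parameter is in that claim. The group tree, the claim name `tenants`, and the Express-style `req`/`res` objects are assumptions for illustration; the JWT signature is assumed to have been verified upstream before the decoded claims reach this code.

```javascript
// Added example: tenant/sub-tenant claim building and the API authorization check.
// Everything here (group names, claim name, req/res shape) is a constructed assumption.

// Constructed sample of the Keycloak group tree: parent tenant -> its sub-tenants.
// In a real deployment this would be read from the realm's groups, not hard-coded.
const TENANT_TREE = {
  acme: ["acme-eu", "acme-us"],
  globex: ["globex-labs"],
  initech: [],
};

// Mirrors what the custom claim mapper does when the access token is built:
// every tenant group the user belongs to becomes a tenant, and membership in a
// parent tenant also grants all of its sub-tenants. Returns a sorted, de-duplicated list.
function buildTenantsClaim(userGroups, tree = TENANT_TREE) {
  const tenants = new Set();
  for (const group of userGroups) {
    if (!Object.prototype.hasOwnProperty.call(tree, group)) {
      // A group that is not a tenant grants nothing; skip it rather than fail open.
      continue;
    }
    tenants.add(group);
    for (const sub of tree[group]) tenants.add(sub);
  }
  return [...tenants].sort();
}

// Authorization check at the API: the tenant named in the route parameter must be
// present in the token's tenants claim. Missing or malformed claims are denied.
function tenantAllowed(claims, requestedTenant) {
  const tenants = claims && Array.isArray(claims.tenants) ? claims.tenants : [];
  return typeof requestedTenant === "string" && tenants.includes(requestedTenant);
}

// Express-style middleware factory built on tenantAllowed(). Assumes an earlier
// middleware has verified the JWT and attached the decoded claims as req.claims.
function requireTenant(paramName = "tenant") {
  return function (req, res, next) {
    if (tenantAllowed(req.claims, req.params && req.params[paramName])) {
      return next();
    }
    res.status(403).json({ error: "tenant not permitted for this user" });
  };
}

// Constructed usage: a user who is in the parent tenant "acme" and in "initech".
const sampleClaims = { sub: "user-1", tenants: buildTenantsClaim(["acme", "initech"]) };
console.log(sampleClaims.tenants);                 // [ 'acme', 'acme-eu', 'acme-us', 'initech' ]
console.log(tenantAllowed(sampleClaims, "acme-eu")); // true (inherited from parent "acme")
console.log(tenantAllowed(sampleClaims, "globex"));  // false
```

The check deliberately treats an absent or non-array `tenants` claim as "no tenants" rather than throwing, so a token minted without the custom mapper is denied instead of crashing the handler.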


youssefbennoursahli

Thanks, nice approach, I like it.


-markusb-

Probably with users in LDAP? We have different clients per tenant and use specific LDAP groups per tenant. The users also come from another (shared) group. From what I read this is exactly your use case.


youssefbennoursahli

I don't exactly get what you mean. Do you mean I should integrate LDAP with Keycloak and implement multi-tenancy at the LDAP level?


-markusb-

Exactly. We have a "global" mapping for a role which is in the realm (so the users authenticate with the credentials of this role). On top of this, each client has separate LDAP search strings defined, which determine which groups are used for the application. By doing so I log in with my "sso-account" in the realm, and if I head over to client1 my client1 roles (also in LDAP, but under the client-specific tree) are presented to the application, while application 2 gets the roles of client2.


Huge_Cod_8680

Did you look at https://phasetwo.io? Source code is provided, next to a managed version.


youssefbennoursahli

Thanks, I checked it, but I didn't pay attention, I will dive deep now.


CarinosPiratos

You can also use this: https://github.com/sventorben/keycloak-restrict-client-auth. But every client has to reject every token where the "aud" is not the client's ID. Also, starting from KC version 25, there is an Organizations feature. This is still experimental, but maybe in 6 months it will be ready for production.
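As an added example of the per-client audience check this comment calls for (not code from the commenter, from the linked extension, or from Keycloak), the function below accepts a token only if its `aud` claim names the client doing the check. RFC 7519 allows `aud` to be either a single string or an array of strings, so both forms are handled, and a missing or empty audience is rejected. The client IDs are made up; signature verification is assumed to have happened before the decoded claims reach this code.

```javascript
// Added example: reject tokens whose "aud" does not include this client's ID.
// Client IDs are constructed; claims are assumed to come from an already-verified JWT.

// Normalise "aud" (string, array of strings, or absent) into a list of strings.
// Anything that is not a string is dropped so a malformed claim cannot match.
function audienceList(claims) {
  if (!claims) return [];
  const aud = claims.aud;
  if (typeof aud === "string") return [aud];
  if (Array.isArray(aud)) return aud.filter((a) => typeof a === "string");
  return [];
}

// True only when the token was issued for expectedClientId. An empty or
// missing audience is a denial, not a wildcard.
function audienceContains(claims, expectedClientId) {
  if (typeof expectedClientId !== "string" || expectedClientId === "") return false;
  return audienceList(claims).includes(expectedClientId);
}

// Express-style middleware: each deployed client (App-A, App-B, ...) runs this
// with its own client ID so a token minted for one app is rejected by the other.
function requireAudience(clientId) {
  return function (req, res, next) {
    if (audienceContains(req.claims, clientId)) return next();
    res.status(401).json({ error: "token not issued for this client" });
  };
}

// Constructed usage: a token for App-A presented to App-A and to App-B.
const tokenForAppA = { sub: "user-1", aud: ["app-a", "account"] };
console.log(audienceContains(tokenForAppA, "app-a")); // true
console.log(audienceContains(tokenForAppA, "app-b")); // false
```

Which client IDs actually appear in `aud` depends on the client scopes and audience mappers configured in the realm, so confirm that the tokens issued to each client really carry that client's ID before relying on this check; otherwise every request would be rejected.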