p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Auto-mapping to an Organization based on email domain #190

Closed alexanderhofstaetter closed 8 months ago

alexanderhofstaetter commented 8 months ago

We have the understanding that when a user logs in and uses an org-verified domain, the user is auto-added to the correct org.

Is there such an auto logic? Or do we have to map each user separately?

xgp commented 8 months ago

That feature does not exist. Automatic mapping of Users to an Organization currently happens in two cases:

The feature you are suggesting could be:

For both ideas above, it would be necessary to make sure the user has a verified email. It would also be good to allow an admin to specify whether or not the Organization Domain must be verified in order to allow auto-mapping.

Feel free to PR this, as I think it would be a good addition.

alexanderhofstaetter commented 8 months ago

Thanks!

We have the following use case why we are evaluating the use of keycloak-orgs at the moment.

We have a multi-tenant SaaS, where every customer logs in with their Azure AD (Microsoft) tenant as trusted SSO.

Currently in every SaaS environment we add a custom Azure IdP OAuth application in the customer tenant to use federated login.

We want to move to a cloud-based SaaS approach, where we have one Keycloak as our Cloud IdP, with a single Microsoft OAuth Application (allows multi-tenant), so every organization logs in via their own Microsoft account, but in our tenant.

So every user (of all orgs) uses the same Social IdP. We now want to allow login with the same IdP but auto-map the user based on their email domain to the correct org.

We trust the email domain, as there is no manual way to register, only with the SSO approach.

I am trying to get some info on whether this can be done with a custom JS authenticator, but I currently lack the knowledge of where to add such logic.

Thanks!

xgp commented 8 months ago

I would suggest doing it as a Required Action. There's some good documentation here: https://www.keycloak.org/docs/latest/server_development/index.html#required-action-walkthrough

alexanderhofstaetter commented 8 months ago

Thanks for the tip! We implemented it as a custom authenticator that matches users to orgs based on email (via IdP SSO), which we use in every auth via a custom post-login flow for the IdP.

If somebody is interested in more details or the plugin I am happy to share!

xgp commented 8 months ago

Thanks for the update @alexanderhofstaetter

We do a similar thing in the OrgAddUserAuthenticatorFactory: https://github.com/p2-inc/keycloak-orgs/blob/main/src/main/java/io/phasetwo/service/auth/OrgAddUserAuthenticatorFactory.java

Feel free to PR your addition if you think others would be helped by it.
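As an added example (not code from the thread's participants or from keycloak-orgs), a sketch of the post-login authenticator described above that applies the two safeguards xgp asks for: the user's email must be verified, and whether the organization's domain claim must itself be verified is an admin setting. The keycloak-orgs calls `getOrganizationsStreamForDomain`, `hasMembership` and `grantMembership`, and the config key `requireVerifiedDomain`, are assumptions; the Keycloak `Authenticator` SPI methods are the real ones.

```java
import java.util.Locale;
import java.util.Map;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import io.phasetwo.service.model.OrganizationProvider; // assumed keycloak-orgs type

// Post-login authenticator: add the user to the organization(s) that claim their email domain.
public class DomainOrgMapperAuthenticator implements Authenticator {
  // Assumed config key, set by the admin on this execution in the flow editor (default: true).
  static final String REQUIRE_VERIFIED_DOMAIN = "requireVerifiedDomain";

  // Lower-cased domain of an address, or null when the address is unusable.
  static String emailDomain(String email) {
    if (email == null) return null;
    int at = email.lastIndexOf('@');
    if (at <= 0 || at == email.length() - 1) return null;
    return email.substring(at + 1).toLowerCase(Locale.ROOT);
  }

  @Override
  public void authenticate(AuthenticationFlowContext context) {
    UserModel user = context.getUser();
    // Only map on a verified address; an unverified domain proves nothing. Never block the login.
    if (user == null || !user.isEmailVerified()) { context.success(); return; }
    String domain = emailDomain(user.getEmail());
    if (domain == null) { context.success(); return; }

    AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
    Map<String, String> c = cfg == null ? Map.of() : cfg.getConfig();
    boolean verifiedDomainOnly = !"false".equalsIgnoreCase(c.getOrDefault(REQUIRE_VERIFIED_DOMAIN, "true"));

    OrganizationProvider orgs = context.getSession().getProvider(OrganizationProvider.class);
    RealmModel realm = context.getRealm();
    // Assumed keycloak-orgs API: organizations claiming this domain, optionally only verified claims.
    orgs.getOrganizationsStreamForDomain(realm, domain, verifiedDomainOnly)
        .filter(org -> !org.hasMembership(user))
        .forEach(org -> org.grantMembership(user));
    context.success();
  }

  @Override public void action(AuthenticationFlowContext context) { context.success(); }
  @Override public boolean requiresUser() { return true; }
  @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
  @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) {}
  @Override public void close() {}
}
```

The matching `AuthenticatorFactory` registers this class via `META-INF/services` and exposes `requireVerifiedDomain` as a boolean config property; with the IdP's "First login flow" / post-login flow pointing at it, the mapping runs on every SSO login rather than once at registration.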