p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

KeyCloak Multitenancy Question #255

Closed ankit-akteena closed 4 months ago

ankit-akteena commented 4 months ago

We are exploring multitenancy for our use case, where we want to manage multiple tenants within a single realm. We came across the keycloak-orgs extension through some blog posts and wanted to investigate it further. One specific concern we have is about user isolation: ensuring that users from TenantA cannot see or manage users from TenantB. Does the keycloak-orgs extension support this capability, or is this isolation managed by Keycloak itself? We couldn't find detailed documentation on this, so any insights would be helpful.

xgp commented 4 months ago

ensuring that users from TenantA cannot see or manage users from TenantB

Users are normal Keycloak users. "see"ing other users is up to roles in Keycloak or in keycloak-orgs. For example, if a user has the view-users (Client realm-management) role, they will be able to "see" other users. If a user has view-members organization role, they will be able to "see" other users in their organization/tenant.

So, what you want is possible, but is enforced by the way you use Client, Realm and Organization Roles. I'd suggest you read up on how this works in Keycloak and keycloak-orgs:
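One way to apply the role-based scoping xgp describes to a "list users" API, as an added example that is not code from the keycloak-orgs project or from this thread: the realm-management view-users client role gives realm-wide visibility, otherwise the caller sees only members of organizations where they hold view-members. The layout of the organization claim and of resource_access, and the sample users and tokens, are assumptions; confirm the claim shapes against your own tokens.

```python
# Added example (not keycloak-orgs code): scoping a "list users" call to the
# roles the caller actually holds, so TenantA staff never see TenantB users.
# Claim layouts are ASSUMPTIONS modelled on Keycloak's resource_access claim
# and the organization claim keycloak-orgs can map into tokens.

REALM_MGMT_CLIENT = "realm-management"
VIEW_USERS = "view-users"        # Keycloak client role: realm-wide visibility
VIEW_MEMBERS = "view-members"    # keycloak-orgs organization role: org-scoped


def visible_org_ids(claims):
    """Return None for realm-wide visibility, otherwise the set of
    organization ids whose members the caller may see (may be empty)."""
    client_roles = (claims.get("resource_access", {})
                          .get(REALM_MGMT_CLIENT, {})
                          .get("roles", []))
    if VIEW_USERS in client_roles:
        return None
    orgs = claims.get("organization", {})
    return {org_id for org_id, org in orgs.items()
            if VIEW_MEMBERS in org.get("roles", [])}


def list_visible_users(claims, users):
    """Filter a user directory down to what the caller is allowed to see.
    users: list of {"username": str, "orgs": [org_id, ...]} (constructed)."""
    scope = visible_org_ids(claims)
    if scope is None:
        return [u["username"] for u in users]
    # Users in no organization are invisible to tenant-scoped callers.
    return [u["username"] for u in users if scope.intersection(u["orgs"])]


# Constructed sample directory: two tenants sharing one realm.
USERS = [
    {"username": "alice", "orgs": ["org-a"]},
    {"username": "bob",   "orgs": ["org-a"]},
    {"username": "carol", "orgs": ["org-b"]},
    {"username": "dave",  "orgs": []},
]

# Constructed token claims: a TenantA org admin and a realm-level user manager.
TENANT_A_ADMIN = {"organization": {"org-a": {"name": "TenantA",
                                             "roles": ["view-members"]}}}
REALM_ADMIN = {"resource_access": {"realm-management": {"roles": ["view-users"]}}}

if __name__ == "__main__":
    print(list_visible_users(TENANT_A_ADMIN, USERS))  # ['alice', 'bob']
    print(list_visible_users(REALM_ADMIN, USERS))     # all four users
```

A token with neither role yields an empty list, which is the safe default for a caller whose roles were never granted.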