p2-inc / phasetwo-docs

docusaurus repo for phasetwo.io public website and documentation

Subdomain per organization #147

Closed lsmith77 closed 2 months ago

lsmith77 commented 2 months ago

In our SaaS application each organization runs on its own subdomain. For SSO, we would therefore also want to run everything on its own subdomain, which is of course doable with Keycloak.

However commonly this is done by binding realms to subdomains (see f.e. https://medium.com/@tdebodt/give-your-application-a-professional-touch-with-wildcard-subdomain-and-secure-it-with-oidc-and-5a6b70e23259).

With P2, we would use a single realm, while still customizing the UI (custom logo, color scheme) and showing the IdP options for that specific organization; whatever login mechanism is used, it should set the active organization automatically in the token.

Since I didn't find anything in the documentation, I wanted to check what the best practices are here and add this to the documentation.

Topics I have identified here:

1) Keycloak configuration

2) Theming

My understanding is that organization specific IdPs basically work by first receiving the email domain to then determine the IdP based on the verified domain concept. But this requires the user to supply their email, rather than having a single button experience to f.e. log in via Google or Microsoft.

I guess what we need to do is build some JavaScript code that can fetch the list of IdPs for the specific organization and then use idpHint on each of the login options to force login into the specific IdP.

3) Parallel logins to multiple organizations

4) Anything else that should be considered/configured in such a setup?

pnzrr commented 2 months ago

@lsmith77

  1. Looking into this. Not sure yet.
  2. Theming should still be doable on a per-Organization basis using the Organization plugin. https://phasetwo.io/blog/customizing-login-pages
  3. I believe so but would need to verify it.

@xgp any other thoughts?

lsmith77 commented 2 months ago

@pnzrr thank you for your response. What I am missing in https://phasetwo.io/blog/customizing-login-pages is how to do these customizations on a per organization basis, i.e. we want the organization to be able to set their colors and logos, so I am pondering what the best strategy is for this.

Right now my plan is to use the subdomain to identify the organization and then remotely fetch organization specific CSS/logo and list of IdPs to display.
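The approach sketched in the two comments above (identify the organization from the subdomain, look up its IdPs, and give each login button an IdP hint) as an added JavaScript example; this is not code from the issue author or from the Phase Two project. The organization-to-IdP map is a constructed stand-in for whatever remote lookup the application performs, the host names, realm and client id are assumed sample values, and the query parameter Keycloak reads for the hint is `kc_idp_hint`.

```javascript
// Added example (not Phase Two or Keycloak project code): build per-organization
// login links that force a specific IdP through Keycloak's kc_idp_hint parameter.
// ORG_IDPS is a constructed in-memory map standing in for a remote lookup; the
// base domain, Keycloak URL, realm and client id are assumed sample values.

// Constructed sample data: which IdP aliases each organization subdomain may use.
// Aliases are the identity-provider aliases configured in the shared realm.
const ORG_IDPS = {
  acme: [
    { alias: "acme-google", label: "Log in with Google" },
    { alias: "acme-azuread", label: "Log in with Microsoft" },
  ],
  globex: [{ alias: "globex-okta", label: "Log in with Okta" }],
};

const CONFIG = {
  baseDomain: "example.com",                // assumption: tenants live at <org>.example.com
  keycloakBase: "https://auth.example.com", // assumption: public Keycloak URL
  realm: "tenants",                         // assumption: the single shared realm
  clientId: "tenant-app",                   // assumption: the SaaS application's client
};

// Extract the organization label from a host name. Returns null for the bare
// base domain, for hosts outside the base domain and for nested subdomains, so
// an unexpected host never resolves to some organization by accident.
function orgFromHost(hostname, baseDomain = CONFIG.baseDomain) {
  const host = hostname.toLowerCase();
  const suffix = "." + baseDomain;
  if (!host.endsWith(suffix)) return null;
  const label = host.slice(0, -suffix.length);
  // exactly one DNS label: lowercase letters, digits and inner hyphens
  return /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label) ? label : null;
}

// Build the authorization request URL for one IdP. The alias is checked against
// the organization's own list before it goes into kc_idp_hint, so a crafted link
// cannot steer a user to an IdP that belongs to a different tenant.
function buildLoginUrl(org, idpAlias, redirectUri, state) {
  const allowed = (ORG_IDPS[org] || []).some((idp) => idp.alias === idpAlias);
  if (!allowed) throw new Error(`IdP ${idpAlias} is not configured for ${org}`);
  const url = new URL(
    `/realms/${encodeURIComponent(CONFIG.realm)}/protocol/openid-connect/auth`,
    CONFIG.keycloakBase
  );
  url.searchParams.set("client_id", CONFIG.clientId);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", "openid");
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  url.searchParams.set("kc_idp_hint", idpAlias);
  return url.toString();
}

// One button per IdP for the organization behind the given host. An empty list
// means "show the generic login page" rather than guessing an organization.
function loginOptionsForHost(hostname, state = "opaque-state") {
  const org = orgFromHost(hostname);
  if (!org || !ORG_IDPS[org]) return [];
  const redirectUri = `https://${org}.${CONFIG.baseDomain}/callback`;
  return ORG_IDPS[org].map((idp) => ({
    label: idp.label,
    url: buildLoginUrl(org, idp.alias, redirectUri, state),
  }));
}

// Stand-alone demo: print the buttons a visitor of acme.example.com would see.
console.log(loginOptionsForHost("acme.example.com"));
```

In a real deployment the `state` value must be an unguessable per-session token checked on the callback, and the IdP list would come from the application backend rather than a constant; the host check and the alias check stay the same either way.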

xgp commented 2 months ago

@lsmith77 We don't have customization on a per organization basis, and don't really support any customization based on the subdomain.