Best Keycloak architecture for managing B2C customers, B2B clients, and internal employees?

Hello everyone,

I am planning to deploy Keycloak to manage authentication and authorization for:

  • B2C customers (end users of our application)
  • B2B clients (business customers with multiple users)
  • Internal employees distributed across different departments

I’m trying to determine the best architecture to organize these users:

  • Should I create multiple realms (one per user type)?
  • Or should I use a single realm with Organizations to isolate B2B clients and employees, and Groups to segment users?
  • How should I handle standard B2C customers who don’t belong to any organization?
  • What are your experiences or best practices for multi-tenant setups in Keycloak for mixed scenarios like this?

Thanks in advance for your advice!

Hello @okaydada,

Indeed, in Keycloak there are many levels of hierarchies (Keycloak instances - realms - organizations - groups - subgroups etc.) The answer depends on your particular requirements, policies, how you plan to implement SSO, protocols you’re planning to use (OIDC/SAML), your application’s cryptographic capabilities and even the expected number of tenants. Depending on that, any combinations could be possible.

[quote=“dteleguin, post:2, topic:30158, full:true”]
Hello @okaydada,
[/quote]

We are currently designing a secure identity and access management system with Keycloak to handle multiple user types and applications. Our key requirements are:

Authentication

  • We want to use OpenID Connect (OIDC) as the main authentication protocol.
  • Users can authenticate using:
    • Username + password, or
    • External Identity Providers (Google, Facebook) via OIDC.
  • MFA (Multi-Factor Authentication) is mandatory for all users.
    • We already have users using Google Authenticator (TOTP) for OTP.
    • We plan to migrate those existing TOTP secrets into Keycloak’s credential storage.

SSO

  • We want SSO enabled across multiple applications, especially:
    • Internal apps (for employees),
    • B2B portals (for enterprise clients),
    • B2C apps (at least three), where a user account in one app must grant access to the others.

User segmentation

We manage three main user types:

  1. Internal employees
     • Access an internal app.
     • Organized by department (HR, support, dev, etc.).
  2. B2B clients
     • Represented by organizations or top-level groups.
     • May include multiple users and subgroups per company.
  3. B2C users
     • End customers using our consumer-facing apps.
     • Simpler structure, no subgroups needed, but SSO across apps is required.

my 2cts:

If you are using Active Directory, go for Kerberos. No password is more secure than MFA.

If you and they can, delegate IAM to them. It eases everyone's life in case someone leaves the organization. Maybe they use Kerberos as well.

This is likely the only situation where you have to manage new users.

It looks like the three categories of users (internal, B2B, B2C) are pretty much isolated, and there is no requirement for SSO across the categories. I’d recommend starting with three realms and using groups and/or organizations to model the business hierarchy.

One of the benefits of the above approach is that if any of the realms starts producing significant load (which could affect other user categories), you’ll be able to easily migrate it to a different Keycloak server/cluster.
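As an added illustration (not taken from any post in this thread or from the Keycloak project), here is what the three-realm layout recommended above could look like as a realm-import file for `kc.sh import --file`. It models the requirements stated earlier in the thread: a `b2c` realm whose three OIDC clients share one SSO session, a `b2b` realm with a top-level group and subgroups per customer company, and an `internal` realm with one group per department, all three with a 6-digit, 30-second TOTP policy and OTP enrolment as a default required action. The realm, client and group names, the `example.com` hosts and every `*_PLACEHOLDER` value are assumptions; `organizationsEnabled` assumes Keycloak 25 or later.

```json
[
  {
    "realm": "b2c",
    "enabled": true,
    "registrationAllowed": true,
    "sslRequired": "external",
    "otpPolicyType": "totp",
    "otpPolicyAlgorithm": "HmacSHA1",
    "otpPolicyDigits": 6,
    "otpPolicyPeriod": 30,
    "requiredActions": [
      { "alias": "CONFIGURE_TOTP", "name": "Configure OTP", "enabled": true, "defaultAction": true }
    ],
    "identityProviders": [
      {
        "alias": "google",
        "providerId": "google",
        "enabled": true,
        "trustEmail": false,
        "config": {
          "clientId": "GOOGLE_CLIENT_ID_PLACEHOLDER",
          "clientSecret": "GOOGLE_CLIENT_SECRET_PLACEHOLDER"
        }
      }
    ],
    "clients": [
      {
        "clientId": "shop-web",
        "protocol": "openid-connect",
        "publicClient": true,
        "standardFlowEnabled": true,
        "implicitFlowEnabled": false,
        "directAccessGrantsEnabled": false,
        "redirectUris": ["https://shop.example.com/callback"],
        "webOrigins": ["https://shop.example.com"],
        "attributes": { "pkce.code.challenge.method": "S256" }
      },
      {
        "clientId": "loyalty-web",
        "protocol": "openid-connect",
        "publicClient": true,
        "standardFlowEnabled": true,
        "implicitFlowEnabled": false,
        "directAccessGrantsEnabled": false,
        "redirectUris": ["https://loyalty.example.com/callback"],
        "webOrigins": ["https://loyalty.example.com"],
        "attributes": { "pkce.code.challenge.method": "S256" }
      },
      {
        "clientId": "support-web",
        "protocol": "openid-connect",
        "publicClient": true,
        "standardFlowEnabled": true,
        "implicitFlowEnabled": false,
        "directAccessGrantsEnabled": false,
        "redirectUris": ["https://support.example.com/callback"],
        "webOrigins": ["https://support.example.com"],
        "attributes": { "pkce.code.challenge.method": "S256" }
      }
    ]
  },
  {
    "realm": "b2b",
    "enabled": true,
    "registrationAllowed": false,
    "organizationsEnabled": true,
    "sslRequired": "external",
    "otpPolicyType": "totp",
    "otpPolicyAlgorithm": "HmacSHA1",
    "otpPolicyDigits": 6,
    "otpPolicyPeriod": 30,
    "requiredActions": [
      { "alias": "CONFIGURE_TOTP", "name": "Configure OTP", "enabled": true, "defaultAction": true }
    ],
    "groups": [
      {
        "name": "acme-corp",
        "subGroups": [
          { "name": "admins" },
          { "name": "users" }
        ]
      }
    ],
    "clients": [
      {
        "clientId": "b2b-portal",
        "protocol": "openid-connect",
        "publicClient": false,
        "secret": "B2B_PORTAL_CLIENT_SECRET_PLACEHOLDER",
        "standardFlowEnabled": true,
        "directAccessGrantsEnabled": false,
        "redirectUris": ["https://partners.example.com/callback"],
        "webOrigins": ["https://partners.example.com"]
      }
    ]
  },
  {
    "realm": "internal",
    "enabled": true,
    "registrationAllowed": false,
    "sslRequired": "external",
    "otpPolicyType": "totp",
    "otpPolicyAlgorithm": "HmacSHA1",
    "otpPolicyDigits": 6,
    "otpPolicyPeriod": 30,
    "requiredActions": [
      { "alias": "CONFIGURE_TOTP", "name": "Configure OTP", "enabled": true, "defaultAction": true }
    ],
    "groups": [
      { "name": "hr" },
      { "name": "support" },
      { "name": "dev" }
    ],
    "clients": [
      {
        "clientId": "intranet",
        "protocol": "openid-connect",
        "publicClient": false,
        "secret": "INTRANET_CLIENT_SECRET_PLACEHOLDER",
        "standardFlowEnabled": true,
        "directAccessGrantsEnabled": false,
        "redirectUris": ["https://intranet.example.com/callback"],
        "webOrigins": ["https://intranet.example.com"]
      }
    ]
  }
]
```

Import it with `kc.sh import --file realms.json` before starting the server, or load one realm at a time through the admin console's partial import. Two things to verify afterwards: the `CONFIGURE_TOTP` default action only forces enrolment on users created after it is set, so existing or IdP-federated users need the required action added explicitly, or the OTP step in the browser authentication flow switched from Conditional to Required, before "MFA mandatory for all users" actually holds; and SSO sessions never cross realm boundaries, so the three B2C clients share a login only because they sit in the same `b2c` realm, which is exactly the trade-off behind keeping internal, B2B and B2C users in separate realms.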