Best practice for multi-user-type access: single realm vs. multiple realms?

Hi all,

I’m evaluating Keycloak as the central IdP for our organization and looking for guidance on how to architect user and access separation across different application types.

User types

Our organization has three distinct user populations:

  • Staff: employees hired by the organization

  • Volunteers: non-employees who assist staff (a middle ground: they need access to some internal tooling but are not on payroll)

  • End Users: external users of applications built by our digital team

Application types

We have applications that serve different subsets of these users:

  • Internal only: management tools (e.g. Jira, Asana) where only Staff should have access

  • Mixed: applications that need to allow Staff + Volunteers, or in some cases all three types (e.g. a live support chat)

  • External only: participant-facing applications dedicated to End Users, with self-registration

What I’ve considered so far

  1. Multiple realms (one per user type): I’m concerned about the operational overhead of managing three realms and the complexity of the “Mixed” applications that need to accept users from more than one realm.

  2. Single realm: all users in one realm, using groups (e.g. staff, volunteer, end-user) and client-level roles to control which applications each user type can access. This means implementing access control at IdP level, which is against the OpenID recommendation that clients should enforce authorization.

Questions

  1. Which approach would you recommend, and why?

  2. If using a single realm, is there a clean way to enforce different authentication flows per user type (e.g. MFA required for Staff, optional for End Users)?

  3. For those running multi-realm setups: how do you handle applications that need to accept users from more than one realm? Is identity brokering the standard path, or are there simpler patterns?

  4. Any pitfalls or gotchas you’ve encountered with any of these approaches at scale?

Keycloak version: 26.4

Deployment: Self-hosted on AWS ECS.

Thanks in advance!
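Added example, not part of the original post: the relying-party side of option 2, where the application (not the IdP) decides whether a user's client-level role is enough, after verifying the token. The issuer, client id and secret are constructed; Keycloak signs with RS256 via the realm's JWKS by default, and HS256 with a shared secret is used here only so the check runs offline with the standard library.

```python
import base64, hmac, hashlib, json, time

# Constructed values for the offline demo. A real client fetches the realm's
# RS256 public key from the JWKS endpoint instead of holding a shared secret.
ISSUER = "https://idp.example.org/realms/org"
CLIENT_ID = "support-chat"
SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Constructed stand-in for the IdP: signs the claims with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize(token: str, required_role: str, now=None) -> bool:
    """Client-side check: verify the token, then require a client role.

    Keycloak places client-level roles under resource_access.<client-id>.roles
    (realm roles live under realm_access.roles). Signature, issuer, expiry and
    audience are checked before any role is trusted.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject alg=none and algorithm swaps
        return False
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud", [])
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud):
        return False  # token was issued for a different application
    roles = claims.get("resource_access", {}).get(CLIENT_ID, {}).get("roles", [])
    return required_role in roles
```

With this in place the IdP can keep issuing tokens to everyone in the single realm, while each application enforces which client roles (staff, volunteer, end-user) it accepts.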