Organizations vs. Multi-Realm for Delegated User/Role Administration in a B2B SaaS?

Hi everyone,

We run a B2B platform and rely on Keycloak as our centralized identity and access management solution for all our clients.

Currently, we simulate multi-tenancy in a single realm using one group per tenant, but we’re planning to migrate to a cleaner architecture using Keycloak 26. We are debating between a Multi-Realm approach (one realm per tenant) or adopting the new Organizations feature within a single shared realm.

A key requirement for the near future is tenant autonomy: we want to provide a custom frontend where each tenant’s administrator can manage their own users and roles securely, without compromising the isolation of other tenants.

Intuitively, the multi-realm approach fits this isolation requirement perfectly. However, it introduces other major pain points, like the duplication of clients, client scopes, mappers, and overall configuration across ALL realms.

After reading about Organizations, it seems to solve these duplication issues. However, the segregation of tenants is once again “logical”. Since they are not physically isolated, it feels dangerous to let customers “touch” the Keycloak API directly to manage their users.

Has anyone faced a similar architectural dilemma? Do you have any advice or best practices to share regarding this trade-off?

Thanks in advance!
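An added illustration of the mitigation the question hints at (not code from the original post or from the Keycloak project): instead of exposing the Keycloak Admin REST API to tenants, the custom frontend calls a small gate that pins every user/role operation to the caller's own organization. It assumes a realm role named `tenant-admin`, an `organization` token claim keyed by organization alias (Keycloak's organization client scope), and a `members_of` lookup injected as a function so the example runs offline.

```python
"""Tenant-scoped gate for delegated user administration (added example).

Models the layer a tenant-admin frontend would call instead of the Keycloak
Admin API directly. Assumptions (not from the post): realm role 'tenant-admin',
an 'organization' claim keyed by org alias, and an injected membership lookup
(in production: GET /admin/realms/{realm}/organizations/{id}/members).
"""
from dataclasses import dataclass
from typing import Callable, Iterable


class Forbidden(Exception):
    """Raised when a request would cross a tenant boundary."""


@dataclass(frozen=True)
class AdminAction:
    org_alias: str       # tenant the caller claims to act for
    target_user_id: str  # user being managed
    operation: str       # e.g. "reset-password", "assign-role"


def caller_orgs(claims: dict) -> set[str]:
    """Organization aliases the (already verified) caller belongs to."""
    org = claims.get("organization", {})
    # Assumed layout: mapping keyed by alias; tolerate a plain list of aliases.
    return set(org.keys()) if isinstance(org, dict) else set(org)


def authorize(claims: dict, action: AdminAction,
              members_of: Callable[[str], Iterable[str]]) -> AdminAction:
    """Return the action if it stays inside the caller's own tenant, else raise."""
    roles = claims.get("realm_access", {}).get("roles", [])
    if "tenant-admin" not in roles:
        raise Forbidden("caller is not a tenant administrator")
    if action.org_alias not in caller_orgs(claims):
        raise Forbidden("caller is not a member of the requested organization")
    # The org alias in the request is never trusted on its own: the target user
    # must be a member of that same organization before anything is forwarded.
    if action.target_user_id not in set(members_of(action.org_alias)):
        raise Forbidden("target user belongs to a different tenant")
    return action


# Constructed sample data so the gate can be exercised offline.
SAMPLE_MEMBERS = {"acme": {"u-1", "u-2"}, "globex": {"u-9"}}
ACME_ADMIN = {"sub": "u-1", "realm_access": {"roles": ["tenant-admin"]},
              "organization": {"acme": {}}}


def is_allowed(claims: dict, org: str, user: str, op: str = "reset-password") -> bool:
    """Convenience wrapper: True if the operation would be forwarded."""
    try:
        authorize(claims, AdminAction(org, user, op),
                  lambda alias: SAMPLE_MEMBERS.get(alias, set()))
        return True
    except Forbidden:
        return False
```

The same check applies whichever way the gate is fed: a request naming another organization, or a user id that belongs to one, is refused before the Admin API is ever called.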