Keycloak Organizations

[pedroigor]

Description

This top-level epic is about the planned work to deliver the first release of the Keycloak Organization feature.

Keycloak Organization is a feature that leverages and builds on top of the Identity and Access Management (IAM) capabilities of Keycloak to address Customer Identity and Access Management (CIAM) with a focus on Business-to-Business (B2B) use cases.

                                    +-----------+                  
                                    |           |                  
                        +-----------+  Customer +-----------+      
                        |           |           |           |      
+----------+      +-----+----+      |           |      +----+-----+
|          |      |          |      +-----------+      |          |
| End-User +------+  Realm   |                         | End-User |
|          |      |          |                         |          |
|          |      |          |                         |          |
+----------+      +-----+----+                         +----+-----+
                        |           +-----------+           |      
                        |           |           |           |      
                        +-----------+  Partner  +-----------+      
                                    |           |                  
                                    |           |                  
                                    +-----------+                       

In summary, this feature will allow a realm to integrate with third-party entities like customers and business partners so that their identities and how they access protected resources at the realm level are segregated and managed within the scope of the organization they belong to.

As a result, a realm will be able to provide a different experience when onboarding customer identities or identities from a business partner and mechanisms to secure and manage how they interact with a realm and how they access protected resources from the clients available from a realm. Although not the main focus, it should also be possible to leverage this feature if you just want a better segregation between users, clients, and how they are managed and authenticate to a realm—some level of multi-tenancy.

The main set of capabilities provided by Keycloak Organizations are:

• • Manage Organizations
• • Manage Organization Members
• • • Organization Member Self-Registration based on Identity Brokering
• • • Organization Member Registration based on Invitation Links
• • • Manage Invitations
• • • Joining Multiple Organizations
• • Manage Federated Organization Members
• • • Managing members from LDAP
• • • Managing members for custom user storage providers
• • Mapping organization metadata in tokens
• • Customizing templates based on organizations
• • Manage Organization Roles
• • Manage Organization Groups
• • Manage Groups of Organizations
• • Manage Authentication within the Scope of an Organization
• • • Authentication based on the Organization Authentication Policies
• • Manage Clients and Service Accounts
• • Administrative Authorization
• • • RBAC
• • • Fine-Grained
• • Organization-specific Admin and User Events
• • Support for synchronizing identities from organizations using SCIM
• • Organization Self-Service

The planned release dates for Keycloak Organization are:

Release	Scope	State
25.0.0	#28609	Preview
26.0.0	#30229	Supported

For more details about the release dates, see https://github.com/keycloak/keycloak/milestones.

Discussion

#23948

Issues

• First Release of Keycloak Organizations
• Keycloak Organizations fully supported

Motivation

Keycloak is a well-known open-source IAM solution and we want to leverage now its capabilities to enable CIAM with a focus on B2B use cases.

[brecht-vermeersch]

Thanks for all the work! Is joining multiple organisations a confirmed feature that will be added?

[pedroigor]

@brecht-vermeersch Yes. I've proposed it here #30229 (comment).

Although not originally planned, I think it will add more value to this first iteration as it seems to be a common request from people interested in this feature ...

[osajdapawel]

Great work guys, thank you.

I got question about Organization Roles. Do you plan to add the feature in any of upcoming versions?

I got also a suggestion about linking Identity Providers to organization.
Lets go with example:
We got Microsoft multitenant IdProvider and now it cannot be linked to more than one provider. Edit (to more than one organisation)
It would be interesting to have possibility to link it to more than one organization and filter user by email domain and add users to organization that matches that email address (I don't know all the staff behind so maybe it is missed suggestion)

[pedroigor]

Great work guys, thank you.

I got question about Organization Roles. Do you plan to add the feature in any of upcoming versions?

Yes, but not for Keycloak 26. See #30229.

I got also a suggestion about linking Identity Providers to organization. Lets go with example: We got Microsoft multitenant IdProvider and now it cannot be linked to more than one provider. It would be interesting to have possibility to link it to more than one organization and filter user by email domain and add users to organization that matches that email address (I don't know all the staff behind so maybe it is missed suggestion)

Is it related to @osajdapawel Is it about #30088?

[osajdapawel]

Thank you for quick answer.

I meant that one Identity Provider linked to many organizations.
For example one global multitenant Microsoft Identity Provider (that can interact with many different domains) could be linked to many already predefined organizations that would filter users based on domain name.

[pedroigor]

@osajdapawel Today you need to create individual MS IdPs, with the same configuration, and link them to each organization.

There is a constraint that a broker can only be linked to a single organization. But we can review this. Do you want to create an issue and see if we get some votes to support this use case?

[y-tabata]

@pedroigor
Is there a use case where not only themes but also SPI providers are implemented (customized) for each organization?
When considering this use case, the following constraints of the Quarkus distribution concern me. This is because I think it would be difficult to manage rules such as package names across organizations.

With the new distribution there is no longer a separate classpath for custom providers, so you may need to be more careful with what additional dependencies you include.

[UXabre]

This is awesome! This seems like the path we definitely want to migrate to. Perhaps, is there a way to skip the identification phase if we know the organization up front? Because, if I understand correctly, in the future we'll be able to link identity providers to different organizations. Will this work all the same for federations as well, in which an organization admin will be able to add an LDAP link specific for their organization?
Thank you and everyone involved for the great work!

[RyanRad-BSG]

Good evening - this is awesome. I've been searching all day trying to find out the best way to configure our realm to have internal & external groups with different client accesses. After an exhaustive search I found this new preview feature. Seems like with some time, specific client allocation to Organizations will be added? I'd like external users to have limited access to clients while granting access to all clients for internal users. I activated the preview features, doesn't look like that can be accomplished with the first release, but should come available down the line. Is my understanding correct?

[aljaznuncic]

I am happy for a good feature. However, it would be very welcome if the domain was not required when creating the organization. In our application, we have companies that use @gmail.com or the internet provider's domain for their email, or others that have a domain at the level of the entire corporation and would like to have their own organization within our application (they do not have a subdomain). For the last example, a checkbox would be welcome whether you really want users to be automatically added to the organization based on the given domain or not.

I hope that in the future there will also be an "admin" console for administrators of individual organizations.