I work for a multi company group. Each company has its own Network its own IT Admins and therfore its own Active-Directory. There is no possibility to connect the different Networks via VPN for e.g. The users of the companies can be identified from their email domain for e.g. [email protected] and [email protected]
My goal is to develop a global application for the whole company group.
I want to use Keycloak as Identity and Access Management.
The problem is that every user, which is member of defined groups, from all companies must have access / login / authorized to the centralized frontend and the decentralized backend (self programmed API proxy/gateway).
Here is a drawing of the current situation:
Draw.io Feel free to edit
Suggestion:
Thanks in advance for your help :)
The way it works is that when a user logs in, Keycloak will look into its own internal user store to find the user. If it can't find it there it will iterate over every User Storage provider you have configured for the realm until it finds a match.
I would recommend dedicated "local" Keycloak in each company (with configured user federation to Active Directory). And one "global" Keycloak instance, which will have configured Identity Brokering
to all "local" Keycloak instances. "local" admins will have still full power to manage their users and customize login theme. Users will have to select identity provider from the "global" Keycloak login page or apps may use client-suggested identity provider with kc_idp_hint
query parameter.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With