The Ultimate Best Guide on Keycloak Multi-Tenancy (Part 1)

In the diverse world of software security and identity management, the topic of multi-tenancy in Keycloak is much like a religious debate, split between two main schools of thought: Monorealmism and Polyrealmism.

This distinction can be paralleled to theological perspectives – just as in religion where beliefs and practices can vary vastly, in Keycloak, the approach to handling multiple tenants can differ significantly, leading to a variety of “faiths” or strategies.

Monorealmism

In the Monorealmistic view, there is a single, all-encompassing realm that governs the authentication and authorization processes across all applications and services. This singular realm approach simplifies the management by having a centralized set of users, roles, clients, and settings. Configuration under Monorealmism typically involves setting up one realm to cover all necessary aspects of authentication and authorization, utilizing fine-grained permissions and roles to separate different user groups and services.

Polyrealmism

Conversely, Polyrealmism advocates for the use of multiple realms within Keycloak. Each realm acts as an independent entity with its own set of users, roles, clients, and configurations. This approach aligns with a more compartmentalized view, where each tenant or project has its own realm, allowing for tailored authentication flows, user management, and isolation between different parts of the business or various external clients.

Which one is Best for Multi-Tenancy?

Choosing between Monorealmism and Polyrealmism can be challenging. To assist in this decision, here is a comparative table outlining the pros and cons of each approach:

| Aspect | Monorealmism | Polyrealmism |
|---|---|---|
| Configuration | Single configuration; easier to maintain | Multiple configurations; more complex |
| Isolation | Less isolation between tenants | Strong isolation between tenants |
| Scalability | Limited scalability for different tenant needs | High scalability; each tenant can be individually scaled |
| Management | Easier user management in a single realm | More complex management due to multiple realms |
| Customization | Limited to what one realm can offer | Highly customizable per tenant |

When to Choose One Over the Other

  • Monorealmism is best suited for scenarios where all users are part of the same organizational unit and where there is no strict requirement for tenant isolation. It’s ideal for smaller organizations or in-house applications where simplicity and ease of management are prioritized.
  • Polyrealmism, on the other hand, shines in environments requiring high levels of tenant isolation, such as in multi-tenant SaaS applications, or where different departments or groups require distinctly different authentication workflows and settings. It’s suited for larger, more complex organizations or service providers.
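To make the isolation difference concrete, here is an added example (not code from the original post or from Keycloak) of the tenant check an application has to perform in each layout. It assumes a Keycloak base URL, a single realm named "shared" for the Monorealmistic case, and a group-membership mapper that exposes tenant groups as a "groups" claim; under Polyrealmism the realm itself carries the boundary, under Monorealmism the application must enforce it.

```python
"""Tenant checks on a Keycloak access token under both realm layouts.
Added example, not code from the original post or from Keycloak. Assumptions:
Keycloak runs at BASE_URL, so a realm's issuer is "<BASE_URL>/realms/<realm>";
under Monorealmism one realm SHARED_REALM holds each tenant as a group
"/tenants/<tenant>" (subgroups allowed), surfaced in the token as the "groups"
claim by a group-membership mapper. Signature and expiry are checked earlier.
"""
from typing import Any, Mapping, Optional

BASE_URL = "https://sso.example.com"  # constructed value
SHARED_REALM = "shared"               # Monorealmism: the single realm


def issuer_for(realm: str) -> str:
    return f"{BASE_URL}/realms/{realm}"


def tenant_allowed_polyrealm(claims: Mapping[str, Any], tenant: str) -> bool:
    """Polyrealmism: the realm is the boundary. The token's issuer must equal
    that tenant's realm exactly, so realm "acme" never satisfies "acme2"."""
    return claims.get("iss") == issuer_for(tenant)


def tenant_of_group(path: str) -> Optional[str]:
    """Map a Keycloak group path to a tenant: "/tenants/acme" and the nested
    "/tenants/acme/admins" both belong to "acme"; "/tenants/acme2" does not."""
    parts = path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "tenants" and parts[1]:
        return parts[1]
    return None


def tenant_allowed_monorealm(claims: Mapping[str, Any], tenant: str) -> bool:
    """Monorealmism: all tenants share one issuer, so the application itself
    must enforce the boundary from in-token attributes."""
    if claims.get("iss") != issuer_for(SHARED_REALM):
        return False
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return False  # mapper missing: fail closed rather than grant access
    return any(tenant_of_group(g) == tenant for g in groups if isinstance(g, str))


# Constructed sample payloads (decoded JWT claims).
POLY_TOKEN = {"iss": issuer_for("acme"), "sub": "u1"}
MONO_TOKEN = {"iss": issuer_for(SHARED_REALM), "sub": "u2",
              "groups": ["/tenants/acme/admins"]}
```

Note that the Monorealmistic check silently grants nothing when the mapper is absent; a missing "groups" claim is treated as no tenant membership at all.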

Overcoming the Cons of Monorealmism

Monorealmism, while providing simplicity and consolidated management, often faces criticism for its lack of tenant isolation and scalability challenges when adapting to varied tenant needs. However, these limitations can be significantly mitigated through strategic approaches and technological solutions.

One effective method to enhance the Monorealmistic approach is to use extensions such as keycloak-multi-tenancy. This tool allows a single realm to host multiple tenants while providing a level of isolation and customization that is typically only seen in Polyrealmism.

Support for Monorealmism in Keycloak 25

With Keycloak 25, released in early June 2024, it is now possible to handle multi-tenancy using Organizations. The feature is still in preview at the time of writing (Monday, June 24, 2024), but it is a strong foundation for the many users who need B2B scenarios and want to manage their organizations within a single realm. We can expect clear improvements in the future and probably general availability soon.

Overcoming the Cons of Polyrealmism

While Polyrealmism presents challenges, notably in terms of configuration complexity and management overhead, these can be mitigated. Tools and strategies, such as centralized management software, can streamline the handling of multiple realms. Automating setup and synchronization across realms can also reduce the administrative burden.

In conclusion, the choice between Monorealmism and Polyrealmism in Keycloak multi-tenancy resembles choosing a path based on beliefs and requirements. With the right tools and strategies, the drawbacks of each approach can be managed, leading to a secure and efficient identity and access management system.

In another post, we will take a deeper look at the common issues (e.g. when the realm count reaches the hundreds) one might run into with either option.