Organizations Docs

The Organizations feature represents an significant enhancement to standard Keycloak that allows business-to-business (B2B) customers to better manage their partners and customers, and to customize the ways that end-users access their applications. Phase Two customers can use Organizations to:

• Represent their business customers and partners in Phase Two and manage their membership.
• Represent attributes and roles, unique to business customers and partners.
• Provide streamlined invitations to Organizations.
• Allow the self-management of business customers' Identity Providers and Users using our hosted portal and setup wizards.
• Build administration capabilities into their products, using Organizations APIs, so that those businesses can manage their own organizations.

Multi-Tenant Keycloak

Keycloak’s native architecture was not designed for high-scale multi-tenancy, as each realm is fully isolated. Creating and managing hundreds of realms quickly becomes a performance bottleneck and a maintenance burden.

Phase Two’s Organizations feature addresses this by enabling true multi-tenancy within a single realm. This allows businesses to support many tenants without compromising performance or operational simplicity. Instead of duplicating configuration across realms, you can manage users, roles, and access control per organization in a unified structure.

We’ve explored this topic in more detail on our blog.

Creating and managing organizations

Organizations can be managed in the Admin UI in the Organizations section. It is possible here to create Organizations, and manage their attributes, membership, invitations, roles, and associated identity providers.

Feature guides

📄️ Attributes

Attributes functionality provides key-value storage of Organization attributes that can be used in your application to customize experience. The ability to manage attributes is available in the Organizations tab of the Admin UI.

📄️ Membership

Users who are associated with an organization are considered members. The relationship of users to organizations can be managed in the Organizations tab of the Admin UI. Invitations also provide a way to allow organization administrators to invite new members to the organization. If you are associating an identity provider with an organization, all users who authenticate through an associated identity provider will automatically be added as members to the organization.

📄️ Invitations

Invitations provide a way to allow Keycloak and organization administrators to invite new members to the organization.

📄️ Roles

Members of an organization can have role assignments that are specific to that organization. These are separate from Keycloak realm and client roles, and do not inherit from them. There are a set of default roles that control access to functionality within Phase Two, and additional roles can be added for your application purposes. Role creation, management and assigment can be done in the Organizations tab of the Admin UI.

📄️ Identity Providers

Identity providers (IdPs) can be associated with an organization for the purpose of directing users to authenticate with the IdP via a verified email domain, and for automatically granting membership to users who authenticate with that IdP.