The Organizations feature represents a significant enhancement to standard Keycloak that allows business-to-business (B2B) customers to better manage their partners and customers, and to customize the ways that end-users access their applications. Phase Two customers can use Organizations to:
- Represent their business customers and partners in Phase Two and manage their membership.
- Represent attributes and roles, unique to business customers and partners.
- Provide streamlined invitations to Organizations.
- Allow the self-management of business customers' Identity Providers and Users using our hosted portal and setup wizards.
- Build administration capabilities into their products, using Organizations APIs, so that those businesses can manage their own organizations.
Creating and managing organizations
Organizations can be managed in the Admin UI in the Organizations section. It is possible here to create Organizations, and manage their attributes, membership, invitations, roles, and associated identity providers.
Attributes functionality provides key-value storage of Organization attributes that can be used in your application to customize experience. The ability to manage attributes is available in the Organizations tab of the Admin UI.
Users who are associated with an organization are considered members. The relationship of users to organizations can be managed in the Organizations tab of the Admin UI. Invitations also provide a way to allow organization administrators to invite new members to the organization. If you are associating an identity provider with an organization, all users who authenticate through an associated identity provider will automatically be added as members to the organization.
Invitations provide a way to allow Keycloak and organization administrators to invite new members to the organization.
Members of an organization can have role assignments that are specific to that organization. These are separate from Keycloak realm and client roles, and do not inherit from them. There are a set of default roles that control access to functionality within Phase Two, and additional roles can be added for your application purposes. Role creation, management and assignment can be done in the Organizations tab of the Admin UI.
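Because organization roles are separate from realm and client roles, an application has to check them per organization rather than falling back to a realm-wide role. The following is an added example, not Phase Two or Keycloak code. It assumes the access token has already been signature-verified and decoded, and that an organization claim mapper places membership and roles under an "organizations" claim shaped as {"<org-id>": {"name": "...", "roles": [...]}}; confirm that shape against the mapper configured in your realm. The org ids and role names in the sample payload are constructed.

```python
"""Organization-scoped authorization checks on a decoded access token.

Added example, not Phase Two or Keycloak code. Assumes the token has
already been signature-verified and decoded, and that an organization
claim mapper produces an "organizations" claim shaped as
{"<org-id>": {"name": "...", "roles": [...]}} (assumption; check your mapper).
"""
from typing import Any, Dict, FrozenSet, Mapping

# Constructed sample payload; org ids and role names are illustrative only.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "user-123",
    # Realm roles live in their own claim and must never imply organization access.
    "realm_access": {"roles": ["admin"]},
    "organizations": {
        "org-acme": {"name": "Acme", "roles": ["view-members", "manage-invitations"]},
        "org-globex": {"name": "Globex", "roles": ["view-members"]},
    },
}


def _org_entries(claims: Mapping[str, Any]) -> Mapping[str, Any]:
    """Return the organizations claim, or an empty mapping if absent or malformed."""
    orgs = claims.get("organizations")
    return orgs if isinstance(orgs, Mapping) else {}


def is_member(claims: Mapping[str, Any], org_id: str) -> bool:
    """True only if the token lists the user as a member of org_id."""
    return org_id in _org_entries(claims)


def org_roles(claims: Mapping[str, Any], org_id: str) -> FrozenSet[str]:
    """Roles the user holds in org_id; malformed entries yield no roles (fail closed)."""
    entry = _org_entries(claims).get(org_id)
    if not isinstance(entry, Mapping):
        return frozenset()
    roles = entry.get("roles")
    if not isinstance(roles, list):
        return frozenset()
    return frozenset(r for r in roles if isinstance(r, str))


def has_org_role(claims: Mapping[str, Any], org_id: str, role: str) -> bool:
    """Organization-scoped check: realm and client roles are deliberately ignored."""
    return role in org_roles(claims, org_id)


def require_org_role(claims: Mapping[str, Any], org_id: str, role: str) -> None:
    """Raise PermissionError unless the user holds `role` in `org_id`."""
    if not has_org_role(claims, org_id, role):
        raise PermissionError(
            f"{claims.get('sub')!r} lacks role {role!r} in organization {org_id!r}"
        )


if __name__ == "__main__":
    require_org_role(SAMPLE_CLAIMS, "org-acme", "manage-invitations")
    print("ok")
```

Every check is keyed on the organization id taken from the request (for example the org whose members are being listed), so a user who holds a role in one organization, or a realm-level role, gets nothing in another organization.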
Identity providers
Identity providers (IdPs) can be associated with an organization for the purpose of directing users to authenticate with the IdP via a verified email domain, and for automatically granting membership to users who authenticate with that IdP.
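Routing a user to an organization's IdP by email domain is only safe when the match is exact and the domain has actually been verified by the organization. The following is an added example, not Phase Two or Keycloak code; the domain table, organization ids and IdP aliases are constructed, and a real deployment would read them from the organization's configured domains and associated IdPs.

```python
"""Select an organization's identity provider from a verified email domain.

Added example, not Phase Two or Keycloak code. The ORG_DOMAINS table,
org ids and IdP aliases are constructed for illustration.
"""
import re
from typing import Dict, Optional

# One DNS label: ASCII letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")

# Constructed: domain -> organization and the IdP alias associated with it.
ORG_DOMAINS: Dict[str, dict] = {
    "acme.example": {"org_id": "org-acme", "idp_alias": "acme-saml", "verified": True},
    "globex.example": {"org_id": "org-globex", "idp_alias": "globex-oidc", "verified": True},
    # Claimed by an organization but not yet verified: must route nobody.
    "initech.example": {"org_id": "org-initech", "idp_alias": "initech-oidc", "verified": False},
}


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of a well-formed address, else None."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or any(ch.isspace() for ch in local):
        return None
    domain = domain.lower()
    # fullmatch rejects trailing dots, empty labels and non-ASCII domains.
    if not _DOMAIN_RE.fullmatch(domain):
        return None
    return domain


def idp_for_email(email: str, domains: Dict[str, dict] = ORG_DOMAINS) -> Optional[dict]:
    """Organization and IdP alias to redirect to, or None to fall back to local login."""
    domain = email_domain(email)
    if domain is None:
        return None
    # Exact match only: sub.acme.example and acme.example.evil never match acme.example.
    entry = domains.get(domain)
    if entry is None or not entry.get("verified"):
        return None
    return {"org_id": entry["org_id"], "idp_alias": entry["idp_alias"]}


if __name__ == "__main__":
    print(idp_for_email("alice@ACME.example"))
```

Subdomains are not matched implicitly; an organization that wants sub.acme.example routed has to register and verify that domain as well. Returning None for anything unmatched or unverified means the failure mode is a normal local login, never a redirect to an IdP chosen by the person who typed the address.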