Organizations for Keycloak
First-class multi-tenancy for Keycloak. Per-organization SSO, invitations, roles, and APIs — the foundation for shipping B2B identity without bending Keycloak realms.
The problem
Keycloak realms weren't designed for B2B tenancy
Teams shipping SaaS on Keycloak hit the same wall: every customer needs their own SSO, roles, and admin — but the realm model wasn't built for that.
No first-class tenant
Keycloak has realms, groups, and attributes — none of which represent "this user belongs to this customer" in a way the rest of the system understands.
A realm per customer doesn't scale
Spinning up a realm per customer multiplies operational cost and breaks shared concerns like product roles, branding, and admin tooling.
Shared realms have no tenancy
A single shared realm has no concept of "this customer signs in through this SAML provider" — so per-customer SSO becomes a custom mapper hack.
Why we built it
We wanted multi-tenancy to be a first-class primitive
Every B2B team running Keycloak was solving the same problem in slightly different — and usually broken — ways. We took the opposite approach.
Organizations are a real object
Their own table, their own APIs, their own admin endpoints — not a convention on top of groups or attributes.
Identity providers attach to orgs
Each organization can own one or more SAML/OIDC providers. Home IdP discovery routes users to the right login based on email domain.
Roles and tokens are org-aware
Token mappers surface org membership and role claims so your application authorizes on (user, org, role) without extra lookups.
Battle-tested in production
It's the multi-tenancy layer under every Phase Two managed deployment and used by the open source SaaS-on-Keycloak community.
What teams use it for
B2B SaaS customer SSO
Each customer gets their own organization with their own SAML or OIDC identity provider. Users authenticate through their employer's IdP and land in the right tenant automatically.
Customer-managed teams
Org admins invite their own users, assign their own roles, and manage their own membership through the Admin Portal — without ever touching the Keycloak console.
Per-tenant authorization
Roles and permissions are defined per organization, with the org as a first-class entity in every token claim. Your app authorizes on (user, org, role) instead of guessing from groups.
Programmatic provisioning
Full REST API to create orgs, attach IdPs, send invitations, and manage members — drop it behind your signup flow or sync from your CRM.
Key capabilities
Per-organization identity providers
Attach one or more SAML/OIDC providers to each organization. Home IdP discovery routes users to the right login flow based on email domain.
Invitations and membership
Email-based invitations, accept/decline flows, and member management built in. Customers onboard their own teams.
Roles, permissions, and token mappers
Organization-scoped roles with token mappers that surface org membership and role claims in every access token — so your app can authorize without extra lookups.
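As an added illustration of the (user, org, role) check described above (this is not code from keycloak-orgs or Phase Two), the function below takes already-verified token claims and decides whether the subject may act with a given role inside a given organization. The claim layout used here, an `organizations` object keyed by org id with a `roles` list, is an assumption for the example; confirm the real shape against a token issued by your own mapper configuration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(claims: dict, org_id: str, required_role: str) -> Decision:
    """Decide whether the token subject may use required_role inside org_id.

    org_id normally comes from the request (URL path or header), so it is
    untrusted. Requiring that the org appears in the token's membership claim
    is what stops a user from reaching another tenant by editing the path.
    Only org-scoped roles count: realm roles in realm_access are ignored.
    """
    orgs = claims.get("organizations")
    if not isinstance(orgs, dict):
        return Decision(False, "token carries no organizations claim")
    membership = orgs.get(org_id)
    if not isinstance(membership, dict):
        return Decision(False, f"{claims.get('sub')} is not a member of {org_id}")
    roles = set(membership.get("roles", []))
    if required_role not in roles:
        return Decision(False, f"missing org role {required_role} in {org_id}")
    return Decision(True, f"{required_role} granted in {org_id}")


# Constructed sample claims (assumed shape). Signature, issuer and expiry are
# taken to have been verified by your JWT library before this point.
SAMPLE_CLAIMS = {
    "sub": "user-0001",
    "realm_access": {"roles": ["admin"]},  # realm role must not grant org access
    "organizations": {
        "org-acme": {"name": "acme", "roles": ["view-organization"]},
    },
}


def demo() -> list:
    """Run the four cases a reviewer would want to see covered."""
    return [
        authorize(SAMPLE_CLAIMS, "org-acme", "view-organization"),   # allowed
        authorize(SAMPLE_CLAIMS, "org-globex", "view-organization"), # wrong tenant
        authorize(SAMPLE_CLAIMS, "org-acme", "manage-members"),      # role missing
        authorize({"sub": "user-0002"}, "org-acme", "view-organization"),  # no claim
    ]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

In a real service, pass `org_id` from the route and look up nothing else: the point of the mapper is that the token alone carries enough to make this decision.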
Get started
Install from GitHub
Drop the JAR into your Keycloak providers directory, or build from source.
p2-inc/keycloak-orgs
Read the docs
Configuration, identity providers, roles, token mappers, and the full REST API reference.
Organizations docs
Skip the install
Phase Two managed Keycloak ships with Organizations and the Admin Portal pre-configured.
Try the hosted version