B2B & Multi-tenant

First-class multi-tenant organizations for Keycloak.

Per-customer organizations with their own SSO, members, roles, invitations, and APIs — the foundation for B2B identity on Keycloak.

Per-Org SSO · Invitations · Roles & Permissions · REST API + SDKs · Webhooks
Organizations · architecture
The problem

Multi-tenant B2B identity isn't a built-in Keycloak feature — until now.

Pain 1

Multi-tenancy is glued together, badly

Most B2B apps end up with tenant tables wired into auth — no consistent way to invite users, manage roles per org, or hand off SSO setup.

Pain 2

Customers expect their IdP, not yours

Every enterprise wants to bring their own Okta, Azure, or SAML setup. Building per-tenant SSO from scratch is months of engineering work.

Pain 3

Admin work eats your support team

Inviting users, managing roles, configuring SSO — without self-serve tools, your support team becomes the customer's identity admin.

Our approach

Organizations as a first-class entity

Not a column on the user table. A real entity with its own identity, membership, roles, IdP, and audit trail.

01

Self-serve by default

Invitations and SSO config happen in your app, not your Keycloak console. Customer admins manage their own users.

02

APIs that match how you ship

REST endpoints, JS/Java/Go SDKs, webhooks for every org event. Treat orgs like any other resource.

03

Open standards underneath

OIDC, SAML, SCIM. No bespoke protocols. If you can speak SSO, you can plug into Organizations.

04

Audit-ready from day one

Every org has a scoped event stream — who joined, who invited them, what role they have, when SSO was changed.

What teams use it for

What teams ship with Organizations

B2B SaaS teams use Organizations to model the customer hierarchy their billing, permissions, and onboarding flows already assume.

01
B2B SaaS multi-tenancy
Per-customer scopes for data, billing, and roles.
02
Enterprise customer onboarding
Hand off SSO + invitations to the customer's admin.
03
Partner / supplier networks
External orgs with limited, time-scoped access.
04
Per-customer compliance
SOC 2 / HIPAA scopes that don't bleed across tenants.
Key capabilities

Everything multi-tenant identity needs

Per-Org SSO

Each organization can point at its own Okta, Azure, Google, or SAML IdP.

Invitations

Send and accept invites with the role and org pre-assigned. Token-signed, expiring URLs.

Per-Org roles

Define roles that only exist within an org. Permissions stay scoped.

Member management API

Add, remove, transfer, suspend — all via REST. SDKs for JS, Java, and Go.

Domain auto-assignment

New signups land in the right org automatically based on their email domain.

Audit log per org

Every membership, role, and SSO change emitted as a Keycloak event.

SCIM 2.0 provisioning

Sync users and groups from the customer's IdP without writing glue.

Webhooks

Every org event posts to your URL — invitations, role changes, SSO updates.

Open source

Run it yourself, fork it, or contribute upstream. Same code as our hosted product.

Get started

Three ways to ship Organizations

Self-host

Run it yourself

Pull the JAR or pre-built container into your Keycloak deployment.

Docs

Read the guides

Install steps, configuration, API reference, and migration notes.

Hosted

Let us run it

Try the hosted Phase Two — all extensions installed and configured.
