
Login That Knows Where You Belong

Let users select their organization or tenant during login—and securely embed that context into the session. With Keymate's Org-Aware Login Extension, every session starts with clarity, scope, and control.

Tenant & Org Selection Built into the Login Flow

Why It Matters

In multi-tenant IAM systems, users may belong to multiple organizations or wear different "hats." But Keycloak's default login flow doesn't account for this complexity. This leads to:

  • Ambiguous session context
  • Hard-to-enforce authorization policies
  • Poor auditability

Keymate solves this with an interactive, secure organization selection screen shown during login. The selected org is written into session notes, available for:

  • Token enrichment
  • Fine-grained access control
  • Delegation scopes
  • Audit and observability

Scoped from the Start—Org Context at Login

The extension modifies the login flow as follows:

[Diagram: Organization-Aware Login Flow]

The selected organization is fully traceable and scoped for the session only—supporting B2B, B2B2C, and G2C scenarios with minimal friction.

Example: Users select their organization context after authentication, which is then embedded into the session.

Key Components:

  • After successful identity validation (e.g., username/password, IdP login), users see an organization selection screen
  • Options are filtered based on realm, identity, or backend org mapping
  • Once selected, the org ID, name, and any delegated roles are written into Keycloak session notes
  • This data is automatically injected into the token (via our Token Enricher extension)
  • Authorization decisions can now evaluate token.org, token.user.department, etc.
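To make that sequence concrete, here is an added example of a Keycloak Authenticator written for this page; it is illustrative code, not Keymate's extension. It runs after credential validation, shows an organization selection form only when more than one organization is available, checks the submitted value server-side against the list the user is actually entitled to, and writes the choice into a user-session note for later token enrichment. It assumes the user's memberships are stored in a multi-valued user attribute named org, a theme template org-select.ftl, and a message key invalidOrgSelection (all hypothetical names); the AuthenticatorFactory and META-INF/services registration Keycloak needs to load it are not shown. Imports use the jakarta.ws.rs namespace of Keycloak 22 and later (older releases use javax.ws.rs).

```java
package example.orgselect; // hypothetical package, not Keymate's

import java.util.List;
import java.util.stream.Collectors;

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Post-authentication step that binds one organization to the session.
 * Placed in the browser flow after the credential step, so getUser() is set.
 */
public class OrgSelectAuthenticator implements Authenticator {

    static final String ORG_ATTR   = "org";            // assumed multi-valued user attribute
    static final String ORG_NOTE   = "org";            // user-session note key read by the token mapper
    static final String FORM_PARAM = "org";            // form field submitted by the selection screen
    static final String TEMPLATE   = "org-select.ftl"; // assumed theme template

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        List<String> orgs = allowedOrgs(context.getUser());

        if (orgs.isEmpty()) {
            // No membership at all: fail closed instead of issuing an unscoped session.
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        if (orgs.size() == 1) {
            // Exactly one choice: bind it silently, no screen needed.
            bind(context, orgs.get(0));
            context.success();
            return;
        }
        // Several memberships: render the selection screen as a challenge.
        Response challenge = context.form()
                .setAttribute("orgs", orgs)
                .createForm(TEMPLATE);
        context.challenge(challenge);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String chosen = form.getFirst(FORM_PARAM);
        List<String> orgs = allowedOrgs(context.getUser());

        // Server-side validation: the browser's value is only accepted if it is on the allowed list.
        if (chosen == null || !orgs.contains(chosen)) {
            Response retry = context.form()
                    .setAttribute("orgs", orgs)
                    .setError("invalidOrgSelection") // assumed message key in the theme bundle
                    .createForm(TEMPLATE);
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, retry);
            return;
        }
        bind(context, chosen);
        context.success();
    }

    /** Organizations this user may select, derived from the assumed user attribute. */
    private static List<String> allowedOrgs(UserModel user) {
        return user.getAttributeStream(ORG_ATTR)
                .filter(v -> v != null && !v.isBlank())
                .distinct()
                .collect(Collectors.toList());
    }

    /** User-session notes are copied to the UserSessionModel, where protocol mappers can read them. */
    private static void bind(AuthenticationFlowContext context, String org) {
        context.getAuthenticationSession().setUserSessionNote(ORG_NOTE, org);
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

The two things worth copying from this shape are that the choice is validated against a server-derived list in action(), so a tampered form value cannot bind the session to an organization the user does not belong to, and that the note is written with setUserSessionNote rather than setAuthNote, so it survives past the login flow into the user session where token mappers and audit logging can see it.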

Extension Highlights — What Makes It Unique

Interactive Org Selection

Choose tenant, organization, or sub-unit during login

Scoped Session Notes

Org info stored securely for use in token and policies

Supports Delegated Roles

Display and store temporary "hats" per organization

Tenant-Aware Filtering

Only show orgs tied to the current realm or identity

Policy-Ready Output

Compatible with Keymate DSL and OpenFGA

Customizable UI

Themeable selection screens per tenant or brand

Frequently Asked Questions

Because groups/attributes don't support session-specific, user-selected context. This extension ensures explicit selection per session.
Yes. The screen is only shown if multiple orgs or roles exist.
The selection UI can present available "hats," and store the chosen one per session.
No. The org selection screen is fast, themeable, and only appears when necessary.
Yes. All values are verified server-side and stored in secure session notes—never exposed to tampering.

How to Use This Extension

Implementation Steps

1. Deploy the extension JAR into your Keycloak instance
2. Add the authenticator step into your login flow
3. Configure organization mapping backend and filtering rules
4. Customize the UI for branding or delegated role options
5. Ensure your Token Enricher and Authorization DSL consume session.org values
6. Monitor session logs for selected organization traces
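Step 5 is where the session note becomes a token claim that policies can evaluate as token.org. As an added example (illustrative code for this page, not Keymate's Token Enricher), here is a minimal OIDC protocol mapper that reads the org user-session note and copies it into the access token, ID token and userinfo response. It assumes the note key org written by the login step and a hypothetical provider id; the META-INF/services registration is not shown. Keycloak's built-in "User Session Note" mapper type can be configured to do the same copy without custom code, which is a reasonable first check before writing a mapper.

```java
package example.orgselect; // hypothetical package, not Keymate's

import java.util.ArrayList;
import java.util.List;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/** Copies the organization selected at login (user-session note "org") into an "org" claim. */
public class OrgNoteClaimMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "example-org-note-mapper"; // hypothetical id
    static final String ORG_NOTE = "org"; // must match the note key written by the login step
    static final String CLAIM    = "org"; // claim name policies evaluate as token.org

    @Override public String getId()              { return PROVIDER_ID; }
    @Override public String getDisplayType()     { return "Org session note to claim (example)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText()        { return "Copies the org selected at login into the token."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return new ArrayList<>(); }

    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
                            UserSessionModel userSession, KeycloakSession session,
                            ClientSessionContext clientSessionCtx) {
        String org = userSession.getNote(ORG_NOTE);
        if (org == null || org.isBlank()) {
            // No selection recorded for this session: emit no claim rather than an empty one,
            // so a policy that requires token.org denies by default.
            return;
        }
        token.getOtherClaims().put(CLAIM, org);
    }
}
```

Because the value comes from the server-side user session rather than from anything the client sends at token time, the resulting claim is as trustworthy as the login-time validation; a policy such as "token.org must equal the resource's owning org" can therefore rely on it without a second lookup.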

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.