Tenant-Specific Organization Selection During Login

Enable users to select their organizational context—such as company, department, or role—at login. This extension embeds the selected context into the session, powering scoped authorization, auditing, and token enrichment.

Personalized Org Selection During Login with Session Context Awareness

Why It Matters

In multi-tenant environments, users often belong to multiple organizational structures—like:

  • Consultants logging into multiple client organizations
  • Public-sector officers switching between departments
  • Support users acting on behalf of different units

Traditional IAM flows assume a static identity. But in real life, context matters. With Keymate's Organization Selector Extension, you:

  • ✅ Present a dynamic list of organizations per user and tenant
  • ✅ Store the selected organization in Keycloak session notes
  • ✅ Use that context for token enrichment, policy evaluation, and auditing

Dynamic Org Context Selection—Embedded from the Start

Organization Selection Flow

Use cases include: Organization-scoped token generation, Department-level access restrictions, Scoped impersonation or delegation, and Multi-org audit logging.

Example: A user selects their organizational context at login, which is then written to session notes for use in token enrichment and policy enforcement.

Key Components:

  1. User initiates login
  2. After credentials are validated, a per-tenant organization tree is shown
  3. User selects their unit/department/org role
  4. Selection is written to session notes
  5. Token mappers or SPIs use this context to enrich tokens and enforce policies

Extension Highlights — What Makes It Unique

Per-Tenant Organization Awareness

Displays relevant orgs based on user's tenant during login

Session Notes Integration

Stores selected org context directly into Keycloak session notes

Token Enrichment Ready

Enables token enrichment via mappers or enrichers

Policy Context Hook

Authorization policies (e.g., OpenFGA, DSL) can evaluate selected org

Multi-Role & Delegation Support

Compatible with "hat"-based role switching or delegated roles

Audit Traceability

Full trace of selected org context for each login session

Frequently Asked Questions

  • No. Keycloak does not natively support org selection or multi-tenant login flows. This is a custom extension.
  • Via the Keymate Organization Service, dynamically scoped to the authenticated user and tenant.
  • The UI prompts them to choose the appropriate one for their session. Policies then enforce based on that choice.
  • Yes. Selected context (e.g., "acting as approver for Org X") is fully compatible with delegation-aware tokens and policies.

How to Use This Extension

Implementation Steps

  1. Install the authenticator SPI into Keycloak
  2. Configure the login flow to include the organization selector step
  3. Connect to Keymate's Organization API to retrieve org structures
  4. Ensure token enrichment and policy hooks reference session notes
  5. Test the login flow and evaluate policies using enriched org context
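The following is an added illustration of the flow described in Key Components and in the implementation steps above: a Keycloak Authenticator that runs after credential validation, shows an organization list, validates the user's choice server-side, and writes it to a user session note. It is example code written for this page, not Keymate's extension. The package name, the `select-org.ftl` template, the `organizations` user attribute that stands in for the Organization API lookup, and the `selected_org` note name are all assumptions; it targets the Quarkus distribution of Keycloak (jakarta namespace).

```java
package com.example.orgselector; // hypothetical package; not Keymate's code

import java.util.List;
import java.util.stream.Collectors;

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Authenticator step that runs after credential validation and asks the user
 * which organization this session should act in. The choice is re-validated
 * server-side and written to a user session note so token mappers and policy
 * hooks can read it later.
 */
public class OrgSelectorAuthenticator implements Authenticator {

    /** User session note carrying the selected org (assumed name). */
    public static final String ORG_NOTE = "selected_org";
    /** Hypothetical multivalued user attribute standing in for the Organization API lookup. */
    private static final String ORG_ATTRIBUTE = "organizations";
    private static final String FORM_FIELD = "org";
    private static final String TEMPLATE = "select-org.ftl"; // assumed theme template

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        List<String> orgs = lookupOrgs(context.getUser());
        if (orgs.isEmpty()) {
            // A user with no organization membership gets no session at all.
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        if (orgs.size() == 1) {
            // Nothing to choose: record the only org and continue the flow.
            storeSelection(context, orgs.get(0));
            context.success();
            return;
        }
        context.challenge(renderForm(context, orgs, null));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String chosen = form.getFirst(FORM_FIELD);
        List<String> allowed = lookupOrgs(context.getUser());
        // Never trust the posted value: the browser can submit any org id.
        // Membership is re-checked against the server-side list before it is stored.
        if (chosen == null || !allowed.contains(chosen)) {
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                    renderForm(context, allowed, "invalidOrgSelection"));
            return;
        }
        storeSelection(context, chosen);
        context.success();
    }

    private Response renderForm(AuthenticationFlowContext context, List<String> orgs, String error) {
        LoginFormsProvider form = context.form().setAttribute("orgs", orgs);
        if (error != null) {
            form.setError(error);
        }
        return form.createForm(TEMPLATE);
    }

    private void storeSelection(AuthenticationFlowContext context, String org) {
        // User session notes set on the authentication session are copied to the
        // user session at login, where mappers and policy code can read them.
        context.getAuthenticationSession().setUserSessionNote(ORG_NOTE, org);
        // Also attach the choice to the LOGIN event for audit traceability.
        context.getEvent().detail(ORG_NOTE, org);
    }

    /** Stand-in for the Organization API call: read org ids from a user attribute. */
    private List<String> lookupOrgs(UserModel user) {
        return user.getAttributeStream(ORG_ATTRIBUTE).collect(Collectors.toList());
    }

    @Override
    public boolean requiresUser() {
        return true; // must run after the user has been identified
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}
```

To deploy it, pair the class with an `AuthenticatorFactory` registered in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, copy the browser flow, and add the step as REQUIRED directly after the Username Password Form. For step 4, no extra code is needed on the token side: Keycloak's built-in "User Session Note" protocol mapper can copy the `selected_org` note into a claim, and any policy hook that receives the user session can read the same note. The server-side membership check in `action()` is the part that matters for security: without it, the org written to the session would be whatever the client posted.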

ELEVATE YOUR IAM STRATEGY

Ready to Transform Your Keycloak Experience?

Implement fine-grained authorization, multi-tenant infrastructure, and comprehensive security policies with Keymate — built on the Keycloak foundation you already trust.