One Platform, Infinite Looks

Deliver tailored login and account experiences for each tenant without duplicating realms or hacking Keycloak themes. Keymate's Dynamic Branding Extension enables secure, per-tenant branding control—logos, color palettes, text, and even MFA steps.

Per-Tenant Theming with Logo, Color, and Flow Customization

Per-Tenant Identity, Seamlessly Applied

Organizations want their users to feel at home—even when hosted on shared IAM infrastructure. This extension enables:

Dynamic Branding Flow

All without modifying Keycloak's fragile theme templates or creating a realm per tenant.

Example: A decoupled architecture for secure and flexible per-tenant branding.

Key Components:

Logo, color palette, font, and language customization per tenant
Custom login hints, legal disclaimers, and footer content
Fine-grained control over the MFA flow (e.g., step-up enforcement, email first, password first, etc.)
Dynamic selection of branding profile during login, based on realm, subdomain, or session context
Full fallback logic if no branding profile is matched
Secure isolation and centralized admin control over branding options

Extension Highlights

Per-Tenant Theme Profiles

Define branding sets for each tenant, including logos, colors, layout, and more

Dynamic Resolution

Branding is resolved at runtime by realm, subdomain, or login session attributes

MFA Flow Variation

Branding profiles can influence MFA flow: e.g., enforce MFA on login for some tenants

No Theme Overwrites

Avoids brittle template overrides by using dynamic template injection with strict isolation

Secure by Design

Tenant branding is enforced on the backend, avoiding spoofing or branding confusion

Admin Console Integration

Branding profiles can be created, tested, and updated visually via Keymate Admin Console

Frequently Asked Questions

No. This extension allows branding variation within a single realm, drastically simplifying multi-tenant setups.
Yes. You can configure different login flows (e.g., MFA required immediately, or step-up on action) per branding profile.
Yes—but it avoids directly modifying theme templates. Instead, branding is applied dynamically via secure backend logic.
Admins can manage branding via Keymate Admin Console. Self-service for tenants is possible via RBAC configuration.

How to Use This Extension

Make every login reflect your customers' identity. Enable dynamic, secure, and maintainable branding per tenant with Keymate's Dynamic Branding Extension.

Implementation Steps

1. Deploy the extension to your Keycloak server
2. Define branding profiles per tenant in the Admin Console or via API
3. Customize logo, color, layout, footer text, and MFA flow
4. Configure dynamic resolution logic (subdomain, session attribute, realm, etc.)
5. Test profiles in preview mode
6. Go live: branding will be dynamically applied based on session context