Description
Hello Keycloak team,
We would like to submit Z-Cloud Workspace, developed by Z-SOFT, as a potential case study for the Keycloak website.
Keycloak plays a central role in the identity architecture of our platform, providing authentication and authorization for a multi-tenant collaboration ecosystem.
Below is a summary of how Keycloak is used within our system.
Organization
Z-SOFT
Product
Z-Cloud Workspace
Website
https://workspace.z-cloud.com.vn/
Introduction
Z-Cloud Workspace is a digital workspace platform developed by Z-SOFT that integrates communication, collaboration, and productivity tools into a unified environment.
The platform includes multiple integrated services such as:
- messaging
- email
- file management
- document collaboration
- online meetings
- administrative and portal services
Z-Cloud Workspace is designed as a multi-tenant SaaS platform, allowing multiple organizations to operate independently while sharing a common infrastructure.
To provide secure and seamless authentication across the entire ecosystem, Z-SOFT adopted Keycloak as the centralized Identity and Access Management (IAM) solution.
Keycloak serves as the identity backbone for the platform, enabling Single Sign-On (SSO) across all services while maintaining strict tenant isolation.
Challenge
As the Z-Cloud platform expanded into a multi-service ecosystem, identity management became a critical architectural component.
The platform required a solution capable of:
- providing Single Sign-On across multiple applications
- enforcing tenant isolation in a shared SaaS infrastructure
- managing users, roles, and permissions centrally
- supporting secure token-based authentication for APIs
- integrating easily with custom microservices and gateway layers
Managing authentication independently in each service would have created operational complexity and security risks.
A centralized identity system was required to ensure consistent authentication, authorization, and governance across the platform.
Solution
Z-SOFT implemented Keycloak as the central identity provider for Z-Cloud Workspace.
Keycloak is responsible for:
- authenticating users
- issuing OpenID Connect tokens
- managing user identities and permissions
- enabling Single Sign-On across all Z-Cloud services
All applications within the ecosystem rely on OAuth2 and OpenID Connect tokens issued by Keycloak to authenticate API requests and enforce access policies.
Keycloak integrates with the Z-Cloud architecture through a gateway and middleware layer responsible for validating tokens and propagating identity context across services.
Multi-Tenant Identity Model
Z-Cloud Workspace uses Keycloak Groups to implement multi-tenant identity management.
Each tenant is represented by a group hierarchy within Keycloak, allowing administrators to manage users and permissions within an organizational context.
Example structure:
/z-cloud
  /tenant-zsoft
    /admins
    /users
  /tenant-acme
    /admins
    /users
Users are assigned to tenant groups during onboarding.
When a user authenticates, Keycloak includes group membership information within the OpenID Connect token claims.
Z-Cloud services extract the tenant identifier from these claims and enforce tenant-aware authorization rules.
This design allows the platform to maintain:
- centralized identity management
- clear tenant separation
- scalable user and permission management
By leveraging Keycloak Groups, Z-Cloud avoids building a custom identity system while still supporting a flexible multi-tenant architecture.
Architecture Overview
In the Z-Cloud architecture, Keycloak functions as the central identity provider for all applications.
Authentication flow:
- Users authenticate through the Z-Cloud login interface.
- Authentication requests are handled by Keycloak.
- Keycloak issues OpenID Connect tokens (JWT).
- The Z-Cloud API gateway validates the tokens.
- Backend services extract user roles and tenant information from token claims.
- Access is granted based on tenant context and permissions.
This architecture allows independent services to share a common identity layer while maintaining strong security boundaries.
Keycloak Features Used
Z-Cloud Workspace relies on several core Keycloak capabilities:
- OpenID Connect
- OAuth2 authentication flows
- Groups for tenant management
- Role-based access control
- Token-based authentication
- Identity federation readiness
- Integration with custom gateway middleware
Impact
Adopting Keycloak has enabled Z-SOFT to build a secure and scalable identity foundation for Z-Cloud Workspace.
Key benefits include:
Unified Authentication Experience
Users can log in once and access all services within the Z-Cloud ecosystem.
Centralized Identity Governance
User accounts, roles, and tenant memberships are managed in a single system.
Secure Multi-Tenant Architecture
Tenant boundaries are enforced consistently across all services.
Faster Development of New Services
New services can integrate with Keycloak without implementing their own authentication systems.
Standards-Based Security
Using OAuth2 and OpenID Connect ensures compatibility with enterprise identity ecosystems.
Key Metrics
Z-Cloud Workspace currently uses Keycloak to support:
- multiple integrated collaboration applications
- multi-tenant SaaS architecture
- centralized authentication across services
- secure token-based API authentication
Thank you for maintaining the Keycloak project and ecosystem.
Best regards,
Z-Cloud Engineering Team
Discussion
No response
Motivation
No response
Details
No response
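The tenant-aware check described under "Multi-Tenant Identity Model", sketched as an added example; it is not part of the original submission and not Z-Cloud's code. It assumes the gateway has already verified the token's signature, issuer and expiry, that group membership arrives as full paths in a claim named `groups`, and that a token must map to exactly one tenant; the function names and sample claims are hypothetical.

```python
import re

# Assumption: tenant groups follow the page's layout /z-cloud/tenant-<id>/<admins|users>.
TENANT_PATH = re.compile(r"/z-cloud/tenant-([a-z0-9][a-z0-9-]*)/(admins|users)")


class TenantError(Exception):
    """Raised when the token does not map to exactly one tenant."""


def tenant_context(claims, claim_name="groups"):
    """Return (tenant_id, roles) from already-verified claims, failing closed."""
    groups = claims.get(claim_name)
    if not isinstance(groups, list):
        raise TenantError("groups claim missing or not a list")
    memberships = {}
    for path in groups:
        # fullmatch: a path outside the tenant layout grants nothing
        match = TENANT_PATH.fullmatch(path) if isinstance(path, str) else None
        if match:
            memberships.setdefault(match.group(1), set()).add(match.group(2))
    if len(memberships) != 1:
        # zero tenants or several tenants: refuse rather than pick one
        raise TenantError(f"expected exactly one tenant, found {len(memberships)}")
    return next(iter(memberships.items()))


def authorize(claims, resource_tenant, required_role="users"):
    """Allow only when the caller's tenant owns the resource and holds the role."""
    try:
        tenant_id, roles = tenant_context(claims)
    except TenantError:
        return False
    return tenant_id == resource_tenant and required_role in roles


# Constructed sample claims (not real tokens).
ALICE = {"sub": "alice", "groups": ["/z-cloud/tenant-zsoft/admins"]}
BOB = {"sub": "bob",
       "groups": ["/z-cloud/tenant-acme/users", "/other/tenant-zsoft/admins"]}
MALLORY = {"sub": "mallory",
           "groups": ["/z-cloud/tenant-acme/users", "/z-cloud/tenant-zsoft/users"]}
```

The tenant is taken only from the verified claims, never from a request header or path parameter, so a caller cannot select another tenant by changing the request.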