I need some recommendations for a multi-tenant project I'm working on, and I'm facing an issue with our Keycloak setup.
Our backend is a .NET API and our frontend is built with Angular. Currently, we have a dedicated realm called "prod," and we differentiate clients (companies) using a CompanyId attribute in Keycloak, which is sent as a claim with every request. This approach has worked well so far.
However, the problem arises when I need to enable SSO (using OpenID, Microsoft, or another provider) for specific companies and have it available only to them. Is there a way to avoid creating a new realm—perhaps by using multiple subdomains?
There’s also the possibility that two different clients might require distinct configurations with the Microsoft SSO provider (for example, allowing login only through their own Azure organization). If I use multiple realms, I would be forced to deploy multiple instances of both the API and the Angular application since our API project currently has a hardcoded Authority server URL with the "prod" realm, and the same applies to the Angular app.
What is the best solution for these scenarios? I would like to maintain a single database and, if possible, only one instance for the backend and one for the frontend.
I have also noticed that starting with version 26, Keycloak supports Organizations, which might be relevant here.
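The single-realm setup described in the question, written out as a minimal ASP.NET Core API (an added example, not the poster's code). It assumes Keycloak at https://keycloak.example.com, the realm "prod", an audience/client named "backend-api", and the custom "CompanyId" claim mapped from the user attribute; the point it makes is that tenant scoping must come from the verified token, never from request input.

```csharp
// Added example, not the poster's code. Assumed values: Keycloak host, realm "prod",
// audience "backend-api", and a "CompanyId" claim mapped from the user attribute.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Authority is pinned to the "prod" realm (the hardcoded URL the question mentions);
// issuer and audience are validated against it so a token minted by any other realm
// or identity provider is rejected before any handler runs.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = "https://keycloak.example.com/realms/prod";
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://keycloak.example.com/realms/prod",
            ValidateAudience = true,
            ValidAudience = "backend-api",
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
    });

// A token without a CompanyId claim belongs to no tenant and is denied outright.
builder.Services.AddAuthorization(o =>
    o.AddPolicy("HasCompany", p => p.RequireClaim("CompanyId")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The tenant is read from the signed token, not from the body, path or query string,
// so one company cannot reach another's data by editing a request parameter.
app.MapGet("/orders", (ClaimsPrincipal user) =>
{
    var companyId = user.FindFirstValue("CompanyId");
    return Results.Ok(new { companyId, message = $"orders scoped to company {companyId}" });
}).RequireAuthorization("HasCompany");

app.Run();
```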