Sergey Prokofiev

Reputation: 1885

Proxy identity brokering to map users from multiple Keycloak realms into single end user

I have a system where Keycloak (KC1) is used for user management and provides A&A to my application (APP1). I have several realms configured in KC1 where each realm represents a tenant in APP1. This setup works as expected and users from different tenants are able to log in to APP1. I have another application (APP2) which has its own user model and supports a single OAuth2 provider.

I need to set up SSO for APP2, so any user from different tenants logged into APP1 can be automatically authenticated in APP2.

Attempt 1: The first thing I tried is to configure KC1 as IDP for APP2, but since realms are isolated from each other they all have different SAML/OIDC metadata, so it's possible to configure APP2 to use only 1 realm at a time and I need all.

Attempt 2: Next I tried to use another Keycloak instance KC2 as identity broker. I added all realms from KC1 as IDPs into a single realm of KC2 and pointed APP2 to that realm of KC2.


With that setup I can log in to APP1 using the login screen provided by KC1. Now, if I try to navigate to APP2 in the same browser tab (same session) I will be prompted for credentials (which I need to avoid).

Attempt 3: This attempt is very similar to the previous one, but instead of adding KC2, I just created a separate specific realm in KC1, configured all other realms as IDPs and used that specific realm in APP2. The outcome is the same - the user is prompted for login when trying to access APP2 after successful authentication in APP1.

My understanding is that there should be a way to install a trust relationship between KC1 and KC2, so it will be possible to re-use the access token generated by KC1 to auth into APP2. Is there a way to organize SSO in my case (maybe using another software to "proxy" auth tokens)?

Upvotes: 0

Views: 34
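As an added example (not part of the question above or of Keycloak's own code), the block below shows the two pieces a broker-based setup like Attempt 2 relies on: per-realm issuer/discovery URLs (which is why a single APP2 OIDC configuration cannot cover several KC1 realms), and the authorization request that APP2 sends to the broker realm. It uses Keycloak's `kc_idp_hint` request parameter, which tells the broker realm which configured identity provider to redirect to instead of showing its own login page with the IdP chooser; whether that avoids the credential prompt still depends on the user holding a live SSO session in the chosen KC1 realm. The hostnames, realm names, client id and the tenant-to-IdP-alias mapping are assumptions; Keycloak versions before 17 serve realms under an `/auth` prefix, which would be passed as part of the base URL.

```python
# Added example: broker-realm authorization request with kc_idp_hint, plus
# an issuer allow-list for tokens coming back from the KC1 tenant realms.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed deployment (hypothetical hostnames and realm names).
KC1_BASE = "https://kc1.example.test"   # Keycloak doing user management
KC2_BASE = "https://kc2.example.test"   # Keycloak acting as identity broker
BROKER_REALM = "app2-broker"            # the single realm APP2 talks to

# Tenant realm in KC1 -> alias of the matching IdP configured in the
# broker realm (assumed naming convention).
TENANT_IDP_ALIAS = {
    "tenant-a": "kc1-tenant-a",
    "tenant-b": "kc1-tenant-b",
}


def realm_issuer(base_url: str, realm: str) -> str:
    """Issuer ("iss") value of a Keycloak realm; each realm has its own."""
    return f"{base_url.rstrip('/')}/realms/{realm}"


def discovery_url(base_url: str, realm: str) -> str:
    """OIDC discovery document of one realm (distinct per realm)."""
    return realm_issuer(base_url, realm) + "/.well-known/openid-configuration"


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) for the auth request."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def broker_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                         state: str, code_challenge: str) -> str:
    """Authorization request APP2 sends to the broker realm.

    kc_idp_hint names the IdP alias; Keycloak then redirects straight to
    that IdP (here: the user's KC1 tenant realm) instead of rendering the
    broker realm's login page with an IdP chooser."""
    alias = TENANT_IDP_ALIAS[tenant]  # KeyError for an unknown tenant
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "kc_idp_hint": alias,
    }
    auth_endpoint = realm_issuer(KC2_BASE, BROKER_REALM) + "/protocol/openid-connect/auth"
    return auth_endpoint + "?" + urlencode(params)


def parse_authorize_url(url: str) -> dict[str, str]:
    """Flatten the query of an authorization URL (used for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def issuer_allowed(iss: str, tenants) -> bool:
    """Exact-match allow-list of KC1 tenant realm issuers.

    A prefix match would also accept e.g. '.../realms/tenant-a/anything',
    so only exact issuer strings are accepted."""
    allowed = {realm_issuer(KC1_BASE, t) for t in tenants}
    return iss in allowed


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    url = broker_authorize_url("tenant-a", "app2", "https://app2.example.test/cb",
                               secrets.token_urlsafe(16), challenge)
    print(url)
    print(discovery_url(KC1_BASE, "tenant-a"))
```

The `iss` check only covers which realm a token came from; in a real deployment the token's signature is still verified against the JWKS of that same realm before any claim is trusted.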

Answers (0)
