Using Keycloak as IdP for Azure AD

I know it is pretty easy to setup Azure AD as an IdP for Keycloak, but I’d like to use Keycloak as an identity provider for Azure AD / Microsoft 365.

Here is some documentation on using SAML 2.0 for Azure AD: Azure AD Connect: Use a SAML 2.0 Identity Provider for Single Sign On - Azure | Microsoft Docs

How would I setup Azure AD to redirect to Keycloak for auth?

Start by reviewing the Keycloak documentation on setting up a SAML client: Server Administration Guide

You can use the import functionality in Keycloak with the SAML metadata Microsoft distributes here: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

Looks like everything is either there or in the Azure AD Connect link you posted above.

@xgp thank you so much for your swift help.

Over the past two days, I’ve been working at this, but keep running into the same error: AADSTS50107: The requested federation realm object 'https://<KEYCLOAK_SERVER>/auth/realms/<realm>' does not exist.

Is there a way to view the interactions between Azure AD and Keycloak in detail?
I’ve been searching online to try and resolve this error, but am getting nowhere. I’d greatly appreciate any help.

Dear William, did you manage to solve this?

The link you provided doesn’t mention where to create the connection to test this. I know how to create a Keycloak client, but I don’t know what configuration I need in Azure AD to create the link that uses the Keycloak client as IdP.

Cheers

I managed to get this up and running with the following settings:

Import the file above into Keycloak, but set Client Signature Required to OFF.
Then, copy the X509Certificate from the SAML 2.0 Identity Provider Metadata file (found on the General page of your realm settings).

Open PowerShell in Windows (Does not work on Linux/Azure Cloud Shell) and issue the Connect-MsolService command to login to your Azure AD account.

After logging in, use this template to setup your domain for federation:

$dom = "DOMAIN_TO_FEDERATE"                                                   # verified custom domain in Azure AD
$BrandName = "Sample SAML 2.0 IDP"
$keycloakURL = "https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/saml"    # realm SAML endpoint (no /auth on Keycloak 17+)
$issuerURI = "https://KEYCLOAK_URL/auth/realms/REALM_NAME"                    # must match the realm's entityID
$MySigningCert = "<X509Certificate>"                                          # base64 certificate from the realm IdP metadata
$Protocol = "SAMLP"
Set-MsolDomainAuthentication `
  -DomainName $dom `
  -FederationBrandName $BrandName `
  -Authentication Federated `
  -PassiveLogOnUri $keycloakURL `
  -ActiveLogOnUri $keycloakURL `
  -SigningCertificate $MySigningCert `
  -IssuerUri $issuerURI `
  -LogOffUri $keycloakURL `
  -PreferredAuthenticationProtocol $Protocol

That’s the basic setup. You’ll need to manually add each user to AzureAD.
When a user tries to sign into Microsoft 365, a new attribute will be created in Keycloak, but they cannot sign in yet. The new attribute is saml.persistent.name.id.for.urn:federation:MicrosoftOnline and will contain a string.

In PowerShell, run this command:

Set-MsolUser -UserPrincipalName "USER_LOGIN" -ImmutableId "PERSISTENT_ID_ATTRIBUTE"

where PERSISTENT_ID_ATTRIBUTE is the string in saml.persistent.name.id.for.urn:federation:MicrosoftOnline and USER_LOGIN is the email address the user uses to login to Microsoft 365.

Alternatively you can create this attribute in Keycloak before the user attempts signing in.

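The same federation setup as an added example (not William's script or anything from the thread): it reads the entityID, endpoints and signing certificate out of the realm's published SAML IdP metadata and feeds them to Set-MsolDomainAuthentication, so the issuer check that otherwise fails with AADSTS50107 happens before anything is written to Azure AD. The parameters $KeycloakBase, $Realm and $Domain and the helper Get-MdValue are assumptions.

```powershell
# Added example, not from the thread: build the Set-MsolDomainAuthentication call
# from the realm's SAML IdP metadata instead of copying the values by hand.
# Assumes the MSOnline module is loaded, Connect-MsolService has been run, and the
# Keycloak 17+ URL layout (no /auth prefix); prepend /auth for older servers.
param(
    [Parameter(Mandatory)] [string] $KeycloakBase,  # e.g. https://KEYCLOAK_URL
    [Parameter(Mandatory)] [string] $Realm,         # e.g. REALM_NAME
    [Parameter(Mandatory)] [string] $Domain,        # DOMAIN_TO_FEDERATE
    [string] $BrandName = "Keycloak SAML IdP"
)

$issuerUri   = "$KeycloakBase/realms/$Realm"
# Same document as the "SAML 2.0 Identity Provider Metadata" link in realm settings.
$metadataUri = "$issuerUri/protocol/saml/descriptor"
[xml] $md = (Invoke-WebRequest -Uri $metadataUri -UseBasicParsing).Content
$ns   = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
$post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

# Hypothetical helper: first match of an XPath, as attribute value or element text.
function Get-MdValue([string] $XPath) {
    $hit = Select-Xml -Xml $md -Namespace $ns -XPath $XPath | Select-Object -First 1
    if (-not $hit) { throw "metadata lacks $XPath" }
    if ($hit.Node -is [System.Xml.XmlAttribute]) { $hit.Node.Value } else { $hit.Node.InnerText }
}

# Azure AD matches the Issuer of each assertion against the stored IssuerUri; a
# mismatch is the AADSTS50107 "federation realm object does not exist" error.
$entityId = Get-MdValue '/md:EntityDescriptor/@entityID'
if ($entityId -ne $issuerUri) { throw "entityID '$entityId' differs from expected '$issuerUri'" }

$ssoUrl = Get-MdValue "//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$post']/@Location"
$sloUrl = Get-MdValue "//md:IDPSSODescriptor/md:SingleLogoutService[@Binding='$post']/@Location"
# First signing key only; if the realm lists several, confirm under Keys that it is the active one.
$cert = (Get-MdValue "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate") -replace '\s', ''

Set-MsolDomainAuthentication `
  -DomainName $Domain `
  -FederationBrandName $BrandName `
  -Authentication Federated `
  -PassiveLogOnUri $ssoUrl `
  -ActiveLogOnUri $ssoUrl `
  -LogOffUri $sloUrl `
  -IssuerUri $entityId `
  -SigningCertificate $cert `
  -PreferredAuthenticationProtocol SAMLP

# Read back what Azure AD stored so issuer, endpoints and certificate can be checked.
Get-MsolDomainFederationSettings -DomainName $Domain
```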

Dear William, This is actual gold, thanks a lot!

On another note, this works for me only if I start from the SAML client by setting up
IDP Initiated SSO URL Name.
I get from Keycloak a URL like this:
https://KEYCLOAK_URL/auth/realms/cdsdev/protocol/saml/clients/URL_NAME

This works once it is properly configured as suggested. My question now is: do you know how to make Azure use that domain as an external organization?

What I mean is: when I try to log in with the new user, can Azure redirect to Keycloak for the login?


Please use the PowerShell commands above to set up domain federation, which redirects users to your Keycloak to log in.

Dear William, do you mind sharing the SAML client settings in Keycloak? Thanks.

Sorry for the delay.
Try this file: Azure AD Keycloak Client · GitHub


Hi William,

I’ve been testing this implementation and I got to the point where Azure redirects me to the Keycloak page; however, once there I get a “Sorry, page not found” from Keycloak.

I am wondering what I am missing.

Thanks for your time.

Tetrus

Hey @tetrus,

Keycloak 17/18 removed the /auth/ prefix in URLs. If you go to your realm’s general settings, you can download the SAML identity metadata, which has your specific URLs.

If that doesn’t help you, send me a PM and we can look at your individual setup.

William, I just figured it out, it was /auth lol. I came here to tell you but I guess you beat me to the punch…

I noticed it when I imported the IDP metadata into an SP on the same Keycloak and the URL was missing /auth.

Thanks for your help,

Tetrus


You’re quite welcome. I might remember to update this guide to the new version of Keycloak soonish™️

No worries,

I’m running into an error when I’m trying to run the Set-MsolUser command. I still get user not found; however, the sign-in attempt did create the persistent name ID attribute in Keycloak.

Any clues? Thanks again for your time.

Tetrus

OpenIdConnectMessage.Error was not null, indicating an error. Error: ‘server_error’. Error_Description (may be empty)[…]A SAML assertion validation failed: no supported token signature is provided.

It’s probably a misconfiguration again on my part, based on the error message in the URL string.

Does your user exist in AzureAD? If not, you may need to create the user in AAD first. Your best bet is to use the command line rather than the AAD web interface.

I recently ran into a problem where I had to create the UPN as user@ORG.onmicrosoft.com and then change it to my federated domain.

You can set the Immutable ID to whatever you want so long as it’s the same in KC. You can even change it if need be. I don’t know the consequences of doing so, however.

PS: No need to sign your posts as your profile is displayed on each of your posts. Discourse actually recommends against this in their community guidelines/suggestions.
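The user-side half of the procedure as an added example (not the gist linked later in the thread): it creates the Azure AD account under the tenant's initial domain first, moves the UPN to the federated domain, and then makes sure the ImmutableId equals the persistent NameID value Keycloak holds for that user. The parameters $FederatedUpn, $DisplayName, $PersistentId, $TenantInitialDomain and $UsageLocation are assumptions.

```powershell
# Added example, not from the thread: provision one Azure AD user for a Keycloak user
# and tie the two together through the ImmutableId. Assumes the MSOnline module is
# loaded, Connect-MsolService has been run, and the Keycloak user already carries
# the saml.persistent.name.id.for.urn:federation:MicrosoftOnline attribute (created
# on first sign-in attempt, or set by hand beforehand).
param(
    [Parameter(Mandatory)] [string] $FederatedUpn,          # user@DOMAIN_TO_FEDERATE
    [Parameter(Mandatory)] [string] $DisplayName,
    [Parameter(Mandatory)] [string] $PersistentId,          # value of the Keycloak attribute
    [Parameter(Mandatory)] [string] $TenantInitialDomain,   # ORG.onmicrosoft.com
    [string] $UsageLocation = 'US'
)

$user = Get-MsolUser -UserPrincipalName $FederatedUpn -ErrorAction SilentlyContinue
if (-not $user) {
    # Workaround from the thread for "user not found": create the account under the
    # tenant's initial domain, then rename the UPN into the federated domain.
    $tempUpn = $FederatedUpn.Split('@')[0] + '@' + $TenantInitialDomain
    New-MsolUser -UserPrincipalName $tempUpn -DisplayName $DisplayName `
        -UsageLocation $UsageLocation -ImmutableId $PersistentId | Out-Null
    Set-MsolUserPrincipalName -UserPrincipalName $tempUpn -NewUserPrincipalName $FederatedUpn
}

# The ImmutableId has to be the same string Keycloak sends as the persistent NameID;
# correct it on an existing account rather than leaving a stale value in place.
$current = (Get-MsolUser -UserPrincipalName $FederatedUpn).ImmutableId
if ($current -ne $PersistentId) {
    Set-MsolUser -UserPrincipalName $FederatedUpn -ImmutableId $PersistentId
}

# Show the final mapping so it can be compared with the Keycloak user attribute.
Get-MsolUser -UserPrincipalName $FederatedUpn | Select-Object UserPrincipalName, ImmutableId
```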

Thanks, I’ll try that.

Great success, I got it working! That last error was because I needed to enable “Sign Documents” and “Sign Assertions”.

I guess Azure was waiting for some type of signature based on that URL error message.

Thanks again William.

Hello William,

I have the same problem. Can you help me set this up? Where do I first need to import the SAML information, and then where do I need to insert the SAML information into Office 365?

Thanks

Best regards

Matthias

Hey guys,

Thank you for all the hard work getting this to run. I have one remark, though, for those who are still getting errors after being redirected from Keycloak. It seems necessary to activate “Sign documents” OR “Sign assertions”, but not both.

I’ve been thinking about how to give back to the community, so I created a PowerShell script to automatically create Azure AD accounts with the necessary information.
My GitHub gist of it is here: keycloak-sync.ps1 · GitHub