Keycloak token for external IdP (Azure) users

Hello All,

I could really use some help.

I’ve configured a Keycloak instance. I’ve configured Azure AD as an external IdP and set it as the default redirect in the browser flow. I can successfully log in to a browser-based app secured by Keycloak using Azure credentials. I can see the Azure AD user is created in Keycloak and is linked to the provider.

I’m trying to do the same for an API. I’ve secured an API using Keycloak. I’m able to get tokens by performing a POST to {{kcl_url}}/auth/realms/{{kcl_realm}}/protocol/openid-connect/token when the user is local to Keycloak. However, when I use the Azure credentials of the user above, I get a 401 response:

{
  "error": "invalid_grant",
  "error_description": "Invalid user credentials"
}

Since Keycloak was started with the preview profile enabled, token exchange and fine-grained permissions are both enabled. I granted both the Azure AD external IdP and the client (the API being secured) permission to perform token exchanges.

Is what I’m trying to accomplish achievable? Am I overlooking some setting for this to work?

Any assistance would be greatly appreciated.

Thank you,
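The two request shapes the post is comparing, as an added Python example that is not the poster's code and not part of Keycloak: the direct (password) grant that produced the 401 above, next to the external-to-internal token exchange request that Keycloak documents for brokered users, in which the client presents the token it obtained from the external IdP as subject_token and names the provider's alias in subject_issuer (this is the request the IdP's token-exchange permission from the post governs). The realm, client secret, IdP alias, user names and the stand-in transport _fake_keycloak are constructed for the example; pass http_post=None to send the same form to a real server with urllib.

```python
"""Two ways to ask the same Keycloak token endpoint for a token.

1. Resource Owner Password grant: Keycloak checks credentials it stores
   itself. A user brokered from Azure AD has no password in Keycloak, so
   the request is rejected with invalid_grant / "Invalid user credentials".
2. External-to-internal token exchange: the client presents the token it
   obtained from the external IdP as subject_token and names the IdP alias
   in subject_issuer; Keycloak answers with its own token for the linked
   user, provided the client holds the IdP's token-exchange permission.

Realm, client, IdP alias and users below are constructed for the example.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed values standing in for a real deployment.
KC_URL = "https://kc.example"
REALM = "demo"
CLIENT_ID = "api"
CLIENT_SECRET = "s3cret-example"
IDP_ALIAS = "azure-ad"                       # alias of the Azure AD identity provider
LOCAL_USERS = {"svc-local": "local-pw"}      # users with a password stored in Keycloak
BROKERED_USERS = {"alice@contoso.example"}   # users created by brokering, no local password


def token_endpoint(kc_url: str, realm: str) -> str:
    """Token endpoint in the form used in the post (legacy /auth prefix)."""
    return f"{kc_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def password_grant_form(client_id, client_secret, username, password) -> dict:
    """Direct grant: only credentials Keycloak itself stores are checked."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }


def token_exchange_form(client_id, client_secret, idp_alias, external_token) -> dict:
    """External-to-internal exchange of an IdP-issued token for a Keycloak token."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": external_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_issuer": idp_alias,
    }


def _urllib_post(url: str, body: bytes):
    """Real transport: returns (status, raw body), including for 4xx answers."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()   # Keycloak's JSON error document


def _fake_keycloak(url: str, body: bytes):
    """Constructed stand-in for the endpoint so the example runs offline.
    It reproduces the two outcomes described in the docstring above."""
    form = dict(urllib.parse.parse_qsl(body.decode()))

    def reply(status, **doc):
        return status, json.dumps(doc).encode()

    if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
        return reply(401, error="unauthorized_client", error_description="Invalid client credentials")
    if form.get("grant_type") == "password":
        user = form.get("username")
        if LOCAL_USERS.get(user) == form.get("password"):
            return reply(200, access_token=f"kc-token-for-{user}", token_type="Bearer", expires_in=300)
        # Brokered users (and wrong passwords) have no matching local credential.
        return reply(401, error="invalid_grant", error_description="Invalid user credentials")
    if (form.get("grant_type") == TOKEN_EXCHANGE_GRANT
            and form.get("subject_issuer") == IDP_ALIAS
            and form.get("subject_token")):
        return reply(200, access_token=f"kc-token-via-{IDP_ALIAS}", token_type="Bearer", expires_in=300)
    return reply(400, error="invalid_request", error_description="Unsupported grant")


def post_form(url: str, form: dict, http_post=None):
    """POST a form-encoded body; returns (status, parsed JSON body)."""
    body = urllib.parse.urlencode(form).encode()
    status, raw = (http_post or _urllib_post)(url, body)
    return status, json.loads(raw.decode())


if __name__ == "__main__":
    url = token_endpoint(KC_URL, REALM)
    # Azure credentials against the direct grant: the 401 from the post.
    print(post_form(url, password_grant_form(CLIENT_ID, CLIENT_SECRET,
                                             "alice@contoso.example", "azure-pw"), _fake_keycloak))
    # Azure-issued token exchanged for a Keycloak token for the linked user.
    print(post_form(url, token_exchange_form(CLIENT_ID, CLIENT_SECRET, IDP_ALIAS,
                                             "eyJ...azure-access-token"), _fake_keycloak))
```

Against a real realm the subject_token must be one Keycloak can validate for that provider, and the client must have been granted the token-exchange permission on the identity provider; the stand-in only checks the form fields.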

Hello Doblezero,

I’m really concerned by your post; I hope that you’ve found a way to solve your problem,

and I would like to ask if you can help me with the problem I have.
I’m trying to have Azure AD as IdP and Keycloak as SP with SAML, but I still have trouble getting authentication with an Azure AD user into Keycloak apps.

Could you please give me some explanation of the way you set up Azure AD as IdP and Keycloak as SP?

Thanks in advance, and I hope you’re doing well.

Hello @doblezero and @AnasM,

I hope you’re well.

I’ve been stuck on the exact same problem for several days now.
May I ask if one of you found a solution for this?

Thanks in advance,
Best,
Guillaume.

I’m interested in the same.
Was someone eventually able to achieve this?
Thanks