Hi,
I’m new to Keycloak, AD, MS365, Kerberos (literally everything).
Pretty sure that my question is really dumb or doesn’t even make sense…
Please let me know if I’m understanding something wrong or need to provide more information or so.
[Situation]
1. PC AD - UPN : @a.com
2. Site AD - UPN : @b.com (email)
3. Azure AD - uses Site AD’s UPN
Currently using AD FS
User opens MS365 (Word/Excel/Teams etc.) > Azure AD asks for email > User enters email > Redirect to AD FS login form (email field is already filled in as received) > User enters password > Redirect to Azure AD (correctly signed in, shows the Word document)
I tested Sign in with Kerberos using PC AD; works all good.
Now I’m trying to connect MS365 and found out that it uses Site AD’s UPN.
So I’m going to create another User Federation for Site AD.
I have not imported (and will not import) users from any of the User Federations.
The priority would be (0)PC AD then (1)Site AD.
I created saml client for MS365 following the official MS guide (Microsoft Entra Connect: Use a SAML 2.0 Identity Provider for Single Sign On - Azure - Microsoft Entra ID | Microsoft Learn) and the discussion (Using Keycloak as IdP for Azure AD).
The only settings I manually changed are below:
- signature required > off
- logout service post binding url > blank
- full scope allowed > off
Then I added the attribute in keycloak admin console.
-
[AADC] Synchronization Rules Editor - Send ImmutableID to Site AD (info)
–
Add new rule (ImmutableID to info)
Name : New Rule
Connected System : Site AD
Connected System Object Type : user
Metaverse Object Type : person
Precedence : 1
–
Scope
Add clause > Attribute : sourceAnchor, Operator : ISNOTNULL
–
Transformations
FlowType : Direct
Target Attribute : info
Merge Type : Update
– -
[Keycloak] User Federation - Site AD (Add Mapper)
–
IDPEmail(UPN)
Name : userPrincipalName
Mapper Type : user-attribute-ldap-mapper
User Model Attribute : userPrincipalName
LDAP Attribute : userPrincipalName
–
ImmutableID(NameID)
Name : ImmutableID
Mapper Type : user-attribute-ldap-mapper
User Model Attribute : ImmutableID
LDAP Attribute : info
– -
[Keycloak] Client - MS (Add Mapper)
–
IDPEmail(UPN)
Name : IDPEmail
Mapper Type : User Attribute
User Attribute : userPrincipalName
SAML Attribute Name : IDPEmail
SAML Attribute NameFormat : Unspecified
–
ImmutableID(NameID)
Name : NameID
Mapper Type : User Attribute Mapper For NameID
Name ID Format : urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
User Attribute : ImmutableID
–
How would the flow work?
Since I cannot use the PC login info (because the UPN doesn’t match Azure AD’s), I cannot use Kerberos, correct?
So the Authentication Flow for the MS365 client will have username-password-form
- Is it possible to use password-form instead?
- Do I need to set [Login with email] on?
Would it work like below?
case 1. PC login > Web site login redirects to Keycloak > Check PC AD > Kerberos sign-in & redirect to web site main page
case 2. Open MS365 (Word/Teams etc.) > redirect to Azure AD > User enters email > Azure AD redirects to Keycloak > Keycloak shows username-password-form > user enters email & password > Check PC AD but it does not allow sign-in > Check Site AD, correct, send back to Azure AD > show the Word document
I’m not sure what happened, but my post disappeared, so I’m posting this again…
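A way to check the assertion shape described in the post, as an added example that is not part of the original post and not Keycloak or Microsoft code: the script below parses a SAML Response (after base64-decoding the `SAMLResponse` form field) and verifies the three things the mapper configuration above is meant to produce for Microsoft Entra ID: a Subject NameID in persistent format whose value decodes to a 16-byte GUID (the ImmutableID / sourceAnchor), an `IDPEmail` attribute equal to the user's cloud UPN, and the `urn:federation:MicrosoftOnline` audience named in the Microsoft guide the post cites. The sample Response, the issuer URL `https://keycloak.example.test/realms/corp`, the GUID bytes and the UPNs `user@b.com` / `user@a.com` are all constructed here; the "bad" variant models case 2 from the post, where the Site AD UPN (`@b.com`) is what Entra ID expects and a PC AD UPN (`@a.com`) would not match. The check only inspects content; it does not validate the XML signature on the assertion.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response/Assertion
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ENTRA_AUDIENCE = "urn:federation:MicrosoftOnline"  # from the Microsoft SAML 2.0 IdP guide


def check_entra_assertion(response_xml, expected_upn):
    """Return a list of problems; an empty list means the assertion looks right for Entra ID."""
    problems = []
    root = ET.fromstring(response_xml)
    assertion_tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == assertion_tag else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    # 1. Subject NameID: persistent format, value is the ImmutableID (base64 of a 16-byte GUID)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    else:
        fmt = name_id.get("Format")
        if fmt != PERSISTENT:
            problems.append("NameID Format is %r, expected persistent" % fmt)
        try:
            raw = base64.b64decode(name_id.text or "", validate=True)
            if len(raw) != 16:
                problems.append("NameID decodes to %d bytes, expected 16 (GUID)" % len(raw))
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("NameID is not valid base64")

    # 2. IDPEmail attribute must carry exactly the cloud UPN
    values = [
        v.text
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == "IDPEmail"
        for v in a.findall("saml:AttributeValue", NS)
    ]
    if not values:
        problems.append("no IDPEmail attribute")
    elif values != [expected_upn]:
        problems.append("IDPEmail %r does not match UPN %r" % (values, expected_upn))

    # 3. Audience restriction must name Entra ID
    audiences = [
        a.text
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if ENTRA_AUDIENCE not in audiences:
        problems.append("Audience %r does not include %s" % (audiences, ENTRA_AUDIENCE))
    return problems


# Constructed sample: what the post's mappers should emit for a Site AD user.
# NameID value is base64 of the constructed GUID bytes 00 01 02 ... 0f.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://keycloak.example.test/realms/corp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">AAECAwQFBgcICQoLDA0ODw==</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>user@b.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed failure case: transient NameID and the PC AD UPN (@a.com) instead of Site AD's (@b.com)
BAD_RESPONSE = (
    GOOD_RESPONSE
    .replace("nameid-format:persistent", "nameid-format:transient")
    .replace("user@b.com", "user@a.com")
)

if __name__ == "__main__":
    print("good:", check_entra_assertion(GOOD_RESPONSE, "user@b.com"))
    print("bad: ", check_entra_assertion(BAD_RESPONSE, "user@b.com"))
```

To use it against a real login, take the `SAMLResponse` POST parameter from the browser's network tab (or the Keycloak SAML trace), base64-decode it, and pass the XML plus the user's Entra ID UPN to `check_entra_assertion`; any returned string is something Entra ID will refuse to map to the cloud user.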