Multiple User Federation (different UPN) - MS365 client

Hi,

I’m new to keycloak, AD, MS365, kerberos (literally everything).
Pretty sure that my question is really dumb or doesn’t even make sense…
Please let me know if I’m understanding something wrong or need to provide more information or so.

[Situation]
1. PC AD - UPN : @a.com
2. Site AD - UPN : @b.com (email)
3. Azure AD - uses Site AD’s UPN

Currently using AD FS
User opens MS365(word/excel/teams etc) > Azure AD asks for email > User enters email > Redirect to AD FS login form (email feild is already filled as received) > User enters password > Redirect to Azure AD (Correctly signed in, show the word document)

I tested Sign in with Kerberos using PC AD; works all good.
Now I’m tyring to connect MS365 and found out that it uses Site AD’s UPN.

So I’m going to create another User Federation for Site AD.
I have not imported (and will not import) users from any of the User Federation.
The priority would be (0)PC AD then (1)Site AD.

I created saml client for MS365 following the official MS guide (Microsoft Entra Connect: Use a SAML 2.0 Identity Provider for Single Sign On - Azure - Microsoft Entra ID | Microsoft Learn) and the discussion (Using Keycloak as IdP for Azure AD).
The only settings I manually changed are below:

  • signatre required > off
  • logout service post binding url > blank
  • full scope allowed > off

Then I added the attribute in keycloak admin console.

  1. [AADC] Synchronization Rules Editor - Send ImmutableID to Site AD (info)

    Add new rule (ImmutableID to info)
    Name : New Rule
    Connected System : Site AD
    Connected System Object Type : user
    Metaverse Object Type : person
    Precedence : 1

    Scope
    Add clause > Attribute : sourceAnchor, Operator : ISNOTNULL

    Transtormations
    FlowType : Direct
    Target Attribute : info
    Merge Type : Update

  2. [Keycloak] User Federation - Site AD (Add Mapper)

    IDPEmail(UPN)
    Name : userPrincipalName
    Mapper Type : user-attribute-ldap-mapper
    User Model Attribute : userPrincipalName
    LDAP Attribute : userPrincipalName

    ImmutableID(NameID)
    Name : ImmutableID
    Mapper Type : user-attribute-ldap-mapper
    User Model Attribute : ImmutableID
    LDAP Attribute : info

  3. [Keycloak] Client - MS (Add Mapper)

    IDPEmail(UPN)
    Name : IDPEmail
    Mapper Type : User Attribute
    User Attribute : userPrincipalName
    SAML Attribute Name : IDPEmail
    SAML Attribute NameFormat : Unspecified

    ImmutableID(NameID)
    Name : NameID
    Mapper Type : User Attribute Mapper For NameID
    Name ID Format : urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    User Attribute : ImmutableID

How would the flow work?
Since I cannot use PC log in info (cuz the UPN doesn’t match with Azure AD’s one), I cannot use kerberos, correct?
So the Authentication Flow for MS365 client will have username-password-form

  • Is it possible to use password-form instead?
  • Do I need to set [Login with email] on?

Would it work like below?
case1. PC Log in > Web site Login redirects to keycloak > Check PC AD > Kerberos sign in & redirect to web site main page
case2. Open MS365(word/teams etc) > redirect to Azure AD > User enters email > Azure AD redirects to keycloak > keycloak shows username-password-form > user enters email&password > Check PC AD but it does not allow sign-in > Check Site AD, correct, send back to Azure AD > show the word document

I’m not sure what happened but my post disappeared that I post this again…

Hi! Did you get any response to this? Did you succeed? If yes, then what was your successful configuration in the end?
Best regards
Charles

I ended up using keycloak for kerberos only and developed my own sso server (which is used for AzureAD’ IDP and grabs Site AD’s info using keycloak’s token made using PC AD)
Shame that I can’t help you :frowning:
FYI. AzureAD connection using SAML doesn’t support intune; if you use those kinds of security solutions, you need to use ws-federation