Over the past two days, I’ve been working at this, but keep running into the same error: AADSTS50107: The requested federation realm object 'https://<KEYCLOAK_SERVER>/auth/realms/<realm>' does not exist.
Is there a way to view the interactions between Azure AD and Keycloak in detail?
I’ve been searching online to try and resolve this error, but am getting nowhere. I’d greatly appreciate any help.
The link you provided doesn’t mention where to create the connection to test this. I know how to create a Keycloak client, but I don’t know what configuration I need in Azure AD to create the link that uses the Keycloak client as the IdP.
I managed to get this up and running with the following settings:
Import the file above into Keycloak, but set Client Signature Required to OFF.
Then, copy the X509Certificate from the SAML 2.0 Identity Provider Metadata file (found on the General page of your realm settings).
Open PowerShell in Windows (does not work on Linux/Azure Cloud Shell) and issue the Connect-MsolService command to log in to your Azure AD account.
After logging in, use this template to set up your domain for federation:
That’s the basic setup. You’ll need to manually add each user to AzureAD.
When a user tries to sign in to Microsoft 365, a new attribute will be created in Keycloak, but they cannot sign in yet. The new attribute is saml.persistent.name.id.for.urn:federation:MicrosoftOnline and will contain a string.
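As an added example (not the poster’s template, and not code from Keycloak or Microsoft), here is a PowerShell fragment that builds the Set-MsolDomainAuthentication parameters from the realm’s SAML IdP descriptor instead of copying the certificate by hand; the server name, realm, domain and metadata content are constructed placeholders, and it assumes Keycloak’s default /auth/realms/<realm> URL layout and the MSOnline module.

```powershell
# Added example: derive the Set-MsolDomainAuthentication parameters for a Keycloak
# realm from its SAML IdP metadata (assumes the default /auth/realms/<realm> layout).
function Get-KeycloakFederationParams {
    param(
        [Parameter(Mandatory)] [string] $KeycloakBaseUrl,  # e.g. https://keycloak.example.com
        [Parameter(Mandatory)] [string] $Realm,
        [Parameter(Mandatory)] [string] $DomainName,       # the verified Azure AD domain
        [Parameter(Mandatory)] [string] $MetadataXml       # contents of <realm URL>/protocol/saml/descriptor
    )
    $realmUrl = "$KeycloakBaseUrl/auth/realms/$Realm"
    $xml = [xml] $MetadataXml
    # Keycloak's entityID is the realm URL. Azure AD looks the federated domain up by the
    # Issuer of the SAML response, so IssuerUri must equal it exactly; the AADSTS50107
    # message quotes the value that failed this lookup.
    $entityId = $xml.EntityDescriptor.entityID
    if ($entityId -ne $realmUrl) {
        throw "Metadata entityID '$entityId' does not match expected realm URL '$realmUrl'"
    }
    # Take the signing certificate and strip whitespace so it is a single base64 string.
    $signingKey = @($xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor) |
        Where-Object { $_.use -eq 'signing' } | Select-Object -First 1
    if (-not $signingKey) { throw 'No signing KeyDescriptor found in metadata' }
    $cert = ($signingKey.KeyInfo.X509Data.X509Certificate -replace '\s', '')
    return @{
        DomainName                      = $DomainName
        Authentication                  = 'Federated'
        IssuerUri                       = $realmUrl
        FederationBrandName             = "Keycloak ($Realm)"
        PassiveLogOnUri                 = "$realmUrl/protocol/saml"
        ActiveLogOnUri                  = "$realmUrl/protocol/saml"
        LogOffUri                       = "$realmUrl/protocol/saml"
        SigningCertificate              = $cert
        PreferredAuthenticationProtocol = 'Samlp'
    }
}
# Constructed sample metadata (the real one is served at <realm URL>/protocol/saml/descriptor).
$sampleMetadata = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://keycloak.example.com/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@
$params = Get-KeycloakFederationParams -KeycloakBaseUrl 'https://keycloak.example.com' -Realm 'demo' -DomainName 'example.com' -MetadataXml $sampleMetadata
Connect-MsolService                   # sign in to the tenant first (Windows PowerShell only)
Set-MsolDomainAuthentication @params  # federates example.com with the Keycloak realm
```

Run it once per realm; if the entityID check throws, the IssuerUri you would have registered is the one Azure AD reports as missing in AADSTS50107.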
On another note, this works for me only if I start from the SAML client, setting up IDP Initiated SSO URL Name.
I get from keycloak a URL like this:
This works, and once it is properly configured as suggested, my question now is: do you know how to make Azure use that domain as an external organization?
What I mean is: when I try to log in with the new user, can Azure redirect to Keycloak for the login?
Thank you for all the hard work getting this to run. I have one remark, though, for those who are still getting errors after being redirected from Keycloak. It seems necessary to activate “Sign documents” OR “Sign assertions”, but not both.
I’ve been thinking about how to give back to the community, so I created a PowerShell script to automatically create Azure AD accounts with the necessary information.
My Github gist of it is here: keycloak-sync.ps1 · GitHub