Using Keycloak as IdP for Azure AD

I know it is pretty easy to set up Azure AD as an IdP for Keycloak, but I’d like to use Keycloak as an identity provider for Azure AD / Microsoft 365.

Here is some documentation on using SAML 2.0 for Azure AD: Azure AD Connect: Use a SAML 2.0 Identity Provider for Single Sign On - Azure | Microsoft Docs

How would I set up Azure AD to redirect to Keycloak for auth?

Start by reviewing the Keycloak documentation on setting up a SAML client: Server Administration Guide

You can use the import functionality in Keycloak with the SAML metadata Microsoft distributes here: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

Looks like everything is either there or in the Azure AD Connect link you posted above.

@xgp thank you so much for your swift help.

Over the past two days, I’ve been working at this, but keep running into the same error: AADSTS50107: The requested federation realm object 'https://<KEYCLOAK_SERVER>/auth/realms/<realm>' does not exist.

Is there a way to view the interactions between Azure AD and Keycloak in detail?
I’ve been searching online to try and resolve this error, but am getting nowhere. I’d greatly appreciate any help.

Dear William, did you manage to solve this?

The link you provided doesn’t mention where to create the connection to test this. I know how to create a Keycloak client, but I don’t know what configuration I need in Azure AD to create the link that uses the Keycloak client as IdP.

Cheers

I managed to get this up and running with the following settings:

Import the file above into Keycloak, but set Client Signature Required to OFF.
Then, copy the X509Certificate from the SAML 2.0 Identity Provider Metadata file (found on the General page of your realm settings).

Open PowerShell in Windows (Does not work on Linux/Azure Cloud Shell) and issue the Connect-MsolService command to login to your Azure AD account.

After logging in, use this template to set up your domain for federation:

$dom = "DOMAIN_TO_FEDERATE"
$BrandName = "Sample SAML 2.0 IDP" 
$keycloakURL = "https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/saml" 
$issuerURI = "https://KEYCLOAK_URL/auth/realms/REALM_NAME" 
$MySigningCert = "<X509Certificate>" 
$Protocol = "SAMLP" 
Set-MsolDomainAuthentication `
  -DomainName $dom `
  -FederationBrandName $BrandName `
  -Authentication Federated `
  -PassiveLogOnUri $keycloakURL `
  -ActiveLogOnUri $keycloakURL `
  -SigningCertificate $MySigningCert `
  -IssuerUri $issuerURI `
  -LogOffUri $keycloakURL `
  -PreferredAuthenticationProtocol $Protocol

That’s the basic setup. You’ll need to manually add each user to Azure AD.
When a user tries to sign into Microsoft 365 a new attribute will be created in Keycloak, but they cannot sign in yet. The new attribute is saml.persistent.name.id.for.urn:federation:MicrosoftOnline and will contain a string.

In PowerShell, run this command:

Set-MsolUser -UserPrincipalName "USER_LOGIN" -ImmutableId "PERSISTENT_ID_ATTRIBUTE"

where PERSISTENT_ID_ATTRIBUTE is the string in saml.persistent.name.id.for.urn:federation:MicrosoftOnline and USER_LOGIN is the email address the user uses to login to Microsoft 365.

Alternatively you can create this attribute in Keycloak before the user attempts signing in.

2 Likes
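The federation steps above, assembled as one checked PowerShell script. This is an added example, not code from the thread or from Microsoft or Keycloak; it assumes the MSOnline module is loaded and Connect-MsolService has already succeeded, that Keycloak publishes the realm’s IdP metadata at the standard `/realms/REALM/protocol/saml/descriptor` path under the same `/auth` prefix the thread uses, and that `KEYCLOAK_URL`, `REALM_NAME`, `DOMAIN_TO_FEDERATE`, `USER_LOGIN` and `PERSISTENT_ID_ATTRIBUTE` are placeholders you replace. The function names `Get-KeycloakSamlIdp`, `Set-KeycloakFederation` and `Set-FederatedUserId` are this example’s own.

```powershell
# Added example (not from the thread). Reads the signing certificate and entityID straight
# from the realm's SAML descriptor instead of copying them by hand, applies the same
# Set-MsolDomainAuthentication call as in the thread, then reads the settings back to
# confirm Azure AD stored exactly what Keycloak publishes.

function Get-KeycloakSamlIdp {
    param(
        [Parameter(Mandatory)] [string] $KeycloakBase,   # e.g. https://KEYCLOAK_URL/auth (placeholder)
        [Parameter(Mandatory)] [string] $Realm           # e.g. REALM_NAME (placeholder)
    )
    # Standard Keycloak IdP metadata endpoint for a realm (assumption: /auth-prefixed layout as in the thread).
    $descriptorUrl = "$KeycloakBase/realms/$Realm/protocol/saml/descriptor"
    [xml] $meta = (Invoke-WebRequest -Uri $descriptorUrl -UseBasicParsing).Content

    $mdNs = 'urn:oasis:names:tc:SAML:2.0:metadata'
    $dsNs = 'http://www.w3.org/2000/09/xmldsig#'

    # entityID is the Issuer Keycloak puts in every SAML response; Azure AD's IssuerUri must equal it.
    $entity = $meta.GetElementsByTagName('EntityDescriptor', $mdNs) | Select-Object -First 1
    if (-not $entity) { throw "No EntityDescriptor found in $descriptorUrl" }

    # Only the signing key belongs in -SigningCertificate; skip any KeyDescriptor marked use="encryption".
    $signingCert = $null
    foreach ($kd in $meta.GetElementsByTagName('KeyDescriptor', $mdNs)) {
        if ($kd.GetAttribute('use') -in @('', 'signing')) {
            $x509 = $kd.GetElementsByTagName('X509Certificate', $dsNs) | Select-Object -First 1
            if ($x509) { $signingCert = ($x509.InnerText -replace '\s', ''); break }
        }
    }
    if (-not $signingCert) { throw "No signing X509Certificate found in $descriptorUrl" }

    [pscustomobject]@{
        IssuerUri   = $entity.GetAttribute('entityID')
        SigningCert = $signingCert
        SsoUrl      = "$KeycloakBase/realms/$Realm/protocol/saml"
    }
}

function Set-KeycloakFederation {
    param(
        [Parameter(Mandatory)] [string] $Domain,      # DOMAIN_TO_FEDERATE (placeholder)
        [Parameter(Mandatory)] $Idp,                  # object returned by Get-KeycloakSamlIdp
        [string] $BrandName = 'Keycloak'
    )
    Set-MsolDomainAuthentication `
        -DomainName $Domain `
        -FederationBrandName $BrandName `
        -Authentication Federated `
        -PassiveLogOnUri $Idp.SsoUrl `
        -ActiveLogOnUri $Idp.SsoUrl `
        -SigningCertificate $Idp.SigningCert `
        -IssuerUri $Idp.IssuerUri `
        -LogOffUri $Idp.SsoUrl `
        -PreferredAuthenticationProtocol SAMLP

    # Read back what Azure AD stored. An IssuerUri that differs from the descriptor's entityID
    # means Azure AD will not find a federation realm matching the Issuer in Keycloak's responses.
    $fed = Get-MsolDomainFederationSettings -DomainName $Domain
    if ($fed.IssuerUri -ne $Idp.IssuerUri) {
        throw "IssuerUri mismatch: Azure AD has '$($fed.IssuerUri)', Keycloak publishes '$($Idp.IssuerUri)'"
    }
    if ($fed.SigningCertificate -ne $Idp.SigningCert) {
        throw "Signing certificate stored in Azure AD differs from the one Keycloak publishes"
    }
    $fed
}

function Set-FederatedUserId {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # USER_LOGIN (placeholder)
        [Parameter(Mandatory)] [string] $PersistentId         # value of saml.persistent.name.id.for.urn:federation:MicrosoftOnline
    )
    # ImmutableId must equal the persistent NameID Keycloak sends, otherwise Azure AD cannot map the assertion to this user.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $PersistentId
    (Get-MsolUser -UserPrincipalName $UserPrincipalName).ImmutableId
}

# Usage (all values are placeholders):
# $idp = Get-KeycloakSamlIdp -KeycloakBase 'https://KEYCLOAK_URL/auth' -Realm 'REALM_NAME'
# Set-KeycloakFederation -Domain 'DOMAIN_TO_FEDERATE' -Idp $idp
# Set-FederatedUserId -UserPrincipalName 'USER_LOGIN' -PersistentId 'PERSISTENT_ID_ATTRIBUTE'
```

The read-back via Get-MsolDomainFederationSettings is the part worth keeping even if you paste the values by hand: it makes an IssuerUri typo or a stale certificate visible immediately, instead of surfacing later as a failed sign-in for every user of the domain.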

Dear William, This is actual gold, thanks a lot!

On another note, this works for me only if I start from the SAML client, setting up
IDP Initiated SSO URL Name.
I get from Keycloak a URL like this:
https://KEYCLOAK_URL/auth/realms/cdsdev/protocol/saml/clients/URL_NAME

This works, and once it is properly configured as suggested, my question now is: do you know how to make Azure use that domain as an external organization?

What I mean is: when I try to log in with the new user, can Azure redirect to Keycloak for the login?

Please use the PowerShell commands above to set up domain federation, which redirects users to your Keycloak to log in.