Using Keycloak as IdP for Azure AD

William_CTO · August 9, 2021, 10:08pm

I know it is pretty easy to setup Azure AD as an IdP for Keycloak, but I’d like to use Keycloak as an identity provider for Azure AD / Microsoft 365.

Here is some documentation on using SAML 2.0 for Azure AD. Azure AD Connect: Use a SAML 2.0 Identity Provider for Single Sign On - Azure | Microsoft Docs

How would I setup Azure AD to redirect to Keycloak for auth?

xgp · August 10, 2021, 4:53pm

Start my reviewing the Keycloak documentation on setting up a SAML client: Server Administration Guide

You can use the import functionality in Keycloak with the SAML metadata Microsoft distributes here: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

Looks like everything is either there or in the Azure AD Connect link you posted above.

William_CTO · August 13, 2021, 3:49am

@xgp thank you so much for your swift help.

Over the past two days, I’ve been working at this, but keep running into the same error: AADSTS50107: The requested federation realm object 'https://<KEYCLOAK_SERVER>/auth/realms/<realm>' does not exist.

Is there a way to view the interactions between Azure AD and Keycloak in detail?
I’ve been searching online to try and resolve this error, but am getting nowhere. I’d greatly appreciate any help.

g-calibrate · October 18, 2021, 9:51am

Dear William, did you manage to solve this?

The link you provided doesn’t mention where to create the connection to test this, I know how to create a keycloak client but I don’t know what configuration I need in azure AD to create the link that uses the keycloak client as IDP.

Cheers

William_CTO · October 27, 2021, 12:30am

I managed to get this up an running with the following settings:

Import the file above into keycloak, but set Client Signature Required to OFF.
Then, copy the X509Certificate from the SAML 2.0 Identity Provider Metadata file (found on the General page of your realm settings).

Open PowerShell in Windows (Does not work on Linux/Azure Cloud Shell) and issue the Connect-MsolService command to login to your Azure AD account.

After logging in, use this template to setup your domain for federation:

$dom = "DOMAIN_TO_FEDERATE"
$BrandName = "Sample SAML 2.0 IDP" 
$keycloakURL = "https://KEYCLOAK_URL/auth/realms/REALM_NAME/protocol/saml" 
$issuerURI = "https://KEYCLOAK_URL/auth/realms/REALM_NAME" 
$MySigningCert = "<X509Certificate>" 
$Protocol = "SAMLP" 
Set-MsolDomainAuthentication `
  -DomainName $dom `
  -FederationBrandName $BrandName `
  -Authentication Federated `
  -PassiveLogOnUri $keycloakURL `
  -ActiveLogOnUri $keycloakURL `
  -SigningCertificate $MySigningCert `
  -IssuerUri $issuerURI `
  -LogOffUri $keycloakURL `
  -PreferredAuthenticationProtocol $Protocol

That’s the basic setup. You’ll need to manually add each user to AzureAD.
When a user tries to sign into Microsoft 365 a new attribute will be created in Keycloak, but they cannot sign in yet. The new attribute is saml.persistent.name.id.for.urn:federation:MicrosoftOnline and will contain a string.

In PowerShell, run this command

Set-MsolUser -UserPrincipalName "USER_LOGIN" -ImmutableId "PERSISTENT_ID_ATTRIBUTE"

where PERSISTENT_ID_ATTRIBUTE is the string in saml.persistent.name.id.for.urn:federation:MicrosoftOnline and USER_LOGIN is the email address the user uses to login to Microsoft 365.

Alternatively you can create this attribute in Keycloak before the user attempts signing in.

g-calibrate · October 29, 2021, 1:16pm

Dear William, This is actual gold, thanks a lot!

On another note, this works for me only if I start from the SAML client setting up
IDP Initiated SSO URL_Name
I get from keycloak a URL like this:
https://KEYCLOAK_URL/auth/realms/cdsdev/protocol/saml/clients/URL_NAME

this works and once it is properly configured as suggested, my question is now, do you know how to make azure to use that domain as an external organization?

What I mean is that when I try to login with the new user can azure redirect to keycloak for the login?

William_CTO · October 29, 2021, 4:00pm

Please use the Powershell commands above to setup domain federation which redirects users to your Keycloak to login.

fam · March 16, 2022, 8:03am

Dear William, do you mind share the SAML client setting in Keycloak. Thanks.

William_CTO · March 19, 2022, 7:52am

Sorry for the delay.
Try this file: Azure AD Keycloak Client · GitHub

tetrus · July 21, 2022, 5:27pm

Hi William,

I’ve been testing this implementation and I got to the point where Azure redirects me to the Keycloak page, however once there I get a “Sorry Page not found” from keycloak.

I am wondering what I am missing.

Thanks for your time.

Tetrus

William_CTO · July 21, 2022, 5:46pm

Hey @tetrus,

Keycloak 17/18 removed the /auth/ prefix in urls. If you go to your realm’s general settings, you can download the SAML identity metadata which has your specific urls.

If that doesn’t help you, send me a PM and we can look at your individual setup.

tetrus · July 21, 2022, 5:58pm

William I just figured it out it was /auth lol, i came here to tell you but I guess you beat me to the punch…

I noticed it when I imported the IDP metadata into a SP on the same keycloak and the url was missing auth.

Thanks for your help,

Tetrus

William_CTO · July 21, 2022, 6:00pm

You’re quite welcome. I might remember to update this guide to the new version of Keycloak soonish™️

tetrus · July 21, 2022, 6:02pm

No worries,

I’m running into an error when im trying to run the Set-Msol user command, I still get user not found, however the sign in attempt did create the persistent name id attribute in keycloak.

Any clues? Thanks again for your time.

Tetrus

tetrus · July 21, 2022, 6:08pm

OpenIdConnectMessage.Error+was+not+null%2C+indicating+an+error.+Error%3A+‘server_error’.+Error_Description+(may+be+empty)[…]A+SAML+assertion+validation+failed%3A+no+supported+token+signature+is+provided.

Its probably a misconfig again on my part based on the error message in the URL string

William_CTO · July 21, 2022, 6:10pm

Does your user exist in AzureAD? If not, you may need to create the user in AAD first. Your best bet is to use the command line rather than the AAD web interface.

I’ve recently ran into a problem where I had to create the UPN as user@ORG.onmicrosoft.com then change it to my federated domain.

You can set the Immutable ID to whatever you want so long as it’s the same in KC. You can even change it if need be. I don’t know the consequences of doing so, however.

PS: No need to sign your posts as your profile is displayed on each of your posts. Discourse actually recommends against this in their community guidelines/suggestions.

tetrus · July 21, 2022, 6:10pm

Thanks, I’ll try that.

tetrus · July 21, 2022, 6:31pm

Great success I got it working! That last error was because I needed to enable “Sign Documents”, “Sign Assertions”.

I guess Azure was waiting for some type of signature based on that URL error message.

Thanks again William.

MatthiasB · October 24, 2022, 6:52pm

Hello William,

I have the same problem. Can you help me for setup this? Where at first I need to import the SAML information and then I need to insert the SAML information to office O365.

Thanks

Best regards

Matthias

astachowski · January 11, 2023, 5:02pm

Hey guys,

thank you for all the hard work getting this to run. I have one remark though for those who are still getting errors after being redirected from Keycloak. It seems necessary to activate “Sign documents” OR “Sign assertions”, but not both.

I’ve been thinking about how to give back to the community so I created a powershell script to automatically create Azure AD accounts with the necessary information.
My Github gist of it is here: keycloak-sync.ps1 · GitHub