Over the past two days, I’ve been working at this, but keep running into the same error: AADSTS50107: The requested federation realm object 'https://<KEYCLOAK_SERVER>/auth/realms/<realm>' does not exist.
Is there a way to view the interactions between Azure AD and Keycloak in detail?
I’ve been searching online to try and resolve this error, but am getting nowhere. I’d greatly appreciate any help.
The link you provided doesn't mention where to create the connection to test this. I know how to create a Keycloak client, but I don't know what configuration I need in Azure AD to create the link that uses the Keycloak client as IDP.
I managed to get this up and running with the following settings:
Import the file above into keycloak, but set Client Signature Required to OFF.
Then, copy the X509Certificate from the SAML 2.0 Identity Provider Metadata file (found on the General page of your realm settings).
Open PowerShell in Windows (it does not work on Linux/Azure Cloud Shell) and issue the Connect-MsolService command to log in to your Azure AD account.
After logging in, use this template to set up your domain for federation:
That’s the basic setup. You’ll need to manually add each user to AzureAD.
When a user tries to sign into Microsoft 365, a new attribute will be created in Keycloak, but they cannot sign in yet. The new attribute is saml.persistent.name.id.for.urn:federation:MicrosoftOnline and will contain a string.
where PERSISTENT_ID_ATTRIBUTE is the string in saml.persistent.name.id.for.urn:federation:MicrosoftOnline and USER_LOGIN is the email address the user uses to log in to Microsoft 365.
Alternatively, you can create this attribute in Keycloak before the user attempts to sign in.
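The federation step described in that answer, as an added example that is not the poster's own template: it reads the realm's SAML IdP descriptor so that the IssuerUri, sign-on URL and signing certificate handed to Azure AD are exactly what Keycloak sends (the AADSTS50107 error from the first post is what you get when the IssuerUri stored for the domain does not match the realm's entityID). Assumed: the MSOnline module is installed on Windows, $Domain is a domain already verified in Azure AD, and $MetadataPath is the downloaded descriptor from https://<KEYCLOAK_SERVER>/auth/realms/<realm>/protocol/saml/descriptor.

```powershell
# Added example, not code from the thread. Builds the Set-MsolDomainAuthentication
# call from the Keycloak realm's SAML IdP descriptor instead of hand-typed values.
param(
    [Parameter(Mandatory)] [string] $Domain,        # verified Azure AD domain (placeholder)
    [Parameter(Mandatory)] [string] $MetadataPath,  # downloaded saml/descriptor XML
    [string] $BrandName = 'Keycloak'
)

[xml] $md = Get-Content -Raw -Path $MetadataPath
$entity = $md.EntityDescriptor
$idp    = $entity.IDPSSODescriptor

# entityID is what Keycloak places in <saml:Issuer>. Azure AD resolves the federated
# domain by this exact string; any drift (scheme, host, trailing slash) gives AADSTS50107.
$issuerUri = $entity.entityID

$sso = @($idp.SingleSignOnService) | Where-Object { $_.Binding -like '*HTTP-POST' } | Select-Object -First 1
$slo = @($idp.SingleLogoutService) | Where-Object { $_.Binding -like '*HTTP-POST' } | Select-Object -First 1
$cert = @($idp.KeyDescriptor) | Where-Object { $_.use -eq 'signing' } |
        ForEach-Object { $_.KeyInfo.X509Data.X509Certificate } | Select-Object -First 1

if (-not ($issuerUri -and $sso -and $cert)) {
    throw 'Descriptor is missing entityID, an HTTP-POST SSO endpoint or a signing certificate'
}

# Azure AD expects the bare base64 DER string, so drop the line breaks from the XML.
$cert   = $cert -replace '\s', ''
$logOff = if ($slo) { $slo.Location } else { $sso.Location }

Connect-MsolService

Set-MsolDomainAuthentication -DomainName $Domain `
    -Authentication Federated `
    -FederationBrandName $BrandName `
    -IssuerUri $issuerUri `
    -PassiveLogOnUri $sso.Location `
    -LogOffUri $logOff `
    -SigningCertificate $cert `
    -PreferredAuthenticationProtocol SAMLP

# Read back what Azure AD stored and fail loudly if the issuer does not match byte for byte.
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
if ($fed.IssuerUri -cne $issuerUri) {
    throw "IssuerUri mismatch: Azure AD has '$($fed.IssuerUri)', Keycloak sends '$issuerUri'"
}
$fed | Format-List IssuerUri, PassiveLogOnUri, LogOffUri, PreferredAuthenticationProtocol
```

Re-run the script whenever the realm's signing key is rotated, because Azure AD keeps the old certificate until it is updated here.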
On another note, this works for me only if I start from the SAML client, setting up IDP Initiated SSO URL_Name.
I get from Keycloak a URL like this:
https://KEYCLOAK_URL/auth/realms/cdsdev/protocol/saml/clients/URL_NAME
This works once it is properly configured as suggested. My question now is: do you know how to make Azure use that domain as an external organization?
What I mean is that when I try to log in with the new user, can Azure redirect to Keycloak for the login?