Using Keycloak as IDP for Office365 and SharePoint Online

I recently got Keycloak set up and working as my IDP for Office365 and SharePoint Online.
Since it required information from several different sources, I thought I would put my setup here for others looking to do the same.

Good source reading:

Save the xml config file from Microsoft found here:

In Keycloak, under your Realm, click Clients

Here, import the federationmetadata.xml from Microsoft.

Your new client should look like this


Under the Client Scopes tab, click the default scope

Click Add Mapper → by Configuration, then select User Attribute

Add the IDPEmail attribute required by Microsoft

That should complete the Keycloak part of the setup.
Now to set up your federation to Keycloak, we need to go to PowerShell.

Connect to your Office365 instance using: Connect-MsolService

Once connected, run the following setup, substituting your own values for the bracketed placeholders:

```powershell
# Domain to federate and the brand name shown on the Microsoft sign-in page
$dom = "[DOMAINNAME]"
$BrandName = "[BrandName]"
# Keycloak's SAML endpoint serves passive (browser), active (ECP) and logoff requests
$LogOnUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
$LogOffUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
$ecpUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
# Issuer URI must match the entity ID Microsoft expects from the imported metadata
$MyURI = "urn:federation:MicrosoftOnline"
# Base64 (PEM body without the BEGIN/END lines) of the Keycloak realm SAML signing certificate
$MySigningCert = "[KeycloakSigningCert]"
$Protocol = "SAMLP"

Set-MsolDomainAuthentication `
  -DomainName $dom `
  -FederationBrandName $BrandName `
  -Authentication Federated `
  -PassiveLogOnUri $LogOnUrl `
  -ActiveLogOnUri $ecpUrl `
  -SigningCertificate $MySigningCert `
  -IssuerUri $MyURI `
  -LogOffUri $LogOffUrl `
  -PreferredAuthenticationProtocol $Protocol
```

If you were previously federated with a different IDP like ADFS, you need to first change the domain back to Managed mode:

```powershell
Set-MsolDomainAuthentication -Authentication Managed -DomainName $dom
```

Then run the Set-MsolDomainAuthentication command above to federate.
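As an added example (not the original post's script), here is the same federation procedure carried out end to end in PowerShell: it fetches the realm's SAML signing certificate from Keycloak's descriptor endpoint instead of pasting it by hand, checks the certificate's expiry before handing it to Microsoft, switches a previously federated domain back to Managed first, federates, and then reads the tenant's stored settings back to confirm the certificate thumbprint matches Keycloak's. Bracketed values are placeholders you must replace; the descriptor path and the MSOnline cmdlets are the ones the post already relies on, and the 30-day expiry threshold is an arbitrary choice.

```powershell
# Added example, not from the original post. Values in [brackets] are placeholders.
$KeycloakUrl = "https://[KeycloakURL]"
$Realm       = "[REALM]"
$dom         = "[DOMAINNAME]"
$BrandName   = "[BrandName]"

# Keycloak publishes its SAML IdP metadata under the realm's SAML endpoint
$SamlUrl       = "$KeycloakUrl/realms/$Realm/protocol/saml"
$DescriptorUrl = "$SamlUrl/descriptor"

[xml]$descriptor = (Invoke-WebRequest -Uri $DescriptorUrl -UseBasicParsing).Content

# Extract the base64 signing certificate from the metadata (namespace-aware XPath)
$ns = New-Object System.Xml.XmlNamespaceManager($descriptor.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$certNode = $descriptor.SelectSingleNode(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
if (-not $certNode) { throw "No signing certificate found in $DescriptorUrl" }
$MySigningCert = ($certNode.InnerText -replace '\s', '')

# Inspect the certificate before registering it: once it expires, every federated
# sign-in fails until the new certificate is pushed to Microsoft with this same cmdlet.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($MySigningCert))
Write-Host "Keycloak signing cert: $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires within 30 days; rotate it in Keycloak and re-run this script."
}

Connect-MsolService

# A domain already federated to another IdP (e.g. ADFS) must go back to Managed first
$current = Get-MsolDomain -DomainName $dom
if ($current.Authentication -eq "Federated") {
    Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
}

Set-MsolDomainAuthentication `
  -DomainName $dom `
  -FederationBrandName $BrandName `
  -Authentication Federated `
  -PassiveLogOnUri $SamlUrl `
  -ActiveLogOnUri $SamlUrl `
  -SigningCertificate $MySigningCert `
  -IssuerUri "urn:federation:MicrosoftOnline" `
  -LogOffUri $SamlUrl `
  -PreferredAuthenticationProtocol SAMLP

# Read back what the tenant stored and confirm it is the certificate Keycloak serves
$settings = Get-MsolDomainFederationSettings -DomainName $dom
$stored = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($settings.SigningCertificate))
if ($stored.Thumbprint -ne $cert.Thumbprint) {
    throw "Tenant signing certificate does not match the certificate in Keycloak's descriptor"
}
Write-Host "Domain $dom is federated to $($settings.PassiveLogOnUri) with thumbprint $($stored.Thumbprint)"
```

The thumbprint comparison at the end is the check worth keeping around: Microsoft only accepts assertions signed by the certificate registered on the domain, so after any Keycloak key rotation the stored value has to be updated, and the same read-back tells you whether the tenant is still pointing at the right IdP at all. The MSOnline cmdlets are the ones the post uses; confirm the module still works in your tenant, as Microsoft has been moving this functionality to Microsoft Graph PowerShell.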

If you want SharePoint to bypass the default sign-in prompt and send you directly to Keycloak, you can set this in PowerShell:

```powershell
Set-SPOTenant -SignInAccelerationDomain ""
```

Thanks for this, I really appreciate it, but could I make it work without the custom domain?
In my tenant I have only the default one, which is
Do I need to purchase and configure an alternative, non-primary custom domain like ?

You don’t need a custom domain. The domain is just whatever SharePoint is using.

From PowerShell, you can run Get-MsolDomain to list your available domains for federation.
Most likely it will just be

Hi, my Keycloak version (19.0.1) only allows me to upload JSON file, not xml. I tried to convert the xml to JSON, but it doesn’t work. I want to ask you how did you reach that link. Can’t find it on the Internet