Using Keycloak as IDP for Office365 and SharePoint Online

bwatkins79 · April 13, 2023, 8:54pm

I recently got Keycloak setup and working as my IDP for Office365 and SharePoint Online.
Since it required info from some different sources, I thought I would put my setup here for others looking to do the same.

Good source reading:

Save the xml config file from Microsoft found here: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

In Keycloak, under your Realm, click Clients

Here, import the federationmetadata.xml from Microsoft.

Your new client should look like this

Under the Client Scopes tab, click the default scope

Click Add Mapper → by Configuration, then select User Attribute

Add the IDPEmail attribute required by Microsoft

That should complete the Keycloak part of the setup.
Now to set up your federation to Keycloak, we need to go to PowerShell.

Connect to your Office365 instance using: Connect-MsolService

Once connected, run the following set up with your information:

$dom = "[DOMAINNAME]" 
$BrandName = "[BrandName]" 
$LogOnUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml" 
$LogOffUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml" 
$ecpUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml" 
$MyURI = "urn:federation:MicrosoftOnline" 
$MySigningCert = "[KeycloakSigningCert]" 
$Protocol = "SAMLP" 
Set-MsolDomainAuthentication `
  -DomainName $dom `
  -FederationBrandName $BrandName `
  -Authentication Federated `
  -PassiveLogOnUri $LogOnUrl `
  -ActiveLogOnUri $ecpUrl `
  -SigningCertificate $MySigningCert `
  -IssuerUri $MyURI `
  -LogOffUri $LogOffUrl `
  -PreferredAuthenticationProtocol $Protocol

If you were previously federated with a different IDP like ADFS, you need to first change it back to Managed mode

Set-MsolDomainAuthentication -Authentication Managed -DomainName

Then run the command Set-MsolDomainAuthentication above to federate.

If you want to have SharePoint bypass the default prompt and throw you directly to keycloak, you can set this in powershell

Set-SPOTenant -SignInAccelerationDomain "contoso.com"

Falconizer · April 13, 2023, 11:13pm

Thanks for this I really appreciate but could I make It work without the custom domain?
In my tenant I have only the default one which is onmicrosoft.com.
Do I need to purchase and configure an alternative not primary custom domain like example.com ?

bwatkins79 · April 14, 2023, 4:35pm

You don’t need a custom domain. The domain is just whatever SharePoint is using.

From powershell, you can run: Get-MsolDomain to list your available domains for federation.
Most likely it will just be YourTenant.onmicrosoft.com

hvdhelm · April 24, 2023, 11:06am

Thank for sharing;

Any suggestions on this error;

Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-MsolDomainAuthentication `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Adm
   inistration.Automation.SetDomainAuthentication

The sampledomain.com is not default.
Reading about this error suggest that the uri should be unique. It’s a whole new tenant, single user with a Basic subscription.

Get-MsolDomain

Name                            Status   Authentication
----                            ------   --------------
sampledomain.onmicrosoft.com Verified Managed
sampledomain.com              Verified Managed

razvan15 · May 24, 2023, 5:40pm

Hi, my Keycloak version (19.0.1) only allows me to upload JSON file, not xml. I tried to convert the xml to JSON, but it doesn’t work. I want to ask you how did you reach that link. Can’t find it on the Internet

coolsoft07 · December 29, 2023, 2:03pm

@bwatkins79 The Connect-MsolService is done on the windows os powershell? (unable to do on macos). Also would the main admin user/id on ms 365 be a saml user, meaning goes thru the KC idp flow or locally authenticated by ms 365? What version KC you had when you share this awesome “how-to-do” guide? Thanks in advance for any feedback.

Abenchrifa · March 22, 2024, 9:53am

hvdhelm:

Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-MsolDomainAuthentication `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Adm
   inistration.Automation.SetDomainAuthentication

dear hvdhelm,

i was following the same steps here and encountred same error as yours. Have you managed to resolve it? If so, I would greatly appreciate any insights or tips you could share.
Thank you!"

Topic		Replies	Views
Keycloak works for Office365 but fails for SharePoint Online Getting advice authentication , saml	4	1192	April 13, 2023
Using Keycloak as IdP for Azure AD Securing applications identity-brokering	26	14617	April 12, 2024
Keycloak Integration with Outlook Getting advice	0	72	March 22, 2024
Setup a SAML service provider to work with an external Identity Provider Getting advice saml	0	753	October 15, 2020
How to integrate to office 365	5	4026	July 1, 2022

Using Keycloak as IDP for Office365 and SharePoint Online

Related Topics