Using Keycloak as IDP for Office365 and SharePoint Online

I recently got Keycloak set up and working as my IDP for Office365 and SharePoint Online.
Since it required info from some different sources, I thought I would put my setup here for others looking to do the same.

Good source reading:

Save the xml config file from Microsoft found here: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

In Keycloak, under your Realm, click Clients

Here, import the federationmetadata.xml from Microsoft.

Your new client should look like this:


Under the Client Scopes tab, click the default scope

Click Add Mapper → by Configuration, then select User Attribute

Add the IDPEmail attribute required by Microsoft

That should complete the Keycloak part of the setup.
Now to set up your federation to Keycloak, we need to go to PowerShell.

Connect to your Office365 instance using: Connect-MsolService

Once connected, run the following set up with your information:

$dom = "[DOMAINNAME]" 
$BrandName = "[BrandName]" 
$LogOnUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml" 
$LogOffUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml" 
$ecpUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml" 
$MyURI = "urn:federation:MicrosoftOnline" 
$MySigningCert = "[KeycloakSigningCert]" 
$Protocol = "SAMLP" 
Set-MsolDomainAuthentication `
  -DomainName $dom `
  -FederationBrandName $BrandName `
  -Authentication Federated `
  -PassiveLogOnUri $LogOnUrl `
  -ActiveLogOnUri $ecpUrl `
  -SigningCertificate $MySigningCert `
  -IssuerUri $MyURI `
  -LogOffUri $LogOffUrl `
  -PreferredAuthenticationProtocol $Protocol

If you were previously federated with a different IDP like ADFS, you need to first change it back to Managed mode:

Set-MsolDomainAuthentication -Authentication Managed -DomainName $dom

Then run the Set-MsolDomainAuthentication command above to federate.

If you want to have SharePoint bypass the default prompt and send you directly to Keycloak, you can set this in PowerShell:

Set-SPOTenant -SignInAccelerationDomain "contoso.com"
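The full sequence from the post, with the precondition checks that come up further down the thread (domain must be verified, and a domain still federated with another IDP must be reverted to Managed first), as an added example that is not the original poster's script. It assumes the MSOnline module, an existing Connect-MsolService session, and that the realm's SAML descriptor endpoint (an assumption about the Keycloak deployment) is reachable; values in [brackets] are placeholders.

```powershell
# Added example, not from the original post. Requires an active Connect-MsolService session.
$dom         = "[DOMAINNAME]"
$KeycloakUrl = "https://[KeycloakURL]"
$Realm       = "[REALM]"
$SamlUrl     = "$KeycloakUrl/realms/$Realm/protocol/saml"

# Read the signing certificate from Keycloak's SAML descriptor instead of pasting it by hand.
# The descriptor endpoint path is an assumption about this deployment.
[xml]$desc = (Invoke-WebRequest -Uri "$SamlUrl/descriptor" -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($desc.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$certNode = $desc.SelectSingleNode("//md:IDPSSODescriptor//ds:X509Certificate", $ns)
if (-not $certNode) { throw "No signing certificate found in $SamlUrl/descriptor" }
$MySigningCert = ($certNode.InnerText -replace '\s', '')

# The domain must exist in the tenant and be verified before it can be federated.
$d = Get-MsolDomain -DomainName $dom
if ($d.Status -ne "Verified") { throw "$dom is not a verified domain in this tenant" }

# A domain already federated elsewhere (e.g. ADFS) has to go back to Managed first.
if ($d.Authentication -eq "Federated") {
    $cur = Get-MsolDomainFederationSettings -DomainName $dom
    Write-Host "Currently federated with issuer $($cur.IssuerUri); reverting to Managed"
    Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed
}

# Federate with the same values the post uses.
Set-MsolDomainAuthentication `
  -DomainName $dom `
  -FederationBrandName "[BrandName]" `
  -Authentication Federated `
  -PassiveLogOnUri $SamlUrl `
  -ActiveLogOnUri $SamlUrl `
  -SigningCertificate $MySigningCert `
  -IssuerUri "urn:federation:MicrosoftOnline" `
  -LogOffUri $SamlUrl `
  -PreferredAuthenticationProtocol SAMLP

# Show what the tenant now has on record so the values can be checked against Keycloak.
Get-MsolDomainFederationSettings -DomainName $dom |
  Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, LogOffUri, SigningCertificate
```

The final Get-MsolDomainFederationSettings call is the quickest way to confirm that the certificate and URLs the tenant will trust are the ones your realm actually serves.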

Thanks for this, I really appreciate it, but could I make it work without the custom domain?
In my tenant I have only the default one, which is onmicrosoft.com.
Do I need to purchase and configure an alternative, non-primary custom domain like example.com?

You don’t need a custom domain. The domain is just whatever SharePoint is using.

From PowerShell, you can run Get-MsolDomain to list your available domains for federation.
Most likely it will just be YourTenant.onmicrosoft.com

Thanks for sharing.

Any suggestions on this error?

Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-MsolDomainAuthentication `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Administration.Automation.SetDomainAuthentication

The sampledomain.com domain is not the default.
Reading about this error suggests that the URI should be unique. It’s a whole new tenant, single user with a Basic subscription.

Get-MsolDomain

Name                          Status    Authentication
----                          ------    --------------
sampledomain.onmicrosoft.com  Verified  Managed
sampledomain.com              Verified  Managed

Hi, my Keycloak version (19.0.1) only allows me to upload a JSON file, not XML. I tried to convert the XML to JSON, but it doesn’t work. I want to ask you how you reached that link. I can’t find it on the Internet.

@bwatkins79 Is Connect-MsolService done in Windows PowerShell? (I am unable to do it on macOS.) Also, would the main admin user/ID on MS 365 be a SAML user, meaning it goes through the KC IdP flow, or is it locally authenticated by MS 365? What version of KC did you have when you shared this awesome “how-to-do” guide? Thanks in advance for any feedback.