I recently got Keycloak set up and working as my IdP for Office 365 and SharePoint Online.
Since it required information from several different sources, I thought I would put my setup here for others looking to do the same.
Good source reading:
Save the XML federation metadata file from Microsoft, found here: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
In Keycloak, under your Realm, click Clients
Here, import the federationmetadata.xml from Microsoft.
Your new client should look like this
Under the Client Scopes tab, click the default scope
Click Add Mapper → by Configuration, then select User Attribute
Add the IDPEmail attribute required by Microsoft
That should complete the Keycloak part of the setup.
Now to set up your federation to Keycloak, we need to go to PowerShell.
Connect to your Office365 instance using: Connect-MsolService
Once connected, run the following, substituting your own values for the bracketed placeholders:

# Domain to federate and the name shown on the sign-in page
$dom = "[DOMAINNAME]"
$BrandName = "[BrandName]"
# Keycloak's SAML endpoint for the realm (same URL serves sign-in, sign-out and ECP)
$LogOnUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
$LogOffUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
$ecpUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml"
$MyURI = "urn:federation:MicrosoftOnline"
# Base64 body of the realm's SAML signing certificate
$MySigningCert = "[KeycloakSigningCert]"
$Protocol = "SAMLP"

Set-MsolDomainAuthentication `
    -DomainName $dom `
    -FederationBrandName $BrandName `
    -Authentication Federated `
    -PassiveLogOnUri $LogOnUrl `
    -ActiveLogOnUri $ecpUrl `
    -SigningCertificate $MySigningCert `
    -IssuerUri $MyURI `
    -LogOffUri $LogOffUrl `
    -PreferredAuthenticationProtocol $Protocol
If you were previously federated with a different IdP such as ADFS, you first need to switch the domain back to Managed mode:

Set-MsolDomainAuthentication -Authentication Managed -DomainName $dom

Then run the Set-MsolDomainAuthentication command above to federate.
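The value that most often goes wrong here is the signing certificate: if it does not match the key Keycloak is actually signing with (for example after a realm key rotation), every federated login fails. The following is an added example, not part of the original post, that reads the current signing certificate from Keycloak's SAML IdP descriptor, sanity-checks it, and compares it with what Office 365 currently trusts for the domain. It assumes the descriptor is served at https://[KeycloakURL]/realms/[REALM]/protocol/saml/descriptor and that Connect-MsolService has already been run; the host, realm and domain values are placeholders.

```powershell
# Added example: verify the Keycloak signing certificate Office 365 trusts.
# Assumes the MSOnline module is loaded and Connect-MsolService has been run.
param(
    [string]$KeycloakUrl = "https://keycloak.example.com",  # placeholder
    [string]$Realm       = "myrealm",                        # placeholder
    [string]$Domain      = "contoso.com"                     # placeholder
)

# Keycloak publishes the realm's IdP metadata here (assumed path)
$descriptorUrl = "$KeycloakUrl/realms/$Realm/protocol/saml/descriptor"
[xml]$md = (Invoke-WebRequest -Uri $descriptorUrl -UseBasicParsing).Content

# Namespace-aware lookup of the signing KeyDescriptor's X509Certificate.
# If the realm has several signing keys, this takes the first one listed.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate"
$node = $md.SelectSingleNode($xpath, $ns)
if (-not $node) { throw "No signing certificate found in $descriptorUrl" }

# Strip whitespace: -SigningCertificate expects the bare base64 DER string
$keycloakCert = ($node.InnerText -replace '\s', '')

# Sanity-check the certificate before pushing it to Microsoft
$bytes = [Convert]::FromBase64String($keycloakCert)
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
"Keycloak signing cert: $($x509.Subject), thumbprint $($x509.Thumbprint), expires $($x509.NotAfter)"
if ($x509.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Signing certificate expires within 30 days; plan the key rotation now"
}

# Compare with what Office 365 currently has on file for the domain
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
if ($fed.SigningCertificate -eq $keycloakCert) {
    "Office 365 already trusts the current Keycloak signing certificate for $Domain"
} else {
    Write-Warning "Certificate mismatch for $Domain: federated logins will fail until Set-MsolDomainAuthentication is rerun with -SigningCertificate `$keycloakCert"
}
```

Run it again after any Keycloak key rotation; the mismatch warning is the cue to rerun Set-MsolDomainAuthentication with the new certificate.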
If you want SharePoint to bypass the default prompt and send you directly to Keycloak, you can set this in PowerShell:
Set-SPOTenant -SignInAccelerationDomain "contoso.com"