Using Keycloak as IDP for Office365 and SharePoint Online

I recently got Keycloak setup and working as my IDP for Office365 and SharePoint Online.
Since it required info from some different sources, I thought I would put my setup here for others looking to do the same.

Good source reading:

Save the xml config file from Microsoft found here: https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml

In Keycloak, under your Realm, click Clients

image993×293 20.4 KB

Here, import the federationmetadata.xml from Microsoft.

image476×825 28.3 KB

Your new client should look like this

image1062×720 32.7 KB

image403×534 21.4 KB

Under the Client Scopes tab, click the default scope

image1617×490 35.7 KB

Click Add Mapper → by Configuration, then select User Attribute

image836×831 56.9 KB

Add the IDPEmail attribute required by Microsoft

image612×713 26.1 KB

That should complete the Keycloak part of the setup.
Now to set up your federation to Keycloak, we need to go to PowerShell.

Connect to your Office365 instance using: Connect-MsolService

Once connected, run the following set up with your information:

$dom = "[DOMAINNAME]" 
$BrandName = "[BrandName]" 
$LogOnUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml" 
$LogOffUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml" 
$ecpUrl = "https://[KeycloakURL]/realms/[REALM]/protocol/saml" 
$MyURI = "urn:federation:MicrosoftOnline" 
$MySigningCert = "[KeycloakSigningCert]" 
$Protocol = "SAMLP" 
Set-MsolDomainAuthentication `
  -DomainName $dom `
  -FederationBrandName $BrandName `
  -Authentication Federated `
  -PassiveLogOnUri $LogOnUrl `
  -ActiveLogOnUri $ecpUrl `
  -SigningCertificate $MySigningCert `
  -IssuerUri $MyURI `
  -LogOffUri $LogOffUrl `
  -PreferredAuthenticationProtocol $Protocol

If you were previously federated with a different IDP like ADFS, you need to first change it back to Managed mode

Set-MsolDomainAuthentication -Authentication Managed -DomainName

Then run the command Set-MsolDomainAuthentication above to federate.

If you want to have SharePoint bypass the default prompt and throw you directly to keycloak, you can set this in powershell

Set-SPOTenant -SignInAccelerationDomain "contoso.com"

Thanks for this I really appreciate but could I make It work without the custom domain?
In my tenant I have only the default one which is onmicrosoft.com.
Do I need to purchase and configure an alternative not primary custom domain like example.com ?

You don’t need a custom domain. The domain is just whatever SharePoint is using.

From powershell, you can run: Get-MsolDomain to list your available domains for federation.
Most likely it will just be YourTenant.onmicrosoft.com

Thank for sharing;

Any suggestions on this error;

Set-MsolDomainAuthentication : Unable to complete this action. Try again later.
At line:1 char:1
+ Set-MsolDomainAuthentication `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolDomainAuthentication], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InternalServiceException,Microsoft.Online.Adm
   inistration.Automation.SetDomainAuthentication

The sampledomain.com is not default.
Reading about this error suggest that the uri should be unique. It’s a whole new tenant, single user with a Basic subscription.

Get-MsolDomain

Name                            Status   Authentication
----                            ------   --------------
sampledomain.onmicrosoft.com Verified Managed
sampledomain.com              Verified Managed

Hi, my Keycloak version (19.0.1) only allows me to upload JSON file, not xml. I tried to convert the xml to JSON, but it doesn’t work. I want to ask you how did you reach that link. Can’t find it on the Internet

@bwatkins79 The Connect-MsolService is done on the windows os powershell? (unable to do on macos). Also would the main admin user/id on ms 365 be a saml user, meaning goes thru the KC idp flow or locally authenticated by ms 365? What version KC you had when you share this awesome “how-to-do” guide? Thanks in advance for any feedback.

dear hvdhelm,

i was following the same steps here and encountred same error as yours. Have you managed to resolve it? If so, I would greatly appreciate any insights or tips you could share.
Thank you!"

Hello, it was really helpful.
Our requirement is that we dont want users in azure AAD , we need that users from keycloak will be able to login to powerbi service .
maybe roles can help but I ma not sure how to configure it.

I will really appreciate any help.

Since PowerBI uses Entra ID, I would assume you need Entra ID’s for users. Possibly you could set up a client to connect to PowerBI, but I’m not sure on that without using AAD.

did you ever resolve, or still looking for guidance?

Hello, I did all the steps you took and I’m getting this error when signing in Azure.

AADSTS51004: The user account G-XXXXXXXXXXXXXXXXX does not exist in the YYYYYYYYYYYYYYYYY directory.

I have user federation setup in Keycloak with our internal DCs via LDAP but since I am using a test tenant and domain, I created a user in keycloak manually with the same email to test the login. Can this be the root cause of the issue ?