Keycloak Azure AD Integration for Secure Authentication


Keycloak and Azure AD can be integrated to provide secure authentication for your applications.

Keycloak is an open-source identity and access management solution that supports multiple authentication protocols, including SAML, OAuth, and OpenID Connect.

This integration allows you to leverage Azure AD as an identity provider, enabling users to access your applications with their existing Azure AD credentials.

Azure AD provides a scalable and secure identity management solution that can be used in conjunction with Keycloak to provide a robust authentication system.

Configuring Keycloak with Azure AD

To configure Keycloak with Azure AD, start by logging in to the Microsoft Azure Portal and navigating to Azure Active Directory. Click on App registrations and then create a new registration for your application as an OpenID client. Enter a user-facing display name for the application and click the Register button.

In Keycloak, click on Identity Providers and select OpenID Connect v1.0 as the identity provider. To import the Azure AD settings, enter the OpenID Connect metadata document URL in the Import from URL field and click the Import button.



To fill in the remaining OpenID Connect configuration values, enter the Application (client) ID from the Azure app registration in the Client ID field and the secret created under Certificates & secrets in the Client Secret field. Choose "Client secret sent as post" for Client Authentication. Copy the Redirect URI that Keycloak displays; it must be registered in the Azure app registration.

Here are the key configuration values to fill in Keycloak:

Save the configuration in Keycloak and go to the Azure AD app registration overview to find the "OpenID Connect metadata document" URL. This URL will be used to import the metadata automatically, which fills out most of the configuration fields.

In Keycloak, go to Identity Providers > Azure AD > Settings to view the OpenID Connect Config section. Enable the Store Tokens and Stored Tokens Readable settings and save the configuration.
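The same configuration, expressed as data rather than clicks, as an added example that is not part of the original article or of Keycloak's own code. The script below takes an Azure AD OpenID Connect metadata document (a constructed sample with a placeholder tenant id, shaped like the real document), runs the sanity checks a practitioner wants before trusting an import (every endpoint present and https, issuer pinned to one tenant rather than the multi-tenant `{tenantid}` placeholder, `client_secret_post` advertised), builds the identity-provider representation the Keycloak admin REST API accepts, with the "Store Tokens", "Stored Tokens Readable" and "Client secret sent as post" settings mapped to their JSON field names, and computes the broker redirect URI that must be registered in Azure. The Keycloak base URL, realm name and alias are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an Azure AD (Entra ID) OpenID Connect metadata document.
# The tenant id is a placeholder; the real document is served from
# https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
AZURE_METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"],
}

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL_URL_KEYS = ("userinfo_endpoint", "end_session_endpoint")


def check_metadata(meta: dict, tenant_id: str) -> list[str]:
    """Return a list of problems; an empty list means the document is safe to import.

    The checks cover what goes wrong in practice: a missing endpoint, a non-https URL,
    a document fetched from the multi-tenant 'common' path (its issuer carries a literal
    '{tenantid}' placeholder, so the issuer cannot be pinned), and a token endpoint that
    does not accept the client authentication method chosen in Keycloak.
    """
    problems = []
    for key in REQUIRED_KEYS:
        if key not in meta:
            problems.append(f"missing {key}")
    for key in REQUIRED_KEYS + OPTIONAL_URL_KEYS:
        url = meta.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not https")
    issuer = meta.get("issuer", "")
    if "{tenantid}" in issuer or tenant_id not in issuer:
        problems.append("issuer is not pinned to the expected tenant")
    if "client_secret_post" not in meta.get("token_endpoint_auth_methods_supported", []):
        problems.append("token endpoint does not advertise client_secret_post")
    return problems


def build_keycloak_idp(meta: dict, client_id: str, client_secret: str, alias: str = "azure-ad") -> dict:
    """Build the identity-provider representation the Keycloak admin REST API accepts
    (POST /admin/realms/{realm}/identity-provider/instances). Field names follow the
    realm-export JSON format; values inside "config" are strings, as Keycloak stores them."""
    return {
        "alias": alias,
        "displayName": "Azure AD",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,                # an email claim is not auto-verified just because Azure sent it
        "storeToken": True,                 # the "Store Tokens" switch
        "addReadTokenRoleOnCreate": True,   # the "Stored Tokens Readable" switch
        "config": {
            "issuer": meta["issuer"],
            "authorizationUrl": meta["authorization_endpoint"],
            "tokenUrl": meta["token_endpoint"],
            "jwksUrl": meta["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",     # reject ID tokens not signed by a key published at jwks_uri
            "userInfoUrl": meta.get("userinfo_endpoint", ""),
            "logoutUrl": meta.get("end_session_endpoint", ""),
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",   # "Client secret sent as post"
            "defaultScope": "openid profile email",     # email scope is needed for the email claim
            "syncMode": "IMPORT",
        },
    }


def broker_redirect_uri(keycloak_base: str, realm: str, alias: str) -> str:
    """The redirect URI Keycloak shows for a broker; this exact value must be registered in the
    Azure app registration (Web platform). Quarkus-based Keycloak has no /auth prefix; the older
    WildFly distribution served the same path under /auth/realms/..."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


if __name__ == "__main__":
    problems = check_metadata(AZURE_METADATA, TENANT_ID)
    if problems:
        raise SystemExit("refusing to import metadata: " + "; ".join(problems))
    # Client id and secret are placeholders; the real values come from the Azure app registration.
    idp = build_keycloak_idp(AZURE_METADATA, "<application-client-id>", "<client-secret>")
    print(json.dumps(idp, indent=2))
    print("register in Azure:", broker_redirect_uri("https://sso.example.com", "demo", idp["alias"]))
```

Running the script prints the representation you would POST to the admin API and the redirect URI to paste into the Azure app registration. Swapping the constructed sample for the document fetched from the `common` path makes `check_metadata` reject it, which is the failure mode behind most "issuer mismatch" errors at first login.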

Keycloak and OIDC

Keycloak and OIDC can be a bit tricky to set up, but don't worry, I've got you covered.

To start, you need to create an app registration in Azure AD. This involves filling out the necessary details such as the name and supported account types. You'll also need to note down the Application (client) ID as this will be required in Keycloak configuration.


When creating the app registration, you'll need to add a new client secret and copy the secret value to note it down. This will be used later in the Keycloak setup.

Next, you'll need to set up Keycloak to use the app registration. To do this, you'll need to import the OpenID config from Azure AD, which is obtained from the "OpenID Connect metadata document" URL.

To configure Keycloak, click on the Settings tab and fill in the redirect URI for your UI app. The "Web origins" field can be filled with a wildcard (*) to allow all origins; that also lets any site make CORS requests to the client, so limiting the field to the UI's actual origin is the tighter setting.

Here's a summary of the steps to set up Keycloak with OIDC:

Azure App Registration

To register Keycloak as an application in Azure AD, you need to obtain the Client ID and Client Secret from Azure AD. Save these values, as you'll need them later in Keycloak.


To register Keycloak as an application in Azure AD, go to the Azure AD portal and click on "App registrations". Click on "New registration" to create a new registration for Keycloak as a new OpenID client.

In the Azure AD portal, navigate to "Certificates & secrets" and create a new client secret. Copy the value of the client secret, as it won't be shown again.

To add the required Microsoft Graph API permissions, go to "API permissions" and add the following permissions: `User.Read`, `openid`, `profile`, and `email`.

To update an existing AKS cluster, you'll need to follow the instructions in the Azure AD portal.

To configure Azure AD in Keycloak, you need to log in to the Keycloak Administration Console and click on "Identity Providers". Select OpenID Connect v1.0 as an identity provider.

To import the OpenID Connect metadata document URL, go to "Identity Providers > Azure AD > Settings" and enter the URL in the "Import from URL" field. Click the "Import" button to import the settings.

To set the remaining OpenID Connect configuration values, enable the "Store Tokens" and "Stored Tokens Readable" settings. Save the configuration.


To create a new role in Keycloak, go to "Roles > Realm Roles > Add Role" and create a new role named "read-token". Move the "read-token" role to the "Realm Default Roles" category.

To create a new scope in Keycloak, go to "Client Scopes > Create" and create a new scope called "read-token". Add the scope to the "Assigned Default Client Scopes" category.

To add a mapper in Keycloak, go to the Mappers tab of the identity provider and add a new mapper with Mapper Type "Username Template Importer", Template `${CLAIM.preferred_username}`, and Target `LOCAL`.

In Azure App Registration, you need to create a new registration for Keycloak as a new OpenID client. Enter a user-facing display name for the application and click the "Register" button.

To create the OpenID Connect configuration, fill out the details as required, including the alias, Discovery URL, Client ID, and Client Secret. Copy the redirect URL and update it in the Azure app registration.

To verify the Keycloak SSO integration with Azure AD, click on the "account-console" URL and it should take you to the Azure AD SSO page.


One Answer


To register an Entra ID application, you need to add a redirect URI in the Web platform. Initially, I added `openid profile` as the scopes in the Azure AD identity provider.

To get email in a user's profile, you must add email in the Scopes of the identity provider by editing it. This ensures that email is mapped correctly.

You can test this by running the sign-in flow again and selecting Azure AD as the alternate option to log in. After successful authentication, check the user's profile to see if the email field is mapped.

I deleted the previous user and created a new one, which successfully populated the email field in the profile.
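An added example, not part of the answer above or of the article, that models two things the page describes: the Username Template Importer mapper with `${CLAIM.preferred_username}` and the observation that the email field stays empty until `email` is added to the identity provider's scopes. The ID-token claims are constructed (made-up values, grouped by the scope that releases each claim, which matches how Azure AD's v2.0 endpoint behaves), and the template rendering is a simplified model of the mapper, with the assumption that a template referencing an absent claim yields no username rather than an empty one.

```python
import re

# Constructed ID-token claims as Azure AD's v2.0 endpoint would issue them for one user,
# grouped by the scope that causes each claim to be released. All values are made up.
CLAIMS_BY_SCOPE = {
    "openid":  {"sub": "sub-placeholder", "tid": "00000000-0000-0000-0000-000000000000"},
    "profile": {"name": "Alice Example", "preferred_username": "alice@contoso.example",
                "oid": "11111111-1111-1111-1111-111111111111"},
    "email":   {"email": "alice@contoso.example"},
}

# Matches ${ALIAS} and ${CLAIM.<claim name>} placeholders in a username template.
TEMPLATE_RE = re.compile(r"\$\{(ALIAS|CLAIM\.([A-Za-z0-9_.:-]+))\}")


def claims_for_scopes(scopes):
    """Return the claims present when only these scopes were requested from Azure AD."""
    claims = {}
    for scope in scopes:
        claims.update(CLAIMS_BY_SCOPE.get(scope, {}))
    return claims


def render_username_template(template, claims, alias):
    """Resolve ${ALIAS} and ${CLAIM.<name>} in a Username Template Importer template.
    Simplified model (assumption): a referenced claim that is absent makes the result
    None, so a broken mapping is visible instead of silently producing an empty name."""
    missing = []

    def substitute(match):
        if match.group(1) == "ALIAS":
            return alias
        name = match.group(2)
        value = claims.get(name)
        if value is None:
            missing.append(name)
            return ""
        return str(value)

    rendered = TEMPLATE_RE.sub(substitute, template)
    return None if missing else rendered


def broker_profile(scopes, template="${CLAIM.preferred_username}", alias="azure-ad"):
    """Username and email the brokered Keycloak user ends up with for the requested scopes."""
    claims = claims_for_scopes(scopes)
    return {
        "username": render_username_template(template, claims, alias),
        "email": claims.get("email"),   # None unless the email scope was requested
    }


if __name__ == "__main__":
    print(broker_profile(["openid", "profile"]))            # username set, email None
    print(broker_profile(["openid", "profile", "email"]))   # email populated
```

The first call reproduces the situation in the answer: the username maps fine from `preferred_username`, but the profile has no email because the claim was never released. Because Keycloak only imports claims at first login in the default sync mode, an existing linked user keeps its empty email after the scope is fixed, which is why deleting and recreating the user (or switching the sync mode) is what makes the field appear.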
