Configure Azure AD as a brokered Identity Provider in KeyCloak

Introduction

KeyCloak is an open-source identity and access management tool that provides an extensive set of capabilities to cater to modern authentication services. KeyCloak provides an easy way to secure application with great features like user federation, Identity brokering, and social login. 

Many enterprises are leveraging these tools to meet their identity and access management requirements. Today we will share a step-by-step process for integrating Azure Active Directory as a brokered identity provider in KeyCloak, extending the single sign-on solution to Azure Active Directory users.


Prerequisites 

  • Azure Active Directory Tenant (Assuming we already have Azure Active Directory Provisioned). 
  • KeyCloak Application running on a VM and configured to accept HTTPS connections. 

Register App in Azure AD Tenant 

In this section, we will register an app in Azure AD to map the KeyCloak Identity Broker.  

1. Log in to the Azure Portal and navigate to Azure Active Directory, then App registrations.

2. Click New registration and fill in the registration details.

3. Click the newly created app registration and set the Application ID URI.

4. Click Endpoints and copy the Federation metadata document URL.

5. Next, create an Identity Provider in KeyCloak for identity brokering. Log in to the KeyCloak Admin console, navigate to the Identity Providers page and add a new SAML v2.2 provider.

6. Scroll to the bottom of the page, enter the federation metadata URL copied from the Azure Portal and click Import.

7. Enter the Alias and Display Name for this Identity Provider (the display name is what appears on the KeyCloak login page) and save.
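The Import button in step 6 does essentially one thing: it fetches the federation metadata XML, reads the Azure AD entity ID, the SAML endpoints and the signing certificate out of it, and fills the corresponding identity-provider fields. The script below, an added example that is not part of the original post, does the same parsing on a constructed metadata sample (placeholder tenant ID and certificate) so you can see what ends up in the provider configuration, check the endpoints are HTTPS, and record the SHA-256 fingerprint of the certificate Keycloak will trust. The config key names follow those used in Keycloak's SAML identity-provider representation (`idpEntityId`, `singleSignOnServiceUrl`, `signingCertificate`, `validateSignature`, ...); confirm them against your Keycloak version before using the output with the admin REST API.

```python
"""Inspect an Azure AD SAML federation metadata document and derive the
Keycloak identity-provider settings that the metadata import fills in.

Added example for this post. Keycloak config keys follow the names in
Keycloak's SAML identity-provider representation; the sample metadata is
constructed, with a placeholder tenant ID and a placeholder certificate.
"""
import base64
import hashlib
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant

# Constructed sample in the shape of Azure AD's federationmetadata.xml.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data>
        <X509Certificate>MIIDEXAMPLECERTBYTES0000</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _fingerprint(cert_b64: str) -> str:
    """SHA-256 of the DER certificate, colon separated, for comparison with the portal."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_idp_settings(metadata_xml: str) -> dict:
    """Pull the fields a SAML identity-provider import needs out of the metadata."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an identity provider)")

    def service(tag: str, binding: str):
        for el in idp.findall(f"md:{tag}", NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # real metadata wraps the base64

    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": service("SingleSignOnService", REDIRECT),
        "sso_post_url": service("SingleSignOnService", POST),
        "slo_url": service("SingleLogoutService", REDIRECT),
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": certs,
        "fingerprints": [_fingerprint(c) for c in certs],
    }


def check_settings(s: dict) -> list:
    """Points to verify before trusting the import; returns a list of problems."""
    problems = []
    if not s["entity_id"]:
        problems.append("missing entityID")
    if not s["signing_certs"]:
        problems.append("no signing certificate: assertion signatures could not be validated")
    if not (s["sso_redirect_url"] or s["sso_post_url"]):
        problems.append("no SingleSignOnService endpoint")
    for key in ("sso_redirect_url", "sso_post_url", "slo_url"):
        url = s[key]
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    return problems


def to_keycloak_config(s: dict) -> dict:
    """Map the extracted values onto Keycloak SAML identity-provider config keys."""
    return {
        "idpEntityId": s["entity_id"],
        "singleSignOnServiceUrl": s["sso_post_url"] or s["sso_redirect_url"],
        "singleLogoutServiceUrl": s["slo_url"],
        "nameIDPolicyFormat": s["name_id_formats"][0] if s["name_id_formats"] else None,
        "signingCertificate": ",".join(s["signing_certs"]),
        "validateSignature": "true",  # keep signature validation on for a brokered IdP
        "postBindingResponse": "true",
        "postBindingAuthnRequest": "true",
    }


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    for problem in check_settings(settings):
        print("WARNING:", problem)
    print("signing certificate SHA-256:", *settings["fingerprints"], sep="\n  ")
    print(json.dumps(to_keycloak_config(settings), indent=2))
```

Keep the printed fingerprint with your change record: Azure AD rotates its SAML signing certificate, and when that happens logins will start failing signature validation in Keycloak until the metadata is re-imported, so a known fingerprint tells you quickly whether a failure is a key rotation or something else.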

At this point, we have successfully configured Azure Active Directory as a brokered Identity Provider in KeyCloak. Let's test the login process.

Validating the configuration 

Let’s validate the configuration.  

1. Open a browser and navigate to the KeyCloak application login page. You should see the Azure AD button; this is the alias of the Azure AD identity provider we added in KeyCloak when configuring it above.

2. Enter your Azure AD credentials, and you should be redirected back to the KeyCloak application.

Conclusion

That is it; this can easily extend your IAM requirements to cloud-native identity providers. KeyCloak supports SAML as well as OpenID Connect to cater to modern authentication requirements. Bringing in users from external identity providers can significantly reduce the user management effort for our KeyCloak-secured applications.

The main objective was to cover the bare minimum configuration: to introduce the capabilities, show an example integration method, and demonstrate how it can be configured, validated, and tested.

If you would like to extend your Single Sign on solution, please see our other blog on Configuring ADFS with Azure AD and Dynamics 365 on-prem systems. 
