Configure Azure AD as a brokered Identity Provider in KeyCloak


KeyCloak is an open-source identity and access management tool that provides an extensive set of capabilities to cater to modern authentication services. KeyCloak provides an easy way to secure application with great features like user federation, Identity brokering, and social login. Many enterprises are leveraging these tools to meet their Identity and Access management requirements. Today we will share a step-by-step process of easily integrating Azure Active Directory as a brokered identity provider in KeyCloak to extend the Single sign onsign on solution to Azure Active Directory Users.


  • Azure Active Directory Tenant (Assuming we already have Azure Active Directory Provisioned).
  • KeyCloak Application running on a VM and configured to accept HTTPS connections.

Register App in Azure AD Tenant

  1. In this section, we will register an app in Azure AD to map the KeyCloak Identity Broker.
  2. Login to Azure Portal and navigate to Azure Active Directory and App Registration.
  3. Click on New Registration and fill out the information as per the following.
  4. Now click on the newly created Application registration and update the Application ID URI.
  5. Now Click on the Endpoint and copy Federation Metadata URL.
  6. Now we need to create an Identity Provider in KeyCloak for identity brokering. To complete this step, log in to the KeyCloak Admin console and navigate to the Identity Providers page and add a new SAML v2.2 Provider.
  7. Now scroll to the button of the page and enter the Federation MetaData URL copied from Azure Portal and click import.
  8. Enter the Alias and Display Name for this Identity Provider, which you would like to show on the KeyCloak Login page and save.

At this point, we have successfully configured Azure Active Directory as a brokered Identity provider in KeyCloak. Let’s test out the login process.

Get Started With Azure AD

Ready to enhance your organization's security and streamline user management? Kickstart your journey with Azure AD today! Discover the benefits and get started now for a more secure and efficient digital environment.

Request a Demo

Validating the Configuration

Let’s validate the configuration.

  1. Open any browser window and navigate to the KeyCloak Application login page. We should see the Azure AD button. This is the Alias of Azure AD identity provider we added in the KeyCloak in the 1st step.
  2. Enter your Azure AD credentials, and, and you should be redirected back to the KeyCloak application.


This can easily extend your IAM requirements to cloud- native identity Providers. KeyCloak supports SAML as well as OpenID Connect to cater to the modern Authentication requirements. This can significantly reduce the User management efforts by integrating the users from Identity providers for our KeyCloak secured applications.

The main objective was to cover the bare minimum configurations to familiarize the capabilities, an example integration method, and how it can be configured, validated, and tested. If you would like to extend your Single Sign on solution.

Please see our other blog on Configuring ADFS with Azure AD and Dynamics 365 on-prem systems.

Explore Recent Blog Posts

Infographics show the 2021 MSUS Partner Award winner

Related Posts

Receive Updates on Youtube