In this post, I'm going to write about Keycloak and Microsoft Azure Active Directory (AD).
I have decided to write this post for two reasons: first, in my current job (02/2021), we need to integrate Keycloak with Active Directory because a customer uses Azure AD, and second, because I had a lot of difficulty finding other posts on the subject of configuring Keycloak and AD. So, let's go ahead.
Register an app in Azure Active Directory
Access the Microsoft Azure portal and click on Azure Active Directory.
When you click on the menu, you'll be redirected to the tenant overview. If you don't have any tenants, please see the quickstart to create a new tenant.
Registering a new app
On this page, look for the App registrations menu and click it to open the App registrations page.
Next we'll register a new app: click on New registration to go to the app registration page.
On the Register an application page, enter a Name, select Accounts in this organizational directory only and click on Register.
After you click on Register, you'll be redirected to the new app's overview page.
On this page, go to the Certificates & secrets menu. A screen will appear showing Certificates and Client secrets. Under Client secrets, click on New client secret to open a window for registering a new client secret.
Enter a Description (optional), choose an Expires period, and click on Add. The new client secret will then appear in the table below.
Copy the Value and save it, because you won't be able to see the value again afterwards.
Now we need to configure Keycloak.
First, we'll create a realm; if you already have one, skip to Configuring an Identity Provider.
Creating a realm
If you don't have a realm yet, it is easy to create one in Keycloak.
In the left menu, above Configure, hover over the realm name and click on Add realm.
Just type a name and click on Create.
Configuring an Identity Provider
On the left menu, go to the Identity Providers menu.
Under Add provider, select OpenID Connect v1.0.
After this, the Add identity provider window will open.
Type an Alias and, if you want, a Display Name. Then go to Import External IDP Config and look at the Import from URL field.
Now we need to go back to Azure AD, open the application under App registrations, and click on Endpoints.
Copy the OpenID Connect metadata document URL and go back to Keycloak.
In Import from URL, paste the metadata URL copied above and click on the Import button.
Once that is done, some settings should appear in OpenID Connect Config, as shown in the image below.
Now look at the last three fields in the image above. We need to fill in the Client ID and Client Secret fields with the values from the app registered in Azure.
In the Client Authentication field, choose Client secret sent as post.
For the Client ID field, go to Azure > App registrations and select the application. In the application Overview, find the Application (client) ID and copy this value. Go back to Keycloak and paste it into the field.
For the Client secret field, remember the value we saved in the Client secret section of this post? Paste that client secret Value into the field.
Once this is done, the settings should look like the image below:
Now save it, go to the top of the page, and copy the Redirect URI. We will need this value in Azure.
After those configurations, go back to Azure for the final settings.
Configure the Authentication
Now back in Azure, go to Azure Active Directory > App registrations > your application > Authentication.
The Platform configurations section will appear; click on the Add a platform button, as in the image below.
A window will appear on the right side. Select the Web option.
Now paste the Redirect URI copied in the last section into Redirect URIs and click on Configure.
Once this is done, the configuration should appear as in the image below.
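As an added example (not from the original post), here is Python that does by hand what Import from URL does for us: it maps the Azure AD metadata document to the Keycloak identity-provider fields shown in the screenshots, checks that the document belongs to the app's tenant, and builds the Redirect URI that must be registered in Azure. The tenant ID, Keycloak host, realm and alias are placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the Azure AD v2.0 discovery document (only the fields
# Keycloak's Import from URL reads); the tenant ID is a placeholder.
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
AAD = f"https://login.microsoftonline.com/{TENANT}"
SAMPLE_METADATA = json.dumps({
    "issuer": f"{AAD}/v2.0",
    "authorization_endpoint": f"{AAD}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AAD}/oauth2/v2.0/token",
    "end_session_endpoint": f"{AAD}/oauth2/v2.0/logout",
    "jwks_uri": f"{AAD}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})

def keycloak_oidc_config(metadata_json: str, tenant_id: str) -> dict:
    """Map a discovery document to the Keycloak identity-provider settings the
    post fills in, rejecting documents that are not HTTPS or that belong to a
    different tenant than the app registration."""
    meta = json.loads(metadata_json)
    required = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [k for k in required if k not in meta]
    if missing:
        raise ValueError(f"metadata document lacks {missing}")
    for key in required + ("userinfo_endpoint", "end_session_endpoint"):
        if key in meta and urlparse(meta[key]).scheme != "https":
            raise ValueError(f"{key} is not served over https: {meta[key]}")
    # "Accounts in this organizational directory only" gives a tenant-specific
    # issuer; a mismatch means the wrong metadata URL was pasted.
    if meta["issuer"] != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        raise ValueError(f"issuer {meta['issuer']} is not tenant {tenant_id}")
    return {
        "issuer": meta["issuer"],
        "authorizationUrl": meta["authorization_endpoint"],
        "tokenUrl": meta["token_endpoint"],
        "userInfoUrl": meta.get("userinfo_endpoint", ""),
        "logoutUrl": meta.get("end_session_endpoint", ""),
        "jwksUrl": meta["jwks_uri"],
        "useJwksUrl": "true",        # fetch Azure's signing keys from jwks_uri
        "validateSignature": "true", # and verify ID-token signatures with them
        "clientAuthMethod": "client_secret_post",  # "Client secret sent as post"
    }

def broker_redirect_uri(keycloak_base: str, realm: str, alias: str) -> str:
    """Redirect URI Keycloak shows at the top of the provider page; exactly this
    value must be registered under Authentication > Web in the Azure app.
    Older Keycloak versions include /auth in the base URL."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"
```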
Now we can test our application.
Go back to Keycloak, select the realm and go to the Clients menu.
Click on the account client's Base URL. We will be redirected to the sign-in page, as in the image below.
Click the Sign In button, and we will be redirected to the sign-in form. See the Or sign in with button: this button is our previously configured Identity Provider.
Click on this button, and we will be redirected to the Microsoft sign-in form. Enter your Azure user (e-mail/username) and then your password.
If everything went well, this page should appear.
Update some information and click on Submit; you will be redirected to this page:
Well that's it. I hope this post can help you.
Send your feedback/suggestions, and if you need some help, please contact me.
Thank you very much and see you soon.