Azure AD IdP with Keycloak as SP

Surya Prakash Pandey
3 min read · Mar 27, 2020

Creating a Directory inside Azure: -

To create a new Azure AD tenant:

1. Browse to the Azure portal and sign in with an account that has an Azure subscription.

2. Select the plus icon (+) (Create a resource) and search for Azure Active Directory.

3. Select Azure Active Directory in the search results.

4. Select Create.

5. Provide an Organization name and an Initial domain name, then select Create. Your directory is created.

Create an OpenID Connect v1.0 identity provider inside the test realm (Identity Providers, Add provider, OpenID Connect v1.0): -

Register a new Application using the Azure portal: -

Follow the instructions in this Microsoft quickstart:

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Import the Azure AD configuration from the Azure OpenID Connect endpoint:-

In the registered application, open Endpoints and copy the URL labelled OpenID Connect metadata document (the tenant-specific .well-known/openid-configuration URL).

Paste that URL into the Import from URL field of the new identity provider in Keycloak and click Import. The endpoint settings specific to the IdP (authorization, token, logout and JWKS URLs, and the issuer) are filled in from the metadata document. Use the metadata URL of your own tenant rather than the one for the common endpoint: the common document's issuer is a template containing {tenantid}, which never matches the iss claim of the tokens Azure AD actually issues, so Keycloak would reject every login with a wrong-issuer error.

If Keycloak is running behind a reverse proxy that terminates TLS, you need to configure the X.509 client certificate lookup so that Keycloak can recover the client certificate the proxy forwards in request headers; without it, the import of this configuration did not go through in this setup. The lookup provider is selected and configured in the Keycloak server configuration, and the Keycloak server installation guide walks through the setup for each supported proxy (Apache, NGINX, HAProxy).

In my case, since I was using Apache as the proxy server, I needed to make these configuration changes in Keycloak's standalone.xml file:

<!-- Goes in standalone.xml inside <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">.
     The property values are the names of the request headers in which the Apache proxy
     forwards the client certificate (SSL_CLIENT_CERT) and the chain certificates
     (CERT_CHAIN_0, CERT_CHAIN_1, ... up to certificateChainLength entries). -->
<spi name="x509cert-lookup">
    <default-provider>apache</default-provider>
    <provider name="apache" enabled="true">
        <properties>
            <property name="sslClientCert" value="SSL_CLIENT_CERT"/>
            <property name="sslCertChainPrefix" value="CERT_CHAIN"/>
            <property name="certificateChainLength" value="10"/>
        </properties>
    </provider>
</spi>

After the import from the endpoint URL succeeds, fill in the Azure application-specific details in the Keycloak provider configuration:

Take the Client ID from the Application (client) ID of the registered Azure application, and the Client Secret from a secret created under Certificates & secrets for that application.

Copy the Redirect URI that Keycloak displays at the top of the identity provider page (of the form https://<keycloak-host>/auth/realms/<realm>/broker/<alias>/endpoint) and register exactly that value as a web Redirect URI on the Azure application under Authentication; Azure AD refuses the authorization request if the redirect URI sent by Keycloak is not registered.
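The import step and the application details above, as an added example that is not part of the original post and not Keycloak's or Microsoft's own code: it parses a constructed sample shaped like the Azure AD v2.0 metadata document, maps it onto the config keys the Keycloak importer fills in, rejects the templated issuer carried by the common endpoint's document (which Keycloak would otherwise flag as a wrong issuer on every login), derives the broker redirect URI to register on the Azure application, and merges in the client id and secret. The tenant id, client id, Keycloak host, realm and alias are placeholders, and the /auth context path is the one used by the WildFly-based Keycloak releases of 2020.

```python
"""Added example: what Keycloak's "Import from URL" takes out of an Azure AD
OpenID Connect metadata document, the checks worth running on it, and the
values that complete the identity-provider configuration."""
import json
from urllib.parse import urlparse

# Constructed sample shaped like the v2.0 metadata document Azure AD serves at
# https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
# (only the fields the importer uses; the tenant id is a made-up placeholder).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
_AAD = f"https://login.microsoftonline.com/{TENANT_ID}"
SAMPLE_METADATA = json.dumps({
    "issuer": f"{_AAD}/v2.0",
    "authorization_endpoint": f"{_AAD}/oauth2/v2.0/authorize",
    "token_endpoint": f"{_AAD}/oauth2/v2.0/token",
    "end_session_endpoint": f"{_AAD}/oauth2/v2.0/logout",
    "jwks_uri": f"{_AAD}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})

# Constructed sample of the pitfall: the document for the "common" endpoint
# carries a templated issuer, so the iss claim of real tokens never matches it.
COMMON_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
})

# Discovery-document field -> Keycloak OIDC identity-provider config key.
FIELD_MAP = {
    "issuer": "issuer",
    "authorization_endpoint": "authorizationUrl",
    "token_endpoint": "tokenUrl",
    "jwks_uri": "jwksUrl",
    "end_session_endpoint": "logoutUrl",
    "userinfo_endpoint": "userInfoUrl",
}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_metadata(metadata_json, expected_tenant_id):
    """Return a list of problems; an empty list means the document is safe to import."""
    doc = json.loads(metadata_json)
    problems = [f"missing {field}" for field in REQUIRED if field not in doc]
    issuer = doc.get("issuer", "")
    if "{tenantid}" in issuer:
        problems.append("issuer is the 'common' template; use the tenant-specific metadata URL")
    elif issuer != f"https://login.microsoftonline.com/{expected_tenant_id}/v2.0":
        problems.append(f"issuer {issuer!r} is not the v2.0 issuer of tenant {expected_tenant_id}")
    for field in FIELD_MAP:
        url = doc.get(field)
        if url is not None:
            parts = urlparse(url)
            if parts.scheme != "https" or not parts.netloc:
                problems.append(f"{field} is not an absolute https URL: {url!r}")
    return problems


def keycloak_config_from_metadata(metadata_json, expected_tenant_id):
    """Build the config map the Keycloak importer fills in, refusing bad documents."""
    problems = check_metadata(metadata_json, expected_tenant_id)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(metadata_json)
    config = {FIELD_MAP[field]: doc[field] for field in FIELD_MAP if field in doc}
    # The importer also switches on signature validation against the JWKS endpoint.
    # Keep it on: without it a forged token with matching iss/aud would be accepted.
    config["validateSignature"] = "true"
    config["useJwksUrl"] = "true"
    return config


def broker_redirect_uri(keycloak_base_url, realm, alias):
    """Redirect URI Keycloak shows on the identity-provider page; this exact value
    must be registered as a web redirect URI on the Azure app registration.
    Assumption: the /auth context path of the WildFly-based Keycloak releases."""
    return f"{keycloak_base_url.rstrip('/')}/auth/realms/{realm}/broker/{alias}/endpoint"


def with_app_registration(config, client_id, client_secret):
    """Merge in the values from the Azure app registration: the Application (client) ID
    and a client secret from Certificates & secrets. Returns a new dict."""
    if not client_id or not client_secret:
        raise ValueError("client id and client secret are both required for the code flow")
    return {**config, "clientId": client_id, "clientSecret": client_secret,
            "defaultScope": "openid profile email"}


if __name__ == "__main__":
    cfg = with_app_registration(keycloak_config_from_metadata(SAMPLE_METADATA, TENANT_ID),
                                "00000000-aaaa-bbbb-cccc-dddddddddddd", "<client-secret>")
    print(json.dumps(cfg, indent=2))
    print("register on Azure:", broker_redirect_uri("https://sso.example.com", "test", "azure-ad"))
    print("common endpoint problems:", check_metadata(COMMON_METADATA, TENANT_ID))
```

Running the script prints the provider config as Keycloak would store it, the redirect URI to add on the Azure side, and the reason the common-endpoint document is refused; swap in your own tenant id and the real metadata document to use the same checks against a live tenant.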

Now configure Keycloak's Authentication tab so that users are sent straight to Azure AD instead of the Keycloak login form:

In the Browser flow, click the Actions button next to the Identity Provider Redirector execution, choose Config, and set Default Identity Provider to the alias of your Azure AD identity provider. Keycloak then redirects every browser login to Azure AD automatically.

This completes the Keycloak-to-Azure AD side of the flow. If your application is configured with Keycloak properly, hitting your application URL will now redirect you to the Microsoft login page.

I hope everyone finds this helpful. I would suggest going through the identity broker concept once to get the whole flow working with your application.
