Configure Azure AD as a brokered Identity Provider in KeyCloak

Introduction

KeyCloak is an open-source identity and access management tool that simplifies securing applications with features like user federation, identity brokering, and social login. Many enterprises rely on these capabilities to meet their Identity and Access Management (IAM) requirements. In this guide, I will walk through, step by step, how to integrate Azure Active Directory (AAD) as a brokered identity provider in KeyCloak over SAML, so that Single Sign-On (SSO) to your KeyCloak-secured applications is extended to Azure AD users.

Understanding KeyCloak and Azure AD Integration

When it comes to managing user authentication across multiple systems, KeyCloak and Azure AD are a powerful duo. But how do they actually work together? Let’s break it down.

At the heart of this integration is the SAML (Security Assertion Markup Language) protocol. Think of SAML as a bridge that carries a signed statement about the user from Azure AD to KeyCloak. (Azure AD can also be brokered over OpenID Connect; this guide covers the SAML route.) Here’s how it works:

  1. Identity Federation: Imagine you have a bunch of different identity systems—Azure AD for your Microsoft services, Google for some cloud apps, and maybe even a legacy system or two. Identity federation is like having a universal translator that helps all these systems speak the same language. With KeyCloak as your central hub, you can unify these systems, making it possible for a user to log in once and gain access to everything.

  2. Identity Providers (IdP): In this setup, Azure AD acts as the identity provider. This means it’s responsible for authenticating users—verifying that they are who they say they are. When a user tries to log in, Azure AD checks their credentials and then sends a confirmation (called a SAML assertion) to KeyCloak.

  3. Service Providers (SP): Toward Azure AD, KeyCloak plays the role of the service provider. It receives the assertion, validates its signature, issuer, audience and validity window, and then issues its own session or token to the application the user is trying to reach. Toward that application KeyCloak is still the identity provider; the application never talks to Azure AD directly, which is what makes this brokering rather than a direct SAML integration.

Picture this: you have a user, let’s call her Jane. Jane works for a company that uses Azure AD to manage employee identities. She needs to access an internal app that’s secured by KeyCloak. When Jane clicks on the app link, she’s redirected to the Azure AD login page, where she enters her credentials. Azure AD verifies her identity and sends a signed SAML assertion back to KeyCloak, saying, in effect, “This is Jane, and here are her attributes.” KeyCloak checks the assertion, looks up or creates Jane’s account in the realm, applies any role mappings, and grants her access to the app, without asking her for credentials again. Whether Jane is allowed into that particular app is still KeyCloak’s decision, based on the roles and client configuration in the realm; the assertion only establishes who she is.

This setup not only simplifies the login process for users like Jane but also centralizes identity management for IT admins, making it easier to control who has access to what. By integrating Azure AD with KeyCloak, you get the best of both worlds: the robust identity management features of Azure AD and the flexibility and control of KeyCloak as an identity broker.

In today’s multi-cloud, multi-application world, having a single sign-on solution that works across all your platforms is crucial. It improves user experience, reduces the number of passwords in circulation, and shrinks the attack surface those passwords create. With KeyCloak and Azure AD working together, you’re building a strong foundation for secure and scalable identity management.

So, whether you’re dealing with employees logging in to internal systems or partners accessing external portals, this integration has you covered—making your identity management both simple and secure.

Prerequisites

Before beginning the integration of Azure AD as a brokered identity provider in KeyCloak, ensure you meet the following prerequisites. These foundational steps will ensure a smooth configuration process and secure communication between your KeyCloak and Azure AD environments.

1. Azure Active Directory Tenant:

  • Ensure you have a properly configured Azure AD tenant. If your organization uses a custom domain, verify that it is correctly associated with your Azure AD tenant. This is crucial for ensuring that your organization’s users can authenticate seamlessly.
  • User Permissions: Make sure that the account you are using to configure the integration has sufficient permissions. Typically, you will need at least the ‘Application Administrator’ role in Azure AD to create app registrations and manage enterprise applications.

2. KeyCloak Application: 

  • Secure your KeyCloak instance with HTTPS. The SAML response and the session cookies that follow it travel through the user’s browser to KeyCloak, and Azure AD only accepts https:// redirect URIs (localhost excepted) in any case. Use a certificate from a CA the users’ browsers trust for production; a self-signed certificate is acceptable only for isolated test environments.
  • Let’s Encrypt issues publicly trusted certificates free of charge and is suitable for production as well as non-production environments.
  • Before integrating with Azure AD, set up the roles you will need within KeyCloak. Azure AD knows nothing about these roles; after the integration you map them from the group or role claims carried in the SAML assertion using identity provider mappers (for example the SAML Attribute to Role mapper), and they are what control access to your KeyCloak-secured applications.
  • To create roles, log in to the KeyCloak Admin Console, navigate to your realm, and select Roles (labelled Realm roles in the current admin console). Define roles that match the access requirements of your application, such as Admin, User, or Manager.

3. App Registration Permissions: 

  • Verify that you have the necessary permissions to create new app registrations in Azure AD. This is required for setting up the KeyCloak integration as an identity provider.
  • If your organization enforces restrictions on app registrations, you may need to request additional permissions or coordinate with your IT admin to proceed.

4. Network Security Configurations: 

  • The SAML exchange is browser-driven: the user’s browser is redirected to Azure AD and then POSTs the response back to KeyCloak, so the user’s browser must be able to reach both login.microsoftonline.com and the KeyCloak server. The KeyCloak server itself only needs outbound HTTPS to Azure AD to fetch the federation metadata during import; no inbound firewall rule for Azure AD is required.

By ensuring these prerequisites are met and configured correctly, you will lay a solid foundation for integrating Azure AD as a brokered identity provider in KeyCloak. This preparation will minimize potential issues during the integration process and enhance the security and efficiency of your identity management setup.

Step 1: Register KeyCloak App in Azure AD

In this section, we will register an app in Azure AD that represents the KeyCloak identity broker. Decide on the alias the identity provider will have in KeyCloak first (for example azure-ad), because it forms part of the callback URL you register here.

  1. Login to Azure Portal: Navigate to Azure Portal and sign in with an account that holds the Application Administrator role, preferably a dedicated administrative account set aside for this integration.
  2. Go to Azure Active Directory: Select Azure Active Directory from the left-hand navigation menu and click on App registrations.
  3. Create a New Registration: Click on New registration and provide the name and the supported account types (single tenant unless you intend to admit users from other tenants). Under Redirect URI, choose Web and add the KeyCloak broker callback URL, which has the fixed form https://<keycloak-host>/realms/<realm>/broker/<alias>/endpoint (prefixed with /auth on older KeyCloak versions). This is where the SAML response will be POSTed; a mismatch here is the most common cause of a failed login.
  4. Update Application ID URI: After registration, go to the Overview page of the app and set the Application ID URI to KeyCloak’s service provider entity ID. By default that is the realm URL, https://<keycloak-host>/realms/<realm>; whatever you enter must match the Service provider entity ID in the KeyCloak identity provider settings, because Azure AD places it in the Audience of the assertion.
  5. Copy Federation Metadata URL: Click on Endpoints and copy the Federation metadata document URL for later use. It has the form https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml; appending ?appid=<application-client-id> returns the metadata specific to this registration.

Step 2: Configure KeyCloak as an Identity Broker

Now, we’ll configure KeyCloak as an Identity Broker within the KeyCloak Admin Console.

  1. Log in to KeyCloak Admin Console: Navigate to your KeyCloak admin console, log in, and select the realm you prepared.
  2. Add a New Identity Provider: Go to Identity Providers in the left-hand menu and select SAML v2.0.
  3. Set Alias and Display Name: Enter the Alias you used in the Azure AD redirect URI (the alias is part of the broker endpoint URL, so the two must match) and a Display Name. The display name is what appears on the KeyCloak login page.
  4. Import Federation Metadata: Scroll to the bottom of the page, paste the Federation Metadata URL you copied from Azure AD into the SAML entity descriptor field and click Import to auto-fill the required settings: the single sign-on service URL, the IdP entity ID (https://sts.windows.net/<tenant-id>/) and the validating X.509 certificate. Confirm that signature validation is enabled and that the Service provider entity ID equals the Application ID URI from Step 1, then save the configuration.


Step 3: Test & Validate the Configuration

  1. Navigate to the KeyCloak Login Page: Open a private browser window and go to the login page of a client in the realm (the Account Console at https://<keycloak-host>/realms/<realm>/account is convenient). You should now see an option to log in with Azure AD, labelled with the display name set earlier.
  2. Log in with Azure AD: Click on the Azure AD login button and enter your Azure AD credentials. On the first login KeyCloak’s default first broker login flow may ask you to review the profile imported from the assertion; after that you are redirected back to the application, confirming the integration. To validate beyond the redirect, open Users in the admin console, find the newly created user, and check that its Identity provider links tab shows the Azure AD alias and that the username or e-mail matches the NameID Azure AD sent. If Azure AD shows an error page instead of redirecting, compare the Reply URL and Identifier on the app registration with the broker endpoint and the Service provider entity ID character by character, including scheme, host and trailing slashes.
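A redirect back to the application only proves that Azure AD answered; when the login is rejected, the useful evidence is the SAMLResponse form field the browser POSTed to the broker endpoint (visible in the browser’s network tools). The script below is an added example for this guide, not KeyCloak code. It decodes a constructed response shaped like Azure AD’s (Signature elements omitted; tenant id, host names and the user are placeholders) and checks the fields KeyCloak compares against its configuration: Destination and Recipient against the broker endpoint, Issuer against the IdP entity ID, Audience against the service provider entity ID, and the Conditions validity window. It does not verify the XML signature, which KeyCloak does with the certificate imported from the metadata, so it is a diagnostic for mismatches, not a substitute for validation. It also makes concrete the assertion described in the Understanding section above.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample shaped like an Azure AD SAML Response, Signature elements
# omitted. Tenant id, host names and the user are placeholders, not real values.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T10:00:00.000Z"
    Destination="https://sso.example.com/realms/corp/broker/azure-ad/endpoint">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00.000Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T10:05:00.000Z"
            Recipient="https://sso.example.com/realms/corp/broker/azure-ad/endpoint"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:55:00.000Z" NotOnOrAfter="2024-01-01T11:00:00.000Z">
      <saml:AudienceRestriction><saml:Audience>https://sso.example.com/realms/corp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# What the browser POSTs in the SAMLResponse field: base64 of the XML above.
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def saml_time(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def decode_saml_response(form_value):
    """Undo the POST-binding encoding of the SAMLResponse form field."""
    return base64.b64decode(form_value).decode("utf-8")


def check_response(xml_text, idp_entity_id, sp_entity_id, acs_url, now):
    """Compare the response with the broker configuration and return the subject
    and attributes. The XML signature is NOT verified here; Keycloak does that
    with the certificate imported from the metadata."""
    root = ET.fromstring(xml_text)  # stdlib expat leaves external entities unresolved
    findings = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("Status: %s" % (status.get("Value") if status is not None else "missing"))
    if root.get("Destination") != acs_url:  # must be the broker endpoint (Azure Reply URL)
        findings.append("Destination: %s != %s" % (root.get("Destination"), acs_url))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # EncryptedAssertion, or a failed login carrying no assertion
        findings.append("Assertion: none in plaintext")
        return {"ok": False, "findings": findings, "name_id": None, "attributes": {}}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        findings.append("Issuer: %s != %s" % (issuer, idp_entity_id))
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != sp_entity_id:  # must equal the SP entity ID (Azure Identifier)
        findings.append("Audience: %s != %s" % (audience, sp_entity_id))
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < saml_time(nb)) or (na and now >= saml_time(na)):
            findings.append("Conditions: assertion not valid at %s" % now.isoformat())
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        findings.append("Recipient: %s != %s" % (recipient, acs_url))
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {"ok": not findings, "findings": findings,
            "name_id": name_id.text if name_id is not None else None,
            "attributes": attributes}


if __name__ == "__main__":
    result = check_response(decode_saml_response(SAMPLE_FORM_VALUE),
                            "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
                            "https://sso.example.com/realms/corp",
                            "https://sso.example.com/realms/corp/broker/azure-ad/endpoint",
                            saml_time("2024-01-01T10:00:30Z"))
    print("OK" if result["ok"] else "MISMATCH", result)
```

For a real login, paste the captured SAMLResponse value into decode_saml_response and pass your tenant’s IdP entity ID, realm URL and broker endpoint; every line in findings names the configuration field that disagrees. The groups claim that comes back in attributes is the kind of value a SAML Attribute to Role mapper turns into the KeyCloak roles created in the prerequisites.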

Conclusion

Integrating Azure AD as a brokered identity provider in KeyCloak extends your IAM capabilities to include cloud-native identity providers. This guide used SAML; KeyCloak can equally broker Azure AD over OpenID Connect, so both modern authentication protocols are available, and in either case user lifecycle management stays in Azure AD rather than being duplicated in KeyCloak.

The main objective was to cover the bare minimum configuration needed to become familiar with the capability, one example integration method, and how it can be configured, validated, and tested. If you would like to extend your Single Sign-On solution further, please see our other blog on Configuring ADFS with Azure AD and Dynamics 365 on-prem systems.
