Set up Microsoft Azure AD as IdP in Keycloak

This page describes how to set up Microsoft Azure AD as an additional identity provider (IdP) in Keycloak. Once configured, it appears as an additional button on the login page.

Setting up an application in Microsoft Azure AD

In order for Keycloak to authenticate against Azure AD, it must be registered as an application in Azure Active Directory (AD).

Add new application

First, a new "app" must be registered in Azure AD.

  1. To do this, navigate to the menu item "App registrations".

    Not to be confused with the item "Enterprise applications". The registered app does show up there as well later on.

    [Screenshot: new app 1]
  2. A descriptive name is then assigned.

    [Screenshot: new app 2]
  3. A client secret must then be generated for the client (Keycloak).

    [Screenshot: add client secret 1]
  4. The secret is displayed immediately after generation and should be saved right away; it cannot be viewed again later. If the secret is lost, a new one must be generated.

    [Screenshot: add client secret 2]
  5. In addition to the client secret, the client ID and the URL of the OpenID Connect configuration document must be determined.

    [Screenshot: azure get url and id]

Store IdP in Keycloak

Now you can create a new identity provider in Keycloak.

Do not select "Microsoft" under "Social" here. That option requires the client to be configured differently in Azure AD, and login would then be possible with any Microsoft account, even one outside your own organization. Instead, use the OpenID Connect option, which is configured with your own tenant's endpoints in the following steps.

[Screenshot: add idp 1]
  1. In the first step, an alias should be assigned. The alias determines the redirect URI, which is needed later. The display name is the label shown on the application's login screen.

    [Screenshot: add idp 2]
  2. Next, enter the OpenID Connect configuration URL from Azure AD and load it using the "Import" button. All relevant endpoint URLs are then filled in automatically.

    [Screenshot: add idp 3]
  3. Finally, the client ID and the client secret must be entered.

    [Screenshot: add idp 4]
  4. The redirect URI from the previous step must now be stored in Azure AD.

    [Screenshot: set callback url]
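As an added example (not part of the original page), a small Python helper that derives the redirect URI from the alias chosen in step 1 and builds the identity-provider entry from the tenant's discovery document, refusing the multi-tenant `common` endpoint that would admit accounts from other organizations. The discovery document is a constructed sample with a placeholder tenant ID; the Keycloak path assumes no legacy `/auth` prefix, and the entry's keys follow the realm-export shape as assumed here.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample in the shape of Azure AD's tenant-specific v2.0 discovery
# document; the tenant id is a placeholder, not a real tenant.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
AAD = f"https://login.microsoftonline.com/{TENANT_ID}"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"{AAD}/v2.0",
    "authorization_endpoint": f"{AAD}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AAD}/oauth2/v2.0/token",
    "jwks_uri": f"{AAD}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def broker_redirect_uri(keycloak_base, realm, alias):
    """Redirect URI Keycloak uses for an IdP; it is derived from the alias."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def discovery_tenant(discovery_url):
    """Tenant id from the discovery URL, or None if it is not tenant-specific
    ('common'/'organizations' also accept accounts from other directories)."""
    parts = urlparse(discovery_url)
    segs = parts.path.strip("/").split("/")
    if parts.hostname != "login.microsoftonline.com" or not segs:
        return None
    return segs[0].lower() if UUID_RE.match(segs[0].lower()) else None


def idp_config(discovery_url, discovery_json, alias, client_id, client_secret):
    """Keycloak OIDC identity-provider entry (assumed realm-export shape) built
    from the discovery document; rejects non-tenant URLs and issuer mismatches."""
    tenant = discovery_tenant(discovery_url)
    if tenant is None:
        raise ValueError("discovery URL is not tenant-specific")
    doc = json.loads(discovery_json)
    if doc["issuer"] != f"https://login.microsoftonline.com/{tenant}/v2.0":
        raise ValueError("issuer does not match the tenant in the discovery URL")
    return {
        "alias": alias, "displayName": "Azure AD", "providerId": "oidc", "enabled": True,
        "config": {
            "clientId": client_id, "clientSecret": client_secret,
            "issuer": doc["issuer"],
            "authorizationUrl": doc["authorization_endpoint"],
            "tokenUrl": doc["token_endpoint"],
            "jwksUrl": doc["jwks_uri"], "useJwksUrl": "true",
            "userInfoUrl": doc["userinfo_endpoint"],
            "validateSignature": "true", "defaultScope": "openid profile email",
        },
    }
```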

Result

Finally, a login screen with additional buttons should be available.

[Screenshot: login]

Troubleshooting

Errors in this setup are not easy to find. One source is the Keycloak logs. In case of doubt, however, the Azure AD side is where to look for what went wrong. To see failed sign-ins, navigate through the interface as follows.

  1. Open "Enterprise applications" in Azure AD.

    [Screenshot: azure debug 1]
  2. Select your own application.

    [Screenshot: azure debug 2]
  3. Open the sign-in logs.

    [Screenshot: azure debug 3]
