For a new project, I needed to use Keycloak as the authentication provider of a Spring Boot WebFlux application. Since the company I work for uses Microsoft Entra ID (formerly Azure Active Directory), the optimal solution was to add Entra ID as an Identity Provider in Keycloak using OpenID Connect.
Despite the number of articles on the subject, it took me some time to find the right configuration and to discover a few tricks needed to complete the setup. Here are the detailed steps.
Azure Configuration
Let's begin by logging into Azure.
The first tip is to switch the interface to English if it is not already. Some authentication-related terms are poorly translated: in French, for example, a tenant becomes a locataire and claims become revendications. This makes the interface harder to follow.
- Click on Microsoft Entra ID
- Select App registrations
- Click New registration
Give it a name, such as keycloak, choose Single tenant, and click Register. We will fill in the redirect URI later.
Keycloak Configuration
If not already done, create your realm, for example ght1pc9kc.
Then go to the Identity providers menu.
Be careful: there is a Microsoft option, but do not choose it. It works, but it does not expose some of the settings we will configure later. Choose the generic OpenID Connect v1.0 provider instead.
- Set the alias to azure
- Set the display name shown on the login screen to Azure AD
- Set the display order if needed
Discovery Endpoint
Go back to Azure. In the application we just registered, click Endpoints to display the list of endpoint URLs for the application.
The one we need is the OpenID Connect metadata document. Copy its URL and paste it into the Discovery endpoint field of the Keycloak configuration. Keycloak will automatically populate all the URLs (authorization, token, userinfo, JWKS, logout, issuer) from the metadata. Use the tenant-specific URL shown there, not the common one: the single-tenant app registered above only accepts logins from your tenant, and the issuer must match it.
- Client authentication: Client secret sent as post
- Client ID: the Application (client) ID shown in the Azure application overview (see screenshot)
Client Secret
In Azure, still in the application settings, go to Certificates & secrets and create a new client secret.
Give it a description and an expiration period, then copy the Value of the secret. Be careful: the value is only shown once. If you close this screen, you will not be able to retrieve it again and will have to create a new secret. Note the expiration date somewhere, because logins through Keycloak will start failing the day the secret expires.
Paste this value into the Client Secret field of the Keycloak Identity Provider configuration.
Finally, click Add to create the Identity Provider.
Final Configuration Steps
Go back to the Identity Provider we just created and expand the Advanced settings section:
- Scopes: openid profile email
- Trust email: On, to indicate that emails coming from Azure are verified. Keycloak then skips its own e-mail verification for brokered users, including when linking to an existing account with the same address, so this is only appropriate because Entra ID is the tenant's authoritative directory.
- Sync mode: Force, so that Keycloak updates the user data at every login, not only the first time.
For the rest, the default values are sufficient. Don't forget to save.
Restraightforward URI
Finally, in the Identity Provider settings, copy the Redirect URI shown at the top of the page. Then go back to Azure, in the Authentication menu of the application.
- Click Add a platform
- Choose Web
- Paste the URI copied from Keycloak
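The steps above can also be scripted instead of clicked through. The following is an added example, not code from the original article or from Keycloak: it reads the discovery document the same way the Discovery endpoint field does, assembles the IdentityProviderRepresentation that Keycloak's admin REST API expects for a generic OIDC provider with the settings listed above, and computes the broker Redirect URI to register in Azure. The metadata document, tenant ID, Keycloak base URL and realm are constructed placeholders; the POST to the admin API is only attempted when an admin token is supplied in the environment.

```python
"""Build the Keycloak OIDC identity-provider configuration for Entra ID.

Added example, not part of the original article. Representation keys
(providerId, trustEmail, config.authorizationUrl, ...) are those of
Keycloak's admin REST API IdentityProviderRepresentation; the sample
metadata and tenant ID below are constructed, not real tenant data.
"""
import json
import os
import urllib.request

TENANT = "11111111-2222-3333-4444-555555555555"   # constructed placeholder
LOGIN = f"https://login.microsoftonline.com/{TENANT}"

# Constructed excerpt of what the "OpenID Connect metadata document" URL
# returns for a single-tenant app. A real document has many more keys.
SAMPLE_METADATA = json.dumps({
    "issuer": f"{LOGIN}/v2.0",
    "authorization_endpoint": f"{LOGIN}/oauth2/v2.0/authorize",
    "token_endpoint": f"{LOGIN}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": f"{LOGIN}/discovery/v2.0/keys",
    "end_session_endpoint": f"{LOGIN}/oauth2/v2.0/logout",
})


def parse_discovery(metadata_json):
    """Extract the endpoints Keycloak fills in from the discovery document."""
    meta = json.loads(metadata_json)
    issuer = meta["issuer"]
    # The multi-tenant "common" document carries a literal "{tenantid}"
    # placeholder in its issuer, which can never match the iss of a real
    # token. The article uses a single-tenant app, so reject placeholders.
    if "{" in issuer or "}" in issuer:
        raise ValueError("issuer contains a placeholder; use the tenant-specific metadata URL")
    return {
        "issuer": issuer,
        "authorizationUrl": meta["authorization_endpoint"],
        "tokenUrl": meta["token_endpoint"],
        "userInfoUrl": meta.get("userinfo_endpoint", ""),
        "jwksUrl": meta["jwks_uri"],
        "logoutUrl": meta.get("end_session_endpoint", ""),
    }


def build_idp_representation(alias, display_name, client_id, client_secret, endpoints):
    """Assemble the IdentityProviderRepresentation with the article's settings."""
    config = dict(endpoints)
    config.update({
        "clientId": client_id,
        "clientSecret": client_secret,
        "clientAuthMethod": "client_secret_post",  # "Client secret sent as post"
        "defaultScope": "openid profile email",
        "syncMode": "FORCE",                       # refresh user data at every login
        "validateSignature": "true",               # config values are strings
        "useJwksUrl": "true",
    })
    return {
        "alias": alias,
        "displayName": display_name,
        "providerId": "oidc",   # generic OIDC provider, not the "microsoft" one
        "enabled": True,
        "trustEmail": True,     # email from Entra ID is treated as verified
        "config": config,
    }


def broker_redirect_uri(keycloak_base_url, realm, alias):
    """The Redirect URI shown at the top of the IdP page, to register in Azure."""
    return f"{keycloak_base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def create_idp(keycloak_base_url, realm, admin_token, representation):
    """POST the representation to the admin API (network; only used from main)."""
    req = urllib.request.Request(
        f"{keycloak_base_url.rstrip('/')}/admin/realms/{realm}/identity-provider/instances",
        data=json.dumps(representation).encode(),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 201 Created on success


if __name__ == "__main__":
    rep = build_idp_representation(
        "azure", "Azure AD",
        os.environ.get("AZURE_CLIENT_ID", "<application-client-id>"),
        os.environ.get("AZURE_CLIENT_SECRET", "<client-secret-value>"),
        parse_discovery(SAMPLE_METADATA),
    )
    print(json.dumps(rep, indent=2))
    print("Redirect URI for Azure:",
          broker_redirect_uri("https://sso.example.com", "ght1pc9kc", "azure"))
    if "KEYCLOAK_ADMIN_TOKEN" in os.environ:   # only talk to a server when asked
        print(create_idp("https://sso.example.com", "ght1pc9kc",
                         os.environ["KEYCLOAK_ADMIN_TOKEN"], rep))
```

Run it with AZURE_CLIENT_ID and AZURE_CLIENT_SECRET set to print the representation; add KEYCLOAK_ADMIN_TOKEN (a bearer token for the admin API) to actually create the provider. Keep the client secret out of shell history and scripts: it is a long-lived credential for your tenant, which is why the example reads it from the environment.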
First Test
At this stage, the integration is functional. If you go to the Clients menu in Keycloak, you can find the URL of the account console and open it to log in.
Do not enter your credentials in the login window; instead, click Azure AD. You will be redirected to Azure to authenticate. At the end, Azure will ask for your consent to share your profile data with Keycloak.
Once logged in, you can see your account information retrieved from Azure in Keycloak's account console.
If you check the Keycloak administration console, you will see that a user has been created in the realm.
Retrieving Groups
Authentication works, but we have not yet retrieved the user's authorization information. It would be useful to map the user's Azure groups to Keycloak roles so that permissions can be managed directly on the Azure side.
Add Azure Groups to Claims
By default, Azure does not include groups in the token claims. To change the token, go to Token configuration in the Azure application.
Click Add groups claim, then choose how the groups should be emitted in the token: by ID, by name, etc.
I recommend using ID unless you have specific reasons for another option.
Some articles suggest changing groupMembershipClaims in the manifest from null to All or SecurityGroup, but this did not work for me.
Mapping Roles in Keycloak
Now return to Keycloak and create the roles corresponding to your Azure groups.
Then, in the Azure Identity Provider settings in Keycloak, go to the Mappers tab and add a new mapper for each group:
- Sync mode override: Inherit, so the mapper follows the IdP's sync mode (Force) and the roles are refreshed at every login
- Mapper type: Claim to Role
- Claim: groups
- Claim value: the Azure group object ID
- Role: the corresponding Keycloak role
Include ROLES in the JWT Token
A final step is needed to include the roles in the tokens Keycloak issues. This allows the backend to read them directly without having to query Keycloak.
In Keycloak, in the realm, go to Client scopes -> roles -> Mappers -> realm roles. Enable Add to userinfo and save. Add to access token is enabled by default on this mapper, which is what places realm_access.roles in the access token; check it is still on if the backend reads roles from the JWT itself.
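To see what the mappers above actually do with a token, here is an added example that is not code from the original article or from Keycloak. It builds the Claim to Role mapper representations for a table of Azure group object IDs (constructed placeholders) as accepted by the admin REST API, then computes offline which roles those mappers would grant for a given Entra ID token, and reads realm_access.roles from a userinfo response. It also handles the case a practitioner should know about: when a user belongs to more than 200 groups, Entra ID omits the groups claim from the JWT and emits _claim_names/_claim_sources instead, and the mappers then grant nothing without any error.

```python
"""Claim-to-Role mappers for Entra ID groups, plus an offline check of the
outcome. Added example, not part of the original article. Mapper keys follow
Keycloak's IdentityProviderMapperRepresentation for the built-in
"oidc-role-idp-mapper" (the "Claim to Role" type); group IDs, roles and
tokens below are constructed placeholders."""
import base64
import json

# Constructed: Entra ID group object IDs -> Keycloak realm roles.
GROUP_TO_ROLE = {
    "aaaaaaaa-1111-2222-3333-444444444444": "admin",
    "bbbbbbbb-1111-2222-3333-444444444444": "editor",
}


def claim_to_role_mappers(idp_alias, group_to_role):
    """One "Claim to Role" mapper per Azure group, as POSTed to
    /admin/realms/{realm}/identity-provider/instances/{alias}/mappers."""
    return [
        {
            "name": f"group-{role}",
            "identityProviderAlias": idp_alias,
            "identityProviderMapper": "oidc-role-idp-mapper",
            "config": {
                "syncMode": "INHERIT",    # follow the IdP's sync mode (FORCE)
                "claim": "groups",
                "claim.value": group_id,  # Azure emits group object IDs
                "role": role,
            },
        }
        for group_id, role in group_to_role.items()
    ]


def decode_claims_unverified(jwt):
    """Payload of a JWT without signature verification: fine for inspecting
    a token Keycloak has already verified, never for making decisions."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_from_azure_claims(claims, group_to_role):
    """Roles the mappers above would grant for the given Entra ID token claims.
    Returns (roles, overage). Overage: Entra ID drops the groups claim and
    emits _claim_names/_claim_sources when the user is in more than 200
    groups; the Claim to Role mappers then silently grant nothing."""
    if "groups" not in claims and "groups" in claims.get("_claim_names", {}):
        return set(), True
    groups = claims.get("groups", [])
    return {group_to_role[g] for g in groups if g in group_to_role}, False


def realm_roles_from_userinfo(userinfo):
    """With 'Add to userinfo' on the realm roles mapper, Keycloak's userinfo
    response carries realm_access.roles."""
    return set(userinfo.get("realm_access", {}).get("roles", []))


def make_unsigned_jwt(claims):
    """Constructed token for the demo only (alg 'none', empty signature)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    print(json.dumps(claim_to_role_mappers("azure", GROUP_TO_ROLE), indent=2))
    token = make_unsigned_jwt({"sub": "u1", "groups": [
        "aaaaaaaa-1111-2222-3333-444444444444", "cccccccc-not-mapped"]})
    print(roles_from_azure_claims(decode_claims_unverified(token), GROUP_TO_ROLE))
    # Overage token: no groups claim, only a pointer to Microsoft Graph.
    print(roles_from_azure_claims(
        {"sub": "u2", "_claim_names": {"groups": "src1"},
         "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/..."}}},
        GROUP_TO_ROLE))
```

If the overage case can occur in your tenant, restrict the claim to the groups assigned to the application (the "Groups assigned to the application" option in Token configuration) so that the claim stays small, or treat an empty role set for an existing user as an error rather than as "no permissions".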
Final Test
If you return to the account console and go through the login process again, you will see that the user now has the roles corresponding to their Azure groups.
Conclusion
Ultimately, the process is not complicated, but some details are not intuitive and can be time-consuming to figure out.
Configure Azure Entra ID as IdP on Keycloak was published on and last updated on