[keycloak-user] Using Keycloak with Microsoft Azure Active Directory

Jonas Weismueller jw at blue-yonder.com
Thu Aug 31 11:09:03 EDT 2017


Hi,
I'll try to summarize what we did:
1. Download
   https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
   and import it as a client in your realm.
2. Edit the client
   a. Settings: disable "Client Signature Required" and set Signature
      Algorithm to "RSA_SHA1"
   b. Mapper: Name: IDPEmail, Mapper Type: User Property, Property:
      email, SAML Attribute Name: IDPEmail
3. Currently we use the local user database
   a. Add the user
   b. Attributes: add/change the key
      "saml.persistent.name.id.for.urn:federation:MicrosoftOnline" to "$foo",
      where $foo must be the value of the ImmutableId attribute of the user
      synchronized to Azure AD.

On the Azure side we followed the instructions on this page:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp

With PowerShell we changed the authentication domain to be federated:

# Signing certificate: the X509Certificate element (base64, no PEM header/footer) from
# https://keycloak-host.tld/auth/realms/Azure/protocol/saml/descriptor
$cer = "<X509Certificate value from the Keycloak SAML descriptor>"
# Keycloak's SAML endpoint serves as active logon, passive logon and logoff URI
$uri = "https://keycloak-host.tld/auth/realms/Azure/protocol/saml"
# The issuer must match the entityID Keycloak puts into its assertions
$issuer_uri = "https://keycloak-host.tld/auth/realms/Azure"
$dom = "<your-authentication-domain.tld>"
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated `
    -ActiveLogOnUri $uri -SigningCertificate $cer -PassiveLogOnUri $uri `
    -IssuerUri $issuer_uri -LogOffUri $uri -PreferredAuthenticationProtocol SAMLP

You can verify the settings via: Get-MsolDomainFederationSettings
-DomainName "<your-authentication-domain.tld>"

If you want to change the settings, you have to set the domain back to
managed first: Set-MsolDomainAuthentication -DomainName
"<your-authentication-domain.tld>" -Authentication Managed

The federation change of the domain might take up to 72 hours until
properly applied.

Hope this helps

Cheers Jonas
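The Azure-side steps from the mail above as one script, added here as an example and not Jonas's own code: it fetches the Keycloak SAML descriptor for the realm, pulls the signing certificate out of the metadata instead of pasting it by hand, prints the certificate's subject, expiry and thumbprint so you can see which key Azure AD will trust, federates the domain, and reads the settings back. The host keycloak-host.tld, the realm name Azure and the domain placeholder are taken from the mail; the parameter names, the -Revert switch and the fallback XPath are assumptions of this example. It assumes the MSOnline module is installed and Connect-MsolService has already been run with a sufficiently privileged account. The Keycloak side (client import, the IDPEmail mapper, the per-user ImmutableId attribute) is not covered by this script.

```powershell
# Added example, not from the original post. Assumes the MSOnline module is
# installed and Connect-MsolService has already been run.
# Host, realm and domain placeholder are taken from Jonas's mail.
param(
    [string]$KeycloakBase = "https://keycloak-host.tld/auth",
    [string]$Realm        = "Azure",
    [string]$Domain       = "<your-authentication-domain.tld>",
    [switch]$Revert       # set the domain back to Managed instead of federating it
)

$issuerUri     = "$KeycloakBase/realms/$Realm"
$samlUri       = "$issuerUri/protocol/saml"
$descriptorUri = "$samlUri/descriptor"

if ($Revert) {
    # A federated domain has to go back to Managed before its federation
    # settings can be changed again.
    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
    Get-MsolDomainFederationSettings -DomainName $Domain
    return
}

# Fetch the IdP metadata Keycloak publishes for the realm and parse it as XML.
$resp = Invoke-WebRequest -Uri $descriptorUri -UseBasicParsing
[xml]$metadata = $resp.Content

# The signing certificate sits under IDPSSODescriptor/KeyDescriptor/KeyInfo/X509Data.
# Select by namespace URI, since the prefix Keycloak uses (ds/dsig) varies by version.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
$certNode = $metadata.SelectSingleNode(
    "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
if (-not $certNode) {
    # Fallback (assumption): accept a KeyDescriptor without a use attribute.
    $certNode = $metadata.SelectSingleNode(
        "//md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
}
if (-not $certNode) { throw "No X509Certificate found in $descriptorUri" }

# Set-MsolDomainAuthentication expects the raw base64 DER, no PEM armour, no whitespace.
$cer = ($certNode.InnerText -replace '\s', '')

# Parse the blob before handing it to Azure AD, so a broken descriptor fails here,
# and show which key the tenant is about to trust for the whole domain.
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    [Convert]::FromBase64String($cer))
Write-Host "Federating $Domain with IdP $issuerUri"
Write-Host ("Signing cert subject={0} notAfter={1:u} thumbprint={2}" -f `
    $x509.Subject, $x509.NotAfter, $x509.Thumbprint)

# Keycloak's SAML endpoint serves as active logon, passive logon and logoff URI;
# the issuer must match the entityID Keycloak puts into its assertions.
Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
    -ActiveLogOnUri $samlUri -PassiveLogOnUri $samlUri -LogOffUri $samlUri `
    -IssuerUri $issuerUri -SigningCertificate $cer `
    -PreferredAuthenticationProtocol SAMLP

# Read the settings back; IssuerUri and SigningCertificate should match the descriptor.
Get-MsolDomainFederationSettings -DomainName $Domain
```

Run it once to federate and with -Revert to return the domain to Managed before changing anything. Printing the certificate's NotAfter is the useful part operationally: when the Keycloak realm key is rotated, the federation has to be re-run with the new certificate, or every user of the domain is locked out once Azure AD can no longer validate the assertion signature.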


On 31.08.17 14:15, songokudbz wrote:
> Hi,
>
> Can you please help other poor people like me and tell us how did you
> configure the mapper?
>
> Thanks
>
>
>
> --
> Sent from: http://keycloak-user.88327.x6.nabble.com/
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


