Identity Provider Open ID Connect ​

Overview ​

Connecting your Keycloak with an external Identity Providers allows users to log in to applications using their existing accounts, such as Azure AD, Microsoft Entra ID, another Keycloak,... This provides a convenient and streamlined login experience for users while also enabling applications to leverage the user's existing identity from an existing identity provider.

Use cases ​

Corporate IAM ​

For internal applications, integrating with identity providers such as Azure AD and Microsoft Entra ID centralizes user management and simplifies access control. This is particularly useful in corporate environments where employees use various enterprise applications.

IdP broker ​

As an Identity Provider broker, Keycloak can facilitate authentication across multiple IdPs, enabling flexible and scalable identity federation. This is ideal for organizations needing to support multiple authentication sources for their users.

Pros & cons ​

Pros ​

• Seamless user experience: Easily connect with widely-used IdPs like Azure AD and Microsoft Entra ID, providing a familiar login experience for users.
• Enhanced security: Leverage the advanced security features of established IdPs, including multi-factor authentication and conditional access policies.
• Scalability: Support for multiple IdPs allows for scalable identity federation across diverse user bases.

Cons ​

• Complex configuration: Initial setup and configuration with external IdPs can be complex and may require detailed knowledge of both Keycloak and the external IdP.
• Dependency on external services: Relying on external IdPs introduces a dependency that may affect availability and performance if the external service experiences issues.

Supported by Keycloak ​

Yes, natively supported on Managed Keycloak by Cloud-IAM

Configuration ​

How to connect Azure AD / Microsoft Entra ID to Keycloak ​

The following tutorial provides a quick example of configuring the "Azure AD / Microsoft Entra ID Authentication" method to help you navigate Keycloak and test it with Microsoft Azure (https://portal.azure.com/).

This tutorial does not cover all the necessary security best practices for a complete configuration.

Keycloak Console - Create new Identity Provider (OIDC) ​

1. Open your Keycloak
2. Select your realm from the dropdown list (here: tutorial-demo)
3. Click on Identity provider (1.)
4. Then click on OpenId Connect v1.0 (2.)

Keycloak Console - Configure new Identity Provider (OIDC) ​

1. Register your alias (here: azuread-entraid)
2. Register your Display Name (here: Azure AD & Entra ID)
3. Disable Use discovery Endpoint
4. Copy the Redirect URI (here: https://your-keycloak/auth/realms/tutorial-demo/broker/azuread-entraid/endpoint)

Azure Portal - Access to Microsoft Entra ID / Azure AD ​

1. On another window browser, Go to Microsoft - Azure Portal
2. Connect yourself with your Microsoft account credentials
3. Click on Menu
4. Click on Microsoft Entra ID, (Your url should be: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview)
5. Then click on App registrations

Azure Portal - Configure Microsoft Entra ID / Azure AD ​

1. Select New registration
2. Register the name (here: Keycloak Tutorial)
3. Make sure that only Accounts in this organizational directory only is selected
4. From Select a platform list, select "Web"
5. Paste the previous Redirect URI (here: https://your-keycloak/auth/realms/tutorial-demo/broker/azuread-entraid/endpoint)
6. Then click on Register

You have now register your Keycloak app on Microsoft Entra ID / Azure AD.

Azure Portal & Keycloak Console - Configure Authorization URL and Token URL ​

1. Click on Endpoints
2. Copy / paste URL from Azure portal OAuth 2.0 authorization endpoint (v2) to Keycloak Authorization URL (1.)
3. Copy / paste URL from Azure portal OAuth 2.0 token endpoint (v2) to Keycloak Token URL (2.)
4. Make sure Client secret sent a post is selected on Client authentication list (3.)

Azure Portal & Keycloak Console - Configure Client ID ​

1. Close the Endpoints window
2. Copy / paste from the overview of Azure portal Application (client) ID to Keycloak Client ID

Azure Portal & Keycloak Console - Configure Client Secret ​

1. On Azure portal, click on Manage list (1.)
2. Click on Certificate & secrets (2.)
3. Select New client scret (3.)
4. Register a description (here: keycloak secret) (4.) and keep the recommendation of client secret expiration (180 days)
5. Click on Add(5.)
6. Copy / paste from the certificates & secrets of Azure portal Value to Keycloak Client Secret (here: 987654321-abcd)
7. Then on Keycloak Console click on Add

Keycloak Console - Define scope to be extracted from Microsoft Entra ID / Azure AD ​

1. Select Advance to deploy the list (1.)
2. Register on Scopes section, "openid profile email" (2.)
3. Then click on Save (3.)

Keycloak login screen - Microsoft Entra ID / Azure AD ​

You have now connected your Microsoft Entra ID / Azure AD to your keycloak via OIDC. Users registered on your Microsoft Entra ID / Azure AD can now connect themselves with their Microsoft credentials through your Keycloak.

How to connect Keycloak to Keycloak ​

The following tutorial provides a quick example of configuring the "Keycloak to Keycloak Authentication" method to help you navigate Keycloak. Please notice that this tutorial does not cover all the necessary security best practices for a complete configuration.

For this tutorial, we will assume that you already have 2 Keycloaks (here: Keycloak A and Keycloak B), and you want to use your keycloak B as Identity Provider, which you want to connect to keycloak A.

Keycloak Console (A) - Create new Identity Provider (OIDC) ​

1. Open your Keycloak A
2. Select your realm from the dropdown list (here: tutorial-demo)
3. Click on Identity Provider (1.)
4. Then click on Keycloak OpenID Connect (2.)

Keycloak Console (B) - Create a new client ​

1. On another window browser, Open your Keycloak B
2. Select your realm from the dropdown list (here: test-tutorial)
3. Click on Clients (1.)
4. Then click on Create client (2.)

Keycloak Console (B) - Configure your new client ​

1. Register the Client ID (here: keycloak-b-idp )
2. Click on Next
3. Enable Client Authentication (1.)
4. Disable Direct access grants (2.)
5. Click on Next

Keycloak Console (B) - Configure login settings ​

1. Copy / paste from Keycloak A Redirect URI to Keycloak B Valid redirect URIs
2. Register "+" on Valid post logout redirect URIs
3. Register "+" on Web origins
4. Then click on Save

You have now created a new client on your Keycloak B.

Keycloak Console (A) - Configure your Identity Provider ​

1. Go back on your Keycloak A
2. Rename Alias (here: keycloak-to-keycloak)
3. Copy / paste from Keycloak B Client ID to Keycloak A Client ID (here: Keycloak-b-idp)
4. On Keycloak B, click on Credential
5. Copy / paste from Keycloak B Client Secret to Keycloak A Client Secret

Keycloak Console (B)- Configure Endpoint ​

1. Go back on your Keycloak B
2. Click on Realm Settings (1.)
3. Copy / paste the link from Keycloak BOpenID Endpoint Configuration to Keycloak A Discovery endpoint (2.)
4. Then click on Add from your Keycloak A. (3.)

You have now created and configured a new Identity Provider Keycloak A.

Keycloak login screen - Keycloak to Keycloak ​

You can now connect yourself from Keycloak A to Keycloak B via OIDC. Users registered on your Keycloak B can now connect themselves with their Keycloak B credentials through your Keycloak A.

Resources ​

• Quickstart
• Red Hat Guide
• Customize Login Pages and Themes