
Identity Provider OpenID Connect

Overview

Connecting your Keycloak to an external identity provider lets users log in to your applications with accounts they already have, for example in Microsoft Entra ID (formerly Azure AD) or in another Keycloak. Users get a familiar login, and applications reuse an identity that is already managed by that identity provider instead of maintaining a separate account.

Keycloak - Identity Provider (OIDC)

Use cases

Corporate IAM

For internal applications, integrating with an identity provider such as Microsoft Entra ID (formerly Azure AD) centralizes user management and simplifies access control. This is particularly useful in corporate environments where employees use many enterprise applications.

IdP broker

As an Identity Provider broker, Keycloak can facilitate authentication across multiple IdPs, enabling flexible and scalable identity federation. This is ideal for organizations needing to support multiple authentication sources for their users.

Pros & cons

Pros

  • Seamless user experience: Easily connect with widely used IdPs such as Microsoft Entra ID (formerly Azure AD), giving users a login screen they already know.
  • Enhanced security: Leverage the advanced security features of established IdPs, including multi-factor authentication and conditional access policies.
  • Scalability: Support for multiple IdPs allows for scalable identity federation across diverse user bases.

Cons

  • Complex configuration: Initial setup and configuration with external IdPs can be complex and may require detailed knowledge of both Keycloak and the external IdP.
  • Dependency on external services: Relying on external IdPs introduces a dependency that may affect availability and performance if the external service experiences issues.

Supported by Keycloak

Yes, natively supported on Managed Keycloak by Cloud-IAM

Configuration

How to connect Azure AD / Microsoft Entra ID to Keycloak

The following tutorial is a quick example of configuring the "Azure AD / Microsoft Entra ID Authentication" method, to help you navigate Keycloak and test it against Microsoft Azure (https://portal.azure.com/).

This tutorial does not cover all the security best practices a complete configuration needs. In particular, it leaves the Keycloak side at its defaults for Validate signatures (off) and Issuer (empty). Before production use, set Issuer to https://login.microsoftonline.com/<tenant-id>/v2.0, enable Validate signatures with the JWKS URL https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys, and keep the Azure app registration restricted to your own tenant, so that Keycloak only accepts ID tokens that were actually signed by Microsoft for your tenant.

Keycloak Console - Create new Identity Provider (OIDC)

  1. Open your Keycloak
  2. Select your realm from the dropdown list (here: tutorial-demo)
  3. Click on Identity provider (1.)
  4. Then click on OpenID Connect v1.0 (2.)
[Keycloak Console] - Create new Identity Provider (OIDC)

Keycloak Console - Configure new Identity Provider (OIDC)

  1. Register your alias (here: azuread-entraid); it becomes part of the Redirect URI, so choose it before copying that URI
  2. Register your Display Name (here: Azure AD & Entra ID)
  3. Disable Use discovery endpoint (this tutorial enters the endpoints by hand; Entra ID also publishes them at https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration if you prefer discovery)
  4. Copy the Redirect URI (here: https://your-keycloak/auth/realms/tutorial-demo/broker/azuread-entraid/endpoint)
[Keycloak Console] - Configure new Identity Provider (OIDC)

Azure Portal - Access to Microsoft Entra ID / Azure AD

  1. In another browser window, go to the Microsoft Azure Portal
  2. Sign in with your Microsoft account credentials
  3. Click on Menu
  4. Click on Microsoft Entra ID (your URL should be: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview)
  5. Then click on App registrations
[Azure Portal] - Microsoft Entra ID Overview

Azure Portal - Configure Microsoft Entra ID / Azure AD

  1. Select New registration
  2. Register the name (here: Keycloak Tutorial)
  3. Make sure that Accounts in this organizational directory only (single tenant) is selected; a multi-tenant registration would let accounts from other tenants sign in through this IdP
  4. From the Select a platform list, select "Web"
  5. Paste the Redirect URI copied from Keycloak (here: https://your-keycloak/auth/realms/tutorial-demo/broker/azuread-entraid/endpoint), exactly as shown, since Entra ID matches redirect URIs literally
  6. Then click on Register

You have now registered your Keycloak app on Microsoft Entra ID / Azure AD.

[Azure Portal] - Configure Microsoft Entra ID / Azure AD

Azure Portal & Keycloak Console - Configure Authorization URL and Token URL

  1. Click on Endpoints
  2. Copy / paste the URL from the Azure portal OAuth 2.0 authorization endpoint (v2) to Keycloak Authorization URL (1.)
  3. Copy / paste the URL from the Azure portal OAuth 2.0 token endpoint (v2) to Keycloak Token URL (2.)
  4. Make sure Client secret sent as post is selected in the Client authentication list (3.)
[Azure Portal] - Configure Microsoft Entra ID / Azure AD

Azure Portal & Keycloak Console - Configure Client ID

  1. Close the Endpoints window
  2. Copy / paste from the overview of Azure portal Application (client) ID to Keycloak Client ID
[Azure Portal] - Configure Client ID

Azure Portal & Keycloak Console - Configure Client Secret

  1. On the Azure portal, click on the Manage list (1.)
  2. Click on Certificates & secrets (2.)
  3. Select New client secret (3.)
  4. Register a description (here: keycloak secret) (4.) and keep the recommended client secret expiration (180 days); note the expiry date, because logins through this IdP stop when the secret expires until a new one is created here and pasted into Keycloak
  5. Click on Add (5.)
  6. Copy / paste the Value column (not the Secret ID) from Certificates & secrets to Keycloak Client Secret (here: 987654321-abcd); the Value is only displayed right after creation
  7. Then, in the Keycloak Console, click on Add
[Azure Portal] - Certificates & secrets
[Azure Portal / Keycloak Console] - Configure client secret

Keycloak Console - Define scope to be extracted from Microsoft Entra ID / Azure AD

  1. Select Advanced to expand the list (1.)
  2. Register "openid profile email" in the Scopes section (2.); openid is required, or Entra ID returns no ID token
  3. Then click on Save (3.)
[Keycloak Console] - Define scope to be extracted from Microsoft Entra ID / Azure AD

Keycloak login screen - Microsoft Entra ID / Azure AD

You have now connected your Microsoft Entra ID / Azure AD to your Keycloak via OIDC. Users registered in your Microsoft Entra ID / Azure AD tenant can now sign in with their Microsoft credentials through your Keycloak.
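The same identity provider can be created without the console by posting an identity-provider representation to the Keycloak admin REST API (for example with kcadm.sh create identity-provider/instances -r tutorial-demo -f idp.json). The script below is an added example, not code from Cloud-IAM or from the Keycloak project: it derives the Entra ID v2.0 endpoints from the tenant ID instead of copying them from the Endpoints blade, builds that representation with the settings used in the steps above (plus Issuer and Validate signatures, which the tutorial leaves at their defaults), and lints it for the mistakes that matter here: multi-tenant /common/ endpoints, v1 endpoints, a wrong client authentication method, a missing openid scope, signature validation left off, and a non-https redirect URI. The tenant ID, client ID, secret and hostnames are constructed placeholders; the configuration keys are the ones the OIDC identity provider's admin representation uses, which you should confirm against your Keycloak version.

```python
import json
from urllib.parse import urlparse

ENTRA_HOST = "login.microsoftonline.com"
# Tenant placeholders that make the endpoints multi-tenant; the Endpoints
# blade of a single-tenant registration shows the tenant GUID instead.
MULTI_TENANT_SEGMENTS = {"common", "organizations", "consumers"}


def entra_v2_endpoints(tenant_id):
    """Entra ID v2.0 endpoints for one tenant, as listed on the Endpoints blade."""
    base = f"https://{ENTRA_HOST}/{tenant_id}"
    return {
        "issuer": f"{base}/v2.0",
        "authorizationUrl": f"{base}/oauth2/v2.0/authorize",
        "tokenUrl": f"{base}/oauth2/v2.0/token",
        "jwksUrl": f"{base}/discovery/v2.0/keys",
    }


def broker_redirect_uri(keycloak_base, realm, alias):
    """Redirect URI shown on the Keycloak IdP form; the app registration must allow exactly this."""
    return f"{keycloak_base.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def build_entra_idp(alias, display_name, tenant_id, client_id, client_secret):
    """Identity-provider representation matching the console steps, plus issuer
    pinning and signature validation (assumed admin-API keys, see lead-in)."""
    ep = entra_v2_endpoints(tenant_id)
    return {
        "alias": alias,
        "displayName": display_name,
        "providerId": "oidc",
        "enabled": True,
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",  # "Client secret sent as post"
            "authorizationUrl": ep["authorizationUrl"],
            "tokenUrl": ep["tokenUrl"],
            "defaultScope": "openid profile email",
            "issuer": ep["issuer"],
            "validateSignature": "true",
            "useJwksUrl": "true",
            "jwksUrl": ep["jwksUrl"],
        },
    }


def lint_entra_idp(rep, redirect_uri):
    """Return findings as strings; an empty list means nothing was flagged."""
    cfg = rep.get("config", {})
    findings = []
    for key in ("authorizationUrl", "tokenUrl"):
        url = cfg.get(key, "")
        p = urlparse(url)
        if p.scheme != "https" or p.netloc != ENTRA_HOST:
            findings.append(f"{key} must be an https URL on {ENTRA_HOST}, got {url!r}")
            continue
        tenant = p.path.strip("/").split("/")[0]
        if tenant in MULTI_TENANT_SEGMENTS:
            findings.append(f"{key} uses '/{tenant}/': multi-tenant endpoint, the issuer is not fixed")
        if "/v2.0/" not in p.path:
            findings.append(f"{key} is not a v2.0 endpoint; the tutorial copies the '(v2)' URLs")
    if cfg.get("clientAuthMethod") != "client_secret_post":
        findings.append("clientAuthMethod must be client_secret_post ('Client secret sent as post')")
    if "openid" not in cfg.get("defaultScope", "").split():
        findings.append("defaultScope lacks 'openid': no ID token is returned")
    if cfg.get("validateSignature") != "true":
        findings.append("validateSignature is off: ID token signatures are not checked")
    if not cfg.get("issuer"):
        findings.append("issuer is empty: the iss claim of the ID token is not checked")
    if urlparse(redirect_uri).scheme != "https":
        findings.append(f"redirect URI must use https, got {redirect_uri!r}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; replace them with the values copied from the portal.
    tenant = "11111111-2222-3333-4444-555555555555"
    rep = build_entra_idp("azuread-entraid", "Azure AD & Entra ID", tenant,
                          "00000000-0000-0000-0000-000000000000", "<client secret Value>")
    uri = broker_redirect_uri("https://your-keycloak/auth", "tutorial-demo", "azuread-entraid")
    print("Redirect URI for the app registration:", uri)
    print(json.dumps(rep, indent=2))
    for finding in lint_entra_idp(rep, uri):
        print("FINDING:", finding)
```

Run it with your own tenant ID and compare the printed authorization and token URLs with the ones on the Endpoints blade: they should be identical. The lint is worth keeping in a deployment pipeline, because the two mistakes it catches most often (pasting the /common/ endpoints, or the v1 endpoints listed just below the v2 ones) both produce a working login screen and only fail in ways that are hard to spot later.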

Keycloak login screen - Microsoft Entra ID / Azure AD

How to connect Keycloak to Keycloak

The following tutorial is a quick example of configuring the "Keycloak to Keycloak Authentication" method, to help you navigate Keycloak. Please note that this tutorial does not cover all the security best practices a complete configuration needs.

For this tutorial, we assume that you already have two Keycloaks (here: Keycloak A and Keycloak B) and that you want to use Keycloak B as the identity provider that Keycloak A connects to.

Keycloak Console (A) - Create new Identity Provider (OIDC)

  1. Open your Keycloak A
  2. Select your realm from the dropdown list (here: tutorial-demo)
  3. Click on Identity Provider (1.)
  4. Then click on Keycloak OpenID Connect (2.)
[Keycloak Console] - Add Identity Provider (OIDC)

Keycloak Console (B) - Create a new client

  1. In another browser window, open your Keycloak B
  2. Select your realm from the dropdown list (here: test-tutorial)
  3. Click on Clients (1.)
  4. Then click on Create client (2.)
[Keycloak Console] - Create a new client

Keycloak Console (B) - Configure your new client

  1. Register the Client ID (here: keycloak-b-idp); client IDs are case sensitive, so use the same spelling on Keycloak A
  2. Click on Next
  3. Enable Client Authentication (1.)
  4. Disable Direct access grants (2.)
  5. Click on Next
[Keycloak Console] - Configure your new client

Keycloak Console (B) - Configure login settings

  1. Copy / paste the Redirect URI from Keycloak A to Keycloak B Valid redirect URIs; paste it exactly, without a trailing "*", so that authorization codes can only be sent to Keycloak A's broker endpoint
  2. Register "+" on Valid post logout redirect URIs ("+" reuses the valid redirect URIs)
  3. Register "+" on Web origins ("+" allows CORS from the origins of the valid redirect URIs)
  4. Then click on Save

You have now created a new client on your Keycloak B.

[Keycloak Console] - Configure login settings

Keycloak Console (A) - Configure your Identity Provider

  1. Go back to your Keycloak A
  2. Rename the Alias (here: keycloak-to-keycloak)
  3. Copy / paste the Client ID from Keycloak B to Keycloak A Client ID (here: keycloak-b-idp)
  4. On Keycloak B, click on the Credentials tab of the client
  5. Copy / paste the Client Secret from Keycloak B to Keycloak A Client Secret
[Keycloak console] - Configure your Identity Provider

Keycloak Console (B) - Configure Endpoint

  1. Go back to your Keycloak B
  2. Click on Realm settings (1.)
  3. Copy the link behind OpenID Endpoint Configuration from Keycloak B (it points to https://<keycloak-b>/auth/realms/<realm>/.well-known/openid-configuration) and paste it into Keycloak A Discovery endpoint (2.); Keycloak A fetches this document over HTTPS and fills in the authorization, token and JWKS URLs from it
  4. Then click on Add on your Keycloak A (3.)

You have now created and configured a new Identity Provider on Keycloak A.

[Keycloak console] - Configure endpoint

Keycloak login screen - Keycloak to Keycloak

You can now sign in to Keycloak A through Keycloak B via OIDC. Users registered on your Keycloak B can now sign in with their Keycloak B credentials through your Keycloak A.
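The Keycloak-to-Keycloak setup above has two halves that must agree: the discovery document Keycloak A reads from Keycloak B, and the client created on Keycloak B. The script below is an added example (not code from Cloud-IAM or the Keycloak project) that performs that cross-check offline: it reads a constructed copy of Keycloak B's OpenID Endpoint Configuration, builds the identity-provider settings Keycloak A ends up with, and verifies them against a constructed representation of the keycloak-b-idp client, flagging endpoints outside the issuer, a client ID that differs (case included), Client authentication left off, Direct access grants left on, a redirect URI that is not in Valid redirect URIs, and wildcard redirect URIs. Hostnames, the secret, the redirect-URI matching rule (simplified to exact match or a trailing "*" prefix) and the representation keys are assumptions to confirm against your Keycloak version.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the document Keycloak B serves at
# <keycloak-b>/auth/realms/test-tutorial/.well-known/openid-configuration
# (the link behind "OpenID Endpoint Configuration" in Realm settings), trimmed.
KEYCLOAK_B_DISCOVERY = json.loads("""
{
  "issuer": "https://keycloak-b.example/auth/realms/test-tutorial",
  "authorization_endpoint": "https://keycloak-b.example/auth/realms/test-tutorial/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak-b.example/auth/realms/test-tutorial/protocol/openid-connect/token",
  "userinfo_endpoint": "https://keycloak-b.example/auth/realms/test-tutorial/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://keycloak-b.example/auth/realms/test-tutorial/protocol/openid-connect/logout",
  "jwks_uri": "https://keycloak-b.example/auth/realms/test-tutorial/protocol/openid-connect/certs"
}
""")

# Constructed representation of the client created on Keycloak B in the steps above.
KEYCLOAK_B_CLIENT = {
    "clientId": "keycloak-b-idp",
    "publicClient": False,              # Client authentication: on
    "directAccessGrantsEnabled": False,
    "standardFlowEnabled": True,
    "redirectUris": ["https://keycloak-a.example/auth/realms/tutorial-demo/broker/keycloak-to-keycloak/endpoint"],
    "webOrigins": ["+"],                # "+" = origins of the valid redirect URIs
    "attributes": {"post.logout.redirect.uris": "+"},
}

# The Redirect URI shown on Keycloak A's identity provider form (constructed host).
KEYCLOAK_A_REDIRECT = "https://keycloak-a.example/auth/realms/tutorial-demo/broker/keycloak-to-keycloak/endpoint"


def build_keycloak_idp(alias, discovery, client_id, client_secret):
    """What Keycloak A stores once it has read Keycloak B's discovery document."""
    return {
        "alias": alias,
        "providerId": "keycloak-oidc",
        "enabled": True,
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "issuer": discovery["issuer"],
            "authorizationUrl": discovery["authorization_endpoint"],
            "tokenUrl": discovery["token_endpoint"],
            "userInfoUrl": discovery.get("userinfo_endpoint", ""),
            "logoutUrl": discovery.get("end_session_endpoint", ""),
            "jwksUrl": discovery["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",
            "defaultScope": "openid",
        },
    }


def redirect_allowed(valid_uris, uri):
    """Simplified Keycloak matching: exact entry, or prefix match for an entry ending in '*'."""
    return any(uri == v or (v.endswith("*") and uri.startswith(v[:-1])) for v in valid_uris)


def check_pairing(idp, client, keycloak_a_redirect):
    """Cross-check Keycloak A's IdP against the client on Keycloak B; returns findings."""
    cfg = idp["config"]
    issuer = cfg["issuer"]
    findings = []
    if urlparse(issuer).scheme != "https":
        findings.append(f"issuer is not https: {issuer}")
    for key in ("authorizationUrl", "tokenUrl", "jwksUrl"):
        if not cfg[key].startswith(issuer + "/"):
            findings.append(f"{key} is not under the issuer {issuer}: discovery document mixed up or tampered")
    if cfg["clientId"] != client["clientId"]:
        findings.append(f"client ID mismatch: A has {cfg['clientId']!r}, B has {client['clientId']!r}")
    if client.get("publicClient", True):
        findings.append("Client authentication is off on Keycloak B: the client secret is never checked")
    if client.get("directAccessGrantsEnabled"):
        findings.append("Direct access grants are on: Keycloak B accepts passwords directly at its token endpoint")
    if not redirect_allowed(client["redirectUris"], keycloak_a_redirect):
        findings.append(f"Keycloak A redirect URI is not in Valid redirect URIs: {keycloak_a_redirect}")
    for v in client["redirectUris"]:
        if v.endswith("*"):
            findings.append(f"wildcard redirect URI {v!r}: authorization codes can be sent to any URI under it")
    return findings


if __name__ == "__main__":
    idp = build_keycloak_idp("keycloak-to-keycloak", KEYCLOAK_B_DISCOVERY,
                             "keycloak-b-idp", "<secret from the Credentials tab>")
    print(json.dumps(idp, indent=2))
    for finding in check_pairing(idp, KEYCLOAK_B_CLIENT, KEYCLOAK_A_REDIRECT):
        print("FINDING:", finding)
```

To run it against live instances, replace the two constants with the output of a GET on Keycloak B's discovery URL and of kcadm.sh get clients -r test-tutorial on Keycloak B. The issuer check matters most: Keycloak A trusts whatever the discovery document says, so the URL pasted into Discovery endpoint must be HTTPS and must belong to the realm you expect, or every endpoint Keycloak A uses is chosen by someone else.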

[Keycloak console] - Keycloak to Keycloak

Resources