IAMWorkz

Connect Microsoft Entra ID with Keycloak

, ,
hands, puzzle pieces, connect, connection, cooperation, holding, isolated, jigsaw, join, partnership, people, pieces, puzzle, teamwork, two, unity, monochrome, idea, concept, black and white, hands, hands, connect, connect, connection, connection, connection, cooperation, cooperation, partnership, partnership, partnership, people, people, people, people, puzzle, puzzle, puzzle, puzzle, puzzle, teamwork, teamwork, teamwork, teamwork, two, idea, idea, idea

Integrating Microsoft Entra ID (formely known as Azure Active directory) with Keycloak as an Identity Provider (IdP) enables organizations to leverage Microsoft Entra ID for authentication while using Keycloak for application and access management. This setup is beneficial when you want to:

  • Centralize authentication across multiple applications.
  • Extend Microsoft Entra ID authentication to Keycloak-managed applications.
  • Enhance security by leveraging Microsoft Entra ID’s advanced identity features.
  • Implement role-based access control (RBAC) using Keycloak.

By setting up Microsoft Entra ID as an IdP in Keycloak, users can log in with their Microsoft credentials, and their roles and group memberships can be mapped within Keycloak for authorization.

How to Integrate Microsoft Entra ID with Keycloak

Step 1: Register an Application in Microsoft Entra ID

  1. Go to Azure Portal: Navigate to Microsoft Entra ID.
  2. Register a new application:
    • Go to App RegistrationsNew Registration.
    • Provide a name, e.g., “Keycloak-Integration”.
    • Set Supported account types to “Accounts in this organizational directory only”.
    • Set the Redirect URI to: https://<your-keycloak-url>/auth/realms/<your-realm>/broker/entra/endpoint.
    • Click Register.
  3. Configure client credentials:
    • In the application settings, go to Certificates & secretsNew client secret.
    • Copy and save the secret for later use.
  4. Grant permissions:
    • Under API Permissions, add Microsoft Graph permissions:
      • openid
      • email
      • profile
      • User.Read
    • Click Grant admin consent.

Step 2: Configure Keycloak to Use Microsoft Entra ID as an Identity Provider

  1. Log in to Keycloak Admin Console.
  2. Select the realm where you want to integrate Microsoft Entra ID.
  3. Navigate to Identity Providers:
    • Click Add provider → Select OpenID Connect v1.0.
  4. Configure Microsoft Entra ID settings:
    • Alias: entra
    • Display Name: “Microsoft Entra ID”
    • Authorization URL: https://login.microsoftonline.com/<tenant-id>/oauth2/authorize
    • Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/token
    • Client ID: Enter the Application ID from Microsoft Entra ID.
    • Client Secret: Enter the client secret generated earlier.
    • Default Scopes: openid email profile
    • Save the configuration.
  5. Test the integration:
    • Go to the Keycloak login page and choose “Login with Microsoft Entra ID”.
    • Enter Microsoft Entra ID credentials to verify authentication.

Keycloak Mappers

Keycloak mappers are used to transform and map identity information between external identity providers (IdPs) and Keycloak’s internal user model. When integrating Microsoft Entra ID (or any other IdP) with Keycloak, mappers help extract attributes such as roles, groups, and user profile information from authentication tokens and map them to Keycloak attributes.

Mapping Microsoft Entra ID Groups to Keycloak Roles

By default, Microsoft Entra ID does not send group claims in ID tokens. To enable this:

  1. Modify Microsoft Entra ID App Manifest:
    • Go to App Registrations → Select your app.
    • Click on Manifest.
    • Find the attribute "groupMembershipClaims" and set it to "All".
    • Save the changes.
  2. Configure Keycloak Mappers:
    • In Keycloak, go to Identity ProvidersMicrosoft Entra IDMappers.
    • Click Create and set the following:
      • Name: “Microsoft Entra ID Groups to Keycloak Roles”.
      • Mapper Type: “User Attribute to Role”.
      • User Attribute: groups.
      • Role: Map Microsoft Entra ID groups to specific Keycloak roles.
    • Save the configuration.
  3. Verify Group Mapping:
    • Login with a Microsoft Entra ID user and check their roles under UsersUser Details in Keycloak.

Conclusion

In this setup Microsoft Entra ID manages authentication reducing complexity. By utilising Microsoft Entra ID for authentication you can use its security features such as Multi-Factor Authentication (MFA).

Using Keycloak you can utilize Keycloak’s role mapping feature for fine-grained authorization. This solution is ideal for enterprises managing many users and applications.

By integrating Microsoft Entra ID with Keycloak, organizations can leverage the best of both—Microsoft Entra ID for authentication and Keycloak for application-specific access control, ensuring a secure, scalable, and flexible identity management solution.