Reputation: 830
I am trying to use Keycloak for SAML brokering between my web application and the IdP, Azure AD.
I have created a few users in Azure AD and added my webapp as an Application there. I have configured Keycloak with a SAML IdP and imported the Azure AD federation data into Keycloak.
But somewhere something is wrong, and I did not find any link on the web that gives a step-by-step process for integrating Keycloak with Azure AD.
I am getting the Microsoft login page, and after entering the password the authentication passes, but then I get the following error before it redirects back to Keycloak:
Sorry, but we’re having trouble signing you in.
AADSTS700016: Application with identifier 'http://localhost:8280/auth/realms/localRealm' was not found in the directory '<>'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
I used the below 2 links to do the configuration:
https://ultimatesecurity.pro/post/okta-saml/ (describes how to configure Keycloak with Okta for SAML)
https://docs.pivotal.io/p-identity/1-5/azure/config-azure.html (describes how to configure Azure AD as a SAML IdP)
Edit: It looks like Keycloak is sending the wrong application identifier in the SAML request (maybe), as this localhost:8280... is the Keycloak realm URL and not the Azure Application Identifier, which is some string key in Azure -> Applications.
Upvotes: 4
Views: 22773
Reputation: 1294
If your Keycloak logs are similar to mine, they contain something like: Assertion _5c69599c-cf6a-4965-934c-6221a6b8a800 is not addressed to this SP
The solution in my scenario, when trying to connect to Microsoft Azure AD SAML, was to:
1. On https://portal.azure.com/, set the Application ID URI to https://<host>.co/auth/realms/<realm>
2. On the Keycloak instance, in the IdP configuration, set the Service Provider Entity ID in the Keycloak settings also to https://<host>.co/auth/realms/<realm>
Upvotes: 0
Reputation: 61
I believe there might be 2 things you are missing:
The App ID URI field in the Azure AD app registration properties must be replaced with the Redirect URI of the Keycloak identity provider, but without the "/broker/...../endpoint" part at the end. For example, if your identity provider was named myprovider for a realm named myrealm, your Redirect URI probably looks like this: https://mykeycloakserver/auth/realms/myrealm/broker/myprovider/endpoint, so the value you need to use in Azure AD for the App ID URI would look like: https://mykeycloakserver/auth/realms/myrealm
PS - the App ID URI property of the app is not (currently, as of 2019/04) available in the App Registrations (preview) panel - you need to go to App Registrations > {app name} > Settings > Properties
Hope that helps
Upvotes: 6
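As an added diagnostic example (not code from the question or either answer), the script below parses a constructed Keycloak SAML AuthnRequest, derives the realm URL from the broker endpoint the way the answer above describes, and checks whether it matches the Issuer Keycloak sends and the App ID URI registered in Azure AD. The host, realm and provider names are the hypothetical ones from the answer; the tenant id is a placeholder.

```python
"""Check for the AADSTS700016 mismatch discussed above.

Azure AD matches the <saml:Issuer> of the incoming AuthnRequest against the
App ID URI of the registered application. Keycloak sends its realm URL as the
Issuer (SP Entity ID), so the App ID URI must equal that realm URL, which is
the broker Redirect URI with "/broker/<provider>/endpoint" stripped.
"""
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample of what a Keycloak realm sends when brokering to Azure AD.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="ID_constructed_example" Version="2.0" IssueInstant="2019-04-01T00:00:00Z"
    Destination="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"
    AssertionConsumerServiceURL="https://mykeycloakserver/auth/realms/myrealm/broker/myprovider/endpoint">
  <saml:Issuer>https://mykeycloakserver/auth/realms/myrealm</saml:Issuer>
</samlp:AuthnRequest>"""

# Keycloak broker endpoint: <realm URL>/broker/<provider alias>/endpoint
BROKER_ENDPOINT = re.compile(
    r"^(?P<realm>https?://[^/]+/auth/realms/[^/]+)/broker/[^/]+/endpoint$")


def parse_authn_request(xml_text):
    """Return (issuer, acs_url) from a SAML 2.0 AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    if issuer_el is None or not (issuer_el.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer")
    return issuer_el.text.strip(), root.get("AssertionConsumerServiceURL")


def expected_app_id_uri(acs_url):
    """Derive the App ID URI Azure AD needs from the Keycloak broker ACS URL."""
    m = BROKER_ENDPOINT.match(acs_url or "")
    if not m:
        raise ValueError(f"not a Keycloak broker endpoint: {acs_url!r}")
    return m.group("realm")


def check_app_id_uri(xml_text, configured_app_id_uri):
    """Compare what Keycloak sends with the App ID URI registered in Azure AD."""
    issuer, acs = parse_authn_request(xml_text)
    expected = expected_app_id_uri(acs)
    return {"issuer": issuer, "expected_app_id_uri": expected,
            "matches": issuer == configured_app_id_uri == expected}
```

A result with "matches": False means Azure AD will not find the identifier and will answer with AADSTS700016, as in the question.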