KEYCLOAK & Azure AD - How to configure AAD as an Identity Provider | Niko Köbler (@dasniko)

  • Published: 31 Jan 2025

Comments • 109

  • @WahidRezgui
    @WahidRezgui 5 months ago +3

    This is what is called simple, straightforward content. Love it

  • @haskellbcurry2666
    @haskellbcurry2666 3 years ago +3

    I've been trying for days to configure Keycloak with Azure AD and this video cleared everything up. Thank you!

  • @Random_-Dude
    @Random_-Dude 4 months ago +1

    Great demo on the config, good content and flow, and all the how-tos answered. Thanks.

  • @michelvanvliet2741
    @michelvanvliet2741 2 years ago +2

    Thanks, looks really simple and very helpful for our future Keycloak implementation.

  • @lolitssbee
    @lolitssbee 2 years ago +3

    This is perfect and exactly what I needed, thank you!

  • @MrAngelsfriend
    @MrAngelsfriend 3 years ago +2

    Niko, you are the champion. :) Stay blessed.

    • @mohammadumar443
      @mohammadumar443 3 months ago

      Great info. But how can we move to the Angular dashboard after authentication from AD? For simple Keycloak authentication I have configured it, but for AD how can we configure it?

  • @geekassess734
    @geekassess734 3 years ago +2

    Very good explanation, plain and simple flow. I tried it and it worked for me.

  • @cafe-valente
    @cafe-valente 2 years ago +1

    Thanks

    • @dasniko
      @dasniko 2 years ago +1

      Thank you, Matheus! This is really appreciated!! 🙏

    • @cafe-valente
      @cafe-valente 2 years ago

      @dasniko My pleasure, mate. Your videos have helped me a lot.

  • @alexanderbrovman
    @alexanderbrovman 3 years ago +2

    Hi Niko, thank you very much for creating this. It works perfectly and helped a lot!

  • @wamp1738
    @wamp1738 3 years ago +1

    Crystal clear, thank you 👍

  • @oliviermasseau566
    @oliviermasseau566 1 year ago +1

    Thanks, super clear :)

  • @nicklausbrain
    @nicklausbrain 3 years ago +1

    Thanks, I needed that!

  • @pablogvivo
    @pablogvivo 3 years ago +1

    Thank you. It was really helpful and an easy explanation.

  • @80co
    @80co 3 years ago +1

    Very clear and useful, thank you

  • @remi-lehoux
    @remi-lehoux 4 months ago

    Thanks for the explanations. I don't know why, but in an older tenant in multi-tenant mode all is OK, but with a new tenant in single-tenant mode it's not OK. Restrictions in the new tenant?

  • @Random_-Dude
    @Random_-Dude 4 months ago +1

    Is Adele single by chance? Very useful, well explained and simple. Big thanks.

  • @borislavatanasov2388
    @borislavatanasov2388 3 years ago +1

    Very useful, thank you!

  • @yasithkumara3070
    @yasithkumara3070 3 years ago +1

    Very good video. Thank you.

  • @nirupachristy7884
    @nirupachristy7884 2 years ago

    Hi Nikolas, thank you so much for sharing the procedure to configure Keycloak with AAD. Could you please explain how to integrate applications like Miro or Excel in Keycloak?

    • @dasniko
      @dasniko 2 years ago

      I don't focus on configuring clients to interact with any OIDC provider. I'm only focusing on the Keycloak server itself.

  • @mahenderboini5179
    @mahenderboini5179 3 years ago +1

    Hi Niko Köbler, good explanation. Could you please also post any videos on client creation and configuration for a web application in Keycloak?
    Thanks in advance

  • @SuperAdilMorocco
    @SuperAdilMorocco 2 years ago +1

    Man, I love your videos

  • @JUNO2206
    @JUNO2206 2 years ago +1

    Really crisp. Does Keycloak introspect the token with AAD?

  • @GerryLSmith
    @GerryLSmith 3 years ago +1

    Nice, thank you.

  • @roscode96
    @roscode96 2 years ago +1

    Thanks for these great videos and all your work on Keycloak and in the community! Do you have any advice for getting single sign-out working with this Azure AD/Keycloak setup? In particular, how to construct the front-channel logout URL for the app registration such that Azure can log the user out of Keycloak (which will in turn log out of all clients)?

    • @higorpereira1263
      @higorpereira1263 1 year ago +1

      Got any luck on this? Same requirement here...

    • @roscode96
      @roscode96 1 year ago

      No, I haven't been able to get it to work, unfortunately.

    • @higorpereira1263
      @higorpereira1263 1 year ago +1

      @roscode96 Thanks, buddy. Sorry for the late question.

  • @prasadborkar8157
    @prasadborkar8157 3 years ago +1

    Very nice explanation. Any plan to upload Vue.js app authentication using Keycloak? I saw you already posted a video using React.

    • @dasniko
      @dasniko 3 years ago

      Hi, thanks.
      Currently I've not planned to do a Vue.js video. Indeed it's pretty similar to React, AFAIR.

  • @alejandromartinezcoviza8728
    @alejandromartinezcoviza8728 3 years ago +1

    Thanks!!!
    Awesome

  • @WorkerJJ
    @WorkerJJ 3 years ago

    Works perfectly, thx!!!

  • @sriyanto6662
    @sriyanto6662 2 years ago +2

    Thanks Niko for the video, this is so clear and works perfectly. If anyone knows a video on how to register a SAML client in Keycloak, it would be much appreciated if you could share it with me.

  • @rainellen
    @rainellen 3 years ago +1

    Nice video. Any plan to include Azure AD SAML 2.0 integration with Keycloak?

    • @dasniko
      @dasniko 3 years ago

      I don't use SAML at all, sorry.

  • @domingosdias5988
    @domingosdias5988 8 months ago +1

    Fantastic

  • @osmarfj6752
    @osmarfj6752 2 years ago +1

    Thanks for the video, Niko.
    I did these settings in order to import groups from Azure AD into Keycloak. But, unfortunately, it is not working. Do you have any idea about it?
    I need to map groups from Azure AD into Keycloak.
    Thank you

  • @yasarbaigh3172
    @yasarbaigh3172 3 years ago +2

    If possible, make a video on integrating Active Directory via user federation.

  • @tarekfathi2003
    @tarekfathi2003 2 months ago

    Thank you so much

  • @javierangelmorenomonton4487
    @javierangelmorenomonton4487 10 months ago

    Hello, and thank you for the video.
    Once the integration has been set up, can we use the Azure AD Enterprise Application feature to provide MFA instead of the Keycloak native MFA mechanism?
    Thank you in advance.
    Javier.

    • @dasniko
      @dasniko 10 months ago

      You can do whatever you want in your Azure environment. If it's part of the regular authentication process/flow there, it will be executed. This is completely independent of Keycloak.

  • @patrikmaier5260
    @patrikmaier5260 1 year ago

    Which underlying OAuth 2.0 flow is used by the OpenID Connect flow used here?

  • @papaamadoubabandiaye23
    @papaamadoubabandiaye23 5 months ago

    Hello, thank you for this video. I want to add Coursera metadata to my Keycloak, but when I upload the metadata file it always fails. How can I link Keycloak to Shibboleth (SP)?

  • @vktop2
    @vktop2 2 years ago

    Nice video! I have a question: Azure AD B2C has all the features shown in Keycloak. If I have Azure and my users are in the AD, why would I use Keycloak? Thanks

  • @q3rageq3
    @q3rageq3 3 years ago +1

    I didn't get how the "localhost:8080" redirect URI worked fine in Azure... Can you please clarify this? Why didn't you use a properly resolvable FQDN, and how did that work in your demo scenario?

    • @dasniko
      @dasniko 3 years ago +3

      No need for an FQDN when doing a demo on localhost. Azure doesn't need to have access to the domain, as it is only sending the user's browser with a redirect to the specified domain (in this case localhost). There's no access from Azure to Keycloak.

  • @bart3460
    @bart3460 1 year ago

    Thanks for the video. Is there a way to customize this so that the Keycloak username is automatically only what is in front of the @?

    • @dasniko
      @dasniko 1 year ago

      If you implement a custom authenticator which will be used in the first broker flow, then yes.

  • @pioamalraj9791
    @pioamalraj9791 3 years ago

    Hello Niko. This is very good. Is there a way to automate these steps through a script? Thank you. Your intro was fantastic.

    • @tekknokrat
      @tekknokrat 3 years ago

      There is a Terraform provider for Keycloak available that helps with setting up IdPs, realms and clients. There is also a Terraform provider available that helps with creating the Azure AD. You can also use Ansible or a Python API to automate via a script.

  • @noblebhaskar
    @noblebhaskar 3 years ago

    Hello Niko,
    Thanks for the video.
    We have configured Azure AD as identity provider for Keycloak for a web application.
    The issue we face is that when the user logs out from the web application in the browser, he is logged out only from the web application, but the Azure AD user session still remains active in the browser.
    I am suspecting we can achieve this by configuring the Logout URL in the identity provider configuration in the Keycloak admin console page.
    But I'm not sure what logout URL to configure there. Also, should the "Backchannel Logout" option be enabled?

  • @AlanDevOps
    @AlanDevOps 2 years ago

    Thanks for the explainer. Do you know how I can map an Azure AD group to a Keycloak role?

    • @dasniko
      @dasniko 2 years ago +2

      Add the groups to the Azure token and use a claim-to-role mapper in Keycloak.

    • @AlanDevOps
      @AlanDevOps 2 years ago

      @dasniko Thanks Niko, I have done that and it works as expected now. Thanks for the response :)

  • @harikuttan9426
    @harikuttan9426 3 years ago

    I have checked the redirect URL in Keycloak and the Azure redirect URIs; both are the same, but the redirect URI in the browser does not contain the port number (after the error).

  • @ahmedeisa4752
    @ahmedeisa4752 3 years ago

    Awesome work, very straightforward approach, but what if I want to log in using my application UI?

    • @dasniko
      @dasniko 3 years ago

      Thanks.
      Authentication using your application is not how OIDC works; please read the specs to understand the concepts.
      However, you can create custom themes you deploy to Keycloak to have a customized / corporate design for your users in Keycloak.

  • @aryapriyadarshi8227
    @aryapriyadarshi8227 3 years ago

    Niko Köbler, I have tried integrating AAD with Keycloak running on an AWS ECS cluster, but I'm getting the below error while doing SSO.
    "Unexpected error when authenticating with identity provider
    « Back to Application"

  • @AshinsanaMayuminda
    @AshinsanaMayuminda 6 months ago

    Can you do a video on doing it with LDAP?

  • @tanhc2
    @tanhc2 1 year ago

    I suppose a connection is required between Keycloak and AAD as an identity provider... but is a connection between Keycloak and AAD necessary for authentication if AAD is set up in user federation and using SAML or OIDC? Or does all communication go through the browser and redirection?

    • @dasniko
      @dasniko 1 year ago +1

      There's a mandatory backchannel communication between Keycloak and the AAD.

  • @nania0218
    @nania0218 2 years ago

    How to set the policy ID in the Azure AD B2C OAuth 2.0 token endpoint (v2)?

  • @stevelewis383
    @stevelewis383 2 years ago

    Great video. Is it possible to pass a group value from Azure AD to Keycloak?

    • @dasniko
      @dasniko 2 years ago

      Yes. Please consult the Azure docs for details.

  • @earther-v2w
    @earther-v2w 2 years ago

    Hi Niko, how do I configure the logout option?

  • @guilhermeduartecosta3320
    @guilhermeduartecosta3320 3 years ago

    Thank you for this video. I get an error after authentication when Azure redirects to my application. Do I need to do something in my application? ERROR -> "An internal server error has occurred", just that.

    • @guilhermeduartecosta3320
      @guilhermeduartecosta3320 3 years ago

      The problem was... Keycloak 16 does not work with Java 8, because I suppose 16 was compiled with Java 9. I updated to Java 11 and everything is working now.

  • @cemcoral2336
    @cemcoral2336 2 years ago

    Is it possible to get a token via REST using Postman with this configuration?

  • @silentwatcher13
    @silentwatcher13 1 year ago

    Niko, can we use Keycloak to manage AAD-based SSH authentication for Linux VMs?

  • @TusharGanorkar
    @TusharGanorkar 2 years ago

    Hi Niko, can you share one example for ADFS and OTP in one single flow for login? Your videos are very helpful... Life saver...

  • @ronnisorensen9367
    @ronnisorensen9367 2 years ago

    Hi All,
    Can anyone share why it is desirable to integrate Azure AD with Keycloak and not connect your app directly to Azure AD? It is my understanding that Azure AD can serve as an OAuth2/OIDC provider, so what does Keycloak add to the architecture?
    Any help to understand this is greatly appreciated.

    • @dasniko
      @dasniko 2 years ago +3

      If you only interact with AAD, there's possibly no need to use Keycloak in between. But if your application has different kinds of users, coming from various sources and identity providers, and AAD is only one of them, then it gets easier to configure them all in Keycloak and let your application interact only with one identity provider (Keycloak) instead of multiple. Also, if you have many applications, you won't configure them all to use/handle multiple IdPs.

  • @Grikoify
    @Grikoify 3 years ago

    Thank you.

    • @marcusross2099
      @marcusross2099 3 years ago

      Can you do a demo for Keycloak to Azure B2C?

  • @bhushan0504
    @bhushan0504 1 year ago

    It's a nice video, Niko. Can you have a user auth flow setting to link the Azure AD ID with an existing user in Keycloak at first login? Please let me know, so it can help in configuring the authentication flow.

    • @dasniko
      @dasniko 1 year ago +1

      That's how it works.

    • @bhushan0504
      @bhushan0504 1 year ago

      @dasniko Yes, got the flow. Created a manual flow with conditions.

  • @victoradolfomosqueragonzal6704
    @victoradolfomosqueragonzal6704 2 years ago

    How can I map Azure AD groups or roles in Keycloak?

    • @dasniko
      @dasniko 2 years ago

      You need to add them into the token(s) issued by AAD, then you can create the proper mappers in Keycloak.
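
      The following is an added example, not code from the video and not Keycloak's or Azure's own code. It illustrates the two replies above about adding Azure AD groups to the token and mapping them with a Keycloak "Claim to Role" mapper: it builds the mapper representation in the shape the Keycloak admin REST API accepts, emulates how that mapper evaluates a token's `groups` claim, and flags the groups-overage case in which Azure AD omits the `groups` claim entirely (a common reason "groups are not imported" reports look like this one). The realm name, IdP alias, group object IDs, role names and sample token payloads are all placeholders constructed for the example.

```python
"""Added example (not from the video, Keycloak or Azure): how a Keycloak
"Claim to Role" identity-provider mapper turns an Azure AD `groups` claim into
realm roles, and why it silently grants nothing under groups overage."""
from typing import Dict, List, Set

# Placeholder values (assumptions for this example, not from the video).
REALM = "demo"
IDP_ALIAS = "azure-ad"
ADMIN_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"   # constructed AAD group object ID
READER_GROUP_ID = "00000000-0000-0000-0000-00000000bbbb"  # constructed AAD group object ID


def claim_to_role_mapper(name: str, claim: str, claim_value: str, role: str,
                         sync_mode: str = "FORCE") -> Dict:
    """Representation of a Keycloak "Claim to Role" mapper as posted to
    /admin/realms/{realm}/identity-provider/instances/{alias}/mappers.
    `oidc-role-idp-mapper` is the mapper type id. Azure AD emits group
    *object IDs* in `groups`, so `claim.value` must be the GUID, not the
    display name. syncMode FORCE re-evaluates the role on every login;
    IMPORT would only apply it when the user is first created."""
    return {
        "name": name,
        "identityProviderAlias": IDP_ALIAS,
        "identityProviderMapper": "oidc-role-idp-mapper",
        "config": {
            "claim": claim,
            "claim.value": claim_value,
            "role": role,
            "syncMode": sync_mode,
        },
    }


MAPPERS: List[Dict] = [
    claim_to_role_mapper("aad-admins-to-app-admin", "groups", ADMIN_GROUP_ID, "app-admin"),
    claim_to_role_mapper("aad-readers-to-app-reader", "groups", READER_GROUP_ID, "app-reader"),
]


def roles_from_token(token_claims: Dict, mappers: List[Dict]) -> Set[str]:
    """Emulates the Claim to Role evaluation: a mapper grants `role` when the
    configured claim equals `claim.value` or, for a list-valued claim such as
    AAD `groups`, contains it. An absent claim grants nothing."""
    granted: Set[str] = set()
    for mapper in mappers:
        cfg = mapper["config"]
        value = token_claims.get(cfg["claim"])
        if value is None:
            continue
        candidates = value if isinstance(value, list) else [value]
        if cfg["claim.value"] in candidates:
            granted.add(cfg["role"])
    return granted


def groups_overage(token_claims: Dict) -> bool:
    """Azure AD drops `groups` and emits `_claim_names`/`_claim_sources`
    instead when a user belongs to more groups than fit in the token (the
    "groups overage" case). The mapper then sees no claim and grants no role,
    which on the Keycloak side looks like groups simply not being imported."""
    names = token_claims.get("_claim_names", {})
    return "groups" not in token_claims and "groups" in names


# Constructed sample ID-token payloads with only the claims relevant here.
ADMIN_TOKEN = {"sub": "user-1", "email": "user1@example.test",
               "groups": [ADMIN_GROUP_ID, "00000000-0000-0000-0000-00000000cccc"]}
OVERAGE_TOKEN = {"sub": "user-2", "email": "user2@example.test",
                 "_claim_names": {"groups": "src1"},
                 "_claim_sources": {"src1": {"endpoint": "https://graph.example.test/placeholder"}}}

if __name__ == "__main__":
    print(sorted(roles_from_token(ADMIN_TOKEN, MAPPERS)))  # ['app-admin']
    print(groups_overage(OVERAGE_TOKEN))                   # True
```

      Design note: matching on group object IDs rather than display names keeps the mapping stable when a group is renamed and avoids ambiguity between groups with the same name. When `groups_overage` reports true, the fix is on the Azure side (limit which groups are emitted, or use app roles instead of groups) rather than in the Keycloak mapper.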

  • @prajaktapalaskar82
    @prajaktapalaskar82 2 years ago

    Hello, can you help me with how to create a role in Azure, so that after integration that role is reflected in Keycloak (role mapping for the user between Azure and Keycloak)?

    • @dasniko
      @dasniko 2 years ago

      I'm not an Azure expert, don't know about Azure.

  • @chamseddineabderrahim2853
    @chamseddineabderrahim2853 1 year ago

    What are the possible root causes when, after redirection, I go back to the login page of my application? And thank you

  • @kothanikhila2800
    @kothanikhila2800 3 years ago

    How are the provider ID and provider username mapped for a newly created user, and what happens if the user is already created?

  • @daniellaerachannel
    @daniellaerachannel 3 years ago

    Does anyone have a React SPA example for this kind of stack?

    • @dasniko
      @dasniko 3 years ago

      See my videos about Keycloak and React and my repo here: github.com/dasniko/keycloak-reactjs-demo
      There's nothing special for React-Keycloak-AzureAD. The React app will just use Keycloak as IdP and Keycloak itself redirects to AAD as external IdP. No React involved.

  • @oguzhanduran6142
    @oguzhanduran6142 3 years ago

    Good work. Is it possible to sync users from Azure AD to Keycloak?

    • @dasniko
      @dasniko 3 years ago +2

      When using 3rd-party IdPs, there is IMHO no need to sync anything.
      After a user authenticates, a representation of this user is created in Keycloak. This is necessary so that Keycloak "knows" this user. But the authentication itself, and thus the knowledge of the password, still remains at the IdP, which is important in such a scenario.

    • @oguzhanduran6142
      @oguzhanduran6142 3 years ago

      @dasniko Yes, I know Keycloak creates the user after authentication, but I don't want this situation. I want to sync users periodically from Azure AD and handle all Azure AD users in Keycloak.

    • @dasniko
      @dasniko 3 years ago +1

      That's not what IdPs are here for. Also, Keycloak is not a "user management tool" for 3rd-party IdPs.

    • @mukeshwars5570
      @mukeshwars5570 3 years ago

      @dasniko Yeah, you are right. In case we want to do that, is it possible to store the username and password of users from the IdP in Keycloak, so that next time the user can authenticate from the Keycloak login page instead of going to the IdP again?

  • @JohnSinha-eh2ov
    @JohnSinha-eh2ov 7 months ago

    Please do IdP-initiated SSO with SAML using two Keycloak servers.

  • @gmmkeshav
    @gmmkeshav 2 years ago

    How to do direct Microsoft login
    without this password and username?
    Basically directly going to the Microsoft login.

    • @dasniko
      @dasniko 2 years ago +1

      Configure the "Identity Provider Redirector" step in the Browser Authentication Flow.

  • @nerospeed
    @nerospeed 9 months ago

    Azure AD is now Microsoft Extra ID :-) (edit: Entra ID)

    • @dasniko
      @dasniko 9 months ago +1

      Hey smart-arse, it's called Entra ID, not Extra ID, and the video was produced long before the renaming!

    • @nerospeed
      @nerospeed 9 months ago

      This was more a hint for others who see this video. I searched for Azure Active Directory and could not find it. After research I found (yes, typo, thanks) Entra ID.
      Thanks for the smart-arse title .....

  • @AbhilashaVar
    @AbhilashaVar 9 months ago

    Hi, I want a Spring Boot API which calls Azure internally without exposing the UI of Keycloak to the users. Please provide.

  • @Avishekk111
    @Avishekk111 7 months ago

    @Niko Köbler (@dasniko) - In the newer version of Keycloak, v22.0.5, Keycloak is not copying the email from the IdP, even if the username is mapped as email. How can we achieve this?

    • @dasniko
      @dasniko 7 months ago

      As of today, v25 is the latest version, not 22...
      And if everything is configured properly (also the external system), it just works. If it doesn't, then something isn't properly configured.

    • @Avishekk111
      @Avishekk111 7 months ago

      @dasniko I meant on v22, Keycloak is not mapping email as email even if email is mapped as username; firstName and lastName are also copied. I followed exactly what has been discussed in this video or similar others.

  • @harikuttan9426
    @harikuttan9426 3 years ago

    I am facing an issue while logging in: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'fe655095-8579-4f7d-97e8-066825b0c4a2'.
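
The following is an added example, not code from the video and not Keycloak's or Microsoft's own tooling. It addresses the AADSTS50011 reply-URL mismatch reported in the comment above, the earlier report of a redirect URI that reached the browser without its port number, and the question about why a `localhost:8080` reply URL works: it computes the redirect URI that Keycloak's broker endpoint uses for an identity provider and compares it component by component (scheme, host, port, path) against the reply URLs registered on the app registration, so the mismatch can be named instead of guessed. The base URL, realm name, IdP alias and registered URLs are placeholders constructed for the example.

```python
"""Added example (not from the video, Keycloak or Microsoft): derive the
Keycloak broker redirect URI for an identity provider and explain an
AADSTS50011 reply-URL mismatch component by component."""
from typing import List, Optional
from urllib.parse import urlsplit


def keycloak_broker_redirect_uri(base_url: str, realm: str, idp_alias: str) -> str:
    """Redirect URI the Keycloak broker uses for an identity provider
    (Quarkus distribution, no /auth prefix):
    {base}/realms/{realm}/broker/{alias}/endpoint
    base_url must be the URL Keycloak believes it is reachable at externally;
    a reverse proxy that is not configured to pass the external hostname and
    port changes the value Keycloak puts in the authorization request."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{idp_alias}/endpoint"


def diagnose_reply_url(request_uri: str, registered: List[str]) -> Optional[str]:
    """Return None when request_uri is registered verbatim; otherwise one hint
    per registered URL naming the components that differ. Azure AD rejects
    any difference with AADSTS50011, so the comparison is deliberately strict:
    a registered entry is only accepted on an exact string match."""
    if request_uri in registered:
        return None
    req = urlsplit(request_uri)
    hints = []
    for reg_str in registered:
        reg = urlsplit(reg_str)
        diffs = []
        if req.scheme != reg.scheme:
            diffs.append(f"scheme {req.scheme} vs {reg.scheme}")
        if req.hostname != reg.hostname:
            diffs.append(f"host {req.hostname} vs {reg.hostname}")
        if req.port != reg.port:
            # None means the URL carries no explicit port, the symptom behind a
            # proxy that hides the port Keycloak actually listens on.
            diffs.append(f"port {req.port} vs {reg.port}")
        if req.path != reg.path:
            # Typical causes: a legacy /auth prefix, a renamed realm or IdP
            # alias, or a trailing slash.
            diffs.append(f"path {req.path} vs {reg.path}")
        if not diffs:
            # urlsplit lower-cases scheme and host, so only case or the query
            # string can remain as the difference.
            diffs.append("query string or letter case differs")
        hints.append(f"{reg_str}: " + ", ".join(diffs))
    return "; ".join(hints)


# Constructed sample: the reply URL registered on the app registration for a
# demo running on localhost, as in the video.
REGISTERED_REPLY_URLS = ["http://localhost:8080/realms/demo/broker/azure-ad/endpoint"]

if __name__ == "__main__":
    ok = keycloak_broker_redirect_uri("http://localhost:8080", "demo", "azure-ad")
    print(diagnose_reply_url(ok, REGISTERED_REPLY_URLS))  # None
    # Keycloak behind a proxy that dropped the port:
    print(diagnose_reply_url("http://localhost/realms/demo/broker/azure-ad/endpoint",
                             REGISTERED_REPLY_URLS))
```

Usage note: a `localhost` reply URL is accepted by Azure AD because the redirect is carried by the user's browser, which resolves the name locally; Azure never connects to Keycloak for this step. When the hint reports a missing port, the usual remedy is to fix the hostname and proxy settings on the Keycloak side so it emits the externally visible URL, rather than registering a second, port-less reply URL that only masks the misconfiguration.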