This is what's called simple, straightforward content, love it
I've been trying for days to configure keycloak with Azure AD and this video cleared everything up. Thank you!
Great Demo on the config - good content and flow and how to's all answered - Thanks.
Thanks, looking really simple and very helpful for our future Keycloak implementation.
This is perfect & exactly what I needed, thank you!
Niko you are the champion. :) stay blessed.
Great info. But how can we move to the Angular dashboard after authentication from AD? For simple Keycloak authentication I have configured it, but for AD how can we configure it?
Very good explanation, plain and simple flow. I tried and it worked for me
Thanks
Thank you, Matheus! This is really appreciated!! 🙏
@@dasniko my pleasure mate. Your videos have helped me a lot
Hi Niko thank you very much for creating this, works perfectly and helped a lot!
Crystal clear, thank you 👍
Thanks, super clear :)
Thanks, I needed that!
Thank you It was really helpful and an easy explanation
Very clear and useful, thank you
Thanks for the explanations. I don't know why, but in the older tenant in multi-tenant mode all is OK, but with the new tenant in single-tenant mode it's not OK. Restrictions in the new tenant?
Is Adele single by chance? Very useful, well explained and simple. - Big thanks.
Very useful, thank you!
Very good video. Thank you.
Hi Nikolas, thank you so much for sharing the procedure to configure Keycloak with AAD. Could you please explain how to integrate applications like Miro or Excel in Keycloak?
I don't focus on configuring clients to interact with any OIDC provider. I'm only focussing on the Keycloak server itself.
Hi Niko Köbler, good explanation. Could you please also send any videos for client creation and configuration for a web application in Keycloak?
Thanks in advance
Man, I love your videos
Really crisp. Does Keycloak introspect the token with AAD?
No
Nice, thank you.
Thanks for these great videos and all your work on Keycloak and in the community! Do you have any advice for getting single sign-out working with this Azure AD/Keycloak setup? In particular, how to construct the front-channel logout URL for the app registration such that Azure can log the user out of Keycloak (which will in turn log out of all clients)?
Got any luck on this? Same requirement here...
No, I haven't been able to get it to work unfortunately.
@@roscode96 Thanks buddy. Sorry for the late question.
Very nice explanation. Any plan to upload Vue.js app authentication using Keycloak? I saw you already posted a video using React.
Hi, thanks.
Currently I've not planned to do a Vue.js video. Indeed it's pretty similar to React, afair.
Thanks!!!
Awesome
works perfectly, thx!!!
Thanks Niko for the video, this is so clear and works perfectly. If anyone knows a video on how to register a SAML client in Keycloak, much appreciated if you can share it with me.
Nice video. Any plan to include Azure AD SAML 2.0 with Keycloak integration?
I don't use SAML at all, sorry.
Fantastic
Thanks for the video Niko.
I did these settings in order to import groups from Azure AD into Keycloak. But, unfortunately, it is not working. Do you have any idea about it?
I need to map groups from Azure AD into Keycloak.
Thank you
You did? Can you help me?
I'm also trying to figure this out, did you find a solution?
If possible, make a video on integrating Active Directory via user federation.
Thank you so much
Hello, and thank you for the video.
Once the integration has been set, can we use the Azure AD Enterprise Application feature to provide MFA instead of the Keycloak native MFA mechanism?
Thank you in advance.
Javier.
You can do whatever you want in your Azure environment. If it's part of the regular authentication process/flow there, it will be executed. This is completely independent of Keycloak.
Which underlying OAuth 2.0 Flow is used by the OpenID Connect Flow used here?
Auth Code
Hello, thank you for this video. I want to add Coursera metadata to my Keycloak, but when I upload the metadata file it always fails. How can I link Keycloak to Shibboleth (SP)?
Nice video! I have a question: Azure AD B2C has all the features shown in Keycloak. If I have Azure and my users are in the AD, why would I use Keycloak? Thanks
I didn't get how the "localhost:8080" redirect URI worked fine in Azure... Can you please clarify this? Why didn't you use a proper resolvable FQDN, and how did that work in your demo scenario?
No need for an FQDN when doing a demo on localhost. Azure doesn't need to have access to the domain, as it is only sending the user's browser with a redirect to the specified domain (in this case localhost). There's no access from Azure to Keycloak.
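The exchange above hinges on the redirect URI being nothing more than a string Azure hands back to the browser, which is also why the reply-URL mismatch error (AADSTS50011) and the "missing port number" problem reported elsewhere in this thread show up. The script below is an added illustration, not code from the video or from Keycloak: it builds the broker callback URL Keycloak expects for an identity provider alias, builds the authorize redirect Keycloak sends the browser to, and models Azure's registered-reply-URL check as a strict component-wise comparison (scheme, host, explicit port, path), which is the conservative reading a defender wants. The realm `demo`, the alias `azure`, and the tenant and client IDs are constructed placeholders.

```python
"""Model of the reply-URL check behind AADSTS50011 for a Keycloak <-> Azure AD broker.
Example code; realm, alias, tenant and client IDs below are constructed placeholders."""
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Real Azure AD v2.0 authorize endpoint; {tenant} is the directory (tenant) ID.
AZURE_AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def broker_endpoint(base_url: str, realm: str, alias: str) -> str:
    """Keycloak's callback for an identity provider. This exact string must be
    registered as a reply URL on the Azure app registration. Keycloak versions
    before 17 serve it under /auth/realms/..., so include /auth in base_url there."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def authorize_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """The redirect Keycloak sends the user's browser to (authorization code flow).
    Azure only parses this request; it never connects to Keycloak, so a
    localhost redirect_uri is fine for a demo as long as it matches verbatim."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": "openid profile email",
              "state": state, "response_mode": "query"}
    return AZURE_AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def reply_url_mismatch(registered: List[str], requested: str) -> Optional[str]:
    """Strict comparison of scheme, host, explicit port and path (no default-port
    folding, no trailing-slash tolerance). Returns None on an exact match with any
    registered URL, otherwise the first differing component of the closest one."""
    if not registered:
        return "no reply URLs registered for this app"
    want = urlparse(requested)
    best_score, best_diff = -1, None
    for reg in registered:
        have = urlparse(reg)
        comps = [("scheme", have.scheme, want.scheme),
                 ("host", have.hostname, want.hostname),
                 ("port", have.port, want.port),      # None when no explicit port
                 ("path", have.path, want.path)]
        bad = [(n, a, b) for n, a, b in comps if a != b]
        if not bad:
            return None                               # Azure would accept this
        score = len(comps) - len(bad)
        if score > best_score:
            n, a, b = bad[0]
            best_score = score
            best_diff = f"{n}: registered {a!r}, requested {b!r}"
    return best_diff


def check_authorize_request(registered: List[str], url: str) -> Optional[str]:
    """Extract redirect_uri from the authorize URL Keycloak built and validate it."""
    query = parse_qs(urlparse(url).query)
    return reply_url_mismatch(registered, query["redirect_uri"][0])


if __name__ == "__main__":
    cb = broker_endpoint("http://localhost:8080", "demo", "azure")
    req = authorize_url("00000000-0000-0000-0000-000000000000", "client-id-placeholder", cb, "s1")
    print(check_authorize_request([cb], req))                      # None: accepted
    print(reply_url_mismatch([cb], cb.replace(":8080", "")))       # port mismatch
```

Run it against the reply URLs on your app registration and the `redirect_uri` Keycloak actually sends (visible in the browser address bar after the redirect) to see which component differs.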
Thanks for the video. Is there a way to customize this so the Keycloak username automatically is only what is in front of the @?
If you implement a custom authenticator which will be used in the first broker flow, then yes.
Hello Niko. This is very good. Is there a way to automate these steps through a script? Thank you. Your intro was fantastic.
There is a Terraform provider for Keycloak available that helps with setting up identity providers, realms and clients. There is also a Terraform provider available that helps with creating the Azure AD. You can also use Ansible or a Python API to automate via a script.
Hello Niko,
Thanks for the video.
We have configured Azure AD as identity provider for Keycloak for a web application.
The issue we face is when the user logs out from the web application in the browser, he is logged out only from the web application, but the Azure AD user session still remains active in the browser.
I suspect we can achieve this by configuring the Logout URL in the identity provider configuration in the Keycloak admin console page.
But not sure what logout URL to configure there? Also, should the "Backchannel Logout" option be enabled?
Thanks for the explainer, do you know how I can map an Azure AD group to a Keycloak role?
Add the groups to the Azure token and use a claim-to-role mapper in Keycloak.
@@dasniko Thanks Niko, I have done that and it works as expected now. Thanks for the response :)
I have checked the redirect URL in Keycloak and the Azure Redirect URIs, both are the same, but the Redirect URI in the browser does not contain the port number (after the error).
Awesome work, very straightforward approach, but what if I want to log in using my application UI?
Thanks.
Authentication using your application is not how OIDC works, please read the specs for understanding the concepts.
However, you can create custom Themes you deploy to Keycloak to have a customized / corporate design for your users in Keycloak.
Niko Köbler, I have tried integrating AAD with Keycloak running on an AWS ECS cluster but am getting the below error while doing SSO.
"Unexpected error when authenticating with identity provider
« Back to Application"
Can you do a video on how to do it with LDAP?
I suppose a connection is required between Keycloak and AAD as an identity provider... but is a connection between Keycloak and AAD necessary for authentication if AAD is set up in user federation and using SAML or OIDC? Or does all communication go through the browser and redirection?
There's a mandatory backchannel communication between Keycloak and the AAD.
How to set the policy ID in the Azure AD B2C OAuth 2.0 token endpoint (v2)?
Great video, is it possible to pass a group value from Azure AD to Keycloak?
Yes. Please consult Azure docs for details.
Hi Niko, how do I configure the logout option?
Thank you for this video. I get an error after authentication when Azure redirects to my application. Do I need to do something in my application? ERROR -> "An internal server error has occurred", just that.
The problem was... Keycloak 16 does not work with Java 8, because I suppose 16 was compiled with Java 9. I updated to Java 11 and everything is working now.
Is it possible to get a token via REST using Postman with this configuration?
Niko, can we use Keycloak to manage AAD-based SSH authentication for Linux VMs?
Hi Niko, can you share an example for ADFS and OTP in one single flow for login? Your videos are very helpful... Life saviour...
Hi all,
Can anyone share why it is desirable to integrate Azure AD with Keycloak and not connect your app directly to Azure AD? It is my understanding that Azure AD can serve as an OAuth2/OIDC provider, so what does Keycloak add to the architecture?
Any help to understand this is greatly appreciated.
If you only interact with AAD, there's possibly no need to use Keycloak in between. But if your application has different kinds of users, coming from various sources and identity providers, and AAD is only one of them, then it gets easier to configure them all in Keycloak and let your application interact only with one identity provider (Keycloak) instead of multiple. Also, if you have many applications, you won't configure them all to use/handle multiple IdPs.
Thank you.
Can you do a demo for Keycloak to Azure B2C?
It's a nice video Niko. Can you have a user auth flow setting to link the Azure AD ID with an existing user in Keycloak at first login? Please let me know so it can help in configuring the authentication flow.
That's how it works.
@@dasniko Yes, got the flow. Created a manual flow with conditions.
How can I map Azure AD groups or roles in Keycloak?
You need to add them into the token(s) issued by AAD, then you can create the proper mappers in Keycloak.
Hello, can you help me with how to create a role in Azure so that after integration that role is reflected in Keycloak (role mapping for the user between Azure and Keycloak)?
I'm not an Azure expert, don't know about Azure.
What are the possible root causes when, after redirection, I go back to the login page of my application? And thank you.
How are the provider ID and provider username mapped for a newly created user, and what happens if the user is already created?
Does anyone have a React SPA example for this kind of stack?
See my videos about Keycloak and React and my repo here: github.com/dasniko/keycloak-reactjs-demo
There's nothing special for React-Keycloak-AzureAD. The React app will just use Keycloak as IdP and Keycloak itself redirects to AAD as external IdP. No React involved.
Good work. Is it possible to sync users from Azure AD to Keycloak?
When using 3rd-party IdPs, there is IMHO no need to sync anything.
After a user authenticates, a representation of this user is created in Keycloak. This is necessary so that Keycloak "knows" this user. But the authentication itself, and thus the knowledge of the password, still remains at the IdP, which is important in such a scenario.
@@dasniko Yes, I know Keycloak creates the user after authentication, but I don't want this situation. I want to sync users periodically from Azure AD and handle all Azure AD users in Keycloak.
That's not what IdPs are here for. Also, Keycloak is not a "user management tool" for 3rd-party IdPs.
@@dasniko Yeah, you are right. In case we want to do that, is it possible to store the username and password of users from the IdP in Keycloak, so that next time the user can authenticate from the Keycloak login page instead of again going to the IdP?
Please do IdP-initiated SSO with SAML using two Keycloak servers.
How to do direct Microsoft login
without this password and username?
Basically directly going to Microsoft login
Configure the "Identity Provider Redirector" step in Browser Authentication Flow.
Azure AD is now Microsoft Extra ID :-) (edit: Entra ID)
Hey smart-arse, it's called Entra ID, not Extra ID, and the video was produced long before the renaming!
This was more a hint for others who see this video. I searched for Azure Active Directory and could not find it. After research I found (yes, typo, thanks) Entra ID.
Thanks for the smart-arse title .....
Hi, I want a Spring Boot API which calls Azure internally without exposing the UI of Keycloak to the users. Please provide.
@Niko Köbler (@dasniko) - In the newer version of Keycloak, v22.0.5, Keycloak is not copying the email from the IdP, even if the username is mapped as email. How can we achieve this?
As of today, v25 is the latest version, not 22...
And if everything is configured properly (also the external system), it just works. If it doesn't, then something isn't properly configured.
@@dasniko I meant on v22, Keycloak is not mapping email as email even if email is mapped as username; firstName and lastName are also copied. I followed exactly how it has been discussed in this video or similar others.
I am facing an issue while logging in: AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: 'fe655095-8579-4f7d-97e8-066825b0c4a2'.