KeyCloak Azure Federation
KeyCloak-w-Ceph-RADOSGW Github repo
Related Integrations
Solution Summary
- Set up Azure AD as the identity provider (IdP) for Keycloak.
- Log in to Keycloak via Azure AD.
- Get access tokens from Keycloak using the federated user account.
1. Configure Azure AD as an OpenID Connect (OIDC) Provider
- Log into the Azure Portal.
- Navigate to Azure Active Directory > App registrations > New registration.
- Set a name for the app (e.g., KeycloakOIDCApp).
- Set the redirect URI (platform type Web) to the Keycloak broker endpoint, e.g. https://<keycloak-host>/realms/<realm-name>/broker/azuread/endpoint. Keycloak derives this endpoint from the provider alias chosen in step 2 (azuread below), so registering it now saves a round trip later; it must match the alias exactly.
- After creation, go to Certificates & secrets and generate a new client secret. Copy the secret value immediately: Azure displays it only once, and it is the credential that lets the holder complete the broker flow on Keycloak's behalf, so store it as you would any other service credential.
- Note the following values:
- Client ID
- Client Secret
- Tenant ID
- OIDC discovery URL format: https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
2. Set Up Azure AD as an Identity Provider in Keycloak
- Log into the Keycloak Admin Console.
- Navigate to your realm > Identity Providers > Add provider > OpenID Connect v1.0.
- Fill in the following:
- Alias: azuread
- Display Name: Azure AD
- Client ID: from Azure
- Client Secret: from Azure
- Discovery URL: from Azure (Keycloak fetches the authorization, token, and JWKS endpoints and the issuer from it; check that the imported issuer is https://login.microsoftonline.com/<tenant-id>/v2.0 for your tenant, because Keycloak validates the ID token's iss claim against this value)
- Redirect URI: Keycloak displays this read-only, derived from the alias; it must be identical to the redirect URI registered in Azure's app registration
- Save the configuration.
3. Authenticate into Keycloak Using Azure Credentials
- Navigate to the Keycloak Account Portal: https://<keycloak-host>/realms/<realm-name>/account
- Select Azure AD from the login options.
- You will be redirected to the Azure login screen.
- After authentication, a federated Keycloak user is created or linked.
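The three steps above can be scripted against Keycloak's admin REST API instead of clicked through. The following is an added example for this page, not code from the repository: it builds the discovery URL and redirect URI from step 1, validates the tenant's discovery document and maps it onto Keycloak's OIDC identity-provider representation for step 2 (refusing a document whose issuer is not the expected tenant, so a mistyped tenant ID cannot federate with the wrong directory), and composes the step 3 login URL with `kc_idp_hint=azuread` so the browser is sent straight to Azure. The tenant ID, host names, client ID and the embedded discovery document are constructed placeholders; the admin-cli password grant and the `/admin/realms/<realm>/identity-provider/instances` endpoint are Keycloak's own.

```python
"""Automate the Azure AD -> Keycloak brokering setup described in steps 1-3.

Added example; placeholder values (tenant ID, hosts, client ID/secret) are assumptions.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

AZURE_LOGIN = "https://login.microsoftonline.com"

# Constructed placeholder tenant and a discovery document shaped like Azure's v2.0 one.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = {
    "issuer": f"{AZURE_LOGIN}/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"{AZURE_LOGIN}/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AZURE_LOGIN}/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"{AZURE_LOGIN}/{TENANT_ID}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
}


def discovery_url(tenant_id):
    """Step 1: the v2.0 OIDC discovery document for one tenant."""
    return f"{AZURE_LOGIN}/{tenant_id}/v2.0/.well-known/openid-configuration"


def redirect_uri(keycloak_host, realm, alias="azuread"):
    """Broker endpoint Keycloak exposes for this alias; register it verbatim in Azure."""
    return f"https://{keycloak_host}/realms/{realm}/broker/{alias}/endpoint"


def fetch_discovery(tenant_id):
    """Download the live discovery document (network access required)."""
    with urllib.request.urlopen(discovery_url(tenant_id)) as resp:
        return json.load(resp)


def build_idp_representation(discovery, tenant_id, client_id, client_secret, alias="azuread"):
    """Step 2: map the discovery document onto Keycloak's OIDC identity-provider JSON.

    Rejects a document whose issuer is not this tenant, and pins validateSignature/useJwksUrl
    so Keycloak verifies ID-token signatures against Azure's published keys.
    """
    expected_issuer = f"{AZURE_LOGIN}/{tenant_id}/v2.0"
    if discovery.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {discovery.get('issuer')!r} != expected {expected_issuer!r}")
    return {
        "alias": alias,
        "displayName": "Azure AD",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,  # do not auto-verify emails on the strength of the upstream claim
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "issuer": discovery["issuer"],
            "authorizationUrl": discovery["authorization_endpoint"],
            "tokenUrl": discovery["token_endpoint"],
            "jwksUrl": discovery["jwks_uri"],
            "userInfoUrl": discovery.get("userinfo_endpoint", ""),
            "validateSignature": "true",
            "useJwksUrl": "true",
            "defaultScope": "openid profile email",
            "syncMode": "IMPORT",
        },
    }


def admin_token(keycloak_base, username, password):
    """Password grant against the master realm's admin-cli client (network access required)."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    url = f"{keycloak_base}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(url, body) as resp:
        return json.load(resp)["access_token"]


def create_identity_provider(keycloak_base, realm, token, representation):
    """POST the representation; Keycloak answers 201 Created on success."""
    req = urllib.request.Request(
        f"{keycloak_base}/admin/realms/{realm}/identity-provider/instances",
        data=json.dumps(representation).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def pkce_pair():
    """Fresh PKCE verifier and its S256 challenge for the browser login in step 3."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def login_url(keycloak_host, realm, client_id, client_redirect, code_challenge, state, alias="azuread"):
    """Step 3: authorization request that skips Keycloak's chooser and goes straight to Azure."""
    params = {"client_id": client_id, "response_type": "code", "scope": "openid",
              "redirect_uri": client_redirect, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256",
              "kc_idp_hint": alias}
    return f"https://{keycloak_host}/realms/{realm}/protocol/openid-connect/auth?" + urllib.parse.urlencode(params)


if __name__ == "__main__":
    # Offline walk-through on the constructed document; swap in fetch_discovery() and
    # admin_token()/create_identity_provider() against a real Keycloak to apply it.
    rep = build_idp_representation(SAMPLE_DISCOVERY, TENANT_ID, "<client-id>", "<client-secret>")
    print("register in Azure:", redirect_uri("keycloak.example.org", "ceph"))
    print(json.dumps(rep, indent=2))
    verifier, challenge = pkce_pair()
    print(login_url("keycloak.example.org", "ceph", "rgw-client", "https://app.example.org/cb",
                    challenge, secrets.token_urlsafe(16)))
```

The issuer check matters because Keycloak compares the ID token's `iss` claim with the configured issuer; importing a discovery document for the wrong tenant (or for the `common` endpoint, whose issuer contains a literal `{tenantid}` placeholder) would either break logins or accept tokens from any Azure tenant.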
Result
Keycloak can now serve as the OIDC provider for Ceph RGW STS. Using the federated Keycloak user's credentials, we can obtain access tokens from Keycloak and use them to perform object storage operations (see the related notes on configuring Ceph RGW STS for an explanation of that side). Helpful examples and scripts are in this git repository.