KeyCloak Azure Federation

From OSNEXUS Online Documentation Site

KeyCloak-w-Ceph-RADOSGW Github repo

Related Integrations

Access Tokens via Keycloak

Solution Summary

  • Set up Azure AD as the identity provider (IdP) for Keycloak.
  • Login to Keycloak via AzureAD.
  • Get access tokens from Keycloak using federated user account.

1. Configure Azure AD as an OpenID Connect (OIDC) Provider

  • Log into the Azure Portal.
  • Navigate to Azure Active Directory > App registrations > New registration.

  • Set a name for the app (e.g., KeycloakOIDCApp).
  • Set the redirect URI (e.g., https://<keycloak-host>/realms/<realm-name>/broker/azuread/endpoint). This endpoint gets configured in step 2, but we can save some time by configuring this now.

  • After creation, go to Certificates & Secrets and generate a new client secret.


Note: The value of the secret is shown only once, so save it somewhere secure.

  • Note the following values:
    • Client ID
    • Client Secret
    • Tenant ID
  • OIDC discovery URL format:
https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration

  • Under API permissions, add the 'openid', 'email', and 'profile' scopes for 'Microsoft Graph'.

2. Set Up Azure AD as an Identity Provider in Keycloak

  1. Log into the Keycloak Admin Console.
  2. Select your realm (or create a new one), then go to Identity Providers > Add provider > OIDC.
  3. Fill in the following:
    • Alias: azuread
    • Display Name: Azure AD
    • Client ID: from Azure
    • Client Secret: from Azure
    • Discovery URL: from Azure
    • Redirect URI: should match Azure's app registration
  4. Save the configuration.
  5. Set the Sync mode to either 'FORCE' or 'IMPORT', depending on your use case.
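The same identity-provider definition can be produced from the Azure discovery document instead of being typed into the console. The script below is an added example (not OSNEXUS's or Keycloak's own tooling): it maps the discovery fields onto Keycloak's OIDC identity-provider representation, refuses a discovery document whose issuer does not belong to the tenant you named (a mistyped tenant ID would otherwise federate with the wrong directory), and, when the assumed environment variables KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD, AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET are set, creates the provider through the Keycloak admin REST API. Without them it performs an offline dry run against a constructed discovery document with a placeholder tenant ID.

```python
"""Added example (not OSNEXUS's or Keycloak's code): build the step-2 identity
provider from an Azure AD OIDC discovery document. Environment variable names
are this example's own assumptions."""
import json
import os
import urllib.parse
import urllib.request

AZURE_LOGIN = "https://login.microsoftonline.com"
VALID_SYNC_MODES = ("IMPORT", "FORCE", "LEGACY")

# Constructed sample discovery document with a placeholder tenant ID (offline dry run).
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = {
    "issuer": f"{AZURE_LOGIN}/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"{AZURE_LOGIN}/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AZURE_LOGIN}/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"{AZURE_LOGIN}/{SAMPLE_TENANT}/discovery/v2.0/keys",
}


def discovery_url(tenant_id: str) -> str:
    """OIDC discovery URL for an Azure AD tenant (v2.0 endpoints)."""
    return f"{AZURE_LOGIN}/{tenant_id}/v2.0/.well-known/openid-configuration"


def broker_redirect_uri(keycloak_url: str, realm: str, alias: str = "azuread") -> str:
    """Callback URI Keycloak exposes for this broker; register it on the Azure app."""
    return f"{keycloak_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def check_issuer(metadata: dict, tenant_id: str) -> str:
    """Azure v2.0 issuers are tenant-scoped; reject metadata from any other tenant."""
    expected = f"{AZURE_LOGIN}/{tenant_id}/v2.0"
    issuer = metadata.get("issuer")
    if issuer != expected:
        raise ValueError(f"issuer {issuer!r} does not match tenant, expected {expected!r}")
    return issuer


def build_idp(metadata: dict, tenant_id: str, client_id: str, client_secret: str,
              alias: str = "azuread", sync_mode: str = "IMPORT") -> dict:
    """Map discovery metadata onto Keycloak's OIDC identity-provider config keys."""
    if sync_mode not in VALID_SYNC_MODES:
        raise ValueError(f"syncMode must be one of {VALID_SYNC_MODES}")
    issuer = check_issuer(metadata, tenant_id)
    return {
        "alias": alias,
        "displayName": "Azure AD",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,  # do not treat Azure's email claim as verified automatically
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "issuer": issuer,
            "authorizationUrl": metadata["authorization_endpoint"],
            "tokenUrl": metadata["token_endpoint"],
            "jwksUrl": metadata["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",  # verify Azure ID tokens against jwks_uri
            "defaultScope": "openid email profile",
            "syncMode": sync_mode,
        },
    }


def fetch_json(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def admin_token(keycloak_url: str, user: str, password: str) -> str:
    """Admin token from the master realm via the built-in admin-cli client."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": user, "password": password}).encode()
    url = f"{keycloak_url.rstrip('/')}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as resp:
        return json.load(resp)["access_token"]


def create_idp(keycloak_url: str, realm: str, token: str, idp: dict) -> int:
    """POST the representation to the admin API; returns the HTTP status (201 on success)."""
    req = urllib.request.Request(
        f"{keycloak_url.rstrip('/')}/admin/realms/{realm}/identity-provider/instances",
        data=json.dumps(idp).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    env = os.environ
    if "KEYCLOAK_URL" in env:
        tenant = env["AZURE_TENANT_ID"]
        idp = build_idp(fetch_json(discovery_url(tenant)), tenant,
                        env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"])
        tok = admin_token(env["KEYCLOAK_URL"], env["KEYCLOAK_ADMIN"], env["KEYCLOAK_ADMIN_PASSWORD"])
        print("HTTP", create_idp(env["KEYCLOAK_URL"], env["KEYCLOAK_REALM"], tok, idp))
        print("Redirect URI to register in Azure:",
              broker_redirect_uri(env["KEYCLOAK_URL"], env["KEYCLOAK_REALM"]))
    else:
        print(json.dumps(build_idp(SAMPLE_METADATA, SAMPLE_TENANT,
                                   "<client-id>", "<client-secret>"), indent=2))
```

The issuer check is the part worth keeping even if you configure the provider by hand: compare the issuer in the discovery document with the tenant ID you noted in step 1 before saving, and leave signature validation against the JWKS URL enabled.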

3. Authenticate into Keycloak Using Azure Credentials

  • Navigate to the Keycloak Account Portal:
https://<keycloak-host>/realms/<realm-name>/account

  • Select Azure AD from the login options.
  • You will be redirected to the Azure login screen.
  • After authentication, a federated Keycloak user is created or linked.
  • Set a password for your new user. Save the username and password which will be used to acquire access tokens.

Result

Now you can use Keycloak as an OIDC provider for Ceph RGW STS. Using the federated Keycloak user credentials, you can obtain access tokens from Keycloak to perform object storage operations (configuring Ceph RGW STS itself is explained separately). You will find some helpful examples and scripts in this git repository.
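As an added example (not code from OSNEXUS's repository or from Keycloak), the following shows the token request the federated user from step 3 makes against Keycloak with the password grant, plus a sanity check on the returned token before handing it to RGW. It assumes a client in the realm (the CLIENT_ID placeholder) with 'Direct Access Grants' enabled; the realm, host and user names are placeholders. Claims are decoded without signature verification purely for inspection; the relying party (Ceph RGW STS) is what verifies the signature against Keycloak's JWKS. Offline, the script runs against a constructed, unsigned sample token.

```python
"""Added example (not OSNEXUS's or Keycloak's code): obtain an access token for the
federated user and inspect it. Names such as CLIENT_ID and the hosts are assumptions."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional


def token_endpoint(keycloak_url: str, realm: str) -> str:
    return f"{keycloak_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def password_grant_body(client_id: str, username: str, password: str,
                        client_secret: Optional[str] = None) -> bytes:
    """Form body for the Resource Owner Password Credentials grant.
    The client secret is only sent for a confidential client."""
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password, "scope": "openid"}
    if client_secret:
        form["client_secret"] = client_secret
    return urllib.parse.urlencode(form).encode()


def get_access_token(keycloak_url: str, realm: str, client_id: str, username: str,
                     password: str, client_secret: Optional[str] = None) -> str:
    req = urllib.request.Request(
        token_endpoint(keycloak_url, realm),
        data=password_grant_body(client_id, username, password, client_secret))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def unverified_claims(jwt: str) -> dict:
    """Decode the payload only. This does NOT verify the signature, so use it for
    debugging (iss, exp, preferred_username), never for an authorization decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def sanity_check(jwt: str, keycloak_url: str, realm: str,
                 now: Optional[float] = None) -> dict:
    """Confirm the token was issued by the expected realm and has not expired."""
    claims = unverified_claims(jwt)
    expected_iss = f"{keycloak_url.rstrip('/')}/realms/{realm}"
    if claims.get("iss") != expected_iss:
        raise ValueError(f"issuer {claims.get('iss')!r} != {expected_iss!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    KEYCLOAK_URL, REALM, CLIENT_ID = "https://keycloak.example", "ceph", "ceph-rgw"  # placeholders
    # Live use: token = get_access_token(KEYCLOAK_URL, REALM, CLIENT_ID, "alice", "<password>")
    sample = make_sample_jwt({"iss": f"{KEYCLOAK_URL}/realms/{REALM}",
                              "preferred_username": "alice",
                              "exp": int(time.time()) + 300})
    print(sanity_check(sample, KEYCLOAK_URL, REALM))
```

The issuer comparison catches the common misconfiguration where the token was requested from the wrong realm (or from the master realm), which RGW would reject with an unhelpful error after the fact.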