Intro
This manual page is mainly intended for area owners and key customer contacts, but also for end users, so that they are aware of this solution and can ask management or the proper ICT contacts to implement it in their environment as well.
...
- Go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
- Click "New registration"
- Set name "Tietoevry DevOps Space (TDS) Keycloak" or something similar
- Select who can use it, usually first option "Accounts in this organizational directory only (Tietoevry only - Single tenant)" is OK
- Set the Redirect URI to the callback URL:
  `https://identity.core.tds.CUSTOMERX.com/auth/realms/tds/broker/main-oidc/endpoint`
  Note: the portal marks this field as optional, but it is mandatory in our case, because it is the Keycloak broker callback that Azure AD must redirect back to.
- Click "Register"
- On the overview screen that is shown, find and copy the following values; they are needed later for the setup on the Keycloak side:
  - Application (client) ID
  - Directory (tenant) ID
- The following claims need to be enabled:
  - sAMAccountName (onpremisessamaccountname)
  - firstname
  - lastname
- The Azure AD team must run the following PowerShell commands (AzureAD module) to properly enable the "sAMAccountName" claim.

First we add a new claims mapping policy for TDS Keycloak in Azure AD, in this case named "Tietoevry-TDS-Keycloak-Policy":

```powershell
# Claims mapping policy: maps givenname, surname, mail and the synced on-premises
# sAMAccountName onto the JWT claims given_name, family_name, mail and samaccountname.
# The command prints the new policy, including its Id, which is needed in the linking step below.
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"givenname","JwtClaimType":"given_name"},{"Source":"user","ID":"surname","JwtClaimType":"family_name"},{"Source":"user","ID":"mail","JwtClaimType":"mail"},{"Source":"user","ID":"onpremisessamaccountname","JwtClaimType":"samaccountname"}]}}') -DisplayName "Tietoevry-TDS-Keycloak-Policy" -Type "ClaimsMappingPolicy"
```
- Obtain the relevant Enterprise application ID:
  - Go to Enterprise Applications https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview/menuId/
  - Search for the application with the name you registered in the previous step
Then we link the policy to the Enterprise application's service principal (always double-check that both IDs are the correct ones):

```powershell
# -Id          = object ID of the Enterprise application (service principal) found above
# -RefObjectId = Id of the claims mapping policy returned by New-AzureADPolicy
Add-AzureADServicePrincipalPolicy -Id "<Enterprise-Application-UUID>" -RefObjectId "9cb83e39-8b0b-40da-8e2c-e49b8d2522b7" #'Tietoevry DevOps Space (TDS) Keycloak' & 'Tietoevry-TDS-Keycloak-Policy'
```
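As an added example (not the page's or the TDS team's own script), the two commands above combined into one idempotent script: it creates the policy only if a policy with that display name does not already exist, resolves the Enterprise application by the display name used on this page instead of pasting an object ID, links the policy only if it is not linked yet, and reads the attached policies back for review. It assumes the AzureAD PowerShell module, an account permitted to manage policies, and the display names given above; adjust those for your tenant.

```powershell
# Added example: create/link the TDS Keycloak claims mapping policy idempotently.
# Assumes the AzureAD module is installed and Connect-AzureAD succeeds.
$AppDisplayName    = 'Tietoevry DevOps Space (TDS) Keycloak'   # name from the app registration
$PolicyDisplayName = 'Tietoevry-TDS-Keycloak-Policy'           # name from the policy step

Connect-AzureAD | Out-Null

# Same claims schema as the New-AzureADPolicy command on this page, built as an object
# so the JSON does not have to be hand-edited.
$definition = [ordered]@{
    ClaimsMappingPolicy = [ordered]@{
        Version              = 1
        IncludeBasicClaimSet = 'true'
        ClaimsSchema         = @(
            [ordered]@{ Source = 'user'; ID = 'givenname';                JwtClaimType = 'given_name' }
            [ordered]@{ Source = 'user'; ID = 'surname';                  JwtClaimType = 'family_name' }
            [ordered]@{ Source = 'user'; ID = 'mail';                     JwtClaimType = 'mail' }
            [ordered]@{ Source = 'user'; ID = 'onpremisessamaccountname'; JwtClaimType = 'samaccountname' }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

# Reuse an existing policy with this display name rather than creating a duplicate.
$policy = Get-AzureADPolicy -All $true |
    Where-Object { $_.DisplayName -eq $PolicyDisplayName -and $_.Type -eq 'ClaimsMappingPolicy' }
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $PolicyDisplayName -Type 'ClaimsMappingPolicy'
    Write-Host "Created policy $($policy.Id)"
}

# The Enterprise application is the service principal that belongs to the app registration.
$sp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -eq 0) { throw "Service principal '$AppDisplayName' not found; register the application first." }
if ($sp.Count -gt 1) { throw "Several service principals are named '$AppDisplayName'; pick the object ID by hand." }
$sp = $sp[0]

# Link the policy unless it is already attached (the link is what makes the claims appear).
$alreadyLinked = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Where-Object { $_.Id -eq $policy.Id }
if (-not $alreadyLinked) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
    Write-Host "Linked policy $($policy.Id) to service principal $($sp.ObjectId)"
}

# Read back what is attached now, so the change can be reviewed or pasted into a ticket.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object Id, DisplayName, Type
```

The display-name lookup fails deliberately when the name is ambiguous: linking a claims policy to the wrong service principal would silently expose the on-premises account name to another application, so the script refuses to guess.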
- Then go to the application's permissions and grant admin consent (on behalf of all users in this tenant), so that the Microsoft Graph entry reads as follows:

Claim value | Permission | Type | Granted through | Granted by |
---|---|---|---|---|
User.Read | Sign in and read user profile | Delegated | Admin consent | An administrator |

- Then go to "Manifest" and enable custom claims mapping as described in https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping#security-considerations:
  - Find the line with "acceptMappedClaims" and change its value from null to true
  - Click "Save"
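Once the manifest change is saved, the practitioner will want to confirm that the tokens Azure AD issues to the broker actually carry the mapped claims. The following is an added example (not from the page) that decodes the payload of an ID token and reports which of the expected claims (samaccountname, given_name, family_name and mail, as defined by the policy above) are missing. The sample tokens are constructed inline for the demonstration, the function names are the example's own, and the signature is not verified, so this is a diagnostic aid, not a trust decision: Keycloak validates the signature against the Azure AD keys.

```powershell
# Added example: check which of the claims mapped by the policy are present in a JWT payload.
# Decodes the payload only; the signature is NOT checked here.
$RequiredClaims = @('samaccountname', 'given_name', 'family_name', 'mail')

function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments are base64url without padding: swap the URL-safe alphabet back and re-pad.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    $s = $s.PadRight($s.Length + ((4 - $s.Length % 4) % 4), '=')
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url([string]$Text) {
    # Only used to build the constructed sample tokens below.
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload([string]$Jwt) {
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature).' }
    return (ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json)
}

function Test-TdsClaims([string]$Jwt) {
    # Returns an object listing the required claims that are absent from the token payload.
    $payload = Get-JwtPayload $Jwt
    $present = $payload.PSObject.Properties.Name
    $missing = @($RequiredClaims | Where-Object { $present -notcontains $_ })
    [pscustomobject]@{
        Issuer  = $payload.iss
        Subject = $payload.sub
        Missing = $missing
        Ok      = ($missing.Count -eq 0)
    }
}

# Constructed sample tokens (made up for this example; "sig" is a placeholder, not a real signature).
$header = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
$withClaims = ConvertTo-Base64Url '{"iss":"https://login.microsoftonline.com/<TENANT-ID>/v2.0","sub":"example-subject","given_name":"Jane","family_name":"Doe","mail":"jane.doe@example.com","samaccountname":"jdoe"}'
$withoutMapping = ConvertTo-Base64Url '{"iss":"https://login.microsoftonline.com/<TENANT-ID>/v2.0","sub":"example-subject","given_name":"Jane","family_name":"Doe"}'

# A token issued after the policy is linked and acceptMappedClaims is set should report Ok = True;
# one issued before that reports the mapped claims as Missing.
Test-TdsClaims "$header.$withClaims.sig"
Test-TdsClaims "$header.$withoutMapping.sig"
```

To use it on a real token, paste the ID token captured from the Keycloak broker's identity provider debug output (or from the browser during a test login) into `Test-TdsClaims`. A result with samaccountname missing usually means the policy is linked to the wrong service principal or acceptMappedClaims was not saved.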
...
The TDS team needs the following details in order to finish the integration:
Attribute | Example/template value |
---|---|
Authorization URL | https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize |
Token URL | https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token |
Client ID | b1a10f18-5456-47c3-9843-d90cd58c5278 |
Client Secret | m4yg87DR-_juvp~Tv4U9w-q9x8Mzmo~1Lp |
Please make the secret valid for as long a period as applicable: no expiry if possible, otherwise the maximum number of months that the organisation allows.
We also need to set up a process for replacing the secret on a regular basis, according to the validity period that is possible.
...