...
- Go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
- Click "New registration"
- Set name "Tietoevry DevOps Space (TDS) Keycloak" or something similar
- Select who can use it; usually the first option, "Accounts in this organizational directory only (for example Tietoevry only - Single tenant)", is OK
- Set the Redirect URI to the callback URL:

  ```
  https://identity.core.tds.CUSTOMERX.com/auth/realms/tds/broker/main-oidc/endpoint
  ```

  Note: the portal says this is optional, but it is mandatory in our case.
- Click "Register"
- On the "Overview" screen, find and copy the following values; they will be needed later for the setup on the Keycloak side:
- Application (client) ID
- Directory (tenant) ID
- The following claims need to be enabled:
- sAMAccountName (onpremisessamaccountname)
- firstname
- lastname
- Generate Client Secret
- Go to "Certificates & secrets"
- Click "New client secret"
- Provide some description like "keycloak" or "CustomerX Keycloak"
- Make the secret valid for as long a period as applicable or possible, usually the maximum number of months the organisation allows, or even no expiry.
- Remember to generate new secrets on a regular basis as a security measure. Implementing a process for replacing the secret on a regular basis, in line with the allowed validity period, is highly recommended.
- Click "Add"
- Now you MUST copy the "Value" of the new secret, otherwise it will disappear soon. It will be needed later for the setup on the Keycloak side.
- The AzureAD team must run the following PowerShell commands to properly enable the "sAMAccountName" claim.

  First, add a new policy for TDS Keycloak in Azure AD, in this case named "Tietoevry-TDS-Keycloak-Policy":

  ```powershell
  New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"givenname","JwtClaimType":"given_name"},{"Source":"user","ID":"surname","JwtClaimType":"family_name"},{"Source":"user","ID":"mail","JwtClaimType":"mail"},{"Source":"user","ID":"onpremisessamaccountname","JwtClaimType":"samaccountname"}]}}') -DisplayName "Tietoevry-TDS-Keycloak-Policy" -Type "ClaimsMappingPolicy"
  ```
- Obtain the relevant Enterprise application ID:
  - Go to Enterprise Applications https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview/menuId/
  - Search for the application with the name you registered in the previous step

  Then link the service principal policy to the Enterprise application (always remember to use the correct ID):

  ```powershell
  Add-AzureADServicePrincipalPolicy -Id "<Enterprise-Application-UUID>" -RefObjectId "9cb83e39-8b0b-40da-8e2c-e49b8d2522b7" #'Tietoevry DevOps Space (TDS) Keycloak' & 'Tietoevry-TDS-Keycloak-Policy'
  ```

  Then go to the application permissions and grant "Admin" consent (on behalf of all users in this tenant) as follows:

  | API name | Claim value | Permission | Type | Granted through | Granted by |
  |---|---|---|---|---|---|
  | Microsoft Graph | User.Read | Sign in and read user profile | Delegated | Admin consent | An administrator |

- Then go to "Manifest" and enable custom claims mapping as suggested in https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping#security-considerations
  - Find the line with "acceptMappedClaims" and change it from "null" to "true"
  - Click "Save"
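The two commands above hard-code the policy and application UUIDs. As an added example (not part of the original page), the following script does the same work end to end: it creates the claims mapping policy with the exact schema used here, resolves the Enterprise application by the display name registered in step 1 instead of a pasted UUID, attaches the policy only if it is not already attached, and lists what is linked so the result can be checked. It assumes the AzureAD PowerShell module is installed and `Connect-AzureAD` has already been run by an administrator.

```powershell
# Added example, not the page's own commands. Assumes Connect-AzureAD was run.
$policyName     = "Tietoevry-TDS-Keycloak-Policy"
$appDisplayName = "Tietoevry DevOps Space (TDS) Keycloak"

# Same four claims as the policy on this page; onpremisessamaccountname is
# exposed to Keycloak under the JWT claim name "samaccountname".
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = "true"
        ClaimsSchema         = @(
            @{ Source = "user"; ID = "givenname";                JwtClaimType = "given_name" },
            @{ Source = "user"; ID = "surname";                  JwtClaimType = "family_name" },
            @{ Source = "user"; ID = "mail";                     JwtClaimType = "mail" },
            @{ Source = "user"; ID = "onpremisessamaccountname"; JwtClaimType = "samaccountname" }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

# Reuse an existing policy of the same name and type instead of creating a duplicate.
$policy = Get-AzureADPolicy |
    Where-Object { $_.DisplayName -eq $policyName -and $_.Type -eq "ClaimsMappingPolicy" }
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $policyName -Type "ClaimsMappingPolicy"
}

# Resolve the Enterprise application (service principal) by the registered name.
# Refuse to continue unless exactly one match is found, so the policy cannot land
# on the wrong application.
$sp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$appDisplayName'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$appDisplayName', found $($sp.Count)."
}
$sp = $sp[0]

# Attach the policy only if it is not already linked to this service principal.
$linked = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId
if (-not ($linked | Where-Object { $_.Id -eq $policy.Id })) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# Show what is now attached, for checking before handing over to the TDS team.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type, Id
```

The "acceptMappedClaims" manifest change from the step above is still required; the policy alone does not make the mapped claims appear in the token.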
...
| Attribute | Example/template value |
|---|---|
| Authorization URL | https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/authorize |
| Token URL | https://login.microsoftonline.com/<TENANT-ID>/oauth2/v2.0/token |
| Client ID | b1a10f18-5456-47c3-9843-d90cd58c5278 |
| Client Secret | m4yg87DR-_juvp~Tv4U9w-q9x8Mzmo~1Lp |

Please make the secret valid for as long a period as applicable and possible: no expiry, or the maximum number of months the organisation allows.
...
The TDS team then takes over and finishes the setup according to the internal documentation (OpenID Connect brokering setup: "Identity broker Azure AD OpenID Connect setup", section "Keycloak part").
Google integration with TDS Keycloak using SAML
- Follow the official instructions to set up a custom SAML application: https://support.google.com/a/answer/6087519?hl=en
- Metadata will be provided by the TDS team, but usually it is at a Keycloak URL like https://identity.core.tds.CUSTOMERX.com/auth/realms/tds/broker/google-saml/endpoint/descriptor
- Make sure to set up the following attribute mapping:
- E-mail >> email
- Windows Login >> sAMAccountName
- First Name >> FirstName
- Last Name >> LastName
- Define the custom initial page as the portal URL, for example https://tds.CUSTOMERX.com
- Provide the GoogleIDPMetadata.xml metadata file to the TDS team.
Azure AD integration with TDS Keycloak using SAML
...