Microsoft Azure AD / Entra ID integration [C IG]
Overview
The AuthorisationService (AS) can integrate into a Microsoft Azure Active Directory (AAD, aka Microsoft Entra ID). Similar to the LDAP integration, AS will use KeyCloak to synchronize users and groups with AAD. Synchronized users and groups will also be generated in VidiCore.
The configuration is done in ConfigPortal in the Identity Provider configuration. ConfigPortal ensures that the appropriate configuration parameters are entered into KeyCloak.
The AS login screen was adapted to show a button to log in with Azure AD if it is configured. When the button is pressed, the user is forwarded to the AAD login page, including 2-factor authentication if enabled in the AAD.
The Synchronisierung zwischen AAD und KeyCloak findet regelmäßig zeitgesteuert statt.
Configuration
AAD configuration
Several configuration steps have to be done in AAD before starting the integration. This section
Register new SAML application
The following link leads to a tutorial to register a new SAML application in Azure AD
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/saml-toolkit-tutorial
Create a SAML application from the Enterprise application following the steps from the screenshots:
Enable Single sign-on
In the Enterprise Application, look for the Azure AD SAML service that has been created.
Go to manage → single sign-on and choose SAML as sign-on method.
Configure the ‘Sign on URL’ using the AuthService endpoint
Get Client ID and Client Secret for SAML
Get the Client ID from ‘Application (client) ID’
Create Client Secret from Certification & secrets
When registering the client within Azure Enterprise Applications, the following permissions are required by Keycloak’s Azure AD Provider plugin to be able to federate users and sync locally:
Group.Read.All
GroupMember.Read.All
User.Read.All
Create an Identity Provider in ConfigPortal
A new identity provider can be created in ConfigPortal
Go to Settings → Identity Provider → press + → Add Azure AD Configuration
Fill out the dialog with the data from the AAD:
The “Group Filter” allows to whitelist groups. Only users being member of at least on of these groups will be synched to KeyCloak and VidiCore. This feature can help to reduce the amound of users to be synched and for that reason speed up the synch prozess a lot.
Be aware that this feature will be enhanced in the future, probably without migration of the existing configuration.
Technical detail information
Microsoft Graph API
Microsoft Graph API is used for most of our enterprise app usages for retrieving data for user federation purpose in Keycloak.
Rest API: https://developer.microsoft.com/en-us/graph/graph-explorer/
Client Configuration in Keycloak
The following is the Azure Enterprise App configurations used for Keycloak User Federation usage via client-credentials
Authentication Flow:
Link Login User And User Imported from User Federation
The NameID Policy Format has to set to Email to allow it to auto-link to user imported from the User Federation
Refer to https://learn.microsoft.com/en-us/azure/active-directory/develop/saml-claims-customization#edit-nameid for NameId Policy
Configure Logout URL
Pre-requisite
Setup the Identity Provider in Keycloak.
Front-channel logout URL is required to be configured in Azure AD for the logout redirection to work. It can be configured under the path, Entra ID > App registrations > [Application] > Authentication. The value that can be used to configure logout URL is https://<host>/auth/realms/vidispine/broker/<identity provider name>/endpoint. You can also obtain this value from Identity Providers in Keycloak Admin Console.