Runbook: Using Azure AD as Keycloak Identity Provider

You need Azure Admin permission to complete this integration.

Azure app configuration

Create new Azure app

Create a new App registration from portal.azure.com selecting support for Multiple organizations when asked.

Give your application a name and write down Application (client) ID as you will require this later.

Configure a new secret

Next, go to your App Registration’s Certificates & secrets and create a New client secret. Copy the secret’s Value immediately and store it securely, as Azure displays it only once; you will need it in a later step.

Adding Keycloak IdP

In Keycloak, select the gv Realm, then create a new Identity Provider by selecting Microsoft from the list:


Populate Client ID (the Application (client) ID from Azure) and Client Secret (the secret Value from Azure) with the values obtained in the previous steps.


Finally, copy the Redirect URI shown in Keycloak and add it as a Redirect URI in the Azure App registration.

If you do not want everyone in the directory to be able to sign in using SSO, you can restrict the app to a specific set of users or groups (by requiring assignment on the enterprise application in Azure):

Restrict a Microsoft Entra app to a set of users - Microsoft identity platform
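Before testing, it is worth confirming that the Azure and Keycloak sides actually agree. The following checker is an added example (not part of this runbook, Keycloak or Azure tooling) that compares the Microsoft IdP entry of a Keycloak realm export against the Azure app registration manifest; the sample inputs are constructed, and the redirect URI path format `/realms/<realm>/broker/<alias>/endpoint` (Keycloak 17+, no `/auth` prefix) is an assumption.

```python
"""Compare a Keycloak realm export against an Azure app registration manifest.

Added example, not the runbook's tooling. Inputs below are constructed samples.
Assumes the Keycloak redirect URI path is /realms/<realm>/broker/<alias>/endpoint.
"""
import json

# Constructed sample: the Microsoft IdP entry from a Keycloak realm export ("gv").
KEYCLOAK_REALM = json.loads("""{
  "realm": "gv",
  "identityProviders": [{
    "alias": "microsoft", "providerId": "microsoft", "enabled": true,
    "config": {"clientId": "11111111-2222-3333-4444-555555555555",
               "clientSecret": "**********"}
  }]
}""")

# Constructed sample: the relevant fields of an Azure app registration manifest.
AZURE_APP = json.loads("""{
  "appId": "11111111-2222-3333-4444-555555555555",
  "signInAudience": "AzureADMultipleOrgs",
  "web": {"redirectUris": ["https://kc.example.internal/realms/gv/broker/microsoft/endpoint"]}
}""")


def expected_redirect_uri(base_url, realm, alias):
    """Redirect URI that Keycloak displays on the identity provider page."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def check_integration(realm_export, azure_app, base_url):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    idps = [p for p in realm_export.get("identityProviders", [])
            if p.get("providerId") == "microsoft"]
    if not idps:
        return ["no Microsoft identity provider configured in realm"]
    idp, cfg = idps[0], idps[0].get("config", {})
    if not idp.get("enabled", False):
        findings.append("identity provider is disabled")
    if cfg.get("clientId") != azure_app.get("appId"):
        findings.append("Keycloak Client ID does not match Azure Application (client) ID")
    if not cfg.get("clientSecret"):  # exports mask the value; empty means never set
        findings.append("Client Secret is empty")
    if azure_app.get("signInAudience") != "AzureADMultipleOrgs":
        findings.append("app is not registered for multiple organizations")
    want = expected_redirect_uri(base_url, realm_export["realm"], idp["alias"])
    if want not in azure_app.get("web", {}).get("redirectUris", []):
        findings.append(f"Azure app is missing redirect URI {want}")
    return findings
```

Export the realm from the Keycloak admin console and download the manifest from the Azure app registration, then call `check_integration` with the Keycloak base URL; a non-empty list points at the step that was skipped.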

Test the functionality

Open a new Incognito window in your browser and navigate to https://{$your_ip_or_URL}/ui

The last step is important: you need to allow “Consent on behalf of your organization” before clicking [Accept].

If you don’t, you will need to recreate the app from scratch.

This is what a failed attempt looks like:


That is why it is recommended to test this in Incognito mode.


This should result in the Dashboard window being loaded:


Classified as Getvisibility - Partner/Customer Confidential