chore: add step-by-step guide on how to integrate msentra as idp in keycloak

so it matches the rest of the structure

README.md

@@ -6,20 +6,22 @@ This repository contains documentation, guides, and reference material.
 
 - **[Contribution guidelines](./contributing/)**  
   Documentation and guides related to infrastructure configuration and best practices.  
-  - [Git](./infrastructure/git.md)  
+  - [Git](./contributing/git.md)  
     Guidelines for contributing using git
 
 - **[Infrastructure](./infrastructure/)**  
   Documentation and guides related to infrastructure configuration and best practices.  
   - [ACME](./infrastructure/acme.md)  
     Documentation of the ACME concept.
-  - [IPV6](./infrastructure/ipv6/ipv6.md)  
+  - [IPV6](./infrastructure/ipv6.md)  
     Documentation of the ipv6 concept.  
 
 - **[Keycloak](./keycloak/)**  
   Documentation and guides related to Keycloak configuration and best practices.  
   - [Enforce OTP 2FA for Internal Users](./keycloak/enforce-otp-internal.md)  
     Step-by-step instructions for enforcing OTP-based two-factor authentication for internal users, while excluding external Microsoft Entra users.
+  - [Integrate MS Entra in Keycloak as IDP](./keycloak/idp-ms-entra.md)
+    Step-by-step instructions for integrating MS Entra as identity-provider.
 
 - **[Microsoft Entra](./ms-entra/)**  
   Documentation and guides related to Microsft Entra configuration and best practices.

infrastructure/ipv6.md

@@ -0,0 +1,33 @@
+# IPv6 – Overview and Best Practices
+
+## Why IPv6?
+IPv6 was introduced to address the limitations of IPv4, most notably the shortage of available addresses. It provides an almost unlimited address space, improved support for modern networking, and forms the foundation for future-proof infrastructures.
+
+## DNS instead of IP addresses
+- IPv6 addresses are long and difficult to memorize (e.g. `2001:db8:85a3::8a2e:370:7334`).  
+- It is therefore recommended to use **DNS names for virtual machines (VMs)** and other systems.  
+  → This improves administration, readability, and reduces error potential.
+
+## Own IPv6 Stack
+- The **RFC4193 range** (`fd00::/8`) is reserved for **local, private use**, similar to private IPv4 networks (e.g. `192.168.x.x`).  
+- For production environments, it is preferable to use **public, globally routable IPv6 prefixes** obtained from an ISP or an own IPv6 allocation.  
+  → Advantages:  
+  - Unique addressing without overlaps  
+  - Direct reachability and routability on the Internet  
+  - Sustainable, future-oriented network design
+
+## Dual Stack as a Transition Strategy
+- In many environments, IPv4 cannot be replaced immediately.  
+- **Dual Stack** allows IPv4 and IPv6 to operate in parallel.  
+- This enables a gradual transition to IPv6 without requiring a complete redesign of the network infrastructure at once.  
+- Dual Stack can be maintained as long as necessary, until IPv6 adoption is complete.
+
+## Jump Host for IPv6-only Zones
+- When migrating to **IPv6-only environments**, not all clients or tools may yet support IPv6.  
+- A **Jump Host** with both IPv4 and IPv6 connectivity can serve as an entry point.  
+- It enables access from IPv4-based networks into IPv6-only segments, acting as a controlled and secure bridge during the transition phase.  
+- This approach ensures operability while gradually phasing out IPv4.
+
+## Conclusion
+IPv6 is essential for modern IT infrastructures and significantly simplifies network management in the long term.  
+By relying on **DNS names instead of raw IP addresses**, operating an **own, globally valid IPv6 stack**, using **Dual Stack during the migration phase**, and providing a **Jump Host for IPv6-only zones**, networks become more robust, scalable, and future-proof.

keycloak/idp-ms-entra.md

@@ -0,0 +1,81 @@
+# Add Microsoft Entra ID as an Identity Provider in Keycloak
+
+> **Goal:** Connect your Microsoft Entra application (from the previous guide) to Keycloak using OpenID Connect so users can sign in with their Microsoft accounts.
+
+---
+
+## Prerequisites
+From the [Entra guide](../ms-entra/enterprise-app-keycloak.md) you should have:
+- **OpenID Connect metadata document URL** 
+- **Application (client) ID**
+- **Client secret (Value)**
+- (Optional) **Tenant ID** — useful to verify you used the correct discovery URL
+
+You'll also need:
+- Access to the **Keycloak Admin Console**
+- The **realm** where you want to add the provider (e.g., `Digitalboard`)
+- The **alias** you decided on (this must match the alias in the Entra Redirect URI)
+
+---
+
+## Step 1 — Open Identity Providers in your realm
+1. In Keycloak, switch to the target realm (e.g., `Digitalboard`).
+2. Navigate to **Configure → Identity providers**.
+3. Click **Add provider** → **OpenID Connect v1.0**.
+
+![Open “Add provider”](images/idp-ms-entra/step-01-A.png "Add provider → OpenID Connect v1.0")  
+*Figure 1: Adding an OIDC provider.*
+![Open “Add provider”](images/idp-ms-entra/step-01-B.png "Add provider → OpenID Connect v1.0")  
+*Figure 1: Adding an OIDC provider.*
+
+---
+
+## Step 2 — Fill the basic settings
+On the **Add identity provider** form:
+
+1. **Alias**: enter your organization alias (must match the alias used in the Entra Redirect URI).  
+   Example: `test-schule`
+2. **Display name**: a friendly label users will see on the login page.  
+   Example: `Test Schule`
+3. **Use discovery endpoint**: **On**.
+4. **Discovery endpoint**: paste the **OpenID Connect metadata document URL** you copied in Entra (Step 7).  
+   Example: `https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration`
+5. **Client authentication**: keep **Client secret sent as post**.
+6. **Client ID**: paste the **Application (client) ID** from Entra.
+7. **Client Secret**: paste the **client secret Value** from Entra.
+8. **Client assertion signature algorithm**: leave **Algorithm not specified** (default).
+9. Click **Add** (or **Save**).
+
+> As soon as you set the **Alias**, Keycloak shows the **Redirect URI** at the top (read-only). It must exactly match the Redirect URI you registered in Entra.
+
+![Fill OIDC settings](images/idp-ms-entra/step-02-A.png "OIDC identity provider form in Keycloak")  
+*Figure 2: Basic OIDC settings in Keycloak.*
+
+---
+
+## Step 3 — Set recommended options
+After saving, on the provider's **Settings** tab, adjust:
+
+- **Default Scopes**: `openid profile email`  
+  (ensures Entra returns the claims you added in the [Entra guide](../ms-entra/enterprise-app-keycloak.md))
+- **Trust email**: **On** (lets Keycloak trust verified email from Entra)
+- **Sync Mode**: **Import** (default; copies basic attributes into Keycloak)
+- **Disable User Info**: **Off** (keep it off so Keycloak can fetch claims from the UserInfo endpoint)
+- **Backchannel logout**: **On** (optional but recommended)
+
+Click **Save**.
+
+---
+
+## Step 3 — Check the provider appears on the login page
+Back on **Configure → Identity providers**, you should see your new provider listed.
+
+Open your realm's login page (or log out of the Admin Console and choose **Sign in with <Provider-Display-Name>**). You should be redirected to Microsoft, then back to Keycloak, and end up authenticated.
+
+---
+
+## Troubleshooting
+- **`invalid_redirect_uri` (on Microsoft)**: The Redirect URI in Entra must match exactly what Keycloak shows (including realm name and **alias**).
+- **`AADSTS50105`**: Access to the Enterprise App is restricted. Follow Steps 10-11 in the [Entra guide](../ms-entra/enterprise-app-keycloak.md) to assign the user/group.
+- **No name/email in Keycloak user**: Check **Default Scopes** include `profile email`, verify Entra **Token configuration** (claims) and Keycloak **Mappers**.
+- **Issuer/metadata errors**: Ensure the **Discovery endpoint** uses your real **tenant ID** and is reachable over HTTPS from Keycloak.