Digitalboard/docs
5
1
Fork 0
Code Pull requests 1 Activity Actions

Compare commits

base: Digitalboard:ff6f0f00e4c6e0c5dd66be405a185121e53d62c6
Branches Tags
Digitalboard:main
Digitalboard:feature/keycloak-integration
Digitalboard:chore(docs)ipv6-docu
..
compare: Digitalboard:52719b47b90cf0a45b1a84ee6573fdc1595f0723
Branches Tags
Digitalboard:main
Digitalboard:feature/keycloak-integration
Digitalboard:chore(docs)ipv6-docu

1 commit
ff6f0f00e4 ... 52719b47b9

Author SHA1 Message Date
Bert-Jan Fikse
52719b47b9
chore: add step-by-step guide on how to integrate msentra as idp in keycloak 2025-09-17 14:50:51 +02:00
2 changed files with 4 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -20,8 +20,6 @@ This repository contains documentation, guides, and reference material.
Documentation and guides related to Keycloak configuration and best practices.
- [Enforce OTP 2FA for Internal Users](./keycloak/enforce-otp-internal.md)
Step-by-step instructions for enforcing OTP-based two-factor authentication for internal users, while excluding external Microsoft Entra users.
- [Integrate MS Entra in Keycloak as IDP](./keycloak/idp-ms-entra.md)
Step-by-step instructions for integrating MS Entra as identity-provider.
- **[Microsoft Entra](./ms-entra/)**
Documentation and guides related to Microsft Entra configuration and best practices.

8
keycloak/idp-ms-entra.md
View file

@ -11,7 +11,7 @@ From the [Entra guide](../ms-entra/enterprise-app-keycloak.md) you should have:
- **Client secret (Value)**
- (Optional) **Tenant ID** — useful to verify you used the correct discovery URL
You'll also need:
Youll also need:
- Access to the **Keycloak Admin Console**
- The **realm** where you want to add the provider (e.g., `Digitalboard`)
- The **alias** you decided on (this must match the alias in the Entra Redirect URI)
@ -54,7 +54,7 @@ On the **Add identity provider** form:
---
## Step 3 — Set recommended options
After saving, on the provider's **Settings** tab, adjust:
After saving, on the providers **Settings** tab, adjust:
- **Default Scopes**: `openid profile email`
(ensures Entra returns the claims you added in the [Entra guide](../ms-entra/enterprise-app-keycloak.md))
@ -70,12 +70,12 @@ Click **Save**.
## Step 3 — Check the provider appears on the login page
Back on **Configure → Identity providers**, you should see your new provider listed.
Open your realm's login page (or log out of the Admin Console and choose **Sign in with <Provider-Display-Name>**). You should be redirected to Microsoft, then back to Keycloak, and end up authenticated.
Open your realms login page (or log out of the Admin Console and choose **Sign in with <Provider-Display-Name>**). You should be redirected to Microsoft, then back to Keycloak, and end up authenticated.
---
## Troubleshooting
- **`invalid_redirect_uri` (on Microsoft)**: The Redirect URI in Entra must match exactly what Keycloak shows (including realm name and **alias**).
- **`AADSTS50105`**: Access to the Enterprise App is restricted. Follow Steps 10-11 in the [Entra guide](../ms-entra/enterprise-app-keycloak.md) to assign the user/group.
- **`AADSTS50105`**: Access to the Enterprise App is restricted. Follow Steps 1011 in the [Entra guide](../ms-entra/enterprise-app-keycloak.md) to assign the user/group.
- **No name/email in Keycloak user**: Check **Default Scopes** include `profile email`, verify Entra **Token configuration** (claims) and Keycloak **Mappers**.
- **Issuer/metadata errors**: Ensure the **Discovery endpoint** uses your real **tenant ID** and is reachable over HTTPS from Keycloak.