Keycloak has proven itself in securing Java web applications. However, it does not offer multi-factor authentication.
Fortunately, it is possible to delegate authentication in Keycloak to an identity provider that offers MFA, e.g. Azure AD. The advantage of this approach is that no changes need to be made in the client applications; you don't even need to redeploy them.

In order to achieve this, the following two steps must be taken:
- Add a new registration for the Keycloak instance in Azure portal
- Define Azure Active Directory as an identity provider in Keycloak.
1- Add a new registration for the Keycloak instance in the Azure portal
Sign in to the Azure portal and then go to Azure Active Directory:

Then switch to "App registrations":

Then register the Keycloak instance as follows:

A meaningful name should be chosen, and the redirect URI must be that of the Keycloak instance, e.g.
https://sso.yourserver.com/auth/realms/master/broker/azure-ad/endpoint
Note: the link consists of the realm "master" and the identity provider alias "azure-ad". The identity provider itself will be created later, but its alias must match the one used in this redirect URI.
The client ID and the directory ID must be noted; they are used later in Keycloak:

So that Keycloak can authenticate to Azure AD with this registration, a new client secret must be created:
In the menu Certificates & secrets → New client secret


The secret value is generated and must be copied immediately (it cannot be displayed again later):

2- Define Azure Active Directory as an identity provider in Keycloak
In Keycloak, as an admin, add "OpenID Connect" as a provider in the Identity Providers menu:

Then:
- Enter the alias (the same "azure-ad" used in the redirect URI registered in Azure) and a display name.
- Enter the following link as the "Discovery endpoint": https://login.microsoftonline.com/{directoryID}/v2.0/.well-known/openid-configuration, where {directoryID} must be replaced with the directory ID from Azure AD.
- Enter the Client ID and Client Secret from Azure AD (these were generated and noted earlier; see above).
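The same configuration can be scripted instead of clicked through. The following is an added example, not code from the original post: it derives the redirect URI that Azure must allow, builds the discovery endpoint URL, and maps a discovery document onto the representation that Keycloak's admin REST endpoint `/admin/realms/{realm}/identity-provider/instances` accepts for an OIDC provider (the field names are assumed from that API; check them against your Keycloak version). It also refuses a discovery document whose issuer is not the intended tenant (e.g. the multi-tenant "common" endpoint), so the broker only trusts the directory you registered. The discovery document below is a constructed sample in the shape of Azure AD's v2.0 metadata, not fetched from Azure.

```python
import json
from urllib.parse import urlparse


def discovery_url(directory_id: str) -> str:
    """Discovery endpoint to paste into Keycloak, with {directoryID} filled in."""
    return f"https://login.microsoftonline.com/{directory_id}/v2.0/.well-known/openid-configuration"


def redirect_uri(keycloak_base: str, realm: str, alias: str) -> str:
    """Redirect URI that must be registered on the Azure app registration."""
    return f"{keycloak_base.rstrip('/')}/auth/realms/{realm}/broker/{alias}/endpoint"


def build_idp(alias, display_name, directory_id, client_id, client_secret, discovery):
    """Map an OIDC discovery document onto a Keycloak identity-provider representation.

    Field names (alias, providerId, config.clientId, ...) are assumed from Keycloak's
    admin REST API. Raises ValueError if the issuer is not the single tenant given.
    """
    issuer = discovery["issuer"]
    tenant_in_issuer = urlparse(issuer).path.split("/")[1]
    if tenant_in_issuer != directory_id:
        raise ValueError(f"issuer {issuer} is not tenant {directory_id}")
    return {
        "alias": alias,
        "displayName": display_name,
        "providerId": "oidc",
        "enabled": True,
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "issuer": issuer,
            "authorizationUrl": discovery["authorization_endpoint"],
            "tokenUrl": discovery["token_endpoint"],
            "jwksUrl": discovery["jwks_uri"],
            "useJwksUrl": "true",       # fetch signing keys from jwks_uri
            "validateSignature": "true",  # reject ID tokens not signed by Azure AD
            "defaultScope": "openid profile email",
        },
    }


# Constructed sample: placeholder tenant ID and the shape of Azure AD v2.0 metadata.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
}

if __name__ == "__main__":
    print(redirect_uri("https://sso.yourserver.com", "master", "azure-ad"))
    print(json.dumps(build_idp("azure-ad", "Azure AD", TENANT, "client-id-placeholder",
                               "client-secret-placeholder", SAMPLE_DISCOVERY), indent=2))
```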

That’s all.
You can check my videos about this: