Use with Microsoft Azure AD

Pascal Knüppel edited this page Dec 23, 2020 · 3 revisions

Thanks to the contribution of Raffael Grob, who provided a description of how to use scim-for-keycloak with Microsoft Azure AD:

  1. Create a client in Keycloak that delivers your Access Token and that has permission to perform SCIM operations
  2. Handle the token expiration in a way that fits you, i.e. set it on the client to a high number of days. This is necessary because Azure AD does not support logging in with the OAuth2 Client Credentials Grant; it expects a long-lived access token to be configured in the web admin, which is a potential security risk:
    • I would recommend using JWT authentication instead of clientId and clientSecret for this OAuth2 client.
  3. Restrict access to the SCIM endpoints to the created client
    • Alternatively, you can restrict access by roles, but this has to be done at the Resource Type level.
  4. If you use clientId and clientSecret to authenticate with the created client "scim-from-azuread", you can get an access token with the following PowerShell script:

    ```powershell
    $server = "your.keycloak-server.ch"
    $realm = "beta"
    $client_id = "scim-from-azuread"
    $client_secret = "******-****-****-****-f698b440ca6d"

    # Client Credentials Grant: the credentials go in the form-encoded POST body, not the URL
    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Content-Type", "application/x-www-form-urlencoded")
    $body = "client_id=$client_id&client_secret=$client_secret&grant_type=client_credentials"

    $response = Invoke-RestMethod "https://$server/auth/realms/$realm/protocol/openid-connect/token" -Method 'POST' -Headers $headers -Body $body

    Write-Host "This is your access token to be filled in to the Secret Token Field"
    Write-Host $response.access_token
    Write-Host
    Write-Host "you want to see some results via scim too?"
    Read-Host

    # Call the SCIM endpoint with the bearer token. No -Body here: on a GET, Invoke-RestMethod
    # would append the body (including the client secret) to the URL as query parameters.
    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Accept", "application/scim+json")
    $headers.Add("Authorization", "Bearer " + $response.access_token)

    $response2 = Invoke-RestMethod "https://$server/auth/realms/$realm/scim/v2/Users" -Method 'GET' -Headers $headers
    $response2 | ConvertTo-Json
    ```
  5. Add the root URL of your SCIM Endpoint and the Access Token to the provisioning configuration in your Enterprise Application. Test the connection.
  6. Create mappings
  7. Start with a minimal set of attributes
  8. Run it
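The long-lived token from step 2 is the weak point of this setup, so it is worth checking what the token obtained in step 4 actually grants before pasting it into the Azure AD "Secret Token" field. The following PowerShell is an added example, not part of the scim-for-keycloak project or of Raffael Grob's script: it decodes the JWT payload and reports the issuing client, expiry and role claims. The sample token, its claim values and the role name are constructed for offline use; in practice pass `$response.access_token` from step 4 to `Get-ScimTokenSummary` (a name chosen here, not a project function).

```powershell
# Added example (not from the scim-for-keycloak project): inspect the payload of the SCIM
# access token. Only the payload is decoded; the signature is not verified here, because
# Keycloak verifies it on every SCIM request anyway.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url without padding; restore standard base64 before decoding
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    return $b.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-ScimTokenSummary {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT (expected header.payload.signature)" }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    $remaining = $expires - [DateTime]::UtcNow

    # Collect realm roles and client roles (Keycloak puts them in realm_access / resource_access)
    $roles = @()
    if ($claims.realm_access -and $claims.realm_access.roles) { $roles += $claims.realm_access.roles }
    if ($claims.resource_access) {
        foreach ($p in $claims.resource_access.PSObject.Properties) {
            $roles += $p.Value.roles | ForEach-Object { "$($p.Name)/$_" }
        }
    }

    [pscustomobject]@{
        Client        = $claims.azp
        Issuer        = $claims.iss
        ExpiresUtc    = $expires
        DaysRemaining = [math]::Round($remaining.TotalDays, 1)
        Roles         = $roles
    }
}

# Constructed sample token so the script runs offline: claim values and the role name are
# invented, and the signature segment is a dummy. Replace $token with $response.access_token.
$header  = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
$exp30d  = [DateTimeOffset]::UtcNow.AddDays(30).ToUnixTimeSeconds()
$payload = ConvertTo-Base64Url ('{"iss":"https://your.keycloak-server.ch/auth/realms/beta","azp":"scim-from-azuread","exp":' + $exp30d + ',"realm_access":{"roles":["example-scim-role"]}}')
$token   = "{0}.{1}.dummysignature" -f $header, $payload

$summary = Get-ScimTokenSummary -Token $token
$summary | Format-List

# 90 days is an assumed rotation threshold; pick the one that matches your own policy
if ($summary.DaysRemaining -gt 90) {
    Write-Warning "Token lives more than 90 days: plan its rotation in Azure AD and keep the client's roles minimal."
}
```

The role list is the part to look at most closely: since the token itself is the only credential Azure AD holds, the client behind it should carry nothing beyond the roles the SCIM resource types require (step 3), and the expiry date tells you when the "Secret Token" field has to be refreshed.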