- Two server hosts:
  - Microsoft Windows Server 2012 with Active Directory Federation Services (AD FS) installed. The AD domain will be named DOMAIN.NAME in this post.
  - Keycloak server. This can generally be placed anywhere, but here it is expected to be running on a separate host.
- DNS setup:
  - The Windows host name will be fs.domain.name in this post.
  - The Keycloak host name will be kc.domain.name in this post.
Set up Keycloak Server
- Set up Keycloak for incoming HTTPS connections - steps are provided here.
- Export the AD FS certificate into a Java truststore to enable outgoing HTTPS connections:
  - In the AD FS management console, go to the Service → Certificates node in the tree and export the Service communications certificate.
  - Import the certificate into a Java truststore (JKS format) using the Java keytool utility.
  - Set up the truststore in Keycloak as described here.
Set up Identity Provider in Keycloak
Set up Basic Properties of Brokered Identity Provider
- The mapper named Group: managers will be of type SAML Attribute to Role. It will map the attribute named http://schemas.xmlsoap.org/claims/Group to the role manager, but only when that attribute carries the value managers.
- The mapper named Attribute: email will be of type Attribute Importer. It will copy the attribute named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress into the user attribute named email.
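To make the effect of these two mappers concrete, the following added example (not code from the post or from Keycloak) applies the same two rules to a constructed SAML assertion: an exact-value match on the Group claim grants the manager role, and the email claim is copied onto the user. The sample assertion, issuer URL and user values are constructed for illustration; in Keycloak these mappers only run after the assertion's signature has been verified against the AD FS certificate, a step this snippet deliberately leaves out.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names issued by AD FS, as configured in the post's two mappers
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion (not captured from a real AD FS); signature omitted
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>http://fs.domain.name/adfs/services/trust</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>managers</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@domain.name</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def attribute_to_role(attrs, name, value, role):
    """'SAML Attribute to Role': grant the role only if the attribute carries exactly this value."""
    return {role} if value in attrs.get(name, []) else set()


def attribute_importer(attrs, name, user_attribute):
    """'Attribute Importer': copy the attribute's first value onto the user."""
    values = attrs.get(name)
    return {user_attribute: values[0]} if values else {}


def apply_mappers(assertion_xml):
    """Run both mappers from the post and return (granted roles, imported user attributes)."""
    attrs = saml_attributes(assertion_xml)
    roles = attribute_to_role(attrs, GROUP_ATTR, "managers", "manager")
    user_attrs = attribute_importer(attrs, EMAIL_ATTR, "email")
    return roles, user_attrs
```

Note that the second Group value, staff, grants nothing: the role mapper is an exact match on one configured value, so every group that should become a Keycloak role needs its own mapper.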