Mapping Roles from Azure AD to Keycloak


Arin Kumar

Feb 11, 2025, 3:04:12 AM2/11/25
to Keycloak User

Hi Folks,

I recently faced an issue while trying to map custom roles from an Identity Provider (Azure AD) to Keycloak for SSO authentication. After much effort, I finally found a solution and was able to successfully map roles. Below are the steps to achieve this:

  1. Create an Application in Azure AD

    • Ensure that your application is configured to communicate with Keycloak.
  2. Test SSO Login

    • Try logging in with a user created in Azure AD using SSO in Keycloak to verify that authentication works.
  3. Create and Assign Roles in Azure AD

    • Navigate to Azure AD > Your Application > App roles and create a role (e.g., Custom-Admin) with the same value as its name.
    • Assign this role to a user in Azure AD.
  4. Create a Corresponding Role in Keycloak

    • In Keycloak, go to Your Realm > Roles and create a role (e.g., Custom-Admin-Keycloak).
  5. Configure Role Mapping in Keycloak

    • Navigate to Identity Provider (IDP) Configurations > Mappers and create a new mapper named Role Mapper with the following configurations:
      • Sync Mode Override: Import
      • Mapper Type: Advanced Claim to Roles
      • Claims:
        • Key: roles
        • Value: Custom-Admin
      • Regex Claim Values: Off
      • Role: Select the Keycloak realm role (Custom-Admin-Keycloak) from the dropdown.
  6. Test Role Mapping

    • Save the mapper and log in again with the user to whom the role was assigned in Azure AD.
  7. Verify Role Mapping in Keycloak

    • In Keycloak, navigate to User Section > Select the User > Role Mapping to confirm that the assigned role has been successfully mapped.

This setup ensures a one-to-one mapping of roles from Azure AD to Keycloak. Hope this helps!

Best regards,
Arin Kumar
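To make the mapper's behaviour from step 5 concrete, here is an added Python model (my own, not Keycloak's code or the poster's) of how an "Advanced Claim to Roles" mapper with the stated settings evaluates the `roles` claim that Azure AD puts in the token. It assumes Azure AD emits app roles as an array under `roles`, that "Regex Claim Values: Off" means exact, whole-value matching, and that sync mode `import` only applies on first login while `force` re-evaluates (and revokes) on every login; the token claims below are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class RoleMapper:
    """Model of the mapper configured in the post (assumed semantics, not Keycloak code)."""
    claim_key: str = "roles"                 # Claims > Key
    claim_value: str = "Custom-Admin"        # Claims > Value (the Azure AD app role value)
    role: str = "Custom-Admin-Keycloak"      # Role: the Keycloak realm role to grant
    regex: bool = False                      # Regex Claim Values: Off
    sync_mode: str = "import"                # Sync Mode Override: Import ("force" re-syncs)

    def claim_matches(self, claims: dict) -> bool:
        # Azure AD sends app roles as a list; tolerate a scalar for robustness.
        values = claims.get(self.claim_key, [])
        if not isinstance(values, list):
            values = [values]
        if self.regex:
            return any(re.fullmatch(self.claim_value, str(v)) for v in values)
        # Exact match only: "Custom-Admin-Extra" does NOT satisfy "Custom-Admin".
        return self.claim_value in values

    def apply(self, current_roles: set, claims: dict, first_login: bool) -> set:
        """Return the user's realm roles after a brokered login with these token claims."""
        roles = set(current_roles)
        matched = self.claim_matches(claims)
        if first_login:
            if matched:
                roles.add(self.role)
        elif self.sync_mode == "force":
            # force: keep Keycloak in step with Azure AD, including revocation
            if matched:
                roles.add(self.role)
            else:
                roles.discard(self.role)
        # import: after the first login, later token changes are ignored
        return roles

# Constructed Azure AD token claims for a user who holds the Custom-Admin app role.
AZURE_CLAIMS = {"preferred_username": "alice@example.test", "roles": ["Custom-Admin"]}

def roles_after_first_login(claims: dict = AZURE_CLAIMS) -> set:
    """Step 6/7 of the post: first SSO login should yield the mapped realm role."""
    return RoleMapper().apply(set(), claims, first_login=True)

if __name__ == "__main__":
    print(roles_after_first_login())  # {'Custom-Admin-Keycloak'}
```

With `import`, a user whose Azure AD role is later removed keeps `Custom-Admin-Keycloak` until an admin intervenes; if revocation must follow Azure AD, set the sync mode to `force` instead.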
