{"type":"doc","content":[{"type":"paragraph","content":[{"text":"The following is an example ","type":"text"},{"text":"keycloak-saml.xml","type":"text","marks":[{"type":"code"}]},{"text":" file for integrating Weave with Microsoft Entra ID (formerly Azure AD).","type":"text"}]},{"type":"paragraph","content":[{"text":"This example relies upon a new client being created in Entra ID specifically for Weave, and there are some values in this file that will need be replaced those from that Entra client. The ","type":"text"},{"text":"SP entityID","type":"text","marks":[{"type":"code"}]},{"text":" attribute (","type":"text"},{"text":"APPLICATION_ID_FROM_ENTRA","type":"text","marks":[{"type":"code"}]},{"text":" in the example below) taken from the ","type":"text"},{"text":"Application (client) ID","type":"text","marks":[{"type":"em"}]},{"text":" and the ","type":"text"},{"text":"Directory (tenant) ID","type":"text","marks":[{"type":"em"}]},{"text":" (","type":"text"},{"text":"DIRECTORY_ID_FROM_ENTRA","type":"text","marks":[{"type":"code"}]},{"text":" in the example below) for the various Entra URL endpoints.","type":"text"}]},{"type":"paragraph","content":[{"text":"Additionally Entra ID may need to be configured to return role or group information as described here:","type":"text"},{"type":"hardBreak"},{"text":" ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#add-group-claims-to-tokens-for-saml-applications-using-sso-configuration"}},{"text":".","type":"text"},{"type":"hardBreak"},{"text":"Entra may report the users groups using the groups object id, rather that it’s name, so to convert the object id’s back to their names you can either export the groups from Entra to a .csv file (the Entra console provides a button to do this, see below) and then reference that file in the xml config. Alternatively you can create your own properties file with a list object id to group mappings and reference that.","type":"text"},{"type":"hardBreak"},{"text":"You do not need to do this but if you do no you will need to create ACL’s within Weave using the Object ID of the groups.","type":"text"}]},{"type":"paragraph","content":[{"text":"When creating the new client in Entra the redirect URL (back to Weave, see the last screen shot below) should be set to https://","type":"text"},{"text":"hostname.domainname","type":"text","marks":[{"type":"em"}]},{"text":"/weave/saml (assuming the default application context is still /weave, and Weave is exposed on port 443 which it must be). If your Entra client configuration has multiple redirect URL’s, that is you’re trying to use the same Entra client definition for multiple Weave server instances, e.g. test and prod, then you may need to add an ","type":"text"},{"text":"assertionConsumerServiceUrl","type":"text","marks":[{"type":"code"}]},{"text":" attribute to the ","type":"text"},{"text":"SingleSignOnService","type":"text","marks":[{"type":"code"}]},{"text":" providing the full URL of Weave SAML endpoint, similar to the ","type":"text"},{"text":"bindingUrl","type":"text","marks":[{"type":"code"}]},{"text":" but pointing to Weave, not Microsoft. It will be one of the URL's you added to the Entra client configuration as the redirect URL, and if you do not set it Entra will always redirect back to the first redirect URL you specified.","type":"text"}]},{"type":"paragraph","content":[{"text":"Note, this example does not perform any verification of the information exchanged between the Entra IS identity provider and Weave, which is ","type":"text"},{"text":"not","type":"text","marks":[{"type":"strong"}]},{"text":" recommended. You can find a more complete example that does use certificates at ","type":"text"},{"text":"Keycloak - Securing Applications and Services Guide","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.keycloak.org/docs/latest/securing_apps/index.html#_saml-general-config"}}]},{"text":".","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"marks":[{"type":"breakout","attrs":{"mode":"wide"}}],"content":[{"text":"\n\n\t\n\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\t\n\t\t\n\n\t\t\n\t\t\n\t\t\n\t\t\t\n\t\t\n\n\t\t\n\n\n\t\t\n\t\t\t\n\n\t\t\t\n\t\t\n\t\n\n\n","type":"text"}]},{"type":"paragraph"},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":959,"id":"b6c7360f-8e85-4614-847f-ac7a30e26fd8","collection":"contentId-1789886504","type":"file","height":395}},{"type":"caption","content":[{"text":"App registrations","type":"text"}]}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":958,"id":"73638f6b-f80f-451c-85bc-1d8c33913bc2","collection":"contentId-1789886504","type":"file","height":326}},{"type":"caption","content":[{"text":"App registration details","type":"text"}]}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":949,"id":"01dfc6ec-f479-48c8-875f-4d16e4cdd169","collection":"contentId-1789886504","type":"file","height":401}},{"type":"caption","content":[{"text":"App redirect URL","type":"text"}]}]},{"type":"mediaSingle","attrs":{"layout":"center"},"content":[{"type":"media","attrs":{"width":1162,"id":"ac8bc081-7326-4ebd-a001-604b7fa56007","collection":"contentId-1789886504","type":"file","height":483}},{"type":"caption","content":[{"text":"Export Group mappings from Azure","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Ensuring group information is sent to Weave","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":1144,"alt":"image-20250221-001023.png","id":"d5e8104f-cf58-451e-91a8-08d0d0555a46","collection":"contentId-1789886504","type":"file","height":742}},{"type":"caption","content":[{"text":"Step 1. Add groups claim","type":"text"}]}]},{"type":"mediaSingle","attrs":{"layout":"center","width":760,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":1146,"alt":"image-20250221-001132.png","id":"fad63f35-ea8b-47ed-85d2-04768f056328","collection":"contentId-1789886504","type":"file","height":798}},{"type":"caption","content":[{"text":"Step 2. Enable Security groups","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Note that for groups that originated on-premises it may be possible to select sAMAccountName and have Entra ID return the group name rather than the GUID, removing the need to export the group mappings and setting up a RoleMappingsProvider.","type":"text"}]}],"version":1}

Browser not supported