User Community Service Desk Downloads
If you can't find the product or version you're looking for, visit

Keycloak Active Directory Integration

Use the following instructions to enable basic Single Sign-on via Keycloak with Azure Active Directory as the Identity Provider using SAML.

We will only cover Authentication. In this case, when a user logs into Ataccama for the first time, a user record is created in Keycloak with the user’s email address (as their username) and their first and last names for use within Ataccama ONE.

These instructions assume that the client has a fully-qualified-domain-name (FQDN) associated with the Ataccama Platform, which typically points to the gateway server’s / load balancer’s IP Address.

Prepare Keycloak realm for integration with AD

  1. Login to the Keycloak Administration Console.

  2. Open Ataccamaone realm in Keycloak.

  3. Go to the Identity Providers.

  4. From the dropdown list select SAML v2.0.

    keycloak active directory integration identity provider saml

  5. The Add identity provider screen will open, setup up the Alias 'saml': This alias will be used in the redirect URL. You can also add a Display Name which will be visible on the Ataccama Login page

  6. Make a note of the Redirect URI as it will be required later. Redirect URI should look something like <ataccama_platform_fqdn>/auth/realms/ataccamaone/broker/saml/endpoint: where saml matches the value of the Alias field.

  7. Leave this window open, we will return to it later.

Information for Client’s IAM Team

Further information will be required by the Client’s IAM Team, as can be seen in the example below:

keycloak active directory integration client iam

The following responses (or similar) can be provided:

After supplying the above information to the client’s IAM team, they should be able to an .xml file with the Identity Provider metadata. You will need this to complete the Keycloak Realm Integration.

Keycloak realm integration (continued)

Return to the open Keycloak Add Identity Provider page, and follow the steps below:

  1. Scroll to the bottom of the page until you find the Import External IDP Config section and paste the metadata link into the Import from URL field. Select Import.

  2. If the format of the file is correct you should receive:

    keycloak active directory integration idp metadata

    The Single Sign-On Service URL will now be populated. Other settings may have been changed too.

  3. Select Save.

Set up the first login flow

The First Login Flow is the process that executes when a user logs into Ataccama for the first time. In the scenario described here, a user record will be created in Keycloak with the user’s email address as their username along with their first and last names, for use within Ataccama ONE.

  1. Login to the Keycloak Administration Console.

  2. Ensure the Ataccamaone Realm is selected.

  3. In the left-hand-menu, select Authentication.

  4. On the Flows tab, click New on the right-hand-side.

    keycloak active directory integration authentication first login

  5. Enter an Alias eg. Simple Login Flow and click Save.

    keycloak active directory integration alias simple login flow

  6. With the new flow selected, click Add execution.

    keycloak active directory integration add execution

  7. Under Provider, scroll down the list and select Create User If Unique.

    keycloak active directory integration create user if unique

  8. Select Save.

  9. Under Requirement, select ALTERNATIVE.

    keycloak active directory integration alternative

  10. The next time the user logs in, we want them to go directly to the platform. This involves the Browser authentication flow:

    • Login to the Keycloak Administration Console.

    • Ensure the Ataccamaone Realm is selected.

    • In the left-hand-menu, select Authentication.

    • Under Flows select Browser.

      keycloak active directory integration browser

  11. On the Identity Provider Redirector line, click on Actions, and then select Config.

    keycloak active directory integration identity provider redirector

  12. Enter the name of the Identity provider, e.g. saml, in both the Alias and Default Identity Provider boxes.

    keycloak active directory integration create authenticator config

  13. Select Save.

Single sign-on configuration

  1. Login to the Keycloak Administration Console.

  2. Ensure the Ataccamaone Realm is selected.

  3. In the left-hand-menu, select Identity Providers.

  4. Click on the name of the previously created IDP, e.g. saml:

    keycloak active directory integration identity provider

  5. Under First Login Flow, select the flow that we created in the previous section, e.g., Simple Login Flow.

    keycloak active directory integration select first login flow

  6. Under SAML Config, set NameID Policy Format to Email.

    keycloak active directory integration nameid policy

  7. The SAML Config section should now look similar to:

    keycloak active directory integration saml config section

  8. If so, select Save. If not go back and edit as necessary.

Set up mappers

  1. Login to the Keycloak Administration Console.

  2. Ensure the Ataccamaone Realm is selected.

  3. In the left-hand-menu, select Identity Providers.

  4. Click on the name of the previously created IDP, e.g. saml.

  5. Select the Mappers tab.

    keycloak active directory integration mappers

  6. Select Create.

  7. Enter a Name, e.g. Surname mapper, and then select Attribute Importer as the Mapper Type.

    keycloak active directory integration attribute importer

  8. The following screen will appear. The important fields here are Attribute Name and User Attribute Name.

    keycloak active directory integration surname mapper

    • Attribute Name: e.g.:

    • User Attribute Name: lastName.

      The value of Attribute Name must match the name of the attribute coming from the Azure AD Claims. There are a few ways to determine this. In the example .xml, the Claims are listed as part of the <fed:ClaimTypesOffered> section. However, this doesn’t necessarily mean that these attributes will be returned as part of the security handshake. Refer to the Mapping the Claims section below to retrieve and decode the Claims as they are returned during the login process.

      Ensure to use camel case for User Attribute Name.
  9. Now do the same for first name

    keycloak active directory integration first name

Map the claims

This section provides a method for capturing and decoding the claims that are returned by Azure Active Directory as part of the login process.

For this method to work, a user needs to be set up in Azure AD with the correct permissions (e.g. AD Group) that provides the user with access to the Ataccama Platform.
  1. Login to the Keycloak Administration Console.

  2. Ensure the test user does not already have a record in Keycloak (if it does, make a separate note of the associated Roles and simply delete the user record).

  3. Open an Incognito Chrome window (Ctrl+Shift+N).

  4. Open Developer Tools (Ctrl+Shift+I).

    For ease, move the Console to the bottom of the window – click on the three vertical dots, and select the third Dock side option

    keycloak active directory integration dockside

  5. Ensure the Preserve log option is checked.

  6. Attempt to login to Ataccama, e.g. point the browser at <ataccama_platform_fqdn>/.

  7. In the Console, find the Azure AD reply that contains the SAMLResponse.

    keycloak active directory integration saml; response

  8. Copy the entire SAMLResponse (PHNhbWxwOlJlc3BvbnNlIElEPSJfYTE0ZWY2ODQtZmEwMy00OT…) and use a website such as to decode it. After reformatting the .xml, the (anonymised) response should look something like this:

    Example SAML response
    <?xml version="1.0" encoding="UTF-8"?>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a14ef684-fa03-4990-a427-4dfb85478533" Version="2.0" IssueInstant="2019-07-02T07:19:35.874Z" Destination="https://<ataccama_platform_fqdn>/auth/realms/ataccamaone/broker/saml/endpoint" InResponseTo="ID_9338c443-1ecd-4f6f-8a24-4622ded87ca7">
       <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"></Issuer>
          <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
       <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_3ae03e36-e461-4f61-b204-720f19f17300" IssueInstant="2019-07-02T07:19:35.858Z" Version="2.0">
          <Signature xmlns="">
                <CanonicalizationMethod Algorithm="" />
                <SignatureMethod Algorithm="" />
                <Reference URI="#_3ae03e36-e461-4f61-b204-720f19f17300">
                      <Transform Algorithm="" />
                      <Transform Algorithm="" />
                   <DigestMethod Algorithm="" />
             <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"></NameID>
             <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="ID_1234…7ca7" NotOnOrAfter="2019-07-02T07:24:35.858Z" Recipient="https://<ataccama_platform_fqdn>/auth/realms/ataccamaone/broker/saml/endpoint" />
          <Conditions NotBefore="2019-07-02T07:14:35.858Z" NotOnOrAfter="2019-07-02T08:19:35.858Z">
             <Attribute Name="">
             <Attribute Name="">
             <Attribute Name="">
                <AttributeValue>Anderson, Adrian</AttributeValue>
             <Attribute Name="">
             <Attribute Name="">
             <Attribute Name="">
             <Attribute Name="">
             <Attribute Name="">
             <Attribute Name="">
          <AuthnStatement AuthnInstant="2019-07-02T07:19:35.101Z" SessionIndex="_3ae03e36-e461-4f61-b204-720f19f17300">

    The attribute names can be clearly seen in the response. The full value from between the double-quotes is required.

  9. Check the resulting User record in Keycloak. If the mappers were not set up correctly, simply update the mappers, delete the User record and login to the platform again.

Map the roles

These steps rely on the completion of identity-related claims (see, Set up mappers).
To get mappers for identity providers see
  1. Create a counterpart in Keycloak for each role in Active Directory, e.g. AD_ROLE_ADMIN.

  2. Map those roles to Ataccama-specific roles as required.

  3. Navigate to Identity Provider > Identity Provider Mappers.

  4. Identify the claim as groups from AD, see example:

    <Attribute Name=""><AttributeValue>a8dfc3d4-c0c3-48f1-9d8e-157c645ef26e</AttributeValue></Attribute>
  5. Use SAML Attribute to Role, and fill in as required. Based on the example above this would be:

  6. Save Mapper.

  7. Repeat the steps above for as many groups as needed.

Was this page useful?