Setup Azure AD

• Good Tutorial: https://docs.getvisibility.com/enterprise-setup/authentication/single-sign-on-sso/using-azure-ad-as-keycloak-identity-provider

• Login https://portal.azure.com

• Open Microsoft Entra ID

  

• On the left menu pane, go to App-Registration

• In the top bar, click on New Registration

• Specify a new, e.g: DataUnit_ApprovalPortal

• Click on Registration

• 

• Navigate to Certificates & Secrets

• Create a new secret client-key

• 

• Give a description, eg. DataUnit_ApprovalPortal

• Set valid date to maximum

• Add the key

  • 

• Copy the value and the secret id and save it in Keeper

• navigate to Overview and copy the Client ID and OpenID Connect URL → Click on Endpoints

• 

• Login into KeyCloak

• Import the AzureAD

Azure Custom Claim

To use the Approval with Azure IDP, we have to define a Custom Claim in Azure IF the SAP User does not exists in the default Azure Fields (like Username == SAP Username).

1. Navigate to App Registrations and go to the App we just created in the Steps above

2. If not already done, navigate to API permission and Grant admin consent to xyz
   

3. Navigate to “Expose an API” and click on “Add a Scope”
   You have to provide the Application (client) ID, which can be found on the “Overview” page from the Steps above. The name of the Scope can be random, and should look like this in the End:
   

4. Click on “Add a client application”
   Provide here the Client ID (from above) and create the new Scope
   
   Now, lick on “add Applications”

5. Navigate to Manifast (Bottom of the Menu) and replace in the Manifest JSON following values:
   

   "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": null,

with

"acceptMappedClaims": true,
"accessTokenAcceptedVersion": 2,

Click on Save. This change can take several minutes to have an effect.

6. Now, navigate to the Overview back and click on “Manage Application in Enterprise Applications”

7. Navigate to “Single Sign-On” and click on Edit on “Attributes & Claims”
   

8. Click on “Add new Claim”

9. Provide a Token Name and Select the source attribute where the SAP Username is stored
   

10. Save the Settings

11. Now lets try to access the JWT Token with Postman:
    

12. Copy the JWT Token and Copy it into https://jwt.io
    
    You should see the encrypted JWT and the new created token attribute: