Connect DMC to Azure AD via SAML

You can create a SAML connection from DMC to Azure AD, which lets you authenticate and authorize individuals to use DMC. Follow the steps below to set up this connection.

Note: Azure AD does not support the LDAP protocol or Secure LDAP directly. It is possible to enable an Azure AD DS instance on an Azure AD tenant with correctly configured network security groups. Learn more here

Instructions

Tip: Before you begin, you need an Azure account with privileges that allow you to manipulate app registrations, groups, and permissions. Then you need an app registration in Azure Active Directory.

Keycloak Steps:

  1. Go to the Keycloak admin console and find the Identity providers menu.
  2. Add a SAML v2.0 provider.

Azure AD and Keycloak Configuration Steps

This section covers how to set up an identity provider in Keycloak, which provides the connection to Azure AD over SAML.

  1. Type in the desired Display name.

    Note: This is a visible name for your custom identity provider. In the provided example, we use SAML Connection as the Display name.

  2. Obtain the discovery endpoint located here:
    Your application > Overview > Endpoints > Federation Metadata Document.
  3. Next, add the discovery endpoint into its associated text field.
    The discovery endpoint contains the required metadata to use the identity provider.
  4. Add your application ID URI to the Service provider entity ID field.
  5. Change the NameID policy format to Email.
  6. Once all boxes are filled in, click the Add button.
  7. Copy the Redirect URI and paste it into your application located here:
    Application > Overview > Redirect URIs > Redirect URIs
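As an added example (not part of this page, nor Keycloak's or Azure AD's own code), the following Python script parses a federation metadata document of the shape the discovery endpoint returns, checks that the issuer belongs to the expected tenant, and derives the identity provider settings that steps 2 through 5 configure. The metadata, tenant id and certificate are constructed placeholders, and the output key names follow Keycloak's SAML identity provider config.

```python
"""Parse a SAML federation metadata document (the "discovery endpoint"
Keycloak imports) and derive the identity provider settings it yields.
Added example; the metadata below is a constructed minimal sample with
a placeholder tenant id and certificate, not a real tenant's document."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed sample shaped like an Azure AD FederationMetadata.xml.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str, expected_tenant: str) -> dict:
    """Return the Keycloak identity provider settings derived from the
    metadata, after checking the issuer belongs to the expected tenant."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if entity_id != f"https://sts.windows.net/{expected_tenant}/":
        raise ValueError(f"unexpected issuer {entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo"
                    "/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks a redirect SSO endpoint or signing key")
    return {
        "entityId": entity_id,  # issuer Keycloak validates assertions against
        "singleSignOnServiceUrl": sso.get("Location"),
        "signingCertificate": "".join(cert.text.split()),
        "nameIDPolicyFormat": EMAIL_FMT,  # step 5: NameID policy format = Email
        "validateSignature": "true",  # reject assertions not signed by the cert
    }
```

Running the function against the live Federation Metadata Document (fetched over HTTPS) before pasting the endpoint into Keycloak confirms the issuer, SSO URL and signing certificate you are about to trust.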

Sign in to DMC DB with the SAML Connection

This section covers how to connect DMC with SAML to Azure AD.

  1. On the DMC sign-in screen, click the SAML Connection Login link at the bottom of the dialog.
    This will direct you to the Azure AD login page.
  2. Log in to Azure AD.
    This will direct you back to the DMC DB login screen.

  3. Finish your registration by filling in your user name, email, first name, and last name. This is only required on the initial login; any later login session directs you straight into DMC.

Note: If there are issues when logging out, change the Backchannel logout toggle value in the identity provider's advanced settings.