Integrating Microsoft Entra ID with Keycloak for MTG CLM Authentication


This guide walks you through configuring Microsoft Entra ID (formerly Azure AD) as an identity provider for Keycloak, enabling single sign-on for MTG CLM users.

Prerequisites: Microsoft Entra ID administrative privileges, Keycloak administrative access, and MTG CLM environment access.

Create the App Registration in Entra ID

To allow Keycloak and MTG CLM to authenticate users against your Microsoft environment, you must first register an application in your Entra ID tenant.

  1. Log in to the Azure Portal.

  2. Click the hamburger button on the top left corner.

  3. Select Microsoft Entra ID.

  4. Click + Add and then App Registration.

  5. Enter a descriptive Name for the application (e.g., MTG CLM - Keycloak).

  6. Under Supported account types, select Single tenant only.

  7. Leave the Redirect URI blank for now. You will configure this later when setting up Keycloak.

  8. Click Register.

Once the application is created, you are taken to the Overview page.

Copy and securely store the following two values, as you will need them for the Keycloak configuration:

  • Application (client) ID

  • Directory (tenant) ID

To allow MTG CLM to read user and directory objects within your tenant, you must grant the App Registration specific Microsoft Graph API permissions.

  1. In your App Registration menu, select API permissions from the left sidebar.

  2. Click + Add a permission.

  3. Select Microsoft Graph.

  4. Select Application permissions (not Delegated permissions).

  5. In the search bar, locate and check the following permission: Directory.Read.All. Click Add permissions at the bottom of the screen.

  6. Once the permissions are added, select them and click the Grant admin consent for [Your Tenant Name] button located above the permissions list.

  7. Click Yes in the confirmation prompt. You should then see a screen similar to the following:

If the Grant admin consent button is greyed out, your current account does not have the Global Administrator or Privileged Role Administrator rights required to authorize these permissions.

Generate the Client Secret

Keycloak requires a client secret to authenticate against your Entra ID tenant securely.

  1. In your App Registration menu, select Certificates & secrets from the left sidebar.

  2. Click + New client secret.

  3. Enter a descriptive Description (e.g., MTG CLM-Secret) and select an Expires duration according to your security policy.

  4. Click Add.

Copy the Value string immediately and store it in a secure location. This value will be permanently hidden once you leave this page, and you cannot retrieve it later. You will paste this value into Keycloak in the next section.

Configure Keycloak Identity Provider

Access Identity Provider Configuration

  1. Sign in to your Keycloak administration console.

  2. Navigate to your target realm for MTG CLM integration.

  3. Select Identity Providers from the left navigation menu.

  4. Click OpenID Connect v1.0.

Configure Provider Settings

1. Basic Configuration

  • Alias: Enter "microsoft-entra-id" (or your organizational standard).

  • Display Name: Enter "Microsoft Entra ID".

    Make sure you store your Redirect URI now. You are going to need it later.

2. OpenID Connect Settings

The endpoint metadata fields are populated automatically once the discovery endpoint URL is pasted.

  • Client Authentication: Select "Client secret sent as post" from the dropdown list.

  • Client ID: Retrieve from portal.azure.com → Overview.

  • Client Secret: Retrieve from portal.azure.com → Certificates & secrets.

Make sure to renew the client secret before the expiration date you selected.
Upon creation, you must copy the Client Secret Value and store it in a secure location. You will not be able to access it later!

Paste the Client Secret Value into the appropriate field in Keycloak and leave Client assertion signature algorithm set to "Algorithm not specified".

The completed page should now look like this:

Click "Add" to proceed.

Now copy your redirect URI and paste it in portal.azure.com.

Click "Add a platform" and then select "Web".

Paste the Redirect URI in the appropriate field and then select "Configure" to finish.

In Keycloak, go to Clients (within the MTG ERS realm) and choose the account-console client.

In Access Settings make sure Web origins is set to "*".

3. Group/Role Mapping

Defining app roles in Entra ID

In your Azure app registration, under App roles, create entries such as clm-admin or clm-default. These roles will be included in the roles claim of the ID token.

Adding Mappers

In Keycloak → Identity Providers → your Azure provider:

  • Open the Mappers tab → click Add mapper and choose Claim to Role.

Configuring Mappers

Configure mapper as follows:

  • Name: e.g., Admins

  • Mapper type: Claim to Role

  • Claim: roles

  • Claim value: clm-admin

  • Role: select the corresponding Keycloak role, e.g., mtg-clm-server ADMIN

  • Sync mode override: Force

Save mapper.
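The OpenID Connect settings (section 2) and the Claim to Role mapping (section 3) can be checked offline before the first real login. The following Python script is an added example, not part of the MTG CLM or Keycloak documentation: it models what Keycloak does once Entra ID returns an ID token, namely validating issuer, tenant, audience and expiry for a single-tenant app registration and then applying the Claim to Role mapper, including the effect of Sync mode override = Force. It also derives the tenant's discovery URL and the broker redirect URI from the tenant ID and alias. The tenant and client IDs, the sample tokens, the second mapper and the role name mtg-clm-server USER are constructed placeholders. Real tokens are signed, and Keycloak verifies the signature against the tenant's JWKS; this sample parses unsigned test tokens and does not do that.

```python
import base64
import json
import time
from typing import Optional

# Constructed placeholder identifiers (the guide has you copy the real ones
# from the app registration's Overview page).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Claim to Role mappers as configured in the guide. The second entry and the
# role name "mtg-clm-server USER" are assumptions for illustration.
MAPPERS = [
    {"name": "Admins", "claim": "roles", "claim_value": "clm-admin",
     "role": "mtg-clm-server ADMIN", "sync_mode": "FORCE"},
    {"name": "Users", "claim": "roles", "claim_value": "clm-default",
     "role": "mtg-clm-server USER", "sync_mode": "FORCE"},
]


def entra_discovery_url(tenant_id: str) -> str:
    """Single-tenant OIDC discovery document; pasting this into Keycloak's
    discovery endpoint field auto-populates the endpoint URLs."""
    return (f"https://login.microsoftonline.com/{tenant_id}"
            "/v2.0/.well-known/openid-configuration")


def entra_issuer(tenant_id: str) -> str:
    """Issuer value carried by tokens minted by this tenant (v2.0 endpoint)."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def keycloak_redirect_uri(base_url: str, realm: str, alias: str) -> str:
    """Broker callback URL Keycloak displays for the provider; it must be
    registered verbatim as a Web redirect URI in the Entra app registration."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_sample_id_token(payload: dict) -> str:
    """Constructed, unsigned compact JWT for offline testing only. Real
    tokens are signed and Keycloak verifies them against the tenant JWKS."""
    header = {"alg": "none", "typ": "JWT"}  # constructed test header
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


def validate_claims(payload: dict, tenant_id: str, client_id: str, now: float) -> None:
    """Checks a single-tenant broker must pass before trusting any claim."""
    if payload.get("iss") != entra_issuer(tenant_id):
        raise ValueError(f"issuer mismatch: {payload.get('iss')}")
    if payload.get("tid") != tenant_id:
        raise ValueError("token was issued for a different tenant")
    aud = payload.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token audience is not this app registration")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")


def apply_claim_to_role(payload: dict, mappers: list, current_roles: set) -> set:
    """Model of Keycloak's Claim to Role mapper: a role is granted when the
    claim contains the configured value. With sync mode FORCE the mapper runs
    on every login, so a role whose value is no longer in the claim is removed;
    with IMPORT it would only be applied when the user is first created."""
    roles = set(current_roles)
    for m in mappers:
        claim = payload.get(m["claim"], [])
        values = claim if isinstance(claim, list) else [claim]
        if m["claim_value"] in values:
            roles.add(m["role"])
        elif m["sync_mode"] == "FORCE":
            roles.discard(m["role"])
    return roles


def broker_login(id_token: str, current_roles: set, now: Optional[float] = None) -> set:
    """Parse the token, validate tenant/audience/expiry, then map roles."""
    payload = _b64url_decode(id_token.split(".")[1])
    validate_claims(payload, TENANT_ID, CLIENT_ID, time.time() if now is None else now)
    return apply_claim_to_role(payload, MAPPERS, current_roles)


if __name__ == "__main__":
    tok = make_sample_id_token({"iss": entra_issuer(TENANT_ID), "tid": TENANT_ID,
                                "aud": CLIENT_ID, "exp": 4102444800,
                                "preferred_username": "alice@example.com",
                                "roles": ["clm-admin"]})
    print(broker_login(tok, set()))
    print(keycloak_redirect_uri("https://sso.example.com", "mtg-clm", "microsoft-entra-id"))
```

Running the script shows the admin role being granted from the `roles` claim and prints the redirect URI to register under Add a platform → Web. The `validate_claims` step is why Single tenant only matters in the app registration: a token from another tenant carries a different `iss`/`tid` and is rejected before any role mapping happens.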

Test Authentication Flow

Validate Configuration

Test MTG CLM Access

  • Navigate to MTG CLM login page.

  • Click SSO/Keycloak authentication option.

  • The redirect chain is as follows: MTG CLM → Keycloak → Microsoft → back to MTG CLM.

  • Confirm authentication and successful profile creation both in Keycloak and in MTG CLM.