This application will be what Keycloak uses to authenticate your active directory users with your Azure tenant.

Navigate to https://portal.azure.com and select the App registrations option under the Azure services section. (*This could also be the Microsoft 365 Admin Center as well)

Select the New registration option in the upper left-hand corner.

Provide a name for the application you are registering and select the account type that you would like to be supported (CalypsoAI is a single-tenant). Then select the register button.

Once you have registered your application you will be returned to the Application registration’s overview page. Note your Application (client) ID as you will need it later when creating your identity provider in the Keycloak administration console.

Navigate to the Certificates and secrets section. Create a new client secret and copy the client secret value that was generated as you will need to use this when establishing your identity provider in the Keycloak administration console.

Once you have the Moderator solution up and running, Keycloak should be as well. Login to the Keycloak admin console at https://hostname/auth where hostname is the name of your Moderator server. Once logged in, click on the “Administration Console” link.

Navigate to the Identity Provider tab and select OpenID Connect v1.0 as your provider from the dropdown list.

Make sure to note the redirect URI for your identity provider as you will need to use it in the following step.

Navigate to the Display Name Field and type in a name for the connection. For Example: “Active Directory” and leave all the other fields in this top section as is.

Navigate to the OpenID Connect Settings section, Click into the Discovery Endpoint field and paste the following url where directoryID is the Directory (tenant) ID for your Azure single-tenant application that you have registered.

https://login.microsoftonline.com/{directoryID}/v2.0/.well-known/openid-configuration

You will now add in the client ID and client secret value that you previously saved when registering your application in Microsoft Azure. Once you have entered these values in their respective fields, Click the Add Button.

Once Added the following settings should be automatically populated for the identity provider: Authorization URL, Token URL, Logout URL, User Info URL, Issuer, and JWKS URL.

If the provider was configured properly, you should see the Sign In With SSO Identity on the CalypsoAI Login page. You can click this and it will redirect to the provider’s authentication page. Once credentials are entered, you will be redirected back to CalypsoAI.

Once a user logs in for the first time, the user is automatically added to the list of users in KeyCloak. To verify, simply click on Users in the left hand navigation of Keycloak, and you should see that user listed now.

From here, you can add them to any Groups you’ve created inside of CalypsoAI.