Establishing Federated Trust between Keycloak and Azure AD for Pipeline Deployments with Multiple Users

Kaushik Ray 5 Reputation points
2025-02-08T15:21:35.11+00:00

Scenario:

I have a Jenkins pipeline where users authenticate with Keycloak. I want to leverage this authentication to allow users to deploy resources in Azure using a service principal.

  1. Keycloak Authentication: Users authenticate with Keycloak, and the pipeline obtains a valid access token.
  2. Azure AD Integration: I have configured an app registration in Azure AD and a federated secret with issuer, subject, and audience to establish trust with Keycloak. This works for a single or couple of users where I add their subjects in federated secrets.
  3. Service Principal Assumption: Upon successful authentication with Keycloak, the pipeline should assume the role of the service principal associated with the app registration.

Challenge:

  • Multiple Users: Since each Keycloak user has a unique subject in the access token, how can I configure the federated secret in Azure AD to accommodate all users within my team (100+ members)?
  • How to set up the app registration and federated secrets for all users (dynamically)?
  • Is this the suggested use case for federated identity in such cases?
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Venkata Jagadeep 1,400 Reputation points Microsoft External Staff Moderator
    2025-02-12T00:47:46.6433333+00:00

    Hello Kaushik Ray,

    Thank you for posting your query on Microsoft Q&A.

    We understand that you have a Jenkins pipeline where users authenticate with Keycloak and the pipeline gets an access token, that you configured an app registration in Azure AD and a federated secret with issuer, subject and audience to establish trust with Keycloak, and that it works for the users whose subjects you have added to the federated secrets.

    If you want to deploy resources in Azure, you can add Keycloak as an external identity to authenticate with Keycloak.

    Handling this number of users by adding each user's subject from the access token is not suggested.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
