Trying to create external idp for Microsoft office online

Rudyk, Zhanna B 40 Reputation points
2025-03-22T11:24:57.7166667+00:00

I'm trying to configure SSO authentication for Keycloak users to SharePoint. I created an external IdP as written here https://learn.microsoft.com/en-us/entra/external-id/direct-federation#how-to-configure-samlws-fed-idp-federation , and a client in Keycloak. But when I'm trying to authorize I get an error AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials. In the client I configured the attributes: NameId as persistent, IDPEmail - email


Accepted answer
  1. Techhelp Volunteer 225 Reputation points
    2025-03-31T10:48:23.9333333+00:00

    It depends on which federation approach you're using:

    For Direct Federation (what you're configuring):

    • Users do NOT need to be pre-created in Microsoft Entra ID (Azure AD).
    • Azure AD will automatically create "shadow users" in your tenant upon their first successful SAML login via Keycloak.
    • However, their email/UPN in Keycloak must match a verified domain in your Azure AD tenant.

    For Enterprise Application (SAML SSO):

    • Users typically must exist first in Azure AD (either created manually or synced).
    • The SAML NameID/email must match the user's UPN in Azure AD.

    Key Requirements for Automatic User Creation:

    1. Your Keycloak must send:
      • A valid IDPEmail claim (matching the user's email in Azure AD format)
      • A persistent NameID (as you already configured)
    2. The email domain must be:
      • Verified in Azure AD
      • Configured to allow federated authentication

    You may also share your vote so that more users can find your case link when they are searching on this Microsoft Learn community.


4 additional answers

  1. Techhelp Volunteer 225 Reputation points
    2025-03-22T14:28:42.84+00:00

    I will try to help you troubleshoot your concern.

    The error AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials typically indicates that Azure Active Directory (Azure AD) is unable to determine the tenant associated with the authentication request.

    If you can, check the things below:

    1. Verify Keycloak Client Configuration

    • Ensure that the Keycloak client is correctly configured to use Azure AD as the SAML Identity Provider.
    • Check the following settings in Keycloak:
      • Client ID: This should match the identifier configured in Azure AD.
      • Assertion Consumer Service (ACS) URL: This should be the URL where Azure AD will send the SAML response. It should match the Reply URL configured in Azure AD.
      • NameID Format: Set to Persistent.
      • Signature Required: Ensure that the SAML request is signed (if required by Azure AD).
      • Assertion Signature: Ensure that the SAML response from Azure AD is validated.

    2. Verify Azure AD Configuration

    • In Azure AD, ensure that the SAML federation configuration is correct:
      • Identifier (Entity ID): This should match the Entity ID configured in Keycloak.
      • Reply URL: This should match the ACS URL in Keycloak.
      • Claims: Ensure that the required claims (e.g., NameID, email) are mapped correctly.
      • Signing Certificate: Ensure that the certificate used to sign the SAML response is uploaded to Azure AD and matches the one configured in Keycloak.

    3. Check SAML Request and Response

    • Use a SAML tracer tool (e.g., SAML-tracer browser extension) to capture the SAML request and response.
    • Verify the following:
      • The SAML request includes the Issuer element, which should match the Entity ID configured in Azure AD.
      • The SAML response includes the NameID and email claims.
      • The NameID format is set to Persistent.
      • The SAML response is signed and includes the correct audience and recipient URLs.

    4. Tenant-Identifying Information

    • The error AADSTS90019 suggests that Azure AD cannot identify the tenant. Ensure that:
      • The SAML request includes the tenant-specific endpoint URL (e.g., https://login.microsoftonline.com/{tenant-id}/saml2).
      • The Issuer in the SAML request matches the Entity ID configured in Azure AD.
      • The NameID or other claims include tenant-identifying information (e.g., domain hint).

    Hope the above insight will help you.


  2. Techhelp Volunteer 225 Reputation points
    2025-03-23T07:32:21.2+00:00

    For your issue, contact the Microsoft support team, who can help from their end. https://azure.microsoft.com/en-us/support/create-ticket/


  3. Techhelp Volunteer 225 Reputation points
    2025-03-23T13:41:15.1266667+00:00

    Configuring Single Sign-On (SSO) between Keycloak and Microsoft Entra ID (formerly Azure AD) can be complex, and the error AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials typically indicates that Microsoft Entra ID is unable to identify the tenant or user based on the SAML assertion provided by Keycloak.

    1. Verify Keycloak Configuration

    • Client ID: Ensure the Client ID in Keycloak is set to urn:federation:MicrosoftOnline.
    • Assertion Consumer Service (ACS) URL: Ensure the ACS URL is correctly set to https://{tenant}.ciamlogin.com/login.srf, where {tenant} is your Microsoft Entra ID tenant name or ID.
    • NameID Format: Ensure the NameID Format is set to Persistent.
    • Master SAML Processing URL: This should be set to https://login.microsoftonline.com/{tenant}/saml2, where {tenant} is your Microsoft Entra ID tenant name or ID.
    • SAML Assertion Attributes: Ensure the SAML assertion includes the required attributes:
      • NameID (Persistent) mapped to the user's unique identifier.
      • IDPEmail mapped to the user's email address.

    2. Verify Microsoft Entra ID Configuration

    • Issuer URL: Ensure the Issuer URL in Microsoft Entra ID matches the Entity ID of the Keycloak realm (e.g., https://{keycloak-url}/auth/realms/{realm-name}).
    • Passive Login Endpoint: Ensure the passive login endpoint matches the SAML endpoint of your Keycloak client (e.g., https://{keycloak-url}/auth/realms/{realm-name}/protocol/saml).
    • Claims Mapping: Ensure the claims mapping in Microsoft Entra ID matches the attributes sent by Keycloak (e.g., NameID and IDPEmail).

    3. Check SAML Assertion

    • Use a SAML tracer tool (e.g., SAML-tracer browser extension) to capture the SAML assertion sent from Keycloak to Microsoft Entra ID.
    • Verify that the SAML assertion includes:
      • A valid NameID with the Persistent format.
      • The correct IDPEmail attribute.
      • The correct Issuer URL matching the Keycloak realm.
    • Ensure the Audience in the SAML assertion is set to urn:federation:MicrosoftOnline.

    4. Tenant Identification

    • The error AADSTS90019 suggests that Microsoft Entra ID cannot identify the tenant. Ensure the following:
      • The {tenant} placeholder in the ACS URL and Master SAML Processing URL is replaced with your actual tenant name or ID.
      • The SAML assertion includes the correct tenant information in the Issuer or Audience fields.

    5. Keycloak Logs

    • Check the Keycloak server logs for any errors or warnings related to the SAML assertion or client configuration.
    • Ensure the Keycloak client is correctly configured to send the SAML assertion to Microsoft Entra ID.

    6. Microsoft Entra ID Logs

    • Check the Microsoft Entra ID sign-in logs for more details about the error. The logs may provide additional context about why the tenant or user could not be identified.

    7. Common Pitfalls

    • Mismatched URLs: Ensure all URLs (Issuer, ACS, and SAML endpoints) are correctly configured and match between Keycloak and Microsoft Entra ID.
    • Certificate Issues: Ensure the SAML signing certificate in Keycloak is correctly uploaded to Microsoft Entra ID and is valid.
    • Attribute Mapping: Ensure the attributes sent by Keycloak match the expected attributes in Microsoft Entra ID.

    Example Configuration

    Keycloak:

    • Client ID: urn:federation:MicrosoftOnline
    • ACS URL: https://{tenant}.ciamlogin.com/login.srf
    • NameID Format: Persistent
    • Master SAML Processing URL: https://login.microsoftonline.com/{tenant}/saml2
    • SAML Assertion Attributes:
      • NameID → Persistent
      • IDPEmail → Email

    Microsoft Entra ID:

    • Issuer URL: https://{keycloak-url}/auth/realms/{realm-name}
    • Passive Login Endpoint: https://{keycloak-url}/auth/realms/{realm-name}/protocol/saml
    • Claims Mapping:
      • NameID → User Identifier
      • IDPEmail → Email

    If the issue persists after verifying the above, please contact the Microsoft support team for further analysis from their end.
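The accepted answer lists what Keycloak must send (persistent NameID, IDPEmail in a verified domain) and step 3 of the answer above says to capture the assertion and inspect it. As an added example that is not part of this thread or of Keycloak's or Microsoft's code, the script below applies those checks offline to a captured assertion; the issuer, verified-domain list and `sample_assertion` values are constructed placeholders.

```python
# Added example, not code from the thread. Assumes the direct-federation
# requirements stated on this page: persistent NameID, IDPEmail attribute,
# Audience urn:federation:MicrosoftOnline, Issuer equal to the registered IssuerUri.
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ENTRA_AUDIENCE = "urn:federation:MicrosoftOnline"


def check_assertion(xml_text, expected_issuer, verified_domains):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> element in the response"]
    findings = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} != registered IssuerUri {expected_issuer!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID is missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        findings.append(f"NameID Format {name_id.get('Format')!r} is not persistent")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if ENTRA_AUDIENCE not in audiences:
        findings.append(f"Audience {audiences} lacks {ENTRA_AUDIENCE}")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    email = (attrs.get("IDPEmail") or [""])[0].strip()
    if "@" not in email:
        findings.append("IDPEmail attribute is missing or not an e-mail address")
    elif email.rsplit("@", 1)[1].lower() not in {d.lower() for d in verified_domains}:
        findings.append(f"IDPEmail domain {email.rsplit('@', 1)[1]!r} is not verified in the tenant")
    return findings


def sample_assertion(issuer, nameid_format, audience, email):
    """Constructed, unsigned test assertion; signature checks are out of scope here."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID Format="{nameid_format}">abc123</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="IDPEmail"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
```

Paste the assertion captured with SAML-tracer into `check_assertion` with the IssuerUri you registered in Entra and your verified domains; each finding names one of the mismatches the answers above describe.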


  4. Techhelp Volunteer 225 Reputation points
    2025-03-28T12:54:11.6633333+00:00

    Based on your description, you're encountering the AADSTS90019 error when trying to set up Keycloak as a SAML identity provider for SharePoint Online. Here's how to resolve this:

    Key Requirements for Direct Federation

    1. Tenant Identification: The error indicates Azure AD can't determine which tenant to authenticate against. You need to explicitly specify your Azure AD tenant in the authentication request.
    2. Correct Configuration: You're on the right track using the direct federation approach, but there are some missing pieces.

    Solution Steps

    1. Configure Keycloak Properly

    For your Keycloak SAML client configuration:

    • Entity ID: Must match exactly what you registered in Azure AD
    • NameID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    • Assertion Consumer Service URL: https://login.microsoftonline.com/login.srf
    • Add Required Claims:
      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (maps to user email)
      • http://schemas.microsoft.com/identity/claims/tenantid (your Azure AD tenant ID)

    2. Azure AD Configuration

    You need to configure Azure AD to accept your Keycloak as a direct federation provider:


    # PowerShell example to configure direct federation
    New-MgDomainFederationConfiguration `
        -DomainId yourdomain.com `
        -ActiveSignInUri "https://your-keycloak/auth/realms/your-realm/protocol/saml" `
        -IssuerUri "https://your-keycloak/auth/realms/your-realm" `
        -MetadataExchangeUri "https://your-keycloak/auth/realms/your-realm/protocol/saml/descriptor" `
        -SigningCertificate "YourBase64EncodedCertificate"


    3. Required Attributes

    Ensure your SAML response includes:

    • IDPEmail (must match user's UPN in Azure AD)
    • Tenant identifier (either as tenantid claim or in the Issuer URL)

    While direct federation should work, registering an enterprise application in Azure AD can provide better control:

    1. Go to Azure AD > Enterprise Applications
    2. Create a new SAML-based application
    3. Configure the SAML settings to point to your Keycloak instance

    Troubleshooting Tips

    1. Verify your Azure AD tenant ID is correctly included in requests
    2. Check the Issuer URL in your SAML response matches what's configured in Azure AD
    3. Use SAML tracer to examine the exact SAML response being sent
    4. Ensure clock synchronization between Keycloak and Azure AD

    Alternative Approach

    If you continue having issues, consider using:

    1. Azure AD B2B with Keycloak as an external identity provider
    2. SAML/WS-Fed identity provider federation through Azure AD External Identities
