Using Keycloak with Azure AD to integrate AKS Cluster authentication process
Introduction
Integrating Azure Kubernetes Service (AKS) with Keycloak through Azure Active Directory (Azure AD) as an intermediary leverages Azure AD’s support for OpenID Connect (OIDC) to handle authentication and authorization. This integration enhances security, streamlines user management, and simplifies the authentication process for users accessing the AKS cluster.
Use case
The integration of AKS with Keycloak using Azure AD applies to the industries listed below, and to any other that prioritizes security, scalability, and efficient user management, which makes it a best practice for organizations running cloud-based Kubernetes environments.
Financial Services: Securely manage and authenticate thousands of users accessing sensitive financial data and applications hosted on Kubernetes clusters.
Healthcare: Protect patient data and ensure compliance with healthcare regulations while providing medical staff secure access to applications.
E-commerce: Manage a large user base accessing e-commerce platforms and ensure secure transactions and user data protection.
Technology and Software Development: Provide developers with secure access to development environments and resources hosted on Kubernetes clusters.
Education: Manage access to educational resources and applications for students, faculty, and staff in a secure manner.
Figure 1: Similar use case architecture.
Concept
To make this integration possible and effective, you should have a clear understanding of the following components, of the concept of using Azure AD as an intermediary, and of the prerequisites.
Understanding the Key Components
What is AKS?
Azure Kubernetes Service (AKS) is a managed Kubernetes service that simplifies deploying, managing, and operating Kubernetes clusters in the cloud.
What is Keycloak
Keycloak is an open-source identity and access management solution that provides features like single sign-on (SSO), identity brokering, and user federation.
What is Azure AD?
Azure Active Directory (Azure AD/Microsoft Entra ID) is Microsoft’s cloud-based identity and access management service, which helps users access external resources like Microsoft 365, the Azure portal, and thousands of other SaaS applications.
Overview of OIDC
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol, allowing clients to verify the identity of end-users based on the authentication performed by an authorization server.
Why Use Azure AD as an Intermediary?
Using Azure AD as an intermediary offers several benefits:
Enhanced Security: Leverages Azure AD’s robust security features.
Simplified Management: Centralizes authentication and authorization.
Seamless Integration: Provides easy integration with Azure services and applications.
Pre-requisites for Integration
Before starting the integration process, ensure you have:
Azure AD: Set up and configured with necessary permissions.
Keycloak: Configured with a realm ready to be integrated.
AKS Cluster: Either existing or a plan to create a new one with Azure AD integration.
Figure 2: Main concept
As Figure 2 (Main concept) shows, Azure Active Directory (Azure AD/Microsoft Entra ID) sits at the center of the authentication flow. On the right, Azure Kubernetes Service requests authentication; Azure AD performs an OIDC token exchange with Keycloak on the left; Keycloak validates the request and returns the result to Azure AD, which in turn responds to AKS.
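The validation step in that flow is what stops a token minted for a different tenant or a different client from being accepted. The following is an added example, not code from the article or from Keycloak; it validates an OIDC ID token the way a relying party should: pin the algorithm, verify the signature, and check issuer, tenant, audience, and lifetime. The tenant ID, client ID, and key are constructed values, and HS256 with a shared key is a stand-in so the example runs offline (real Azure AD ID tokens are RS256-signed and are verified against the tenant's JWKS).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; they are not from the article.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # the app registration's Application (client) ID
EXPECTED_ISSUER = "https://login.microsoftonline.com/%s/v2.0" % TENANT_ID

# Stand-in key so the example runs offline. Real Azure AD ID tokens are RS256-signed
# and must be verified against the tenant's JWKS (the jwks_uri in its OIDC metadata).
DEMO_KEY = b"constructed-demo-key"


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key=DEMO_KEY):
    """Build a compact HS256 JWT from claims (used only to construct sample input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url_encode(sig))


def validate_id_token(token, key=DEMO_KEY, now=None):
    """Return the claims if the token passes every check, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token (rejects alg=none and downgrades).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Issuer and tenant must be exactly ours. A relying party that does not pin the
    # issuer accepts tokens from every Azure AD tenant, not just its own.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer %r is not this tenant" % claims.get("iss"))
    if claims.get("tid") != TENANT_ID:
        raise ValueError("tenant mismatch")
    # Audience must be the client the token was issued for (the Keycloak app registration).
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims
```

Keycloak performs the same checks when `validateSignature` is enabled on the identity provider and the issuer is set; the example makes explicit which fields it compares and why each one matters.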
Hands-on (Technical Steps)
These steps are more technical; together they form a step-by-step guide to a seamless integration.
Register Keycloak as an Application in Azure AD.
Create an App Registration in Azure AD:
Navigate to Azure AD and create a new app registration.
Figure 3: Register Keycloak as an Application in Azure AD -1
Figure 4: Register Keycloak as an Application in Azure AD -2
Save the Client ID and Client Secret from Azure AD. This information will be needed later in Keycloak.
Obtain Client ID and Client Secret
After the registration is complete, go to the app’s overview page and copy the “Application (client) ID”.
Navigate to “Certificates & secrets” and create a new client secret. Copy the value of the client secret as it will not be shown again.
Figure 5: Register Keycloak as an Application in Azure AD -3
Configure API Permissions:
Go to “API permissions” and add the required Microsoft Graph API permissions. Typically, you need `User.Read` together with the `openid`, `profile`, and `email` permissions.
Figure 6: Register Keycloak as an Application in Azure AD -4
Figure 7: Register Keycloak as an Application in Azure AD -5
Clicking Add a permission opens a pane similar to the one shown above; select the permissions and click Add permission. Afterwards, the configuration should look similar to the image below.
Figure 8: Register Keycloak as an Application in Azure AD -6
Configure Keycloak to Use Azure AD
Set Up Keycloak:
https://www.keycloak.org/downloads
https://quay.io/repository/keycloak/keycloak
Log in to the Keycloak admin console.
Select the realm you want to configure or create a new realm.
Figure 9: Configure Keycloak to use Azure AD
Add Azure AD as an Identity Provider:
In the left menu, go to “Identity Providers”.
Click “Add provider” and select “OpenID Connect v1.0”.
Fill in the details:
Alias: A friendly name for the provider (e.g., AzureAD).
Display Name: A display name for the login button.
Authorization URL: `https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize`
Token URL: `https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token`
Client ID: The Application (client) ID obtained from Azure AD.
Client Secret: The client secret obtained from Azure AD.
Save the configuration.
Import OIDC Metadata:
Go to the Azure AD app registration overview and find the “OpenID Connect metadata document” URL.
Figure 10: Configure Keycloak: In Keycloak, use this URL to import the metadata automatically, which fills out most of the configuration fields.
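Importing the metadata document is convenient, but it is worth checking what it fills in before saving, in particular that the issuer is the tenant you registered the app in and that every endpoint is HTTPS. The following is an added example, not code from the article or from Keycloak, that maps a metadata document onto the identity provider settings listed above and refuses a document whose issuer does not match the expected tenant. The metadata shown is a constructed copy of the fields a tenant's document contains, and the config key names follow Keycloak's admin REST API representation of an OIDC identity provider.

```python
import json
from urllib.parse import urlparse

# Constructed sample tenant; not from the article.
TENANT_ID = "11111111-2222-3333-4444-555555555555"

# Constructed copy of the fields a tenant's OpenID Connect metadata document
# (https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration)
# contains; only the fields used below are included.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/%s/v2.0" % TENANT_ID,
    "authorization_endpoint": "https://login.microsoftonline.com/%s/oauth2/v2.0/authorize" % TENANT_ID,
    "token_endpoint": "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % TENANT_ID,
    "jwks_uri": "https://login.microsoftonline.com/%s/discovery/v2.0/keys" % TENANT_ID,
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": "https://login.microsoftonline.com/%s/oauth2/v2.0/logout" % TENANT_ID,
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_metadata(metadata, tenant_id):
    """Reject a metadata document that is incomplete, not HTTPS, or for the wrong tenant."""
    for field in REQUIRED_FIELDS:
        if field not in metadata:
            raise ValueError("metadata is missing %s" % field)
        if urlparse(metadata[field]).scheme != "https":
            raise ValueError("%s is not served over HTTPS" % field)
    # The 'common' and 'organizations' endpoints publish a templated issuer that stands
    # for any Azure AD tenant. For a cluster login provider, insist on exactly our tenant.
    expected_issuer = "https://login.microsoftonline.com/%s/v2.0" % tenant_id
    if metadata["issuer"] != expected_issuer:
        raise ValueError("issuer %r does not belong to tenant %s" % (metadata["issuer"], tenant_id))
    return True


def keycloak_idp_config(metadata_json, tenant_id, client_id, client_secret, alias="AzureAD"):
    """Build the identity provider representation Keycloak expects from the metadata."""
    metadata = json.loads(metadata_json)
    check_metadata(metadata, tenant_id)
    return {
        "alias": alias,
        "displayName": "Azure AD",
        "providerId": "oidc",
        "enabled": True,
        "config": {
            "issuer": metadata["issuer"],
            "authorizationUrl": metadata["authorization_endpoint"],
            "tokenUrl": metadata["token_endpoint"],
            "jwksUrl": metadata["jwks_uri"],
            "userInfoUrl": metadata.get("userinfo_endpoint", ""),
            "logoutUrl": metadata.get("end_session_endpoint", ""),
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            # Verify ID token signatures against the tenant's published keys.
            "validateSignature": "true",
            "useJwksUrl": "true",
            "defaultScope": "openid profile email",
        },
    }


if __name__ == "__main__":
    cfg = keycloak_idp_config(SAMPLE_METADATA, TENANT_ID, "<client-id>", "<client-secret>")
    print(json.dumps(cfg, indent=2))
```

The returned dictionary is the body you would send to Keycloak's admin REST API (`POST /admin/realms/<realm>/identity-provider/instances`) or compare field by field against what the console's import filled in; `validateSignature` and `useJwksUrl` are the two settings most worth confirming after an import.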
Integrate AKS with Azure AD
Enable Azure AD Integration When Creating AKS Cluster:
Use the following Azure CLI command to create an AKS cluster with Azure AD integration:
az aks create \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --node-count 1 \
  --enable-aad \
  --aad-admin-group-object-ids <admin-group-object-id> \
  --enable-oidc-issuer \
  --oidc-issuer-url "https://<keycloak-server>/auth/realms/<realm>"
Replace the placeholders with actual values:
`myResourceGroup`: The resource group name.
`myAKSCluster`: The AKS cluster name.
`admin-group-object-id`: The object ID of the Azure AD group that will have admin rights.
`oidc-issuer-url`: The URL of the Keycloak OIDC issuer. The `/auth` prefix applies to the legacy WildFly distribution of Keycloak; the Quarkus distribution (Keycloak 17 and later) serves realms at `https://<keycloak-server>/realms/<realm>` unless a relative path has been configured.
Update Existing AKS Cluster:
If you already have an existing AKS cluster, use the following command to enable Azure AD integration:
az aks update \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --enable-aad \
  --aad-server-app-id <server-app-id> \
  --aad-server-app-secret <server-app-secret> \
  --aad-client-app-id <client-app-id> \
  --aad-tenant-id <tenant-id>
Outcome
The benefits of a successful integration include, but are not limited to, the following:
Streamlined User Management: Centralized user management through Azure AD.
Enhanced Security: Leverages Azure AD’s security features to protect your AKS cluster.
Simplified Authentication: Azure AD’s security features combined with Keycloak settings simplify the authentication process for users.
Conclusion
We saw in this article how integrating AKS with Keycloak, using Azure AD as an intermediary, provides a robust and secure authentication solution. In addition to the steps above, you can test the integration by logging in to the AKS cluster with `kubectl`: you should be redirected to the Azure AD login page and, after successful authentication, redirected back to Keycloak if everything is configured correctly. Verify that users have the appropriate roles and permissions in both Azure AD and Keycloak to access the AKS cluster. For troubleshooting, ensure the Client ID, Secret, and URLs are correct, verify that all required permissions are granted and that the Keycloak and Azure AD settings align, use HTTPS for all communications, and regularly review and update access controls and permissions. Maintain the system by keeping all components updated and by implementing monitoring tools to track the health and performance of the integration. Advanced configurations, such as adjusting claims in Keycloak to meet specific requirements and configuring group memberships according to the organizational structure, will be covered in the next article. By following the steps outlined in this article, you can ensure a seamless and efficient integration process that simplifies and enhances app security.
Microsoft Tech Community – Latest Blogs – Read More