Loading...

Using Keycloak with Azure AD to integrate AKS Cluster authentication process

Using Keycloak with Azure AD to integrate AKS Cluster authentication process

 

sasina_0-1719173123187.jpeg

Introduction

Integrating Azure Kubernetes Service (AKS) with Keycloak through Azure Active Directory (Azure AD) as an intermediary leverages Azure AD’s support for OpenID Connect (OIDC) to handle authentication and authorization. This integration enhances security, streamlines user management, and simplifies the authentication process for users accessing the AKS cluster.


Use case

The integration of AKS with Keycloak using Azure AD is highly applicable in all these industries and beyond that prioritize security, scalability, and efficient user management, making it a best practice for organizations leveraging cloud-based Kubernetes environments.

Financial Services: Securely manage and authenticate thousands of users accessing sensitive financial data and applications hosted on Kubernetes clusters.

Healthcare: Protect patient data and ensure compliance with healthcare regulations while providing medical staff secure access to applications.

E-commerce: Manage a large user base accessing e-commerce platforms and ensure secure transactions and user data protection.

Technology and Software Development: Provide developers with secure access to development environments and resources hosted on Kubernetes clusters.

Education: Manage access to educational resources and applications for students, faculty, and staff in a secure manner.

 

sasina_1-1719173123194.png

Figure 1: Similar use case architecture.

 

Concept

To make this integration possible and effective you should have a clear understanding of the following components, the concept of using Azure AD as an intermediary, and the pre-requisites.

Understanding the Key Components

What is AKS?

Azure Kubernetes Service (AKS) is a managed Kubernetes service that simplifies deploying, managing, and operating Kubernetes clusters in the cloud.

 

What is Keycloak

Keycloak is an open-source identity and access management solution that provides features like single sign-on (SSO), identity brokering, and user federation.

 

What is Azure AD?

Azure Active Directory (Azure AD/Microsoft Entra ID) is Microsoft’s cloud-based identity and access management service, which helps users access external resources like Microsoft 365, the Azure portal, and thousands of other SaaS applications.

 

Overview of OIDC

OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol, allowing clients to verify the identity of end-users based on the authentication performed by an authorization server.

Why Use Azure AD as an Intermediary?

Using Azure AD as an intermediary offers several benefits:

Enhanced Security: Leverages Azure AD’s robust security features.

Simplified Management: Centralizes authentication and authorization.

Seamless Integration: Provides easy integration with Azure services and applications.

Pre-requisites for Integration

Before starting the integration process, ensure you have:

Azure AD: Set up and configured with necessary permissions.

Keycloak: Configured with a realm ready to be integrated.

AKS Cluster: Either existing or a plan to create a new one with Azure AD integration.

 

sasina_2-1719173123196.png

Figure 2: Mian concept

 

According to the image shown in Figure 2: Main concept, the authentication processes taken place in this concept is Azure Active Directory (Azure AD/Microsoft Entra ID) at the center, and from the right Azure Kubernetes Service requested an authentication and Azure AD will perform OIDC Token Exchange to Keycloak at the left, then Keycloak will perform validation and revert back to Azure AD while, Azure AD respond back to AKS.

Hands-on (Technical Steps)

More technical in these steps and processes, you will find step-by-step guide for seamless Integration.

Register Keycloak as an Application in Azure AD.

  1. Create an App Registration in Azure AD:

   Navigate to Azure AD and create a new app registration.

 

sasina_29-1719173579174.png

Figure 3: Register Keycloak as an Application in Azure AD -1

sasina_30-1719173641195.png

Figure 4: Register Keycloak as an Application in Azure AD -2

 

Save the Client ID and Client Secret from Azure AD. This information will be needed later in Keycloak.

  1. Obtain Client ID and Client Secret
  2. After the registration is complete, go to the app's overview page and copy the "Application (client) ID". 

Navigate to "Certificates & secrets" and create a new client secret. Copy the value of the client secret as it will not be shown again.

 

sasina_31-1719173946464.png

Figure 5: Register Keycloak as an Application in Azure AD -3

 

  1. Configure API Permissions:

   Go to "API permissions" and add the required Microsoft Graph API permissions. Typically, you need `User.Read` and `openid`, `profile`, and `email` permissions.

 

sasina_32-1719174004345.png

Figure 6: Register Keycloak as an Application in Azure AD -4

 

sasina_33-1719174062102.png

Figure 7: Register Keycloak as an Application in Azure AD -5

On click Add a permission, the above similar pane will be displayed as shown and you will click on Add permission. Then, after Add permission, you will have similar configuration to the below image.

sasina_34-1719174139536.png

Figure 8: Register Keycloak as an Application in Azure AD -6

Configure Keycloak to Use Azure AD

 

  1. Set Up Keycloak:

sasina_35-1719174212915.png

Figure 9: Configure Keycloak to use Azure AD

 

  1. Add Azure AD as an Identity Provider:

  In the left menu, go to "Identity Providers".

  •    Click "Add provider" and select "OpenID Connect v1.0".
  •    Fill in the details:
  •    Alias: A friendly name for the provider (e.g., AzureAD).
  •    Display Name: A display name for the login button.
  •    Authorization URL: `https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize`
  •    Token URL: `https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token`
  •    Client ID: The Application (client) ID obtained from Azure AD.
  •    Client Secret: The client secret obtained from Azure AD.
  •    Save the configuration.
  1. Import OIDC Metadata:

   Go to the Azure AD app registration overview and find the "OpenID Connect metadata document" URL.

 

sasina_36-1719174379794.png

Figure 10: Configure Keycloak: In Keycloak, use this URL to import the metadata automatically, which fills out most of the configuration fields.

 

Integrate AKS with Azure AD

 

  1. Enable Azure AD Integration When Creating AKS Cluster:

   Use the following Azure CLI command to create an AKS cluster with Azure AD integration

 

az aks create \ --resource-group myResourceGroup \ --name myAKSCluster \ --node-count 1 \ --enable-aad \ --aad-admin-group-object-ids <admin-group-object-id> \ --enable-oidc-issuer \ --oidc-issuer-url "https://<keycloak-server>/auth/realms/<realm>"

 

   Replace the placeholders with actual values:

  •     `myResourceGroup`: The resource group name.
  •     `myAKSCluster`: The AKS cluster name.
  •     `admin-group-object-id`: The object ID of the Azure AD group that will have admin rights.
  •     `oidc-issuer-url`: The URL of the Keycloak OIDC issuer.
  1. Update Existing AKS Cluster:

   If you already have an existing AKS cluster, use the following command to enable Azure AD integration:   

 

az aks update \ --resource-group myResourceGroup \ --name myAKSCluster \ --enable-aad \ --aad-server-app-id <server-app-id> \ --aad-server-app-secret <server-app-secret> \ --aad-client-app-id <client-app-id> \ --aad-tenant-id <tenant-id>

 

Outcome

The benefits of successful integration are not limited to the followings:

  • Streamlined User Management: Centralized user management through Azure AD.
  • Enhanced Security: Leverages Azure AD’s security features to protect your AKS cluster.
  • Simplify Security: Using Azure AD’s security features and Keycloak settings to simplifies the authentication process for users

Conclusion

We saw in this article how integrating AKS with Keycloak using Azure AD as an intermediary provides a robust and secure authentication solution. In addition, to the above steps, you can use `kubectl` to log into the AKS cluster test the integration, redirecting to the Azure AD login page, and after successful authentication, you should be redirected back to Keycloak if configured correctly. Verify that users have the appropriate roles and permissions in both Azure AD and Keycloak to access the AKS cluster. For troubleshooting, ensure the Client ID, Secret, and URLs are correct, and verify all required permissions and alignment of Keycloak and Azure AD settings and use HTTPS for all communications and regularly review and update access controls and permissions for security. Maintaining the system by keeping all components updated and implementing monitoring tools to track the health and performance of the integration and also, advanced configurations include adjusting claims in Keycloak to meet specific requirements and configuring group memberships according to organizational structure which will be in the next article. By following the steps outlined in this article, you can ensure a seamless and efficient integration process to simplify and enhance app security.

 

Published on:

Learn more
Azure Developer Community Blog articles
Azure Developer Community Blog articles

Azure Developer Community Blog articles

Share post:

Related posts

Azure Fluid Relay: Leveraging Azure Blob Storage to scale Git

Learn how to leverage Git as a storage mechanism behind the globally available Azure Fluid Relay (AFR) service. The post Azure Fluid Relay: Le...

2 hours ago

Verify the integrity of Azure Confidential Ledger transactions with receipts and application claims

In today's digital landscape, the integrity and confidentiality of transactional data are paramount. Microsoft’s Azure Confidential Ledger off...

3 hours ago

HTTP Trigger Azure Function Authorization Types simplified

Here' how you can quickly understand what are the different Authorization Levels to be set while working with HTTP Azure Functions.

1 day ago

Increasing Security for SQL Server Enabled by Azure Arc

Back in November 2023, the least privileges deployment model was introduced as a public preview. After thorough testing, we are excited to ann...

3 days ago

Govern your Azure Firewall configuration with Azure Policies

Introduction:  In the rapidly evolving digital landscape, securing cloud environments is more critical than ever. Azure Firewall emerges ...

3 days ago

Azure Verified Modules - Monthly Update [June]

AVM Module Summary The AVM team are excited that our community have been busy building AVM Modules. As of June 17th, the AVM Footprint curren...

3 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy