Integrating Azure Kubernetes Service (AKS) with Keycloak through Azure Active Directory (Azure AD) as an intermediary leverages Azure AD’s support for OpenID Connect (OIDC) to handle authentication and authorization. This integration enhances security, streamlines user management, and simplifies the authentication process for users accessing the AKS cluster.
The integration of AKS with Keycloak using Azure AD applies to all of these industries and beyond, wherever security, scalability, and efficient user management are priorities, making it a best practice for organizations running cloud-based Kubernetes environments.
Figure 1: Similar use case architecture.
To make this integration possible and effective, you should have a clear understanding of the following components, of the concept of using Azure AD as an intermediary, and of the prerequisites.
Azure Kubernetes Service (AKS) is a managed Kubernetes service that simplifies deploying, managing, and operating Kubernetes clusters in the cloud.
Keycloak is an open-source identity and access management solution that provides features like single sign-on (SSO), identity brokering, and user federation.
Azure Active Directory (Azure AD/Microsoft Entra ID) is Microsoft’s cloud-based identity and access management service, which helps users access external resources like Microsoft 365, the Azure portal, and thousands of other SaaS applications.
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol, allowing clients to verify the identity of end-users based on the authentication performed by an authorization server.
Using Azure AD as an intermediary offers several benefits:
Before starting the integration process, ensure you have:
Figure 2: Main concept
As shown in Figure 2 (Main concept), Azure Active Directory (Azure AD/Microsoft Entra ID) sits at the center of the authentication flow. On the right, Azure Kubernetes Service requests authentication from Azure AD; Azure AD performs an OIDC token exchange with Keycloak, shown on the left; Keycloak validates the request and returns the result to Azure AD, which then responds to AKS.
The following step-by-step guide covers these steps and processes in more technical detail for a seamless integration.
Navigate to Azure AD and create a new app registration.
Figure 3: Register Keycloak as an Application in Azure AD -1
Figure 4: Register Keycloak as an Application in Azure AD -2
Save the Client ID and Client Secret from Azure AD. This information will be needed later in Keycloak.
Navigate to "Certificates & secrets" and create a new client secret. Copy the value of the client secret as it will not be shown again.
Figure 5: Register Keycloak as an Application in Azure AD -3
Go to "API permissions" and add the required Microsoft Graph API permissions. Typically, you need the `User.Read`, `openid`, `profile`, and `email` permissions.
Figure 6: Register Keycloak as an Application in Azure AD -4
Figure 7: Register Keycloak as an Application in Azure AD -5
When you click Add a permission, a pane similar to the one above is displayed; select the permissions and click Add permission. The resulting configuration should resemble the image below.
Figure 8: Register Keycloak as an Application in Azure AD -6
Figure 9: Configure Keycloak to use Azure AD
In the left menu, go to "Identity Providers".
Go to the Azure AD app registration overview and find the "OpenID Connect metadata document" URL.
Figure 10: Configure Keycloak: In Keycloak, use this URL to import the metadata automatically, which fills out most of the configuration fields.
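The metadata document imported above is what Keycloak trusts to locate Azure AD's endpoints and signing keys, and the token exchange described under Figure 2 only works if the ID tokens Azure AD returns carry the issuer, audience and tenant Keycloak expects. The following script, an added example that is not part of the article and uses only the Python standard library, shows the consistency checks a Keycloak administrator can run against a discovery document and against the claims of an ID token before trusting the broker configuration. The tenant ID, client ID and discovery document values are constructed sample data; signature verification against the keys at `jwks_uri` is performed by Keycloak itself and is deliberately outside this example.

```python
"""Sanity checks for an Azure AD OIDC discovery document and for ID-token claims.
Added example (not from the article); standard library only. Checking the JWS
signature against jwks_uri is the broker's job and is not done here."""
import base64
import json
import time

REQUIRED_SCOPES = {"openid", "profile", "email"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return the problems found in an OIDC discovery document (empty list = OK).
    The checks mirror what the Keycloak identity provider needs to work."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key, "")
        if not url.startswith("https://"):
            problems.append(f"{key} missing or not https: {url!r}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs or "none" in algs:
        problems.append(f"unacceptable signing algorithms: {algs}")
    return problems


def validate_id_token_claims(token: str, issuer: str, audience: str,
                             tenant_id: str, now: int = None) -> dict:
    """Decode a compact JWT and enforce the claim checks that must hold even
    after the signature is verified: alg, issuer, audience, tenant, lifetime.
    Raises ValueError with the reason on the first failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise ValueError(f"audience mismatch: {aud!r}")
    if claims.get("tid") != tenant_id:
        raise ValueError("token issued for a different tenant")
    if claims.get("nbf", 0) > now + 60:       # small clock-skew allowance
        raise ValueError("token not yet valid")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def make_unsigned_test_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature segment so the
    claim checks can be exercised offline (constructed test data only)."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}.placeholder"


# Constructed sample values; substitute your own tenant and app registration.
TENANT = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print("discovery problems:", check_discovery(SAMPLE_DISCOVERY, ISSUER))
    now = int(time.time())
    token = make_unsigned_test_token({"iss": ISSUER, "aud": CLIENT_ID, "tid": TENANT,
                                      "iat": now, "nbf": now, "exp": now + 3600, "sub": "user-1"})
    print("accepted claims:", validate_id_token_claims(token, ISSUER, CLIENT_ID, TENANT))
```

Against a live tenant you would load the discovery document from the "OpenID Connect metadata document" URL shown in the app registration overview and pass it to `check_discovery`; the audience check against your own client ID and the `tid` check are the two that most often catch a misconfigured or multi-tenant app registration.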
Use the following Azure CLI command to create an AKS cluster with Azure AD integration:
```bash
az aks create \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --node-count 1 \
  --enable-aad \
  --aad-admin-group-object-ids <admin-group-object-id> \
  --enable-oidc-issuer \
  --oidc-issuer-url "https://<keycloak-server>/auth/realms/<realm>"
```
Replace the placeholders with actual values:
If you already have an existing AKS cluster, use the following command to enable Azure AD integration:
```bash
az aks update \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --enable-aad \
  --aad-server-app-id <server-app-id> \
  --aad-server-app-secret <server-app-secret> \
  --aad-client-app-id <client-app-id> \
  --aad-tenant-id <tenant-id>
```
The benefits of a successful integration include, but are not limited to, the following:
We saw in this article how integrating AKS with Keycloak, using Azure AD as an intermediary, provides a robust and secure authentication solution.

To test the integration, use `kubectl` to log in to the AKS cluster. You should be redirected to the Azure AD login page and, after successful authentication, back to Keycloak if the identity provider is configured correctly. Verify that users have the appropriate roles and permissions in both Azure AD and Keycloak to access the AKS cluster.

For troubleshooting, confirm that the Client ID, client secret, and URLs are correct, that all required permissions are granted, and that the Keycloak and Azure AD settings match each other. Use HTTPS for all communications, and regularly review and update access controls and permissions.

Maintain the system by keeping all components updated and by implementing monitoring tools that track the health and performance of the integration. Advanced configurations, such as adjusting claims in Keycloak to meet specific requirements and configuring group memberships according to organizational structure, will be covered in the next article.

By following the steps outlined in this article, you can ensure a seamless and efficient integration that simplifies and enhances application security.