Login to Kublr with Microsoft Entra ID and Auth0

Keycloak provides a feature to enable login with various identity providers, including the solution combining Microsoft Entra ID (previously known as Azure Active Directory, Azure AD) plus Auth0 bundle.



  1. KCP with admin access to Keycloak.
  2. Account on the Auth0 portal.
  3. MS Entra ID with permissions to create an app registration.

Register an application in Microsoft Entra ID

In Microsoft Entra ID:

  1. Sign in MS Azure portal.

  2. Access Microsoft Entra ID.

  3. Access App registration, click New registration.

  4. Set:

    • App name
    • Supported account types to “Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)”
    • Redirect URI to “Web”, redirect URI of your Keycloak server - should look like “https://kublr-url/auth/realms/kublr-ui/broker/oidc-okta/endpoint”

    Entra ID - adding application

  5. Register the app. Its page is displayed.

Create a client secret for the application

In Microsoft Entra ID:

  1. On your application page, access Certificates & secrets.

  2. In Client secrets, click New client secret.

  3. Set the secret description and expiration period, click Add.

  4. Copy the value of the client secret. You will need this for the Keycloak configuration.

    Entra ID - application - Client secrets

Set permissions for the application

In Microsoft Entra ID:

  1. At your application page, access API permissions.

  2. Click Add a permissionMicrosoft GraphDelegated permissions.

  3. Add the openid, profile, email, and any other required permissions.

    Entra ID - application - adding permissions

  4. Click Add permissions.

Configure Entra ID (former Azure AD) in Auth0

On the Auth0 portal:

  1. Sign in Auth0 portal.

  2. Access AuthenticationEnterpriseMicrosoft Azure AD.

  3. Click Create Connection.

  4. Set:

    • Microsoft Azure AD Domain You can find this on your Entra ID (Azure AD) directory’s overview page in the Microsoft Azure portal.
    • Client ID to the saved value of the Application (client) ID for the app you just registered in Entra ID.
    • Client Secret to the saved value of the Client secret for the app you just registered in Entra ID.
  5. Save changes.

  6. At your connection page, access the Login Experience tab, then select the Display connection as a button option and click Save.

  7. Using the left menu, access ApplicationsApplications.

  8. Click Create Application.

  9. For your application, set:

    • Name

    • Application Type to “Regular Web Applications”

    • Application Login URI to “https://kublr-url/auth/realms/kublr-ui/broker/oidc-okta/endpoint”

    • Allowed Callback URLs to “https://kublr-url/auth/realms/kublr-ui/broker/oidc-okta/endpoint”

      Auth0 - adding application

    • Allowed Logout URLs to “https://kublr-url/auth/realms/kublr-ui/broker/oidc-okta/endpoint/logout_response”

    • Allowed Web Origins to “https://kublr-url/*”

    • Select Allow Cross-Origin Authentication

  10. Save changes.

  11. Scroll down, then in Advanced Settings access the Endpoints tab.

  12. Copy and save the OpenID Configuration endpoint.

  13. At your application page, navigate to the Connections tab.

  14. Make sure that the Enterprise connection is enabled.

  15. Using the left menu, access AuthenticationAuthentication Profile.

  16. Select the Identifier First option.

    Auth0 - Identifier fist

Keycloak: configure identity provider

  1. Login to the Keycloak Admin Console at https://kublr-url/auth under admin / your admin`s password.

  2. Select the kublr-ui realm where you want to add Azure AD as an identity provider.

  3. Go to Identity Providers and click on the OpenID Connect v1.0. The Add OpenID Connect provider dialog is displayed.

  4. In the Add OpenID Connect provider dialog, set:

    • Alias

    • Display name

    • Discovery endpoint to OpenID Configuration endpoint saved from Auth0.

    • Client ID to the one from Auth0 > your application > Settings tab > Basic Information

    • Client Secret to the one from the same Basic Information.

      Keycloak - adding identity provider

  5. Click Add. Identity provider is created.

  6. Access the page of the created identity provider.

  7. Expand the Advanced section and set Scopes to “openid profile email groups”.

  8. Click Save.

Keycloak: configure user attribute mapper

To override groups in JWT token, you need to configure user attribute mapper in Keycloak:

  1. On the left menu, click Clients, access the Client list tab.

  2. In the client list, click kublr-ui. The client’s page is displayed.

  3. At the kublr-ui client page, access the Client scopes tab.

  4. In the client scope list, click kublr-ui-dedicated.

  5. On the Mappers tab, click Add mapperBy configuration. The Configure a new mapper dialog is displayed.

  6. In the Configure a new mapper dialog, click User Attribute mapper type. The User Attribute mapper dialog is displayed.

  7. In the User Attribute mapper dialog, set:

    • User Attribute to “groups”
    • Token Claim Name to “groups”
    • Unselect Add to userinfo
    • Unselect Aggregate attribute values

    Keycloak - adding user attribute mapper

  8. Save changes.

  9. Navigate back to kublr-ui client → kublr-ui-dedicated client scope → Mappers tab.

  10. Click the groups mapper, set:

    • Token Claim Name to “groups”
    • Unselect Add to userinfo
  11. Save changes.

See also