Configure Microsoft Entra ID (formerly Azure AD) as a Keycloak Identity Provider

This section describes how to register a Microsoft Entra ID application and configure it as a Keycloak identity provider for DSPM federated access. Once configured, users can sign in to the Forcepoint DSPM UI with their Entra ID credentials instead of a local Keycloak password.

Steps

  1. Log in to the Azure portal (https://portal.azure.com) as an administrator who has permission to create an App Registration in Entra ID.
  2. Navigate to Azure Services > App registrations. The App registrations page opens.

  3. Click New registration at the top left of the App registrations page.
  4. On the Register an application page:
    1. Provide a name that identifies the application later, for example DSPM Azure Ad AuthN.
    2. For Supported account types, choose Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).

      Note: This option accepts sign-ins from users in any Entra ID tenant, and (see step 8) Keycloak creates a DSPM user for any identity it cannot match. If only users from your own tenant should be able to sign in, choose Accounts in this organizational directory only (Single tenant) instead.

    3. Leave all other settings at their defaults and click Register.
  5. Obtain the application client ID: on the application's Overview page, locate and copy the Application (client) ID value and save it for a later step.
  6. Create the OAuth client secret that Keycloak uses to authenticate to Entra ID on behalf of DSPM:
    1. From the registration page of the application created in step 4, navigate to Manage > Certificates & secrets.
    2. On the Client secrets tab, click + New client secret.
    3. Enter a description for the client secret and configure the expiration period, or keep the recommended default of 180 days (6 months). Record the expiry date: when the secret expires, Microsoft sign-in to DSPM stops working until a new secret is generated and entered in Keycloak (step 7).

      Click Add.

    4. Copy the newly generated client secret Value and store it in a safe location for a later step. The value is displayed only once; after you leave the page it cannot be retrieved.

      Note: A new client secret can be generated at any time if the value is lost or needs to be rotated.
  7. Configure Entra ID as a Keycloak Identity Provider (IdP):
    1. Sign in to Keycloak Access Management as an administrator and select Identity Providers from the left menu.
    2. On the Identity Providers page, locate Social > Microsoft and select it.
    3. On the Keycloak Add Microsoft provider page, paste the Client ID and Client Secret obtained in step 5 and step 6d respectively.
    4. Locate and copy the Redirect URI shown on the Keycloak Add Microsoft provider page, then click Add to save the provider.
    5. Return to the Entra ID App registration Overview page and click the Add a Redirect URI link next to Redirect URIs.
    6. Under Platform configurations, locate the Web Redirect URIs section and click Add URI. Paste the Redirect URI obtained in step 7d exactly as copied: Entra ID matches redirect URIs verbatim (scheme, host, port and path), and it only accepts https URIs unless the host is localhost.

      Click Save.

  8. Test the functionality:
    1. Open a new browser session, such as a Private or Incognito window, and browse to the DSPM UI login page.

      A new sign-in option is now available under the Username and Password login fields.

    2. Click the Or sign in with Microsoft tile. The browser redirects to the Microsoft login page.

      • On the first successful authentication with Entra ID credentials, Keycloak runs the provider's First login flow (by default, first broker login). If an existing Keycloak user matches the incoming identity by email or username (for Entra ID most commonly the userPrincipalName), the flow links the Entra ID identity to that user. With Keycloak's default flow the user is asked to confirm the link and to verify the existing account (by email or by re-authenticating) before it is linked; silent, fully automatic linking requires a customized first login flow.
      • If no existing Keycloak user matches, Keycloak creates the user automatically from the Entra ID profile.
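The Keycloak side of this procedure (steps 7a to 7d, plus the redirect URI that steps 7e and 7f register in Entra ID) can also be driven through the Keycloak admin REST API instead of the console. The script below is an added example and is not part of the Forcepoint documentation or of Keycloak itself. It assumes Keycloak 17 or later (no /auth path prefix), an admin account in the master realm, placeholder hostname and realm values, the client ID and secret from steps 5 and 6d supplied through environment variables, and, for the optional tenant restriction, that the Microsoft provider's Tenant ID field (Keycloak 22+) maps to the config key tenantId.

```python
"""Create the Microsoft identity provider in Keycloak (step 7) via the admin REST API
and print the redirect URI that must be registered in Entra ID (steps 7d to 7f).

Added example. Assumptions (not from the Forcepoint page): Keycloak >= 17 (no /auth
prefix), an admin user in the master realm, and the Entra ID client ID and secret
from steps 5 and 6d passed in through environment variables.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

KEYCLOAK_URL = "https://keycloak.example.com"   # placeholder
REALM = "dspm"                                   # placeholder realm used by the DSPM UI
IDP_ALIAS = "microsoft"                          # Keycloak's default alias for this provider


def broker_redirect_uri(base_url: str, realm: str, alias: str = IDP_ALIAS) -> str:
    """The Redirect URI Keycloak shows on the Add Microsoft provider page (step 7d).
    It must be registered verbatim as a Web redirect URI in Entra ID."""
    return f"{base_url.rstrip('/')}/realms/{realm}/broker/{alias}/endpoint"


def validate_redirect_uri(uri: str) -> bool:
    """Pre-check what Entra ID will accept: https only (plain http only for localhost),
    a host, and no URL fragment. Catches a copied http:// or truncated value early."""
    parts = urllib.parse.urlsplit(uri)
    if not parts.netloc or parts.fragment:
        return False
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in ("localhost", "127.0.0.1")


def microsoft_idp_representation(client_id: str, client_secret: str,
                                 tenant_id: Optional[str] = None) -> dict:
    """Request body for POST /admin/realms/{realm}/identity-provider/instances,
    equivalent to filling in the Add Microsoft provider form (steps 7b and 7c)."""
    config = {"clientId": client_id, "clientSecret": client_secret}
    if tenant_id:
        # Restricts sign-in to one Entra tenant, which a multitenant app registration
        # otherwise does not. Assumption: Keycloak 22+ exposes this as Tenant ID with
        # config key "tenantId"; check your version's form before relying on it.
        config["tenantId"] = tenant_id
    return {
        "alias": IDP_ALIAS,
        "providerId": "microsoft",
        "enabled": True,
        "trustEmail": False,      # keep Keycloak's own email verification on first login
        "storeToken": False,      # do not persist Microsoft tokens in the Keycloak database
        "firstBrokerLoginFlowAlias": "first broker login",  # governs the linking in step 8
        "config": config,
    }


def admin_token(base_url: str, username: str, password: str) -> str:
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_identity_provider(base_url: str, realm: str, token: str, rep: dict) -> int:
    """POST the representation; returns the HTTP status (201 on success).
    Keycloak answers 409 if an identity provider with the same alias already exists."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/realms/{realm}/identity-provider/instances",
        data=json.dumps(rep).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    client_id = os.environ["ENTRA_CLIENT_ID"]          # Application (client) ID, step 5
    client_secret = os.environ["ENTRA_CLIENT_SECRET"]  # secret Value, step 6d
    tenant_id = os.environ.get("ENTRA_TENANT_ID")      # optional, see above
    redirect = broker_redirect_uri(KEYCLOAK_URL, REALM)
    if not validate_redirect_uri(redirect):
        sys.exit(f"Entra ID will reject redirect URI {redirect}")
    token = admin_token(KEYCLOAK_URL, os.environ["KC_ADMIN_USER"],
                        os.environ["KC_ADMIN_PASSWORD"])
    status = create_identity_provider(
        KEYCLOAK_URL, REALM, token,
        microsoft_idp_representation(client_id, client_secret, tenant_id))
    print(f"identity provider create: HTTP {status}")
    print(f"register this Web redirect URI in Entra ID (step 7f): {redirect}")
```

The redirect URI is computed rather than copied from the console so it can be checked before it reaches Entra ID, where a mismatch only shows up as an AADSTS redirect-URI error at the first sign-in attempt in step 8. The Entra ID side of the procedure (steps 2 to 6 and 7f) can likewise be scripted with the Azure CLI, for example az ad app create with --sign-in-audience and --web-redirect-uris followed by az ad app credential reset, with the same 180-day expiry caveat as the console.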