SSO with Azure AD in Foreman 3.7

Hi All,

Anyone tried integrating Azure AD with Foreman for SSO. We have steps for Keycloak in foreman documents: Foreman :: Manual (
After following steps defined in document, set below parameters in foreman:
OIDC Algorithm: RS256
OIDC Audience: (client ID of app registration in AzureAD)
OIDC Issuer: tenant ID)/v2.0
OIDC JWKs URL: tenant ID)/discovery/v2.0/keys

Not able to get option to login with SSO.

Expected outcome:
Should be able to enable SSO to Foreman using azure AD.

Steps are not clear enough to integrate azure AD with foreman SSO.
Could anyone help to get exact steps to integrate foreman 3.7 with Azure AD.

Can anyone please help here…

@foreman_help Can anyone help here.

Hey there,

I kind of tried that for once now/looked up if anyone else has already achieved it.

Doesn’t look like anyone already got it working. (I tried but didn’t go far enough in the troubleshooting until now)
The thing is only configuring the parameters in Foremans settings is not enough, you need the local auth endpoint, which sends the requests to the remote OIDC/SAML2 endpoint. The current documented way just only works with Keycloak, as it uses keycloak-httpd-client-install to configure the local auth endpoint /users/extlogin (and also /users/extlogout)

So if someone wants to sacrifice their time, it would most likely help to setup a Keycloak, configure the system with it, get the httpd config which gets generated by keycloak-httpd-client-install and manually mimic it for Azure AD.

I think the currently “headache free” ways to integrate Azure AD might be either having a Keycloak inbetween or using the ADDS service with LDAPS.

Btw these docs are also already part of the new docs:

There was also this discussion previously here:


I was trying to register foreman in keycloak, getting below error:

keycloak-httpd-client-install --app-name foreman-oidc --keycloak-server-url “” --keycloak-admin-username “admin” --keycloak-realm “foreman-keycloak” --keycloak-admin-realm master --keycloak-auth-role root-admin -t openidc -l /users/extlogin --force
enter admin password:
[Step 1] Assure HTTP config directory is present
[Step 2] Assure HTTP federation directory is present
[Step 3] Set up template environment
[Step 4] Build OIDC httpd config file
[Step 5] Build Keycloak OIDC clientRepresentation
[Step 6] Connect to Keycloak Server as admin
CommunicationError: Unable to open connection to “” as admin: (missing_token) Missing access token parameter.

@foreman_help can anyone please help here.

I currently don’t have a suitable environment, but I will see if I have the time the next days to set something up. But there are sure people who know that stuff better than me.

Btw, foreman_help is a single user, not a group which gets checked by any of the dev teams, they might just happen to see the thread though.

Found the issue… if you are running Kleycloak later version 18 (I think, tried it on 22), this will affect you:

So… I manually patched the /usr/lib/python3.6/site-packages/keycloak_httpd_client/ and /usr/share/keycloak-httpd-client-install/templates/oidc_httpd.conf like this:

With more time it’s going to be a PR back to the project, but not in this state, needs to be compatible to both.

@docs Is this something that should get documented, because I’m not sure if such a change would ever make it into EL 8’s packages.

Okay more has to be changed, also the Keycloak UI changed

@priya But that also gives me hope that it won’t be too hard to set that up for AzureAD (uh… right it’s Entra ID now) with OIDC, will take a look at that as soon as I figured out what the docs mean for the new Keycloak UI and get it working.

If you want your users to authenticate to Foreman using the Foreman web UI, from the Access Type list, select confidential.

Means this switch has to be turned on:

And the mappers configuration means now to go to “Client scopes”, open the “-dedicated” client scope, and add the new mappers there (add mapper → by configuration → Audience/Group Membership):

  • Audience: select both “Add to ID token” and “Add to access token”
  • Group membership: Write “groups” into Token Claim Name, unselect everything beside “Add to ID token” and “Add to access token”

Rest is the same as in the guide.

Will see if I can come up with an PR for the guide artifacts, just not sure about the code change.

And okay 2 things to mention about most likely unability to get it working with AzureAD:

  • I was not able to get any other identifiers working beside sub, which is a random character identifier (adding claims to the token did not work and name has a space in the name)
  • For whatever on earths reason the issuer is not<tanent-id>/v2.0, like mentioned in the openid-configuration, but<tanent-id>/
    especially the / at the end of the weird suddenly different issuer breaks everything