To use the Microsoft AD FS SSO capabilities and authenticate users, you must configure a SAML v2.0 identity provider on Keycloak.
Before you begin
Configure an AD FS SAML application.
Obtain a configuration metadata file in XML format from AD FS using the following URL: https://<ADFS IP or FQDN>/FederationMetadata/2007-06/FederationMetadata.xml.
Procedure
Log in to the Keycloak web administration interface.
Navigate to Solution Realm > Identity Providers.
Click Add provider and then select SAML v2.0.
In Alias, type the name that you used when configuring a SAML application on the AD FS management console.
For example, adfsSAML.
Navigate to the Import External IDP Config section.
Click Select file, navigate to the AD FS configuration metadata XML file that is stored on your computer, and then click Import.
Keycloak imports the configuration data and populates the Single Sign-On Service URL field.