To connect users who are managed in Microsoft Active Directory to our comments backend, you need Active Directory Federation Services (AD FS) and SAML v2.0. If AD FS is already set up on your server, follow the instructions here to connect your AD to comments: https://www.alphabold.com/ms-adfs-configuration-in-keycloak/

The Keycloak administration console needed for this can be reached at: https://<SERVER_URL>/auth

Step 6 under "SETUP IDENTITY PROVIDER IN KEYCLOAK" is optional; in our case it makes it possible to map existing SAML attributes to the three roles defined in comments. For us, the last field should therefore contain "viewer", "editor" or "admin" instead of "manager".

If you have followed the instructions, an additional option now appears when logging into comments:

If you now select the lower option, you can log in (if you are not already logged in) with a user from the Active Directory. On first login, a form asks for the given name and surname of the user to be imported. To avoid this prompt, additional mappers are necessary. The configuration required for this in the AD FS console looks as follows:

In Keycloak, two more mappers need to be added to the SAML Identity Provider:

After this configuration, no further data entry is necessary when an Active Directory user logs in.
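As an added illustration (not from the original page or the linked guide), the Keycloak identity-provider mappers described above in the form they take in a realm export under identityProviderMappers: two SAML attribute importers that fill firstName and lastName from the AD FS "Given Name" and "Surname" claim types, and one SAML Attribute to Role mapper for the optional step 6. The IdP alias adfs, the group claim value Comments-Editors and the role name editor are assumptions; the claim type URIs are the AD FS defaults produced by "Send LDAP Attributes as Claims" rules.

```json
[
  {
    "name": "adfs-givenname-to-firstName",
    "identityProviderAlias": "adfs",
    "identityProviderMapper": "saml-user-attribute-idp-mapper",
    "config": {
      "syncMode": "INHERIT",
      "attribute.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
      "user.attribute": "firstName"
    }
  },
  {
    "name": "adfs-surname-to-lastName",
    "identityProviderAlias": "adfs",
    "identityProviderMapper": "saml-user-attribute-idp-mapper",
    "config": {
      "syncMode": "INHERIT",
      "attribute.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
      "user.attribute": "lastName"
    }
  },
  {
    "name": "adfs-group-to-editor",
    "identityProviderAlias": "adfs",
    "identityProviderMapper": "saml-role-idp-mapper",
    "config": {
      "syncMode": "FORCE",
      "attribute.name": "http://schemas.xmlsoap.org/claims/Group",
      "attribute.value": "Comments-Editors",
      "role": "editor"
    }
  }
]
```

The AD FS side must actually emit these claim types; if a claim is missing from the assertion the importer has nothing to map and the first-login form reappears. syncMode FORCE on the role mapper re-evaluates the group claim at every login, so membership changes in AD are reflected in comments rather than frozen at first import.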

Automatic login without manual selection of the new identity provider

After this configuration, a user must still manually select the new Active Directory identity provider when logging in. To skip this step, follow the "default identity provider" step in the following instructions: https://www.keycloak.org/docs/latest/server_admin/index.html#default_identity_provider