Module saml

This provider is a derived work of the Terraform Provider distributed under MIT. If you encounter a bug or missing feature, first check the pulumi/pulumi-keycloak repo; however, if that doesn’t turn up anything, please consult the source mrparkers/terraform-provider-keycloak repo.

Resources

Resource Client

class Client extends CustomResource

# keycloak.saml.Client

Allows for creating and managing Keycloak clients that use the SAML protocol.

Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak’s user sessions for SSO.

Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "my-realm",
});
const samlClient = new keycloak.saml.Client("samlClient", {
    clientId: "test-saml-client",
    includeAuthnStatement: true,
    realmId: realm.id,
    signAssertions: true,
    signDocuments: false,
    signingCertificate: fs.readFileSync("saml-cert.pem", "utf-8"),
    signingPrivateKey: fs.readFileSync("saml-key.pem", "utf-8"),
});

Argument Reference

The following arguments are supported:

  • realmId - (Required) The realm this client is attached to.
  • clientId - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.
  • name - (Optional) The display name of this client in the GUI.
  • enabled - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
  • description - (Optional) The description of this client in the GUI.
  • includeAuthnStatement - (Optional) When true, an AuthnStatement will be included in the SAML response.
  • signDocuments - (Optional) When true, the SAML document will be signed by Keycloak using the realm’s private key.
  • signAssertions - (Optional) When true, the SAML assertions will be signed by Keycloak using the realm’s private key, and embedded within the SAML XML Auth response.
  • clientSignatureRequired - (Optional) When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signingCertificate and signingPrivateKey.
  • forcePostBinding - (Optional) When true, Keycloak will always respond to an authentication request via the SAML POST Binding.
  • frontChannelLogout - (Optional) When true, this client will require a browser redirect in order to perform a logout.
  • nameIdFormat - (Optional) Sets the Name ID format for the subject.
  • rootUrl - (Optional) When specified, this value is prepended to all relative URLs.
  • validRedirectUris - (Optional) When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.
  • baseUrl - (Optional) When specified, this URL will be used whenever Keycloak needs to link to this client.
  • masterSamlProcessingUrl - (Optional) When specified, this URL will be used for all SAML requests.
  • signingCertificate - (Optional) If documents or assertions from the client are signed, this certificate will be used to verify the signature.
  • signingPrivateKey - (Optional) If documents or assertions from the client are signed, this private key will be used to verify the signature.
  • idpInitiatedSsoUrlName - (Optional) URL fragment name to reference client when you want to do IDP Initiated SSO.
  • idpInitiatedSsoRelayState - (Optional) Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
  • assertionConsumerPostUrl - (Optional) SAML POST Binding URL for the client’s assertion consumer service (login responses).
  • assertionConsumerRedirectUrl - (Optional) SAML Redirect Binding URL for the client’s assertion consumer service (login responses).
  • logoutServicePostBindingUrl - (Optional) SAML POST Binding URL for the client’s single logout service.
  • logoutServiceRedirectBindingUrl - (Optional) SAML Redirect Binding URL for the client’s single logout service.
  • fullScopeAllowed - (Optional) When true, all role mappings are included in the access token, not only those scoped to this client.

constructor

new Client(name: string, args: ClientArgs, opts?: pulumi.CustomResourceOptions)

Create a Client resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ClientState, opts?: pulumi.CustomResourceOptions): Client

Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Client

Returns true if the given object is an instance of Client. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property assertionConsumerPostUrl

public assertionConsumerPostUrl: pulumi.Output<string | undefined>;

property assertionConsumerRedirectUrl

public assertionConsumerRedirectUrl: pulumi.Output<string | undefined>;

property baseUrl

public baseUrl: pulumi.Output<string | undefined>;

property clientId

public clientId: pulumi.Output<string>;

property clientSignatureRequired

public clientSignatureRequired: pulumi.Output<boolean>;

property description

public description: pulumi.Output<string | undefined>;

property enabled

public enabled: pulumi.Output<boolean | undefined>;

property forceNameIdFormat

public forceNameIdFormat: pulumi.Output<boolean>;

property forcePostBinding

public forcePostBinding: pulumi.Output<boolean>;

property frontChannelLogout

public frontChannelLogout: pulumi.Output<boolean>;

property fullScopeAllowed

public fullScopeAllowed: pulumi.Output<boolean | undefined>;

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property idpInitiatedSsoRelayState

public idpInitiatedSsoRelayState: pulumi.Output<string | undefined>;

property idpInitiatedSsoUrlName

public idpInitiatedSsoUrlName: pulumi.Output<string | undefined>;

property includeAuthnStatement

public includeAuthnStatement: pulumi.Output<boolean>;

property logoutServicePostBindingUrl

public logoutServicePostBindingUrl: pulumi.Output<string | undefined>;

property logoutServiceRedirectBindingUrl

public logoutServiceRedirectBindingUrl: pulumi.Output<string | undefined>;

property masterSamlProcessingUrl

public masterSamlProcessingUrl: pulumi.Output<string | undefined>;

property name

public name: pulumi.Output<string>;

property nameIdFormat

public nameIdFormat: pulumi.Output<string>;

property realmId

public realmId: pulumi.Output<string>;

property rootUrl

public rootUrl: pulumi.Output<string | undefined>;

property signAssertions

public signAssertions: pulumi.Output<boolean>;

property signDocuments

public signDocuments: pulumi.Output<boolean>;

property signingCertificate

public signingCertificate: pulumi.Output<string | undefined>;

property signingPrivateKey

public signingPrivateKey: pulumi.Output<string | undefined>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validRedirectUris

public validRedirectUris: pulumi.Output<string[] | undefined>;

Resource IdentityProvider

class IdentityProvider extends CustomResource

# keycloak.saml.IdentityProvider

Allows for creating and managing SAML identity providers within Keycloak.

SAML (Security Assertion Markup Language) identity providers allow users to authenticate through a third-party system using the SAML standard.

Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realmIdentityProvider = new keycloak.saml.IdentityProvider("realmIdentityProvider", {
    alias: "my-idp",
    backchannelSupported: true,
    forceAuthn: true,
    postBindingAuthnRequest: true,
    postBindingLogout: true,
    postBindingResponse: true,
    realm: "my-realm",
    singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
    singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
    storeToken: false,
    trustEmail: true,
});

Argument Reference

The following arguments are supported:

  • realm - (Required) The name of the realm. This is unique across Keycloak.
  • alias - (Optional) The unique name of the identity provider.
  • enabled - (Optional) When false, users and clients will not be able to access this realm. Defaults to true.
  • displayName - (Optional) The display name for the realm that is shown when logging in to the admin console.
  • storeToken - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to true.
  • addReadTokenRoleOnCreate - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to false.
  • trustEmail - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to false.
  • linkOnly - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider. Defaults to false.
  • hideOnLoginPage - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the ‘kc_idp_hint’ parameter.
  • firstBrokerLoginFlowAlias - (Optional) Alias of the authentication flow that is triggered after the first login with this identity provider. The term ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account. Defaults to first broker login.
  • postBrokerLoginFlowAlias - (Optional) Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Note also that authenticator implementations must assume the user is already set in the ClientSession, since the identity provider has already set it. Defaults to empty.
  • authenticateByDefault - (Optional) Authenticate users by default. Defaults to false.

SAML Configuration

  • singleSignOnServiceUrl - (Optional) The URL that must be used to send authentication requests (SAML AuthnRequest).
  • singleLogoutServiceUrl - (Optional) The URL that must be used to send logout requests.
  • backchannelSupported - (Optional) Does the external IDP support back-channel logout?
  • nameIdPolicyFormat - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
  • postBindingResponse - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
  • postBindingAuthnRequest - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
  • postBindingLogout - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
  • wantAssertionsSigned - (Optional) Indicates whether this service provider expects a signed Assertion.
  • wantAssertionsEncrypted - (Optional) Indicates whether this service provider expects an encrypted Assertion.
  • forceAuthn - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
  • validateSignature - (Optional) Enable/disable signature validation of SAML responses.
  • signingCertificate - (Optional) Signing Certificate.
  • signatureAlgorithm - (Optional) Signing Algorithm. Defaults to empty.
  • xmlSignKeyInfoKeyNameTransformer - (Optional) Sign Key Transformer. Defaults to empty.
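Added here as a defender-side example, not code from this page, from @pulumi/keycloak or from the upstream provider: a small TypeScript audit of the keycloak.saml.Client arguments listed above and of the IdentityProvider SAML configuration just listed, which flags the settings whose security effect those two argument lists describe (signing, client signature verification, ACS allow-listing, full-scope role exposure, IdP signature validation, trusted email and stored-token access). It assumes nothing about Keycloak's defaults (a flag that is not explicitly set is reported as not explicitly enabled), and the interfaces, the sample values and the placeholder certificate are constructed for the example.

```typescript
// Added example, not part of @pulumi/keycloak or the upstream provider: a pre-deployment audit
// of the argument objects documented above. No Pulumi dependency, so the interfaces mirror the
// documented argument names with plain (non-Input) values.

interface SamlClientArgs {
  clientId: string; realmId: string;
  signDocuments?: boolean; signAssertions?: boolean;
  clientSignatureRequired?: boolean; signingCertificate?: string;
  validRedirectUris?: string[]; fullScopeAllowed?: boolean;
}

interface SamlIdpArgs {
  alias: string; realm: string; singleSignOnServiceUrl: string;
  validateSignature?: boolean; signingCertificate?: string;
  wantAssertionsSigned?: boolean; trustEmail?: boolean;
  storeToken?: boolean; addReadTokenRoleOnCreate?: boolean;
}

interface Finding { severity: "error" | "warn"; field: string; message: string; }

function finding(severity: Finding["severity"], field: string, message: string): Finding {
  return { severity, field, message };
}

// keycloak.saml.Client: Keycloak must sign something, a certificate must back
// clientSignatureRequired, and the ACS allow-list must be present and tight.
function auditSamlClient(a: SamlClientArgs): Finding[] {
  const out: Finding[] = [];
  if (!a.signDocuments && !a.signAssertions) {
    out.push(finding("error", "signDocuments/signAssertions", "neither the SAML response nor its assertions are signed by Keycloak"));
  }
  if (a.clientSignatureRequired === false) {
    out.push(finding("warn", "clientSignatureRequired", "unsigned documents from the client are accepted"));
  } else if (a.clientSignatureRequired === true && !a.signingCertificate) {
    out.push(finding("error", "signingCertificate", "client signatures are required but no certificate is configured to verify them"));
  }
  if (!a.validRedirectUris || a.validRedirectUris.length === 0) {
    out.push(finding("warn", "validRedirectUris", "no allow-list for the Assertion Consumer URL carried in the AuthnRequest"));
  }
  for (const uri of a.validRedirectUris ?? []) {
    if (uri === "*" || uri.startsWith("*")) {
      out.push(finding("error", "validRedirectUris", `wildcard entry ${uri} accepts any ACS URL`));
    } else if (!uri.startsWith("https://")) {
      out.push(finding("warn", "validRedirectUris", `${uri} lets assertions be delivered over plain HTTP`));
    }
  }
  if (a.fullScopeAllowed === true) {
    out.push(finding("warn", "fullScopeAllowed", "every role mapping is included, not only the roles this client needs"));
  }
  return out;
}

// keycloak.saml.IdentityProvider: responses from the external IdP must be checked against a
// pinned certificate, and settings that widen trust or token exposure are flagged.
function auditSamlIdp(a: SamlIdpArgs): Finding[] {
  const out: Finding[] = [];
  if (a.validateSignature !== true) {
    out.push(finding("error", "validateSignature", "signature validation of SAML responses is not explicitly enabled"));
  } else if (!a.signingCertificate) {
    out.push(finding("error", "signingCertificate", "validateSignature is on but no IdP certificate is pinned to validate against"));
  }
  if (a.wantAssertionsSigned !== true) {
    out.push(finding("warn", "wantAssertionsSigned", "a signed Assertion is not required from the IdP"));
  }
  if (a.trustEmail === true) {
    out.push(finding("warn", "trustEmail", "email from the IdP is taken as verified even if the realm verifies email"));
  }
  if (!a.singleSignOnServiceUrl.startsWith("https://")) {
    out.push(finding("warn", "singleSignOnServiceUrl", "AuthnRequests are sent to a non-https endpoint"));
  }
  if (a.storeToken === true && a.addReadTokenRoleOnCreate === true) {
    out.push(finding("warn", "addReadTokenRoleOnCreate", "new users receive broker.read-token and can read stored IdP tokens"));
  }
  return out;
}

// Constructed samples modelled on the page's two examples; the certificate is a placeholder.
const CERT_PLACEHOLDER = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----";
const weakClient: SamlClientArgs = {
  clientId: "test-saml-client", realmId: "my-realm", signAssertions: true, signDocuments: false,
  clientSignatureRequired: true, signingCertificate: CERT_PLACEHOLDER,
  validRedirectUris: ["https://sp.example.com/saml/acs", "http://sp.example.com/*"],
  fullScopeAllowed: true,
};
const hardenedClient: SamlClientArgs = {
  ...weakClient, validRedirectUris: ["https://sp.example.com/saml/acs"], fullScopeAllowed: false,
};
const weakIdp: SamlIdpArgs = {
  alias: "my-idp", realm: "my-realm", singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
  trustEmail: true, storeToken: false, // validateSignature and wantAssertionsSigned left unset
};
const hardenedIdp: SamlIdpArgs = {
  ...weakIdp, validateSignature: true, signingCertificate: CERT_PLACEHOLDER,
  wantAssertionsSigned: true, trustEmail: false,
};

for (const f of [...auditSamlClient(weakClient), ...auditSamlIdp(weakIdp)]) {
  console.log(`${f.severity} ${f.field}: ${f.message}`);
}
```

Run it against the argument objects before handing them to the resource constructors; the weak samples produce findings while the hardened variants produce none.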

constructor

new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: pulumi.CustomResourceOptions)

Create an IdentityProvider resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: IdentityProviderState, opts?: pulumi.CustomResourceOptions): IdentityProvider

Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is IdentityProvider

Returns true if the given object is an instance of IdentityProvider. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property addReadTokenRoleOnCreate

public addReadTokenRoleOnCreate: pulumi.Output<boolean | undefined>;

Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.

property alias

public alias: pulumi.Output<string>;

The alias uniquely identifies an identity provider and is also used to build the redirect URI.

property authenticateByDefault

public authenticateByDefault: pulumi.Output<boolean | undefined>;

Enable/disable authenticate users by default.

property backchannelSupported

public backchannelSupported: pulumi.Output<boolean | undefined>;

Does the external IDP support backchannel logout?

property displayName

public displayName: pulumi.Output<string | undefined>;

Friendly name for Identity Providers.

property enabled

public enabled: pulumi.Output<boolean | undefined>;

Enable/disable this identity provider.

property firstBrokerLoginFlowAlias

public firstBrokerLoginFlowAlias: pulumi.Output<string | undefined>;

Alias of the authentication flow that is triggered after the first login with this identity provider. The term ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account.

property forceAuthn

public forceAuthn: pulumi.Output<boolean | undefined>;

Require Force Authn.

property hideOnLoginPage

public hideOnLoginPage: pulumi.Output<boolean | undefined>;

Hide On Login Page.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property internalId

public internalId: pulumi.Output<string>;

Internal Identity Provider Id

property linkOnly

public linkOnly: pulumi.Output<boolean | undefined>;

If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider.

property nameIdPolicyFormat

public nameIdPolicyFormat: pulumi.Output<string | undefined>;

Name ID Policy Format.

property postBindingAuthnRequest

public postBindingAuthnRequest: pulumi.Output<boolean | undefined>;

Post Binding Authn Request.

property postBindingLogout

public postBindingLogout: pulumi.Output<boolean | undefined>;

Post Binding Logout.

property postBindingResponse

public postBindingResponse: pulumi.Output<boolean | undefined>;

Post Binding Response.

property postBrokerLoginFlowAlias

public postBrokerLoginFlowAlias: pulumi.Output<string | undefined>;

Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Note also that authenticator implementations must assume the user is already set in the ClientSession, since the identity provider has already set it.

property realm

public realm: pulumi.Output<string>;

Realm Name

property signatureAlgorithm

public signatureAlgorithm: pulumi.Output<string | undefined>;

Signing Algorithm.

property signingCertificate

public signingCertificate: pulumi.Output<string | undefined>;

Signing Certificate.

property singleLogoutServiceUrl

public singleLogoutServiceUrl: pulumi.Output<string | undefined>;

Logout URL.

property singleSignOnServiceUrl

public singleSignOnServiceUrl: pulumi.Output<string>;

SSO Logout URL.

property storeToken

public storeToken: pulumi.Output<boolean | undefined>;

Enable/disable if tokens must be stored after authenticating users.

property trustEmail

public trustEmail: pulumi.Output<boolean | undefined>;

If enabled then email provided by this provider is not verified even if verification is enabled for the realm.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property validateSignature

public validateSignature: pulumi.Output<boolean | undefined>;

Enable/disable signature validation of SAML responses.

property wantAssertionsEncrypted

public wantAssertionsEncrypted: pulumi.Output<boolean | undefined>;

Want Assertions Encrypted.

property wantAssertionsSigned

public wantAssertionsSigned: pulumi.Output<boolean | undefined>;

Want Assertions Signed.

property xmlSignKeyInfoKeyNameTransformer

public xmlSignKeyInfoKeyNameTransformer: pulumi.Output<string | undefined>;

Sign Key Transformer.

Resource UserAttributeProtocolMapper

class UserAttributeProtocolMapper extends CustomResource

# keycloak.saml.UserAttributeProtocolMapper

Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak.

SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.

Example Usage (Client)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "my-realm",
});
const samlClient = new keycloak.saml.Client("samlClient", {
    clientId: "test-saml-client",
    // Reference the realm created above; the original snippet used an undefined
    // `keycloak_realm_test` identifier here.
    realmId: realm.id,
});
const samlUserAttributeMapper = new keycloak.saml.UserAttributeProtocolMapper("samlUserAttributeMapper", {
    clientId: samlClient.id,
    realmId: realm.id,
    samlAttributeName: "displayName",
    samlAttributeNameFormat: "Unspecified",
    userAttribute: "displayName",
});

Argument Reference

The following arguments are supported:

  • realmId - (Required) The realm this protocol mapper exists within.
  • clientId - (Required if clientScopeId is not specified) The SAML client this protocol mapper is attached to.
  • clientScopeId - (Required if clientId is not specified) The SAML client scope this protocol mapper is attached to.
  • name - (Required) The display name of this protocol mapper in the GUI.
  • userAttribute - (Required) The custom user attribute to map.
  • friendlyName - (Optional) An optional human-friendly name for this attribute.
  • samlAttributeName - (Required) The name of the SAML attribute.
  • samlAttributeNameFormat - (Required) The SAML attribute Name Format. Can be one of Unspecified, Basic, or URI Reference.

constructor

new UserAttributeProtocolMapper(name: string, args: UserAttributeProtocolMapperArgs, opts?: pulumi.CustomResourceOptions)

Create a UserAttributeProtocolMapper resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserAttributeProtocolMapperState, opts?: pulumi.CustomResourceOptions): UserAttributeProtocolMapper

Get an existing UserAttributeProtocolMapper resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is UserAttributeProtocolMapper

Returns true if the given object is an instance of UserAttributeProtocolMapper. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property clientId

public clientId: pulumi.Output<string | undefined>;

property clientScopeId

public clientScopeId: pulumi.Output<string | undefined>;

property friendlyName

public friendlyName: pulumi.Output<string | undefined>;

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

property realmId

public realmId: pulumi.Output<string>;

property samlAttributeName

public samlAttributeName: pulumi.Output<string>;

property samlAttributeNameFormat

public samlAttributeNameFormat: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property userAttribute

public userAttribute: pulumi.Output<string>;

Resource UserPropertyProtocolMapper

class UserPropertyProtocolMapper extends CustomResource

# keycloak.saml.UserPropertyProtocolMapper

Allows for creating and managing user property protocol mappers for SAML clients within Keycloak.

SAML user property protocol mappers allow you to map properties of the Keycloak user model to an attribute in a SAML assertion. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.

Example Usage (Client)
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "my-realm",
});
const samlClient = new keycloak.saml.Client("samlClient", {
    clientId: "test-saml-client",
    // Reference the realm created above; the original snippet used an undefined
    // `keycloak_realm_test` identifier here.
    realmId: realm.id,
});
const samlUserPropertyMapper = new keycloak.saml.UserPropertyProtocolMapper("samlUserPropertyMapper", {
    clientId: samlClient.id,
    realmId: realm.id,
    samlAttributeName: "email",
    samlAttributeNameFormat: "Unspecified",
    userProperty: "email",
});

Argument Reference

The following arguments are supported:

  • realmId - (Required) The realm this protocol mapper exists within.
  • clientId - (Required if clientScopeId is not specified) The SAML client this protocol mapper is attached to.
  • clientScopeId - (Required if clientId is not specified) The SAML client scope this protocol mapper is attached to.
  • name - (Required) The display name of this protocol mapper in the GUI.
  • userProperty - (Required) The property of the Keycloak user model to map.
  • friendlyName - (Optional) An optional human-friendly name for this attribute.
  • samlAttributeName - (Required) The name of the SAML attribute.
  • samlAttributeNameFormat - (Required) The SAML attribute Name Format. Can be one of Unspecified, Basic, or URI Reference.

constructor

new UserPropertyProtocolMapper(name: string, args: UserPropertyProtocolMapperArgs, opts?: pulumi.CustomResourceOptions)

Create a UserPropertyProtocolMapper resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserPropertyProtocolMapperState, opts?: pulumi.CustomResourceOptions): UserPropertyProtocolMapper

Get an existing UserPropertyProtocolMapper resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is UserPropertyProtocolMapper

Returns true if the given object is an instance of UserPropertyProtocolMapper. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property clientId

public clientId: pulumi.Output<string | undefined>;

property clientScopeId

public clientScopeId: pulumi.Output<string | undefined>;

property friendlyName

public friendlyName: pulumi.Output<string | undefined>;

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

property realmId

public realmId: pulumi.Output<string>;

property samlAttributeName

public samlAttributeName: pulumi.Output<string>;

property samlAttributeNameFormat

public samlAttributeNameFormat: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

property userProperty

public userProperty: pulumi.Output<string>;

Functions

Function getClientInstallationProvider

getClientInstallationProvider(args: GetClientInstallationProviderArgs, opts?: pulumi.InvokeOptions): Promise<GetClientInstallationProviderResult>

Others

interface ClientArgs

interface ClientArgs

The set of arguments for constructing a Client resource.

property assertionConsumerPostUrl

assertionConsumerPostUrl?: pulumi.Input<string>;

property assertionConsumerRedirectUrl

assertionConsumerRedirectUrl?: pulumi.Input<string>;

property baseUrl

baseUrl?: pulumi.Input<string>;

property clientId

clientId: pulumi.Input<string>;

property clientSignatureRequired

clientSignatureRequired?: pulumi.Input<boolean>;

property description

description?: pulumi.Input<string>;

property enabled

enabled?: pulumi.Input<boolean>;

property forceNameIdFormat

forceNameIdFormat?: pulumi.Input<boolean>;

property forcePostBinding

forcePostBinding?: pulumi.Input<boolean>;

property frontChannelLogout

frontChannelLogout?: pulumi.Input<boolean>;

property fullScopeAllowed

fullScopeAllowed?: pulumi.Input<boolean>;

property idpInitiatedSsoRelayState

idpInitiatedSsoRelayState?: pulumi.Input<string>;

property idpInitiatedSsoUrlName

idpInitiatedSsoUrlName?: pulumi.Input<string>;

property includeAuthnStatement

includeAuthnStatement?: pulumi.Input<boolean>;

property logoutServicePostBindingUrl

logoutServicePostBindingUrl?: pulumi.Input<string>;

property logoutServiceRedirectBindingUrl

logoutServiceRedirectBindingUrl?: pulumi.Input<string>;

property masterSamlProcessingUrl

masterSamlProcessingUrl?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

property nameIdFormat

nameIdFormat?: pulumi.Input<string>;

property realmId

realmId: pulumi.Input<string>;

property rootUrl

rootUrl?: pulumi.Input<string>;

property signAssertions

signAssertions?: pulumi.Input<boolean>;

property signDocuments

signDocuments?: pulumi.Input<boolean>;

property signingCertificate

signingCertificate?: pulumi.Input<string>;

property signingPrivateKey

signingPrivateKey?: pulumi.Input<string>;

property validRedirectUris

validRedirectUris?: pulumi.Input<pulumi.Input<string>[]>;

interface ClientState

interface ClientState

Input properties used for looking up and filtering Client resources.

property assertionConsumerPostUrl

assertionConsumerPostUrl?: pulumi.Input<string>;

property assertionConsumerRedirectUrl

assertionConsumerRedirectUrl?: pulumi.Input<string>;

property baseUrl

baseUrl?: pulumi.Input<string>;

property clientId

clientId?: pulumi.Input<string>;

property clientSignatureRequired

clientSignatureRequired?: pulumi.Input<boolean>;

property description

description?: pulumi.Input<string>;

property enabled

enabled?: pulumi.Input<boolean>;

property forceNameIdFormat

forceNameIdFormat?: pulumi.Input<boolean>;

property forcePostBinding

forcePostBinding?: pulumi.Input<boolean>;

property frontChannelLogout

frontChannelLogout?: pulumi.Input<boolean>;

property fullScopeAllowed

fullScopeAllowed?: pulumi.Input<boolean>;

property idpInitiatedSsoRelayState

idpInitiatedSsoRelayState?: pulumi.Input<string>;

property idpInitiatedSsoUrlName

idpInitiatedSsoUrlName?: pulumi.Input<string>;

property includeAuthnStatement

includeAuthnStatement?: pulumi.Input<boolean>;

property logoutServicePostBindingUrl

logoutServicePostBindingUrl?: pulumi.Input<string>;

property logoutServiceRedirectBindingUrl

logoutServiceRedirectBindingUrl?: pulumi.Input<string>;

property masterSamlProcessingUrl

masterSamlProcessingUrl?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

property nameIdFormat

nameIdFormat?: pulumi.Input<string>;

property realmId

realmId?: pulumi.Input<string>;

property rootUrl

rootUrl?: pulumi.Input<string>;

property signAssertions

signAssertions?: pulumi.Input<boolean>;

property signDocuments

signDocuments?: pulumi.Input<boolean>;

property signingCertificate

signingCertificate?: pulumi.Input<string>;

property signingPrivateKey

signingPrivateKey?: pulumi.Input<string>;

property validRedirectUris

validRedirectUris?: pulumi.Input<pulumi.Input<string>[]>;

interface GetClientInstallationProviderArgs

interface GetClientInstallationProviderArgs

A collection of arguments for invoking getClientInstallationProvider.

property clientId

clientId: string;

property providerId

providerId: string;

property realmId

realmId: string;

interface GetClientInstallationProviderResult

interface GetClientInstallationProviderResult

A collection of values returned by getClientInstallationProvider.

property clientId

clientId: string;

property id

id: string;

The provider-assigned unique ID for this managed resource.

property providerId

providerId: string;

property realmId

realmId: string;

property value

value: string;

interface IdentityProviderArgs

interface IdentityProviderArgs

The set of arguments for constructing an IdentityProvider resource.

property addReadTokenRoleOnCreate

addReadTokenRoleOnCreate?: pulumi.Input<boolean>;

Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.

property alias

alias: pulumi.Input<string>;

The alias uniquely identifies an identity provider and is also used to build the redirect URI.

property authenticateByDefault

authenticateByDefault?: pulumi.Input<boolean>;

Enable/disable authenticate users by default.

property backchannelSupported

backchannelSupported?: pulumi.Input<boolean>;

Does the external IDP support backchannel logout?

property displayName

displayName?: pulumi.Input<string>;

Friendly name for Identity Providers.

property enabled

enabled?: pulumi.Input<boolean>;

Enable/disable this identity provider.

property firstBrokerLoginFlowAlias

firstBrokerLoginFlowAlias?: pulumi.Input<string>;

Alias of the authentication flow that is triggered after the first login with this identity provider. The term ‘First Login’ means that no Keycloak account is yet linked with the authenticated identity provider account.

property forceAuthn

forceAuthn?: pulumi.Input<boolean>;

Require Force Authn.

property hideOnLoginPage

hideOnLoginPage?: pulumi.Input<boolean>;

Hide On Login Page.

property linkOnly

linkOnly?: pulumi.Input<boolean>;

If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider

property nameIdPolicyFormat

nameIdPolicyFormat?: pulumi.Input<string>;

The NameID policy format requested in the AuthnRequest.

property postBindingAuthnRequest

postBindingAuthnRequest?: pulumi.Input<boolean>;

Use the HTTP-POST binding (rather than HTTP-Redirect) for AuthnRequests sent to the external IdP.

property postBindingLogout

postBindingLogout?: pulumi.Input<boolean>;

Use the HTTP-POST binding for logout requests.

property postBindingResponse

postBindingResponse?: pulumi.Input<boolean>;

Use the HTTP-POST binding for responses.

property postBrokerLoginFlowAlias

postBrokerLoginFlowAlias?: pulumi.Input<string>;

Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Note that authenticator implementations must assume that the user is already set in the ClientSession, because the identity provider has already set it.

property realm

realm: pulumi.Input<string>;

Realm name.

property signatureAlgorithm

signatureAlgorithm?: pulumi.Input<string>;

Signature algorithm used to sign SAML documents.

property signingCertificate

signingCertificate?: pulumi.Input<string>;

The external IdP’s signing certificate, used to validate signatures on the SAML documents it sends.

property singleLogoutServiceUrl

singleLogoutServiceUrl?: pulumi.Input<string>;

The external IdP’s single logout service URL.

property singleSignOnServiceUrl

singleSignOnServiceUrl: pulumi.Input<string>;

The external IdP’s single sign-on service URL.

property storeToken

storeToken?: pulumi.Input<boolean>;

Enable/disable storing tokens received from the identity provider after users authenticate.

property trustEmail

trustEmail?: pulumi.Input<boolean>;

If enabled, the email address provided by this identity provider is trusted and not verified, even if email verification is enabled for the realm.

property validateSignature

validateSignature?: pulumi.Input<boolean>;

Enable/disable signature validation of SAML responses.

property wantAssertionsEncrypted

wantAssertionsEncrypted?: pulumi.Input<boolean>;

Require that assertions from the external IdP be encrypted.

property wantAssertionsSigned

wantAssertionsSigned?: pulumi.Input<boolean>;

Require that assertions from the external IdP be signed.

property xmlSignKeyInfoKeyNameTransformer

xmlSignKeyInfoKeyNameTransformer?: pulumi.Input<string>;

Transformer applied to the KeyName element of the KeyInfo in XML signatures.
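The trust-related properties above (validateSignature, signingCertificate, wantAssertionsSigned, trustEmail, storeToken, addReadTokenRoleOnCreate) are the ones that decide how far Keycloak trusts the external IdP. As an added example, not code from the pulumi-keycloak provider or its documentation, the TypeScript below mirrors the property names of IdentityProviderArgs in a plain SamlIdpArgs type (pulumi.Input wrappers dropped so it runs without the Pulumi SDK), builds a conservative configuration, and audits an arbitrary configuration for settings that weaken that trust. SamlIdpArgs, Finding, hardenedSamlIdpArgs, auditSamlIdpArgs, the audit rules and all URL and certificate values are constructed for this example; the reference lists no defaults for the boolean properties, so the audit treats an unset boolean as not enabled.

```typescript
// Added example (not part of the pulumi-keycloak docs or provider): a plain
// object shape mirroring keycloak.saml.IdentityProviderArgs with the
// pulumi.Input<> wrappers removed, so the audit runs without the Pulumi SDK.
// Field names come from the reference above; everything else is assumed.
interface SamlIdpArgs {
  alias: string;
  realm: string;
  singleSignOnServiceUrl: string;
  singleLogoutServiceUrl?: string;
  signingCertificate?: string;
  validateSignature?: boolean;
  wantAssertionsSigned?: boolean;
  wantAssertionsEncrypted?: boolean;
  forceAuthn?: boolean;
  trustEmail?: boolean;
  storeToken?: boolean;
  addReadTokenRoleOnCreate?: boolean;
  postBindingAuthnRequest?: boolean;
  postBindingResponse?: boolean;
  postBindingLogout?: boolean;
  backchannelSupported?: boolean;
  nameIdPolicyFormat?: string;
}

interface Finding {
  property: keyof SamlIdpArgs;
  message: string;
}

// A conservatively configured SAML IdP definition (hypothetical helper).
// URLs and the certificate are constructed placeholders.
function hardenedSamlIdpArgs(): SamlIdpArgs {
  return {
    alias: "corp-saml",
    realm: "my-realm",
    singleSignOnServiceUrl: "https://idp.example.test/sso",   // constructed
    singleLogoutServiceUrl: "https://idp.example.test/slo",   // constructed
    signingCertificate:
      "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-IDP-CERT\n-----END CERTIFICATE-----",
    validateSignature: true,          // verify signatures on SAML responses
    wantAssertionsSigned: true,       // require signed assertions
    wantAssertionsEncrypted: true,    // require encrypted assertions
    forceAuthn: false,
    trustEmail: false,                // keep realm email verification in force
    storeToken: false,                // do not keep IdP tokens
    addReadTokenRoleOnCreate: false,  // do not hand out broker.read-token
    postBindingAuthnRequest: true,
    postBindingResponse: true,
    postBindingLogout: true,
    backchannelSupported: true,
    nameIdPolicyFormat: "Persistent",
  };
}

// Returns the settings that weaken the trust relationship with the external
// IdP (hypothetical helper). Unset booleans are treated as not enabled.
function auditSamlIdpArgs(a: SamlIdpArgs): Finding[] {
  const out: Finding[] = [];
  if (a.validateSignature !== true) {
    out.push({ property: "validateSignature",
      message: "signature validation of SAML responses is not enabled" });
  }
  if (a.validateSignature === true && !a.signingCertificate) {
    out.push({ property: "signingCertificate",
      message: "validateSignature is on but no IdP certificate is configured to validate against" });
  }
  if (a.wantAssertionsSigned !== true) {
    out.push({ property: "wantAssertionsSigned",
      message: "assertions from the IdP are not required to be signed" });
  }
  if (a.trustEmail === true) {
    out.push({ property: "trustEmail",
      message: "email from the IdP is accepted without realm verification" });
  }
  if (a.storeToken === true && a.addReadTokenRoleOnCreate === true) {
    out.push({ property: "addReadTokenRoleOnCreate",
      message: "stored IdP tokens are readable by every newly created user (broker.read-token)" });
  }
  for (const key of ["singleSignOnServiceUrl", "singleLogoutServiceUrl"] as const) {
    const u = a[key];
    if (u !== undefined && !/^https:\/\//i.test(u)) {
      out.push({ property: key, message: `${key} does not use https` });
    }
  }
  return out;
}
```

The audit is meant to run in CI over the argument objects a Pulumi program passes to `new keycloak.saml.IdentityProvider(...)` before `pulumi up`; the hardened object above produces no findings, and a definition with `validateSignature: false`, `trustEmail: true` or an `http://` service URL is reported by property name.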

interface IdentityProviderState

Input properties used for looking up and filtering IdentityProvider resources.

property addReadTokenRoleOnCreate

addReadTokenRoleOnCreate?: pulumi.Input<boolean>;

When enabled, newly created users are granted the broker.read-token role, which lets them read any tokens stored for this identity provider.

property alias

alias?: pulumi.Input<string>;

The alias uniquely identifies an identity provider and is also used to build the redirect URI.

property authenticateByDefault

authenticateByDefault?: pulumi.Input<boolean>;

Enable/disable authenticating users with this identity provider by default.

property backchannelSupported

backchannelSupported?: pulumi.Input<boolean>;

Does the external IdP support backchannel logout?

property displayName

displayName?: pulumi.Input<string>;

Friendly name for this identity provider.

property enabled

enabled?: pulumi.Input<boolean>;

Enable/disable this identity provider.

property firstBrokerLoginFlowAlias

firstBrokerLoginFlowAlias?: pulumi.Input<string>;

Alias of the authentication flow that is triggered after the first login with this identity provider. ‘First login’ means that no Keycloak account is yet linked to the authenticated identity provider account.

property forceAuthn

forceAuthn?: pulumi.Input<boolean>;

Require forced authentication: sets ForceAuthn on the SAML AuthnRequest so the external IdP must re-authenticate the user instead of reusing an existing session.

property hideOnLoginPage

hideOnLoginPage?: pulumi.Input<boolean>;

Hide this identity provider on the login page.

property internalId

internalId?: pulumi.Input<string>;

Internal identity provider ID.

property linkOnly

linkOnly?: pulumi.Input<boolean>;

If true, users cannot log in through this provider; they can only link their account to it. This is useful if you don’t want to allow login from the provider, but still want to integrate with it.

property nameIdPolicyFormat

nameIdPolicyFormat?: pulumi.Input<string>;

The NameID policy format requested in the AuthnRequest.

property postBindingAuthnRequest

postBindingAuthnRequest?: pulumi.Input<boolean>;

Use the HTTP-POST binding (rather than HTTP-Redirect) for AuthnRequests sent to the external IdP.

property postBindingLogout

postBindingLogout?: pulumi.Input<boolean>;

Use the HTTP-POST binding for logout requests.

property postBindingResponse

postBindingResponse?: pulumi.Input<boolean>;

Use the HTTP-POST binding for responses.

property postBrokerLoginFlowAlias

postBrokerLoginFlowAlias?: pulumi.Input<string>;

Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Note that authenticator implementations must assume that the user is already set in the ClientSession, because the identity provider has already set it.

property realm

realm?: pulumi.Input<string>;

Realm name.

property signatureAlgorithm

signatureAlgorithm?: pulumi.Input<string>;

Signature algorithm used to sign SAML documents.

property signingCertificate

signingCertificate?: pulumi.Input<string>;

The external IdP’s signing certificate, used to validate signatures on the SAML documents it sends.

property singleLogoutServiceUrl

singleLogoutServiceUrl?: pulumi.Input<string>;

The external IdP’s single logout service URL.

property singleSignOnServiceUrl

singleSignOnServiceUrl?: pulumi.Input<string>;

The external IdP’s single sign-on service URL.

property storeToken

storeToken?: pulumi.Input<boolean>;

Enable/disable storing tokens received from the identity provider after users authenticate.

property trustEmail

trustEmail?: pulumi.Input<boolean>;

If enabled, the email address provided by this identity provider is trusted and not verified, even if email verification is enabled for the realm.

property validateSignature

validateSignature?: pulumi.Input<boolean>;

Enable/disable signature validation of SAML responses.

property wantAssertionsEncrypted

wantAssertionsEncrypted?: pulumi.Input<boolean>;

Require that assertions from the external IdP be encrypted.

property wantAssertionsSigned

wantAssertionsSigned?: pulumi.Input<boolean>;

Require that assertions from the external IdP be signed.

property xmlSignKeyInfoKeyNameTransformer

xmlSignKeyInfoKeyNameTransformer?: pulumi.Input<string>;

Transformer applied to the KeyName element of the KeyInfo in XML signatures.

interface UserAttributeProtocolMapperArgs

The set of arguments for constructing a UserAttributeProtocolMapper resource.

property clientId

clientId?: pulumi.Input<string>;

property clientScopeId

clientScopeId?: pulumi.Input<string>;

property friendlyName

friendlyName?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

property realmId

realmId: pulumi.Input<string>;

property samlAttributeName

samlAttributeName: pulumi.Input<string>;

property samlAttributeNameFormat

samlAttributeNameFormat: pulumi.Input<string>;

property userAttribute

userAttribute: pulumi.Input<string>;

interface UserAttributeProtocolMapperState

Input properties used for looking up and filtering UserAttributeProtocolMapper resources.

property clientId

clientId?: pulumi.Input<string>;

property clientScopeId

clientScopeId?: pulumi.Input<string>;

property friendlyName

friendlyName?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

property realmId

realmId?: pulumi.Input<string>;

property samlAttributeName

samlAttributeName?: pulumi.Input<string>;

property samlAttributeNameFormat

samlAttributeNameFormat?: pulumi.Input<string>;

property userAttribute

userAttribute?: pulumi.Input<string>;

interface UserPropertyProtocolMapperArgs

The set of arguments for constructing a UserPropertyProtocolMapper resource.

property clientId

clientId?: pulumi.Input<string>;

property clientScopeId

clientScopeId?: pulumi.Input<string>;

property friendlyName

friendlyName?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

property realmId

realmId: pulumi.Input<string>;

property samlAttributeName

samlAttributeName: pulumi.Input<string>;

property samlAttributeNameFormat

samlAttributeNameFormat: pulumi.Input<string>;

property userProperty

userProperty: pulumi.Input<string>;

interface UserPropertyProtocolMapperState

Input properties used for looking up and filtering UserPropertyProtocolMapper resources.

property clientId

clientId?: pulumi.Input<string>;

property clientScopeId

clientScopeId?: pulumi.Input<string>;

property friendlyName

friendlyName?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

property realmId

realmId?: pulumi.Input<string>;

property samlAttributeName

samlAttributeName?: pulumi.Input<string>;

property samlAttributeNameFormat

samlAttributeNameFormat?: pulumi.Input<string>;

property userProperty

userProperty?: pulumi.Input<string>;