Keycloak v5.1.0, Mar 14 23

keycloak.saml.Client

Allows for creating and managing Keycloak clients that use the SAML protocol.

Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak’s user sessions for SSO.

Example Usage

using System.Collections.Generic;
using System.IO;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

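// Declares a realm and a SAML client whose signing material is read from local PEM files.
return await Deployment.RunAsync(() => 
{
    // Realm that the SAML client is attached to.
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var samlClient = new Keycloak.Saml.Client("samlClient", new()
    {
        RealmId = realm.Id,
        ClientId = "saml-client",
        // Only the assertion is signed here; the enclosing SAML document is not.
        SignDocuments = false,
        SignAssertions = true,
        IncludeAuthnStatement = true,
        SigningCertificate = File.ReadAllText("saml-cert.pem"),
        // Wrapped as a secret so Pulumi encrypts the key in stack state and masks it in
        // CLI output. The key file itself should stay out of version control.
        SigningPrivateKey = Output.CreateSecret(File.ReadAllText("saml-key.pem")),
    });

});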
package main

import (
	"os"

	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// readFileOrPanic reads the file at path and returns its contents as a Pulumi
// string input. A read failure aborts the program with a panic that carries
// the error text.
func readFileOrPanic(path string) pulumi.StringPtrInput {
	contents, readErr := os.ReadFile(path)
	if readErr == nil {
		return pulumi.String(string(contents))
	}
	panic(readErr.Error())
}

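// main declares a realm and a SAML client whose signing material is read from
// local PEM files.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Realm that the SAML client is attached to.
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = saml.NewClient(ctx, "samlClient", &saml.ClientArgs{
			RealmId:  realm.ID(),
			ClientId: pulumi.String("saml-client"),
			// Only the assertion is signed here; the enclosing SAML document is not.
			SignDocuments:         pulumi.Bool(false),
			SignAssertions:        pulumi.Bool(true),
			IncludeAuthnStatement: pulumi.Bool(true),
			SigningCertificate:    readFileOrPanic("saml-cert.pem"),
			// Wrapped as a secret so Pulumi encrypts the key in stack state and
			// masks it in CLI output. The assertion relies on readFileOrPanic
			// returning a pulumi.String. Keep the key file out of version control.
			SigningPrivateKey: pulumi.ToSecret(readFileOrPanic("saml-key.pem")).(pulumi.StringOutput),
		})
		// err is nil on success, so it can be returned directly.
		return err
	})
}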
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.saml.Client;
import com.pulumi.keycloak.saml.ClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

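/**
 * Pulumi program that declares a realm and a SAML client whose signing
 * material is read from local PEM files.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the stack's resources.
     *
     * @param ctx the Pulumi context for the current deployment
     */
    public static void stack(Context ctx) {
        // Realm that the SAML client is attached to.
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        var samlClient = new Client("samlClient", ClientArgs.builder()
            .realmId(realm.id())
            .clientId("saml-client")
            // Only the assertion is signed here; the enclosing SAML document is not.
            .signDocuments(false)
            .signAssertions(true)
            .includeAuthnStatement(true)
            .signingCertificate(readPem("saml-cert.pem"))
            // Wrapped as a secret so Pulumi encrypts the key in stack state and
            // masks it in CLI output. Keep the key file out of version control.
            .signingPrivateKey(Output.ofSecret(readPem("saml-key.pem")))
            .build());

    }

    /**
     * Reads a PEM file as text. Files.readString throws the checked
     * IOException, which stack(Context) does not declare, so it is rethrown
     * unchecked here.
     *
     * @param path location of the PEM file
     * @return the file content
     * @throws java.io.UncheckedIOException if the file cannot be read
     */
    private static String readPem(String path) {
        try {
            return Files.readString(Paths.get(path));
        } catch (java.io.IOException e) {
            throw new java.io.UncheckedIOException("Unable to read " + path, e);
        }
    }
}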
import pulumi
import pulumi_keycloak as keycloak

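def _read_text(path):
    """Return the text content of ``path``, closing the file handle afterwards."""
    with open(path, encoding="utf-8") as handle:
        return handle.read()


# Realm that the SAML client is attached to.
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
# Only the assertion is signed here; the enclosing SAML document is not.
# The private key is wrapped as a secret so Pulumi encrypts it in stack state and
# masks it in CLI output. Keep the key file out of version control.
saml_client = keycloak.saml.Client("samlClient",
    realm_id=realm.id,
    client_id="saml-client",
    sign_documents=False,
    sign_assertions=True,
    include_authn_statement=True,
    signing_certificate=_read_text("saml-cert.pem"),
    signing_private_key=pulumi.Output.secret(_read_text("saml-key.pem")))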
import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as keycloak from "@pulumi/keycloak";

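// Realm that the SAML client is attached to.
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const samlClient = new keycloak.saml.Client("samlClient", {
    realmId: realm.id,
    clientId: "saml-client",
    // Only the assertion is signed here; the enclosing SAML document is not.
    signDocuments: false,
    signAssertions: true,
    includeAuthnStatement: true,
    // Without an encoding readFileSync returns a Buffer, not the string these properties expect.
    signingCertificate: fs.readFileSync("saml-cert.pem", "utf8"),
    // Wrapped as a secret so Pulumi encrypts the key in stack state and masks it in
    // CLI output. Keep the key file out of version control.
    signingPrivateKey: pulumi.secret(fs.readFileSync("saml-key.pem", "utf8")),
});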
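resources:
  # Realm that the SAML client is attached to.
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  samlClient:
    type: keycloak:saml:Client
    properties:
      realmId: ${realm.id}
      clientId: saml-client
      # Only the assertion is signed here; the enclosing SAML document is not.
      signDocuments: false
      signAssertions: true
      includeAuthnStatement: true
      signingCertificate:
        fn::readFile: saml-cert.pem
      # Wrapped as a secret so Pulumi encrypts the key in stack state and masks
      # it in CLI output. Keep the key file out of version control.
      signingPrivateKey:
        fn::secret:
          fn::readFile: saml-key.pem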

Create Client Resource

new Client(name: string, args: ClientArgs, opts?: CustomResourceOptions);
@overload
def Client(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           assertion_consumer_post_url: Optional[str] = None,
           assertion_consumer_redirect_url: Optional[str] = None,
           authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
           base_url: Optional[str] = None,
           canonicalization_method: Optional[str] = None,
           client_id: Optional[str] = None,
           client_signature_required: Optional[bool] = None,
           description: Optional[str] = None,
           enabled: Optional[bool] = None,
           encrypt_assertions: Optional[bool] = None,
           encryption_certificate: Optional[str] = None,
           extra_config: Optional[Mapping[str, Any]] = None,
           force_name_id_format: Optional[bool] = None,
           force_post_binding: Optional[bool] = None,
           front_channel_logout: Optional[bool] = None,
           full_scope_allowed: Optional[bool] = None,
           idp_initiated_sso_relay_state: Optional[str] = None,
           idp_initiated_sso_url_name: Optional[str] = None,
           include_authn_statement: Optional[bool] = None,
           login_theme: Optional[str] = None,
           logout_service_post_binding_url: Optional[str] = None,
           logout_service_redirect_binding_url: Optional[str] = None,
           master_saml_processing_url: Optional[str] = None,
           name: Optional[str] = None,
           name_id_format: Optional[str] = None,
           realm_id: Optional[str] = None,
           root_url: Optional[str] = None,
           sign_assertions: Optional[bool] = None,
           sign_documents: Optional[bool] = None,
           signature_algorithm: Optional[str] = None,
           signature_key_name: Optional[str] = None,
           signing_certificate: Optional[str] = None,
           signing_private_key: Optional[str] = None,
           valid_redirect_uris: Optional[Sequence[str]] = None)
@overload
def Client(resource_name: str,
           args: ClientArgs,
           opts: Optional[ResourceOptions] = None)
func NewClient(ctx *Context, name string, args ClientArgs, opts ...ResourceOption) (*Client, error)
public Client(string name, ClientArgs args, CustomResourceOptions? opts = null)
public Client(String name, ClientArgs args)
public Client(String name, ClientArgs args, CustomResourceOptions options)
type: keycloak:saml:Client
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Client Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Client resource accepts the following input properties:

ClientId string

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

RealmId string

The realm this client is attached to.

AssertionConsumerPostUrl string

SAML POST Binding URL for the client's assertion consumer service (login responses).

AssertionConsumerRedirectUrl string

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

BaseUrl string

When specified, this URL will be used whenever Keycloak needs to link to this client.

CanonicalizationMethod string

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

ClientSignatureRequired bool

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

Description string

The description of this client in the GUI.

Enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

EncryptAssertions bool

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

EncryptionCertificate string

If assertions for the client are encrypted, this certificate will be used for encryption.

ExtraConfig Dictionary<string, object>
ForceNameIdFormat bool

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

ForcePostBinding bool

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

FrontChannelLogout bool

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

FullScopeAllowed bool

Allows all role mappings to be included in the access token.

IdpInitiatedSsoRelayState string

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

IdpInitiatedSsoUrlName string

URL fragment name to reference client when you want to do IDP Initiated SSO.

IncludeAuthnStatement bool

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

LoginTheme string

The login theme of this client.

LogoutServicePostBindingUrl string

SAML POST Binding URL for the client's single logout service.

LogoutServiceRedirectBindingUrl string

SAML Redirect Binding URL for the client's single logout service.

MasterSamlProcessingUrl string

When specified, this URL will be used for all SAML requests.

Name string

The display name of this client in the GUI.

NameIdFormat string

Sets the Name ID format for the subject.

RootUrl string

When specified, this value is prepended to all relative URLs.

SignAssertions bool

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

SignDocuments bool

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

SignatureAlgorithm string

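The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") rely on a hash that is no longer considered collision-resistant; prefer a SHA-256 or SHA-512 variant where the service provider supports it.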

SignatureKeyName string

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

SigningCertificate string

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

SigningPrivateKey string

If documents or assertions from the client are signed, this private key will be used to verify the signature.

ValidRedirectUris List<string>

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

ClientId string

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

RealmId string

The realm this client is attached to.

AssertionConsumerPostUrl string

SAML POST Binding URL for the client's assertion consumer service (login responses).

AssertionConsumerRedirectUrl string

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

BaseUrl string

When specified, this URL will be used whenever Keycloak needs to link to this client.

CanonicalizationMethod string

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

ClientSignatureRequired bool

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

Description string

The description of this client in the GUI.

Enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

EncryptAssertions bool

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

EncryptionCertificate string

If assertions for the client are encrypted, this certificate will be used for encryption.

ExtraConfig map[string]interface{}
ForceNameIdFormat bool

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

ForcePostBinding bool

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

FrontChannelLogout bool

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

FullScopeAllowed bool

Allows all role mappings to be included in the access token.

IdpInitiatedSsoRelayState string

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

IdpInitiatedSsoUrlName string

URL fragment name to reference client when you want to do IDP Initiated SSO.

IncludeAuthnStatement bool

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

LoginTheme string

The login theme of this client.

LogoutServicePostBindingUrl string

SAML POST Binding URL for the client's single logout service.

LogoutServiceRedirectBindingUrl string

SAML Redirect Binding URL for the client's single logout service.

MasterSamlProcessingUrl string

When specified, this URL will be used for all SAML requests.

Name string

The display name of this client in the GUI.

NameIdFormat string

Sets the Name ID format for the subject.

RootUrl string

When specified, this value is prepended to all relative URLs.

SignAssertions bool

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

SignDocuments bool

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

SignatureAlgorithm string

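The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") rely on a hash that is no longer considered collision-resistant; prefer a SHA-256 or SHA-512 variant where the service provider supports it.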

SignatureKeyName string

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

SigningCertificate string

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

SigningPrivateKey string

If documents or assertions from the client are signed, this private key will be used to verify the signature.

ValidRedirectUris []string

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

clientId String

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

realmId String

The realm this client is attached to.

assertionConsumerPostUrl String

SAML POST Binding URL for the client's assertion consumer service (login responses).

assertionConsumerRedirectUrl String

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

baseUrl String

When specified, this URL will be used whenever Keycloak needs to link to this client.

canonicalizationMethod String

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

clientSignatureRequired Boolean

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

description String

The description of this client in the GUI.

enabled Boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

encryptAssertions Boolean

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

encryptionCertificate String

If assertions for the client are encrypted, this certificate will be used for encryption.

extraConfig Map<String,Object>
forceNameIdFormat Boolean

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

forcePostBinding Boolean

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

frontChannelLogout Boolean

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

fullScopeAllowed Boolean

Allows all role mappings to be included in the access token.

idpInitiatedSsoRelayState String

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

idpInitiatedSsoUrlName String

URL fragment name to reference client when you want to do IDP Initiated SSO.

includeAuthnStatement Boolean

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

loginTheme String

The login theme of this client.

logoutServicePostBindingUrl String

SAML POST Binding URL for the client's single logout service.

logoutServiceRedirectBindingUrl String

SAML Redirect Binding URL for the client's single logout service.

masterSamlProcessingUrl String

When specified, this URL will be used for all SAML requests.

name String

The display name of this client in the GUI.

nameIdFormat String

Sets the Name ID format for the subject.

rootUrl String

When specified, this value is prepended to all relative URLs.

signAssertions Boolean

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

signDocuments Boolean

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

signatureAlgorithm String

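The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") rely on a hash that is no longer considered collision-resistant; prefer a SHA-256 or SHA-512 variant where the service provider supports it.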

signatureKeyName String

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

signingCertificate String

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

signingPrivateKey String

If documents or assertions from the client are signed, this private key will be used to verify the signature.

validRedirectUris List<String>

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

clientId string

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

realmId string

The realm this client is attached to.

assertionConsumerPostUrl string

SAML POST Binding URL for the client's assertion consumer service (login responses).

assertionConsumerRedirectUrl string

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

baseUrl string

When specified, this URL will be used whenever Keycloak needs to link to this client.

canonicalizationMethod string

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

clientSignatureRequired boolean

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

description string

The description of this client in the GUI.

enabled boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

encryptAssertions boolean

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

encryptionCertificate string

If assertions for the client are encrypted, this certificate will be used for encryption.

extraConfig {[key: string]: any}
forceNameIdFormat boolean

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

forcePostBinding boolean

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

frontChannelLogout boolean

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

fullScopeAllowed boolean

Allows all role mappings to be included in the access token.

idpInitiatedSsoRelayState string

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

idpInitiatedSsoUrlName string

URL fragment name to reference client when you want to do IDP Initiated SSO.

includeAuthnStatement boolean

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

loginTheme string

The login theme of this client.

logoutServicePostBindingUrl string

SAML POST Binding URL for the client's single logout service.

logoutServiceRedirectBindingUrl string

SAML Redirect Binding URL for the client's single logout service.

masterSamlProcessingUrl string

When specified, this URL will be used for all SAML requests.

name string

The display name of this client in the GUI.

nameIdFormat string

Sets the Name ID format for the subject.

rootUrl string

When specified, this value is prepended to all relative URLs.

signAssertions boolean

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

signDocuments boolean

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

signatureAlgorithm string

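The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") rely on a hash that is no longer considered collision-resistant; prefer a SHA-256 or SHA-512 variant where the service provider supports it.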

signatureKeyName string

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

signingCertificate string

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

signingPrivateKey string

If documents or assertions from the client are signed, this private key will be used to verify the signature.

validRedirectUris string[]

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

client_id str

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

realm_id str

The realm this client is attached to.

assertion_consumer_post_url str

SAML POST Binding URL for the client's assertion consumer service (login responses).

assertion_consumer_redirect_url str

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

base_url str

When specified, this URL will be used whenever Keycloak needs to link to this client.

canonicalization_method str

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

client_signature_required bool

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

description str

The description of this client in the GUI.

enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

encrypt_assertions bool

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

encryption_certificate str

If assertions for the client are encrypted, this certificate will be used for encryption.

extra_config Mapping[str, Any]
force_name_id_format bool

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

force_post_binding bool

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

front_channel_logout bool

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

full_scope_allowed bool

Allows all role mappings to be included in the access token.

idp_initiated_sso_relay_state str

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

idp_initiated_sso_url_name str

URL fragment name to reference client when you want to do IDP Initiated SSO.

include_authn_statement bool

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

login_theme str

The login theme of this client.

logout_service_post_binding_url str

SAML POST Binding URL for the client's single logout service.

logout_service_redirect_binding_url str

SAML Redirect Binding URL for the client's single logout service.

master_saml_processing_url str

When specified, this URL will be used for all SAML requests.

name str

The display name of this client in the GUI.

name_id_format str

Sets the Name ID format for the subject.

root_url str

When specified, this value is prepended to all relative URLs.

sign_assertions bool

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

sign_documents bool

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

signature_algorithm str

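The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") rely on a hash that is no longer considered collision-resistant; prefer a SHA-256 or SHA-512 variant where the service provider supports it.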

signature_key_name str

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

signing_certificate str

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

signing_private_key str

If documents or assertions from the client are signed, this private key will be used to verify the signature.

valid_redirect_uris Sequence[str]

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

clientId String

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

realmId String

The realm this client is attached to.

assertionConsumerPostUrl String

SAML POST Binding URL for the client's assertion consumer service (login responses).

assertionConsumerRedirectUrl String

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

authenticationFlowBindingOverrides Property Map

Override realm authentication flow bindings

baseUrl String

When specified, this URL will be used whenever Keycloak needs to link to this client.

canonicalizationMethod String

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

clientSignatureRequired Boolean

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

description String

The description of this client in the GUI.

enabled Boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

encryptAssertions Boolean

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

encryptionCertificate String

If assertions for the client are encrypted, this certificate will be used for encryption.

extraConfig Map<Any>
forceNameIdFormat Boolean

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

forcePostBinding Boolean

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

frontChannelLogout Boolean

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

fullScopeAllowed Boolean

Allows all role mappings to be included in the access token.

idpInitiatedSsoRelayState String

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

idpInitiatedSsoUrlName String

URL fragment name to reference client when you want to do IDP Initiated SSO.

includeAuthnStatement Boolean

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

loginTheme String

The login theme of this client.

logoutServicePostBindingUrl String

SAML POST Binding URL for the client's single logout service.

logoutServiceRedirectBindingUrl String

SAML Redirect Binding URL for the client's single logout service.

masterSamlProcessingUrl String

When specified, this URL will be used for all SAML requests.

name String

The display name of this client in the GUI.

nameIdFormat String

Sets the Name ID format for the subject.

rootUrl String

When specified, this value is prepended to all relative URLs.

signAssertions Boolean

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

signDocuments Boolean

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

signatureAlgorithm String

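The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") rely on a hash that is no longer considered collision-resistant; prefer a SHA-256 or SHA-512 variant where the service provider supports it.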

signatureKeyName String

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

signingCertificate String

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

signingPrivateKey String

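If documents or assertions from the client are signed, this private key will be used to verify the signature. This is secret key material: supply it from a secret store or encrypted Pulumi configuration rather than from a file kept in source control.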

validRedirectUris List<String>

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

Outputs

All input properties are implicitly available as output properties. Additionally, the Client resource produces the following output properties:

EncryptionCertificateSha1 string

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

Id string

The provider-assigned unique ID for this managed resource.

SigningCertificateSha1 string

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

SigningPrivateKeySha1 string

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

EncryptionCertificateSha1 string

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

Id string

The provider-assigned unique ID for this managed resource.

SigningCertificateSha1 string

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

SigningPrivateKeySha1 string

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryptionCertificateSha1 String

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

id String

The provider-assigned unique ID for this managed resource.

signingCertificateSha1 String

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

signingPrivateKeySha1 String

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryptionCertificateSha1 string

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

id string

The provider-assigned unique ID for this managed resource.

signingCertificateSha1 string

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

signingPrivateKeySha1 string

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryption_certificate_sha1 str

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

id str

The provider-assigned unique ID for this managed resource.

signing_certificate_sha1 str

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

signing_private_key_sha1 str

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryptionCertificateSha1 String

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

id String

The provider-assigned unique ID for this managed resource.

signingCertificateSha1 String

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

signingPrivateKeySha1 String

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

Look up Existing Client Resource

Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ClientState, opts?: CustomResourceOptions): Client
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        assertion_consumer_post_url: Optional[str] = None,
        assertion_consumer_redirect_url: Optional[str] = None,
        authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
        base_url: Optional[str] = None,
        canonicalization_method: Optional[str] = None,
        client_id: Optional[str] = None,
        client_signature_required: Optional[bool] = None,
        description: Optional[str] = None,
        enabled: Optional[bool] = None,
        encrypt_assertions: Optional[bool] = None,
        encryption_certificate: Optional[str] = None,
        encryption_certificate_sha1: Optional[str] = None,
        extra_config: Optional[Mapping[str, Any]] = None,
        force_name_id_format: Optional[bool] = None,
        force_post_binding: Optional[bool] = None,
        front_channel_logout: Optional[bool] = None,
        full_scope_allowed: Optional[bool] = None,
        idp_initiated_sso_relay_state: Optional[str] = None,
        idp_initiated_sso_url_name: Optional[str] = None,
        include_authn_statement: Optional[bool] = None,
        login_theme: Optional[str] = None,
        logout_service_post_binding_url: Optional[str] = None,
        logout_service_redirect_binding_url: Optional[str] = None,
        master_saml_processing_url: Optional[str] = None,
        name: Optional[str] = None,
        name_id_format: Optional[str] = None,
        realm_id: Optional[str] = None,
        root_url: Optional[str] = None,
        sign_assertions: Optional[bool] = None,
        sign_documents: Optional[bool] = None,
        signature_algorithm: Optional[str] = None,
        signature_key_name: Optional[str] = None,
        signing_certificate: Optional[str] = None,
        signing_certificate_sha1: Optional[str] = None,
        signing_private_key: Optional[str] = None,
        signing_private_key_sha1: Optional[str] = None,
        valid_redirect_uris: Optional[Sequence[str]] = None) -> Client
func GetClient(ctx *Context, name string, id IDInput, state *ClientState, opts ...ResourceOption) (*Client, error)
public static Client Get(string name, Input<string> id, ClientState? state, CustomResourceOptions? opts = null)
public static Client get(String name, Output<String> id, ClientState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AssertionConsumerPostUrl string

SAML POST Binding URL for the client's assertion consumer service (login responses).

AssertionConsumerRedirectUrl string

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

BaseUrl string

When specified, this URL will be used whenever Keycloak needs to link to this client.

CanonicalizationMethod string

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

ClientId string

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

ClientSignatureRequired bool

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

Description string

The description of this client in the GUI.

Enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

EncryptAssertions bool

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

EncryptionCertificate string

If assertions for the client are encrypted, this certificate will be used for encryption.

EncryptionCertificateSha1 string

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

ExtraConfig Dictionary<string, object>
ForceNameIdFormat bool

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

ForcePostBinding bool

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

FrontChannelLogout bool

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

FullScopeAllowed bool

Allows all role mappings to be included in the access token.

IdpInitiatedSsoRelayState string

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

IdpInitiatedSsoUrlName string

URL fragment name to reference client when you want to do IDP Initiated SSO.

IncludeAuthnStatement bool

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

LoginTheme string

The login theme of this client.

LogoutServicePostBindingUrl string

SAML POST Binding URL for the client's single logout service.

LogoutServiceRedirectBindingUrl string

SAML Redirect Binding URL for the client's single logout service.

MasterSamlProcessingUrl string

When specified, this URL will be used for all SAML requests.

Name string

The display name of this client in the GUI.

NameIdFormat string

Sets the Name ID format for the subject.

RealmId string

The realm this client is attached to.

RootUrl string

When specified, this value is prepended to all relative URLs.

SignAssertions bool

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

SignDocuments bool

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

SignatureAlgorithm string

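The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". SHA-1 is no longer considered safe for signatures, so prefer a SHA-256 or SHA-512 option unless the service provider cannot accept one.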

SignatureKeyName string

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

SigningCertificate string

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

SigningCertificateSha1 string

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

SigningPrivateKey string

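If documents or assertions from the client are signed, this private key will be used to verify the signature. This is secret key material: supply it from a secret store or encrypted Pulumi configuration rather than from a file kept in source control.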

SigningPrivateKeySha1 string

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

ValidRedirectUris List<string>

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

AssertionConsumerPostUrl string

SAML POST Binding URL for the client's assertion consumer service (login responses).

AssertionConsumerRedirectUrl string

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

BaseUrl string

When specified, this URL will be used whenever Keycloak needs to link to this client.

CanonicalizationMethod string

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

ClientId string

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

ClientSignatureRequired bool

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

Description string

The description of this client in the GUI.

Enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

EncryptAssertions bool

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

EncryptionCertificate string

If assertions for the client are encrypted, this certificate will be used for encryption.

EncryptionCertificateSha1 string

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

ExtraConfig map[string]interface{}
ForceNameIdFormat bool

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

ForcePostBinding bool

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

FrontChannelLogout bool

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

FullScopeAllowed bool

Allows all role mappings to be included in the access token.

IdpInitiatedSsoRelayState string

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

IdpInitiatedSsoUrlName string

URL fragment name to reference client when you want to do IDP Initiated SSO.

IncludeAuthnStatement bool

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

LoginTheme string

The login theme of this client.

LogoutServicePostBindingUrl string

SAML POST Binding URL for the client's single logout service.

LogoutServiceRedirectBindingUrl string

SAML Redirect Binding URL for the client's single logout service.

MasterSamlProcessingUrl string

When specified, this URL will be used for all SAML requests.

Name string

The display name of this client in the GUI.

NameIdFormat string

Sets the Name ID format for the subject.

RealmId string

The realm this client is attached to.

RootUrl string

When specified, this value is prepended to all relative URLs.

SignAssertions bool

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

SignDocuments bool

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

SignatureAlgorithm string

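The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". SHA-1 is no longer considered safe for signatures, so prefer a SHA-256 or SHA-512 option unless the service provider cannot accept one.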

SignatureKeyName string

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

SigningCertificate string

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

SigningCertificateSha1 string

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

SigningPrivateKey string

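If documents or assertions from the client are signed, this private key will be used to verify the signature. This is secret key material: supply it from a secret store or encrypted Pulumi configuration rather than from a file kept in source control.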

SigningPrivateKeySha1 string

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

ValidRedirectUris []string

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

assertionConsumerPostUrl String

SAML POST Binding URL for the client's assertion consumer service (login responses).

assertionConsumerRedirectUrl String

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

baseUrl String

When specified, this URL will be used whenever Keycloak needs to link to this client.

canonicalizationMethod String

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

clientId String

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

clientSignatureRequired Boolean

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

description String

The description of this client in the GUI.

enabled Boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

encryptAssertions Boolean

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

encryptionCertificate String

If assertions for the client are encrypted, this certificate will be used for encryption.

encryptionCertificateSha1 String

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

extraConfig Map<String,Object>
forceNameIdFormat Boolean

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

forcePostBinding Boolean

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

frontChannelLogout Boolean

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

fullScopeAllowed Boolean

Allows all role mappings to be included in the access token.

idpInitiatedSsoRelayState String

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

idpInitiatedSsoUrlName String

URL fragment name to reference client when you want to do IDP Initiated SSO.

includeAuthnStatement Boolean

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

loginTheme String

The login theme of this client.

logoutServicePostBindingUrl String

SAML POST Binding URL for the client's single logout service.

logoutServiceRedirectBindingUrl String

SAML Redirect Binding URL for the client's single logout service.

masterSamlProcessingUrl String

When specified, this URL will be used for all SAML requests.

name String

The display name of this client in the GUI.

nameIdFormat String

Sets the Name ID format for the subject.

realmId String

The realm this client is attached to.

rootUrl String

When specified, this value is prepended to all relative URLs.

signAssertions Boolean

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

signDocuments Boolean

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

signatureAlgorithm String

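The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". SHA-1 is no longer considered safe for signatures, so prefer a SHA-256 or SHA-512 option unless the service provider cannot accept one.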

signatureKeyName String

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

signingCertificate String

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

signingCertificateSha1 String

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

signingPrivateKey String

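If documents or assertions from the client are signed, this private key will be used to verify the signature. This is secret key material: supply it from a secret store or encrypted Pulumi configuration rather than from a file kept in source control.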

signingPrivateKeySha1 String

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

validRedirectUris List<String>

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

assertionConsumerPostUrl string

SAML POST Binding URL for the client's assertion consumer service (login responses).

assertionConsumerRedirectUrl string

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

baseUrl string

When specified, this URL will be used whenever Keycloak needs to link to this client.

canonicalizationMethod string

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

clientId string

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

clientSignatureRequired boolean

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

description string

The description of this client in the GUI.

enabled boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

encryptAssertions boolean

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

encryptionCertificate string

If assertions for the client are encrypted, this certificate will be used for encryption.

encryptionCertificateSha1 string

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

extraConfig {[key: string]: any}
forceNameIdFormat boolean

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

forcePostBinding boolean

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

frontChannelLogout boolean

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

fullScopeAllowed boolean

Allows all role mappings to be included in the access token.

idpInitiatedSsoRelayState string

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

idpInitiatedSsoUrlName string

URL fragment name to reference client when you want to do IDP Initiated SSO.

includeAuthnStatement boolean

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

loginTheme string

The login theme of this client.

logoutServicePostBindingUrl string

SAML POST Binding URL for the client's single logout service.

logoutServiceRedirectBindingUrl string

SAML Redirect Binding URL for the client's single logout service.

masterSamlProcessingUrl string

When specified, this URL will be used for all SAML requests.

name string

The display name of this client in the GUI.

nameIdFormat string

Sets the Name ID format for the subject.

realmId string

The realm this client is attached to.

rootUrl string

When specified, this value is prepended to all relative URLs.

signAssertions boolean

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

signDocuments boolean

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

signatureAlgorithm string

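The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". SHA-1 is no longer considered safe for signatures, so prefer a SHA-256 or SHA-512 option unless the service provider cannot accept one.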

signatureKeyName string

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

signingCertificate string

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

signingCertificateSha1 string

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

signingPrivateKey string

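If documents or assertions from the client are signed, this private key will be used to verify the signature. This is secret key material: supply it from a secret store or encrypted Pulumi configuration rather than from a file kept in source control.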

signingPrivateKeySha1 string

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

validRedirectUris string[]

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

assertion_consumer_post_url str

SAML POST Binding URL for the client's assertion consumer service (login responses).

assertion_consumer_redirect_url str

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs

Override realm authentication flow bindings

base_url str

When specified, this URL will be used whenever Keycloak needs to link to this client.

canonicalization_method str

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

client_id str

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

client_signature_required bool

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

description str

The description of this client in the GUI.

enabled bool

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

encrypt_assertions bool

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

encryption_certificate str

If assertions for the client are encrypted, this certificate will be used for encryption.

encryption_certificate_sha1 str

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

extra_config Mapping[str, Any]
force_name_id_format bool

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

force_post_binding bool

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

front_channel_logout bool

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

full_scope_allowed bool

Allows all role mappings to be included in the access token.

idp_initiated_sso_relay_state str

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

idp_initiated_sso_url_name str

URL fragment name to reference client when you want to do IDP Initiated SSO.

include_authn_statement bool

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

login_theme str

The login theme of this client.

logout_service_post_binding_url str

SAML POST Binding URL for the client's single logout service.

logout_service_redirect_binding_url str

SAML Redirect Binding URL for the client's single logout service.

master_saml_processing_url str

When specified, this URL will be used for all SAML requests.

name str

The display name of this client in the GUI.

name_id_format str

Sets the Name ID format for the subject.

realm_id str

The realm this client is attached to.

root_url str

When specified, this value is prepended to all relative URLs.

sign_assertions bool

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

sign_documents bool

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

signature_algorithm str

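The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". SHA-1 is no longer considered safe for signatures, so prefer a SHA-256 or SHA-512 option unless the service provider cannot accept one.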

signature_key_name str

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

signing_certificate str

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

signing_certificate_sha1 str

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

signing_private_key str

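If documents or assertions from the client are signed, this private key will be used to verify the signature. This is secret key material: supply it from a secret store or encrypted Pulumi configuration rather than from a file kept in source control.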

signing_private_key_sha1 str

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

valid_redirect_uris Sequence[str]

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

assertionConsumerPostUrl String

SAML POST Binding URL for the client's assertion consumer service (login responses).

assertionConsumerRedirectUrl String

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

authenticationFlowBindingOverrides Property Map

Override realm authentication flow bindings

baseUrl String

When specified, this URL will be used whenever Keycloak needs to link to this client.

canonicalizationMethod String

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

clientId String

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

clientSignatureRequired Boolean

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

description String

The description of this client in the GUI.

enabled Boolean

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

encryptAssertions Boolean

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

encryptionCertificate String

If assertions for the client are encrypted, this certificate will be used for encryption.

encryptionCertificateSha1 String

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

extraConfig Map<Any>
forceNameIdFormat Boolean

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

forcePostBinding Boolean

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

frontChannelLogout Boolean

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

fullScopeAllowed Boolean

Allows all role mappings to be included in the access token.

idpInitiatedSsoRelayState String

The relay state to send with the SAML request when performing IdP-initiated SSO.

idpInitiatedSsoUrlName String

The URL fragment name used to reference this client when performing IdP-initiated SSO.

includeAuthnStatement Boolean

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

loginTheme String

The login theme of this client.

logoutServicePostBindingUrl String

SAML POST Binding URL for the client's single logout service.

logoutServiceRedirectBindingUrl String

SAML Redirect Binding URL for the client's single logout service.

masterSamlProcessingUrl String

When specified, this URL will be used for all SAML requests.

name String

The display name of this client in the GUI.

nameIdFormat String

Sets the Name ID format for the subject.

realmId String

The realm this client is attached to.

rootUrl String

When specified, this value is prepended to all relative URLs.

signAssertions Boolean

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

signDocuments Boolean

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

signatureAlgorithm String

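The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The "RSA_SHA1" and "DSA_SHA1" options rely on SHA-1, which is no longer considered collision-resistant; prefer a SHA-256 or SHA-512 variant when the service provider supports it.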

signatureKeyName String

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

signingCertificate String

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

signingCertificateSha1 String

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

signingPrivateKey String

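If documents or assertions from the client are signed, this private key will be used to verify the signature. This value is private key material: supply it as a Pulumi secret so that it is encrypted in the stack state, and keep the key file out of version control.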

signingPrivateKeySha1 String

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

validRedirectUris List<String>

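When specified, Keycloak will use this list to validate the Assertion Consumer URLs given in the authentication request. Keep the entries as specific as possible; broad wildcard patterns widen the set of endpoints that can receive a SAML response.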

Supporting Types

ClientAuthenticationFlowBindingOverrides

BrowserId string

Browser flow id (flow needs to exist)

DirectGrantId string

Direct grant flow id (flow needs to exist)

BrowserId string

Browser flow id (flow needs to exist)

DirectGrantId string

Direct grant flow id (flow needs to exist)

browserId String

Browser flow id (flow needs to exist)

directGrantId String

Direct grant flow id (flow needs to exist)

browserId string

Browser flow id (flow needs to exist)

directGrantId string

Direct grant flow id (flow needs to exist)

browser_id str

Browser flow id (flow needs to exist)

direct_grant_id str

Direct grant flow id (flow needs to exist)

browserId String

Browser flow id (flow needs to exist)

directGrantId String

Direct grant flow id (flow needs to exist)

Import

Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Example:

 $ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352

Package Details

Repository
Keycloak pulumi/pulumi-keycloak
License
Apache-2.0
Notes

This Pulumi package is based on the keycloak Terraform Provider.