Keycloak v5.1.0, Mar 14 23

keycloak.saml.Client

Allows for creating and managing Keycloak clients that use the SAML protocol.

Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak’s user sessions for SSO.

Example Usage

using System.Collections.Generic;
using System.IO;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var samlClient = new Keycloak.Saml.Client("samlClient", new()
    {
        RealmId = realm.Id,
        ClientId = "saml-client",
        SignDocuments = false,
        SignAssertions = true,
        IncludeAuthnStatement = true,
        SigningCertificate = File.ReadAllText("saml-cert.pem"),
        SigningPrivateKey = File.ReadAllText("saml-key.pem"),
    });

});

package main

import (
	"os"

	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func readFileOrPanic(path string) pulumi.StringPtrInput {
	data, err := os.ReadFile(path)
	if err != nil {
		panic(err.Error())
	}
	return pulumi.String(string(data))
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = saml.NewClient(ctx, "samlClient", &saml.ClientArgs{
			RealmId:               realm.ID(),
			ClientId:              pulumi.String("saml-client"),
			SignDocuments:         pulumi.Bool(false),
			SignAssertions:        pulumi.Bool(true),
			IncludeAuthnStatement: pulumi.Bool(true),
			SigningCertificate:    readFileOrPanic("saml-cert.pem"),
			SigningPrivateKey:     readFileOrPanic("saml-key.pem"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.saml.Client;
import com.pulumi.keycloak.saml.ClientArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()        
            .realm("my-realm")
            .enabled(true)
            .build());

        var samlClient = new Client("samlClient", ClientArgs.builder()        
            .realmId(realm.id())
            .clientId("saml-client")
            .signDocuments(false)
            .signAssertions(true)
            .includeAuthnStatement(true)
            .signingCertificate(Files.readString(Paths.get("saml-cert.pem")))
            .signingPrivateKey(Files.readString(Paths.get("saml-key.pem")))
            .build());

    }
}

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
saml_client = keycloak.saml.Client("samlClient",
    realm_id=realm.id,
    client_id="saml-client",
    sign_documents=False,
    sign_assertions=True,
    include_authn_statement=True,
    signing_certificate=(lambda path: open(path).read())("saml-cert.pem"),
    signing_private_key=(lambda path: open(path).read())("saml-key.pem"))

import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const samlClient = new keycloak.saml.Client("samlClient", {
    realmId: realm.id,
    clientId: "saml-client",
    signDocuments: false,
    signAssertions: true,
    includeAuthnStatement: true,
    signingCertificate: fs.readFileSync("saml-cert.pem"),
    signingPrivateKey: fs.readFileSync("saml-key.pem"),
});

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  samlClient:
    type: keycloak:saml:Client
    properties:
      realmId: ${realm.id}
      clientId: saml-client
      signDocuments: false
      signAssertions: true
      includeAuthnStatement: true
      signingCertificate:
        fn::readFile: saml-cert.pem
      signingPrivateKey:
        fn::readFile: saml-key.pem

Create Client Resource

new Client(name: string, args: ClientArgs, opts?: CustomResourceOptions);

@overload
def Client(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           assertion_consumer_post_url: Optional[str] = None,
           assertion_consumer_redirect_url: Optional[str] = None,
           authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
           base_url: Optional[str] = None,
           canonicalization_method: Optional[str] = None,
           client_id: Optional[str] = None,
           client_signature_required: Optional[bool] = None,
           description: Optional[str] = None,
           enabled: Optional[bool] = None,
           encrypt_assertions: Optional[bool] = None,
           encryption_certificate: Optional[str] = None,
           extra_config: Optional[Mapping[str, Any]] = None,
           force_name_id_format: Optional[bool] = None,
           force_post_binding: Optional[bool] = None,
           front_channel_logout: Optional[bool] = None,
           full_scope_allowed: Optional[bool] = None,
           idp_initiated_sso_relay_state: Optional[str] = None,
           idp_initiated_sso_url_name: Optional[str] = None,
           include_authn_statement: Optional[bool] = None,
           login_theme: Optional[str] = None,
           logout_service_post_binding_url: Optional[str] = None,
           logout_service_redirect_binding_url: Optional[str] = None,
           master_saml_processing_url: Optional[str] = None,
           name: Optional[str] = None,
           name_id_format: Optional[str] = None,
           realm_id: Optional[str] = None,
           root_url: Optional[str] = None,
           sign_assertions: Optional[bool] = None,
           sign_documents: Optional[bool] = None,
           signature_algorithm: Optional[str] = None,
           signature_key_name: Optional[str] = None,
           signing_certificate: Optional[str] = None,
           signing_private_key: Optional[str] = None,
           valid_redirect_uris: Optional[Sequence[str]] = None)
@overload
def Client(resource_name: str,
           args: ClientArgs,
           opts: Optional[ResourceOptions] = None)

func NewClient(ctx *Context, name string, args ClientArgs, opts ...ResourceOption) (*Client, error)

public Client(string name, ClientArgs args, CustomResourceOptions? opts = null)

public Client(String name, ClientArgs args)
public Client(String name, ClientArgs args, CustomResourceOptions options)

type: keycloak:saml:Client
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ClientArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ClientArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ClientArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ClientArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ClientArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Client Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Client resource accepts the following input properties:

ClientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
RealmId string: The realm this client is attached to.
AssertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
AssertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
BaseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
CanonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
ClientSignatureRequired bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
Description string: The description of this client in the GUI.
Enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
EncryptAssertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
EncryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
ExtraConfig Dictionary<string, object>
ForceNameIdFormat bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
ForcePostBinding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
FrontChannelLogout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
FullScopeAllowed bool: Allow to include all roles mappings in the access token
IdpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
IdpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
IncludeAuthnStatement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
LoginTheme string: The login theme of this client.
LogoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
LogoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
MasterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
Name string: The display name of this client in the GUI.
NameIdFormat string: Sets the Name ID format for the subject.
RootUrl string: When specified, this value is prepended to all relative URLs.
SignAssertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
SignDocuments bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
SignatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
SignatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
SigningCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
SigningPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
ValidRedirectUris List<string>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

ClientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
RealmId string: The realm this client is attached to.
AssertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
AssertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
BaseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
CanonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
ClientSignatureRequired bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
Description string: The description of this client in the GUI.
Enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
EncryptAssertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
EncryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
ExtraConfig map[string]interface{}
ForceNameIdFormat bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
ForcePostBinding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
FrontChannelLogout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
FullScopeAllowed bool: Allow to include all roles mappings in the access token
IdpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
IdpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
IncludeAuthnStatement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
LoginTheme string: The login theme of this client.
LogoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
LogoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
MasterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
Name string: The display name of this client in the GUI.
NameIdFormat string: Sets the Name ID format for the subject.
RootUrl string: When specified, this value is prepended to all relative URLs.
SignAssertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
SignDocuments bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
SignatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
SignatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
SigningCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
SigningPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
ValidRedirectUris []string: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

clientId String: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
realmId String: The realm this client is attached to.
assertionConsumerPostUrl String: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl String: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
baseUrl String: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod String: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientSignatureRequired Boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
description String: The description of this client in the GUI.
enabled Boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions Boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate String: If assertions for the client are encrypted, this certificate will be used for encryption.
extraConfig Map<String,Object>
forceNameIdFormat Boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding Boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout Boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed Boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState String: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName String: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement Boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme String: The login theme of this client.
logoutServicePostBindingUrl String: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl String: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl String: When specified, this URL will be used for all SAML requests.
name String: The display name of this client in the GUI.
nameIdFormat String: Sets the Name ID format for the subject.
rootUrl String: When specified, this value is prepended to all relative URLs.
signAssertions Boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments Boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm String: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName String: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate String: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingPrivateKey String: If documents or assertions from the client are signed, this private key will be used to verify the signature.
validRedirectUris List<String>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

clientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
realmId string: The realm this client is attached to.
assertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
baseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientSignatureRequired boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
description string: The description of this client in the GUI.
enabled boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
extraConfig {[key: string]: any}
forceNameIdFormat boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme string: The login theme of this client.
logoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
name string: The display name of this client in the GUI.
nameIdFormat string: Sets the Name ID format for the subject.
rootUrl string: When specified, this value is prepended to all relative URLs.
signAssertions boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
validRedirectUris string[]: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

client_id str: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
realm_id str: The realm this client is attached to.
assertion_consumer_post_url str: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertion_consumer_redirect_url str: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
base_url str: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalization_method str: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
client_signature_required bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
description str: The description of this client in the GUI.
enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encrypt_assertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryption_certificate str: If assertions for the client are encrypted, this certificate will be used for encryption.
extra_config Mapping[str, Any]
force_name_id_format bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
force_post_binding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
front_channel_logout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
full_scope_allowed bool: Allow to include all roles mappings in the access token
idp_initiated_sso_relay_state str: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idp_initiated_sso_url_name str: URL fragment name to reference client when you want to do IDP Initiated SSO.
include_authn_statement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
login_theme str: The login theme of this client.
logout_service_post_binding_url str: SAML POST Binding URL for the client's single logout service.
logout_service_redirect_binding_url str: SAML Redirect Binding URL for the client's single logout service.
master_saml_processing_url str: When specified, this URL will be used for all SAML requests.
name str: The display name of this client in the GUI.
name_id_format str: Sets the Name ID format for the subject.
root_url str: When specified, this value is prepended to all relative URLs.
sign_assertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
sign_documents bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signature_algorithm str: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signature_key_name str: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signing_certificate str: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signing_private_key str: If documents or assertions from the client are signed, this private key will be used to verify the signature.
valid_redirect_uris Sequence[str]: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

clientId String: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
realmId String: The realm this client is attached to.
assertionConsumerPostUrl String: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl String: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides Property Map: Override realm authentication flow bindings
baseUrl String: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod String: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientSignatureRequired Boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
description String: The description of this client in the GUI.
enabled Boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions Boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate String: If assertions for the client are encrypted, this certificate will be used for encryption.
extraConfig Map<Any>
forceNameIdFormat Boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding Boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout Boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed Boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState String: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName String: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement Boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme String: The login theme of this client.
logoutServicePostBindingUrl String: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl String: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl String: When specified, this URL will be used for all SAML requests.
name String: The display name of this client in the GUI.
nameIdFormat String: Sets the Name ID format for the subject.
rootUrl String: When specified, this value is prepended to all relative URLs.
signAssertions Boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments Boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm String: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName String: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate String: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingPrivateKey String: If documents or assertions from the client are signed, this private key will be used to verify the signature.
validRedirectUris List<String>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

Outputs

All input properties are implicitly available as output properties. Additionally, the Client resource produces the following output properties:

EncryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
Id string: The provider-assigned unique ID for this managed resource.
SigningCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
SigningPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

EncryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
Id string: The provider-assigned unique ID for this managed resource.
SigningCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
SigningPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryptionCertificateSha1 String: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
id String: The provider-assigned unique ID for this managed resource.
signingCertificateSha1 String: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKeySha1 String: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
id string: The provider-assigned unique ID for this managed resource.
signingCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryption_certificate_sha1 str: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
id str: The provider-assigned unique ID for this managed resource.
signing_certificate_sha1 str: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signing_private_key_sha1 str: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryptionCertificateSha1 String: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
id String: The provider-assigned unique ID for this managed resource.
signingCertificateSha1 String: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKeySha1 String: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

Look up Existing Client Resource

Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ClientState, opts?: CustomResourceOptions): Client

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        assertion_consumer_post_url: Optional[str] = None,
        assertion_consumer_redirect_url: Optional[str] = None,
        authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
        base_url: Optional[str] = None,
        canonicalization_method: Optional[str] = None,
        client_id: Optional[str] = None,
        client_signature_required: Optional[bool] = None,
        description: Optional[str] = None,
        enabled: Optional[bool] = None,
        encrypt_assertions: Optional[bool] = None,
        encryption_certificate: Optional[str] = None,
        encryption_certificate_sha1: Optional[str] = None,
        extra_config: Optional[Mapping[str, Any]] = None,
        force_name_id_format: Optional[bool] = None,
        force_post_binding: Optional[bool] = None,
        front_channel_logout: Optional[bool] = None,
        full_scope_allowed: Optional[bool] = None,
        idp_initiated_sso_relay_state: Optional[str] = None,
        idp_initiated_sso_url_name: Optional[str] = None,
        include_authn_statement: Optional[bool] = None,
        login_theme: Optional[str] = None,
        logout_service_post_binding_url: Optional[str] = None,
        logout_service_redirect_binding_url: Optional[str] = None,
        master_saml_processing_url: Optional[str] = None,
        name: Optional[str] = None,
        name_id_format: Optional[str] = None,
        realm_id: Optional[str] = None,
        root_url: Optional[str] = None,
        sign_assertions: Optional[bool] = None,
        sign_documents: Optional[bool] = None,
        signature_algorithm: Optional[str] = None,
        signature_key_name: Optional[str] = None,
        signing_certificate: Optional[str] = None,
        signing_certificate_sha1: Optional[str] = None,
        signing_private_key: Optional[str] = None,
        signing_private_key_sha1: Optional[str] = None,
        valid_redirect_uris: Optional[Sequence[str]] = None) -> Client

func GetClient(ctx *Context, name string, id IDInput, state *ClientState, opts ...ResourceOption) (*Client, error)

public static Client Get(string name, Input<string> id, ClientState? state, CustomResourceOptions? opts = null)

public static Client get(String name, Output<String> id, ClientState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AssertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
AssertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
BaseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
CanonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
ClientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
ClientSignatureRequired bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
Description string: The description of this client in the GUI.
Enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
EncryptAssertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
EncryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
EncryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
ExtraConfig Dictionary<string, object>
ForceNameIdFormat bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
ForcePostBinding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
FrontChannelLogout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
FullScopeAllowed bool: Allow to include all roles mappings in the access token
IdpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
IdpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
IncludeAuthnStatement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
LoginTheme string: The login theme of this client.
LogoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
LogoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
MasterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
Name string: The display name of this client in the GUI.
NameIdFormat string: Sets the Name ID format for the subject.
RealmId string: The realm this client is attached to.
RootUrl string: When specified, this value is prepended to all relative URLs.
SignAssertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
SignDocuments bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
SignatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
SignatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
SigningCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
SigningCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
SigningPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
SigningPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
ValidRedirectUris List<string>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

AssertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
AssertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
BaseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
CanonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
ClientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
ClientSignatureRequired bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
Description string: The description of this client in the GUI.
Enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
EncryptAssertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
EncryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
EncryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
ExtraConfig map[string]interface{}
ForceNameIdFormat bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
ForcePostBinding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
FrontChannelLogout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
FullScopeAllowed bool: Allow to include all roles mappings in the access token
IdpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
IdpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
IncludeAuthnStatement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
LoginTheme string: The login theme of this client.
LogoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
LogoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
MasterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
Name string: The display name of this client in the GUI.
NameIdFormat string: Sets the Name ID format for the subject.
RealmId string: The realm this client is attached to.
RootUrl string: When specified, this value is prepended to all relative URLs.
SignAssertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
SignDocuments bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
SignatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
SignatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
SigningCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
SigningCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
SigningPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
SigningPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
ValidRedirectUris []string: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

assertionConsumerPostUrl String: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl String: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
baseUrl String: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod String: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientId String: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
clientSignatureRequired Boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
description String: The description of this client in the GUI.
enabled Boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions Boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate String: If assertions for the client are encrypted, this certificate will be used for encryption.
encryptionCertificateSha1 String: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
extraConfig Map<String,Object>
forceNameIdFormat Boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding Boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout Boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed Boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState String: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName String: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement Boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme String: The login theme of this client.
logoutServicePostBindingUrl String: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl String: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl String: When specified, this URL will be used for all SAML requests.
name String: The display name of this client in the GUI.
nameIdFormat String: Sets the Name ID format for the subject.
realmId String: The realm this client is attached to.
rootUrl String: When specified, this value is prepended to all relative URLs.
signAssertions Boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments Boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm String: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName String: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate String: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingCertificateSha1 String: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKey String: If documents or assertions from the client are signed, this private key will be used to verify the signature.
signingPrivateKeySha1 String: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
validRedirectUris List<String>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

assertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
baseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
clientSignatureRequired boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
description string: The description of this client in the GUI.
enabled boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
encryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
extraConfig {[key: string]: any}
forceNameIdFormat boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme string: The login theme of this client.
logoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
name string: The display name of this client in the GUI.
nameIdFormat string: Sets the Name ID format for the subject.
realmId string: The realm this client is attached to.
rootUrl string: When specified, this value is prepended to all relative URLs.
signAssertions boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
signingPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
validRedirectUris string[]: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

assertion_consumer_post_url str: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertion_consumer_redirect_url str: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
base_url str: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalization_method str: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
client_id str: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
client_signature_required bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
description str: The description of this client in the GUI.
enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encrypt_assertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryption_certificate str: If assertions for the client are encrypted, this certificate will be used for encryption.
encryption_certificate_sha1 str: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
extra_config Mapping[str, Any]
force_name_id_format bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
force_post_binding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
front_channel_logout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
full_scope_allowed bool: Allow to include all roles mappings in the access token
idp_initiated_sso_relay_state str: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idp_initiated_sso_url_name str: URL fragment name to reference client when you want to do IDP Initiated SSO.
include_authn_statement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
login_theme str: The login theme of this client.
logout_service_post_binding_url str: SAML POST Binding URL for the client's single logout service.
logout_service_redirect_binding_url str: SAML Redirect Binding URL for the client's single logout service.
master_saml_processing_url str: When specified, this URL will be used for all SAML requests.
name str: The display name of this client in the GUI.
name_id_format str: Sets the Name ID format for the subject.
realm_id str: The realm this client is attached to.
root_url str: When specified, this value is prepended to all relative URLs.
sign_assertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
sign_documents bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signature_algorithm str: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signature_key_name str: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signing_certificate str: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signing_certificate_sha1 str: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signing_private_key str: If documents or assertions from the client are signed, this private key will be used to verify the signature.
signing_private_key_sha1 str: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
valid_redirect_uris Sequence[str]: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

assertionConsumerPostUrl String: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl String: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides Property Map: Override realm authentication flow bindings
baseUrl String: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod String: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientId String: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
clientSignatureRequired Boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
description String: The description of this client in the GUI.
enabled Boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions Boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate String: If assertions for the client are encrypted, this certificate will be used for encryption.
encryptionCertificateSha1 String: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
extraConfig Map<Any>
forceNameIdFormat Boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding Boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout Boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed Boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState String: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName String: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement Boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme String: The login theme of this client.
logoutServicePostBindingUrl String: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl String: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl String: When specified, this URL will be used for all SAML requests.
name String: The display name of this client in the GUI.
nameIdFormat String: Sets the Name ID format for the subject.
realmId String: The realm this client is attached to.
rootUrl String: When specified, this value is prepended to all relative URLs.
signAssertions Boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments Boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm String: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName String: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate String: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingCertificateSha1 String: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKey String: If documents or assertions from the client are signed, this private key will be used to verify the signature.
signingPrivateKeySha1 String: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
validRedirectUris List<String>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

Supporting Types

ClientAuthenticationFlowBindingOverrides

BrowserId string: Browser flow id, (flow needs to exist)
DirectGrantId string: Direct grant flow id (flow needs to exist)

BrowserId string: Browser flow id, (flow needs to exist)
DirectGrantId string: Direct grant flow id (flow needs to exist)

browserId String: Browser flow id, (flow needs to exist)
directGrantId String: Direct grant flow id (flow needs to exist)

browserId string: Browser flow id, (flow needs to exist)
directGrantId string: Direct grant flow id (flow needs to exist)

browser_id str: Browser flow id, (flow needs to exist)
direct_grant_id str: Direct grant flow id (flow needs to exist)

browserId String: Browser flow id, (flow needs to exist)
directGrantId String: Direct grant flow id (flow needs to exist)

Import

Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Examplebash

 $ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352

Package Details

Repository: Keycloak pulumi/pulumi-keycloak
License: Apache-2.0
Notes: This Pulumi package is based on the keycloak Terraform Provider.