Keycloak v6.4.0, Apr 16 25

Keycloak v6.4.0 published on Wednesday, Apr 16, 2025 by Pulumi

keycloak.saml.Client

Explore with Pulumi AI

Keycloak v6.4.0 published on Wednesday, Apr 16, 2025 by Pulumi

Create Client Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Client(name: string, args: ClientArgs, opts?: CustomResourceOptions);

@overload
def Client(resource_name: str,
           args: ClientArgs,
           opts: Optional[ResourceOptions] = None)

@overload
def Client(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           client_id: Optional[str] = None,
           realm_id: Optional[str] = None,
           description: Optional[str] = None,
           idp_initiated_sso_url_name: Optional[str] = None,
           base_url: Optional[str] = None,
           canonicalization_method: Optional[str] = None,
           assertion_consumer_redirect_url: Optional[str] = None,
           client_signature_required: Optional[bool] = None,
           consent_required: Optional[bool] = None,
           always_display_in_console: Optional[bool] = None,
           enabled: Optional[bool] = None,
           encrypt_assertions: Optional[bool] = None,
           include_authn_statement: Optional[bool] = None,
           extra_config: Optional[Mapping[str, str]] = None,
           force_name_id_format: Optional[bool] = None,
           force_post_binding: Optional[bool] = None,
           front_channel_logout: Optional[bool] = None,
           full_scope_allowed: Optional[bool] = None,
           authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
           idp_initiated_sso_relay_state: Optional[str] = None,
           encryption_certificate: Optional[str] = None,
           login_theme: Optional[str] = None,
           logout_service_post_binding_url: Optional[str] = None,
           logout_service_redirect_binding_url: Optional[str] = None,
           master_saml_processing_url: Optional[str] = None,
           name: Optional[str] = None,
           name_id_format: Optional[str] = None,
           assertion_consumer_post_url: Optional[str] = None,
           root_url: Optional[str] = None,
           sign_assertions: Optional[bool] = None,
           sign_documents: Optional[bool] = None,
           signature_algorithm: Optional[str] = None,
           signature_key_name: Optional[str] = None,
           signing_certificate: Optional[str] = None,
           signing_private_key: Optional[str] = None,
           valid_redirect_uris: Optional[Sequence[str]] = None)

func NewClient(ctx *Context, name string, args ClientArgs, opts ...ResourceOption) (*Client, error)

public Client(string name, ClientArgs args, CustomResourceOptions? opts = null)

public Client(String name, ClientArgs args)
public Client(String name, ClientArgs args, CustomResourceOptions options)

type: keycloak:saml:Client
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ClientArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ClientArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ClientArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ClientArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ClientArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var keycloakClientResource = new Keycloak.Saml.Client("keycloakClientResource", new()
{
    ClientId = "string",
    RealmId = "string",
    Description = "string",
    IdpInitiatedSsoUrlName = "string",
    BaseUrl = "string",
    CanonicalizationMethod = "string",
    AssertionConsumerRedirectUrl = "string",
    ClientSignatureRequired = false,
    ConsentRequired = false,
    AlwaysDisplayInConsole = false,
    Enabled = false,
    EncryptAssertions = false,
    IncludeAuthnStatement = false,
    ExtraConfig = 
    {
        { "string", "string" },
    },
    ForceNameIdFormat = false,
    ForcePostBinding = false,
    FrontChannelLogout = false,
    FullScopeAllowed = false,
    AuthenticationFlowBindingOverrides = new Keycloak.Saml.Inputs.ClientAuthenticationFlowBindingOverridesArgs
    {
        BrowserId = "string",
        DirectGrantId = "string",
    },
    IdpInitiatedSsoRelayState = "string",
    EncryptionCertificate = "string",
    LoginTheme = "string",
    LogoutServicePostBindingUrl = "string",
    LogoutServiceRedirectBindingUrl = "string",
    MasterSamlProcessingUrl = "string",
    Name = "string",
    NameIdFormat = "string",
    AssertionConsumerPostUrl = "string",
    RootUrl = "string",
    SignAssertions = false,
    SignDocuments = false,
    SignatureAlgorithm = "string",
    SignatureKeyName = "string",
    SigningCertificate = "string",
    SigningPrivateKey = "string",
    ValidRedirectUris = new[]
    {
        "string",
    },
});

example, err := saml.NewClient(ctx, "keycloakClientResource", &saml.ClientArgs{
	ClientId:                     pulumi.String("string"),
	RealmId:                      pulumi.String("string"),
	Description:                  pulumi.String("string"),
	IdpInitiatedSsoUrlName:       pulumi.String("string"),
	BaseUrl:                      pulumi.String("string"),
	CanonicalizationMethod:       pulumi.String("string"),
	AssertionConsumerRedirectUrl: pulumi.String("string"),
	ClientSignatureRequired:      pulumi.Bool(false),
	ConsentRequired:              pulumi.Bool(false),
	AlwaysDisplayInConsole:       pulumi.Bool(false),
	Enabled:                      pulumi.Bool(false),
	EncryptAssertions:            pulumi.Bool(false),
	IncludeAuthnStatement:        pulumi.Bool(false),
	ExtraConfig: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	ForceNameIdFormat:  pulumi.Bool(false),
	ForcePostBinding:   pulumi.Bool(false),
	FrontChannelLogout: pulumi.Bool(false),
	FullScopeAllowed:   pulumi.Bool(false),
	AuthenticationFlowBindingOverrides: &saml.ClientAuthenticationFlowBindingOverridesArgs{
		BrowserId:     pulumi.String("string"),
		DirectGrantId: pulumi.String("string"),
	},
	IdpInitiatedSsoRelayState:       pulumi.String("string"),
	EncryptionCertificate:           pulumi.String("string"),
	LoginTheme:                      pulumi.String("string"),
	LogoutServicePostBindingUrl:     pulumi.String("string"),
	LogoutServiceRedirectBindingUrl: pulumi.String("string"),
	MasterSamlProcessingUrl:         pulumi.String("string"),
	Name:                            pulumi.String("string"),
	NameIdFormat:                    pulumi.String("string"),
	AssertionConsumerPostUrl:        pulumi.String("string"),
	RootUrl:                         pulumi.String("string"),
	SignAssertions:                  pulumi.Bool(false),
	SignDocuments:                   pulumi.Bool(false),
	SignatureAlgorithm:              pulumi.String("string"),
	SignatureKeyName:                pulumi.String("string"),
	SigningCertificate:              pulumi.String("string"),
	SigningPrivateKey:               pulumi.String("string"),
	ValidRedirectUris: pulumi.StringArray{
		pulumi.String("string"),
	},
})

var keycloakClientResource = new com.pulumi.keycloak.saml.Client("keycloakClientResource", com.pulumi.keycloak.saml.ClientArgs.builder()
    .clientId("string")
    .realmId("string")
    .description("string")
    .idpInitiatedSsoUrlName("string")
    .baseUrl("string")
    .canonicalizationMethod("string")
    .assertionConsumerRedirectUrl("string")
    .clientSignatureRequired(false)
    .consentRequired(false)
    .alwaysDisplayInConsole(false)
    .enabled(false)
    .encryptAssertions(false)
    .includeAuthnStatement(false)
    .extraConfig(Map.of("string", "string"))
    .forceNameIdFormat(false)
    .forcePostBinding(false)
    .frontChannelLogout(false)
    .fullScopeAllowed(false)
    .authenticationFlowBindingOverrides(ClientAuthenticationFlowBindingOverridesArgs.builder()
        .browserId("string")
        .directGrantId("string")
        .build())
    .idpInitiatedSsoRelayState("string")
    .encryptionCertificate("string")
    .loginTheme("string")
    .logoutServicePostBindingUrl("string")
    .logoutServiceRedirectBindingUrl("string")
    .masterSamlProcessingUrl("string")
    .name("string")
    .nameIdFormat("string")
    .assertionConsumerPostUrl("string")
    .rootUrl("string")
    .signAssertions(false)
    .signDocuments(false)
    .signatureAlgorithm("string")
    .signatureKeyName("string")
    .signingCertificate("string")
    .signingPrivateKey("string")
    .validRedirectUris("string")
    .build());

keycloak_client_resource = keycloak.saml.Client("keycloakClientResource",
    client_id="string",
    realm_id="string",
    description="string",
    idp_initiated_sso_url_name="string",
    base_url="string",
    canonicalization_method="string",
    assertion_consumer_redirect_url="string",
    client_signature_required=False,
    consent_required=False,
    always_display_in_console=False,
    enabled=False,
    encrypt_assertions=False,
    include_authn_statement=False,
    extra_config={
        "string": "string",
    },
    force_name_id_format=False,
    force_post_binding=False,
    front_channel_logout=False,
    full_scope_allowed=False,
    authentication_flow_binding_overrides={
        "browser_id": "string",
        "direct_grant_id": "string",
    },
    idp_initiated_sso_relay_state="string",
    encryption_certificate="string",
    login_theme="string",
    logout_service_post_binding_url="string",
    logout_service_redirect_binding_url="string",
    master_saml_processing_url="string",
    name="string",
    name_id_format="string",
    assertion_consumer_post_url="string",
    root_url="string",
    sign_assertions=False,
    sign_documents=False,
    signature_algorithm="string",
    signature_key_name="string",
    signing_certificate="string",
    signing_private_key="string",
    valid_redirect_uris=["string"])

const keycloakClientResource = new keycloak.saml.Client("keycloakClientResource", {
    clientId: "string",
    realmId: "string",
    description: "string",
    idpInitiatedSsoUrlName: "string",
    baseUrl: "string",
    canonicalizationMethod: "string",
    assertionConsumerRedirectUrl: "string",
    clientSignatureRequired: false,
    consentRequired: false,
    alwaysDisplayInConsole: false,
    enabled: false,
    encryptAssertions: false,
    includeAuthnStatement: false,
    extraConfig: {
        string: "string",
    },
    forceNameIdFormat: false,
    forcePostBinding: false,
    frontChannelLogout: false,
    fullScopeAllowed: false,
    authenticationFlowBindingOverrides: {
        browserId: "string",
        directGrantId: "string",
    },
    idpInitiatedSsoRelayState: "string",
    encryptionCertificate: "string",
    loginTheme: "string",
    logoutServicePostBindingUrl: "string",
    logoutServiceRedirectBindingUrl: "string",
    masterSamlProcessingUrl: "string",
    name: "string",
    nameIdFormat: "string",
    assertionConsumerPostUrl: "string",
    rootUrl: "string",
    signAssertions: false,
    signDocuments: false,
    signatureAlgorithm: "string",
    signatureKeyName: "string",
    signingCertificate: "string",
    signingPrivateKey: "string",
    validRedirectUris: ["string"],
});

type: keycloak:saml:Client
properties:
    alwaysDisplayInConsole: false
    assertionConsumerPostUrl: string
    assertionConsumerRedirectUrl: string
    authenticationFlowBindingOverrides:
        browserId: string
        directGrantId: string
    baseUrl: string
    canonicalizationMethod: string
    clientId: string
    clientSignatureRequired: false
    consentRequired: false
    description: string
    enabled: false
    encryptAssertions: false
    encryptionCertificate: string
    extraConfig:
        string: string
    forceNameIdFormat: false
    forcePostBinding: false
    frontChannelLogout: false
    fullScopeAllowed: false
    idpInitiatedSsoRelayState: string
    idpInitiatedSsoUrlName: string
    includeAuthnStatement: false
    loginTheme: string
    logoutServicePostBindingUrl: string
    logoutServiceRedirectBindingUrl: string
    masterSamlProcessingUrl: string
    name: string
    nameIdFormat: string
    realmId: string
    rootUrl: string
    signAssertions: false
    signDocuments: false
    signatureAlgorithm: string
    signatureKeyName: string
    signingCertificate: string
    signingPrivateKey: string
    validRedirectUris:
        - string

Client Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Client resource accepts the following input properties:

ClientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
RealmId string: The realm this client is attached to.
AlwaysDisplayInConsole bool: Always list this client in the Account UI, even if the user does not have an active session.
AssertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
AssertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides: Override realm authentication flow bindings
BaseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
CanonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
ClientSignatureRequired bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
ConsentRequired bool: When true, users have to consent to client access. Defaults to false.
Description string: The description of this client in the GUI.
Enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
EncryptAssertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
EncryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
ExtraConfig Dictionary<string, string>
ForceNameIdFormat bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
ForcePostBinding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
FrontChannelLogout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
FullScopeAllowed bool: Allow to include all roles mappings in the access token
IdpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
IdpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
IncludeAuthnStatement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
LoginTheme string: The login theme of this client.
LogoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
LogoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
MasterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
Name string: The display name of this client in the GUI.
NameIdFormat string: Sets the Name ID format for the subject.
RootUrl string: When specified, this value is prepended to all relative URLs.
SignAssertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
SignDocuments bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
SignatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
SignatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
SigningCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
SigningPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
ValidRedirectUris List<string>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

ClientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
RealmId string: The realm this client is attached to.
AlwaysDisplayInConsole bool: Always list this client in the Account UI, even if the user does not have an active session.
AssertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
AssertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
BaseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
CanonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
ClientSignatureRequired bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
ConsentRequired bool: When true, users have to consent to client access. Defaults to false.
Description string: The description of this client in the GUI.
Enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
EncryptAssertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
EncryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
ExtraConfig map[string]string
ForceNameIdFormat bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
ForcePostBinding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
FrontChannelLogout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
FullScopeAllowed bool: Allow to include all roles mappings in the access token
IdpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
IdpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
IncludeAuthnStatement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
LoginTheme string: The login theme of this client.
LogoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
LogoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
MasterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
Name string: The display name of this client in the GUI.
NameIdFormat string: Sets the Name ID format for the subject.
RootUrl string: When specified, this value is prepended to all relative URLs.
SignAssertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
SignDocuments bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
SignatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
SignatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
SigningCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
SigningPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
ValidRedirectUris []string: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

clientId String: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
realmId String: The realm this client is attached to.
alwaysDisplayInConsole Boolean: Always list this client in the Account UI, even if the user does not have an active session.
assertionConsumerPostUrl String: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl String: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides: Override realm authentication flow bindings
baseUrl String: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod String: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientSignatureRequired Boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
consentRequired Boolean: When true, users have to consent to client access. Defaults to false.
description String: The description of this client in the GUI.
enabled Boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions Boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate String: If assertions for the client are encrypted, this certificate will be used for encryption.
extraConfig Map<String,String>
forceNameIdFormat Boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding Boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout Boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed Boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState String: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName String: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement Boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme String: The login theme of this client.
logoutServicePostBindingUrl String: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl String: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl String: When specified, this URL will be used for all SAML requests.
name String: The display name of this client in the GUI.
nameIdFormat String: Sets the Name ID format for the subject.
rootUrl String: When specified, this value is prepended to all relative URLs.
signAssertions Boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments Boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm String: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName String: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate String: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingPrivateKey String: If documents or assertions from the client are signed, this private key will be used to verify the signature.
validRedirectUris List<String>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

clientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
realmId string: The realm this client is attached to.
alwaysDisplayInConsole boolean: Always list this client in the Account UI, even if the user does not have an active session.
assertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides: Override realm authentication flow bindings
baseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientSignatureRequired boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
consentRequired boolean: When true, users have to consent to client access. Defaults to false.
description string: The description of this client in the GUI.
enabled boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
extraConfig {[key: string]: string}
forceNameIdFormat boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme string: The login theme of this client.
logoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
name string: The display name of this client in the GUI.
nameIdFormat string: Sets the Name ID format for the subject.
rootUrl string: When specified, this value is prepended to all relative URLs.
signAssertions boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
validRedirectUris string[]: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

client_id str: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
realm_id str: The realm this client is attached to.
always_display_in_console bool: Always list this client in the Account UI, even if the user does not have an active session.
assertion_consumer_post_url str: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertion_consumer_redirect_url str: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
base_url str: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalization_method str: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
client_signature_required bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
consent_required bool: When true, users have to consent to client access. Defaults to false.
description str: The description of this client in the GUI.
enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encrypt_assertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryption_certificate str: If assertions for the client are encrypted, this certificate will be used for encryption.
extra_config Mapping[str, str]
force_name_id_format bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
force_post_binding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
front_channel_logout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
full_scope_allowed bool: Allow to include all roles mappings in the access token
idp_initiated_sso_relay_state str: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idp_initiated_sso_url_name str: URL fragment name to reference client when you want to do IDP Initiated SSO.
include_authn_statement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
login_theme str: The login theme of this client.
logout_service_post_binding_url str: SAML POST Binding URL for the client's single logout service.
logout_service_redirect_binding_url str: SAML Redirect Binding URL for the client's single logout service.
master_saml_processing_url str: When specified, this URL will be used for all SAML requests.
name str: The display name of this client in the GUI.
name_id_format str: Sets the Name ID format for the subject.
root_url str: When specified, this value is prepended to all relative URLs.
sign_assertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
sign_documents bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signature_algorithm str: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signature_key_name str: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signing_certificate str: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signing_private_key str: If documents or assertions from the client are signed, this private key will be used to verify the signature.
valid_redirect_uris Sequence[str]: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

clientId String: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
realmId String: The realm this client is attached to.
alwaysDisplayInConsole Boolean: Always list this client in the Account UI, even if the user does not have an active session.
assertionConsumerPostUrl String: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl String: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides Property Map: Override realm authentication flow bindings
baseUrl String: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod String: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientSignatureRequired Boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
consentRequired Boolean: When true, users have to consent to client access. Defaults to false.
description String: The description of this client in the GUI.
enabled Boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions Boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate String: If assertions for the client are encrypted, this certificate will be used for encryption.
extraConfig Map<String>
forceNameIdFormat Boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding Boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout Boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed Boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState String: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName String: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement Boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme String: The login theme of this client.
logoutServicePostBindingUrl String: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl String: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl String: When specified, this URL will be used for all SAML requests.
name String: The display name of this client in the GUI.
nameIdFormat String: Sets the Name ID format for the subject.
rootUrl String: When specified, this value is prepended to all relative URLs.
signAssertions Boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments Boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm String: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName String: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate String: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingPrivateKey String: If documents or assertions from the client are signed, this private key will be used to verify the signature.
validRedirectUris List<String>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

Outputs

All input properties are implicitly available as output properties. Additionally, the Client resource produces the following output properties:

EncryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
Id string: The provider-assigned unique ID for this managed resource.
SigningCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
SigningPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

EncryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
Id string: The provider-assigned unique ID for this managed resource.
SigningCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
SigningPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryptionCertificateSha1 String: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
id String: The provider-assigned unique ID for this managed resource.
signingCertificateSha1 String: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKeySha1 String: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
id string: The provider-assigned unique ID for this managed resource.
signingCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryption_certificate_sha1 str: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
id str: The provider-assigned unique ID for this managed resource.
signing_certificate_sha1 str: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signing_private_key_sha1 str: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

encryptionCertificateSha1 String: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
id String: The provider-assigned unique ID for this managed resource.
signingCertificateSha1 String: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKeySha1 String: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

Look up Existing Client Resource

Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ClientState, opts?: CustomResourceOptions): Client

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        always_display_in_console: Optional[bool] = None,
        assertion_consumer_post_url: Optional[str] = None,
        assertion_consumer_redirect_url: Optional[str] = None,
        authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
        base_url: Optional[str] = None,
        canonicalization_method: Optional[str] = None,
        client_id: Optional[str] = None,
        client_signature_required: Optional[bool] = None,
        consent_required: Optional[bool] = None,
        description: Optional[str] = None,
        enabled: Optional[bool] = None,
        encrypt_assertions: Optional[bool] = None,
        encryption_certificate: Optional[str] = None,
        encryption_certificate_sha1: Optional[str] = None,
        extra_config: Optional[Mapping[str, str]] = None,
        force_name_id_format: Optional[bool] = None,
        force_post_binding: Optional[bool] = None,
        front_channel_logout: Optional[bool] = None,
        full_scope_allowed: Optional[bool] = None,
        idp_initiated_sso_relay_state: Optional[str] = None,
        idp_initiated_sso_url_name: Optional[str] = None,
        include_authn_statement: Optional[bool] = None,
        login_theme: Optional[str] = None,
        logout_service_post_binding_url: Optional[str] = None,
        logout_service_redirect_binding_url: Optional[str] = None,
        master_saml_processing_url: Optional[str] = None,
        name: Optional[str] = None,
        name_id_format: Optional[str] = None,
        realm_id: Optional[str] = None,
        root_url: Optional[str] = None,
        sign_assertions: Optional[bool] = None,
        sign_documents: Optional[bool] = None,
        signature_algorithm: Optional[str] = None,
        signature_key_name: Optional[str] = None,
        signing_certificate: Optional[str] = None,
        signing_certificate_sha1: Optional[str] = None,
        signing_private_key: Optional[str] = None,
        signing_private_key_sha1: Optional[str] = None,
        valid_redirect_uris: Optional[Sequence[str]] = None) -> Client

func GetClient(ctx *Context, name string, id IDInput, state *ClientState, opts ...ResourceOption) (*Client, error)

public static Client Get(string name, Input<string> id, ClientState? state, CustomResourceOptions? opts = null)

public static Client get(String name, Output<String> id, ClientState state, CustomResourceOptions options)

resources:  _:    type: keycloak:saml:Client    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AlwaysDisplayInConsole bool: Always list this client in the Account UI, even if the user does not have an active session.
AssertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
AssertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides: Override realm authentication flow bindings
BaseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
CanonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
ClientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
ClientSignatureRequired bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
ConsentRequired bool: When true, users have to consent to client access. Defaults to false.
Description string: The description of this client in the GUI.
Enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
EncryptAssertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
EncryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
EncryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
ExtraConfig Dictionary<string, string>
ForceNameIdFormat bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
ForcePostBinding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
FrontChannelLogout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
FullScopeAllowed bool: Allow to include all roles mappings in the access token
IdpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
IdpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
IncludeAuthnStatement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
LoginTheme string: The login theme of this client.
LogoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
LogoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
MasterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
Name string: The display name of this client in the GUI.
NameIdFormat string: Sets the Name ID format for the subject.
RealmId string: The realm this client is attached to.
RootUrl string: When specified, this value is prepended to all relative URLs.
SignAssertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
SignDocuments bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
SignatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
SignatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
SigningCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
SigningCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
SigningPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
SigningPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
ValidRedirectUris List<string>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

AlwaysDisplayInConsole bool: Always list this client in the Account UI, even if the user does not have an active session.
AssertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
AssertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
BaseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
CanonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
ClientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
ClientSignatureRequired bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
ConsentRequired bool: When true, users have to consent to client access. Defaults to false.
Description string: The description of this client in the GUI.
Enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
EncryptAssertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
EncryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
EncryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
ExtraConfig map[string]string
ForceNameIdFormat bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
ForcePostBinding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
FrontChannelLogout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
FullScopeAllowed bool: Allow to include all roles mappings in the access token
IdpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
IdpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
IncludeAuthnStatement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
LoginTheme string: The login theme of this client.
LogoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
LogoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
MasterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
Name string: The display name of this client in the GUI.
NameIdFormat string: Sets the Name ID format for the subject.
RealmId string: The realm this client is attached to.
RootUrl string: When specified, this value is prepended to all relative URLs.
SignAssertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
SignDocuments bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
SignatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
SignatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
SigningCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
SigningCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
SigningPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
SigningPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
ValidRedirectUris []string: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

alwaysDisplayInConsole Boolean: Always list this client in the Account UI, even if the user does not have an active session.
assertionConsumerPostUrl String: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl String: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides: Override realm authentication flow bindings
baseUrl String: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod String: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientId String: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
clientSignatureRequired Boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
consentRequired Boolean: When true, users have to consent to client access. Defaults to false.
description String: The description of this client in the GUI.
enabled Boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions Boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate String: If assertions for the client are encrypted, this certificate will be used for encryption.
encryptionCertificateSha1 String: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
extraConfig Map<String,String>
forceNameIdFormat Boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding Boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout Boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed Boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState String: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName String: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement Boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme String: The login theme of this client.
logoutServicePostBindingUrl String: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl String: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl String: When specified, this URL will be used for all SAML requests.
name String: The display name of this client in the GUI.
nameIdFormat String: Sets the Name ID format for the subject.
realmId String: The realm this client is attached to.
rootUrl String: When specified, this value is prepended to all relative URLs.
signAssertions Boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments Boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm String: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName String: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate String: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingCertificateSha1 String: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKey String: If documents or assertions from the client are signed, this private key will be used to verify the signature.
signingPrivateKeySha1 String: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
validRedirectUris List<String>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

alwaysDisplayInConsole boolean: Always list this client in the Account UI, even if the user does not have an active session.
assertionConsumerPostUrl string: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl string: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides: Override realm authentication flow bindings
baseUrl string: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod string: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientId string: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
clientSignatureRequired boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
consentRequired boolean: When true, users have to consent to client access. Defaults to false.
description string: The description of this client in the GUI.
enabled boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate string: If assertions for the client are encrypted, this certificate will be used for encryption.
encryptionCertificateSha1 string: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
extraConfig {[key: string]: string}
forceNameIdFormat boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState string: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName string: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme string: The login theme of this client.
logoutServicePostBindingUrl string: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl string: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl string: When specified, this URL will be used for all SAML requests.
name string: The display name of this client in the GUI.
nameIdFormat string: Sets the Name ID format for the subject.
realmId string: The realm this client is attached to.
rootUrl string: When specified, this value is prepended to all relative URLs.
signAssertions boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm string: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName string: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate string: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingCertificateSha1 string: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKey string: If documents or assertions from the client are signed, this private key will be used to verify the signature.
signingPrivateKeySha1 string: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
validRedirectUris string[]: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

always_display_in_console bool: Always list this client in the Account UI, even if the user does not have an active session.
assertion_consumer_post_url str: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertion_consumer_redirect_url str: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs: Override realm authentication flow bindings
base_url str: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalization_method str: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
client_id str: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
client_signature_required bool: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
consent_required bool: When true, users have to consent to client access. Defaults to false.
description str: The description of this client in the GUI.
enabled bool: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encrypt_assertions bool: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryption_certificate str: If assertions for the client are encrypted, this certificate will be used for encryption.
encryption_certificate_sha1 str: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
extra_config Mapping[str, str]
force_name_id_format bool: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
force_post_binding bool: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
front_channel_logout bool: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
full_scope_allowed bool: Allow to include all roles mappings in the access token
idp_initiated_sso_relay_state str: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idp_initiated_sso_url_name str: URL fragment name to reference client when you want to do IDP Initiated SSO.
include_authn_statement bool: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
login_theme str: The login theme of this client.
logout_service_post_binding_url str: SAML POST Binding URL for the client's single logout service.
logout_service_redirect_binding_url str: SAML Redirect Binding URL for the client's single logout service.
master_saml_processing_url str: When specified, this URL will be used for all SAML requests.
name str: The display name of this client in the GUI.
name_id_format str: Sets the Name ID format for the subject.
realm_id str: The realm this client is attached to.
root_url str: When specified, this value is prepended to all relative URLs.
sign_assertions bool: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
sign_documents bool: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signature_algorithm str: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signature_key_name str: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signing_certificate str: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signing_certificate_sha1 str: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signing_private_key str: If documents or assertions from the client are signed, this private key will be used to verify the signature.
signing_private_key_sha1 str: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
valid_redirect_uris Sequence[str]: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

alwaysDisplayInConsole Boolean: Always list this client in the Account UI, even if the user does not have an active session.
assertionConsumerPostUrl String: SAML POST Binding URL for the client's assertion consumer service (login responses).
assertionConsumerRedirectUrl String: SAML Redirect Binding URL for the client's assertion consumer service (login responses).
authenticationFlowBindingOverrides Property Map: Override realm authentication flow bindings
baseUrl String: When specified, this URL will be used whenever Keycloak needs to link to this client.
canonicalizationMethod String: The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".
clientId String: The unique ID of this client, referenced in the URI during authentication and in issued tokens.
clientSignatureRequired Boolean: When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.
consentRequired Boolean: When true, users have to consent to client access. Defaults to false.
description String: The description of this client in the GUI.
enabled Boolean: When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
encryptAssertions Boolean: When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.
encryptionCertificate String: If assertions for the client are encrypted, this certificate will be used for encryption.
encryptionCertificateSha1 String: (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.
extraConfig Map<String>
forceNameIdFormat Boolean: Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.
forcePostBinding Boolean: When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.
frontChannelLogout Boolean: When true, this client will require a browser redirect in order to perform a logout. Defaults to true.
fullScopeAllowed Boolean: Allow to include all roles mappings in the access token
idpInitiatedSsoRelayState String: Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
idpInitiatedSsoUrlName String: URL fragment name to reference client when you want to do IDP Initiated SSO.
includeAuthnStatement Boolean: When true, an AuthnStatement will be included in the SAML response. Defaults to true.
loginTheme String: The login theme of this client.
logoutServicePostBindingUrl String: SAML POST Binding URL for the client's single logout service.
logoutServiceRedirectBindingUrl String: SAML Redirect Binding URL for the client's single logout service.
masterSamlProcessingUrl String: When specified, this URL will be used for all SAML requests.
name String: The display name of this client in the GUI.
nameIdFormat String: Sets the Name ID format for the subject.
realmId String: The realm this client is attached to.
rootUrl String: When specified, this value is prepended to all relative URLs.
signAssertions Boolean: When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.
signDocuments Boolean: When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.
signatureAlgorithm String: The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1, "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".
signatureKeyName String: The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".
signingCertificate String: If documents or assertions from the client are signed, this certificate will be used to verify the signature.
signingCertificateSha1 String: (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.
signingPrivateKey String: If documents or assertions from the client are signed, this private key will be used to verify the signature.
signingPrivateKeySha1 String: (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.
validRedirectUris List<String>: When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

Supporting Types

ClientAuthenticationFlowBindingOverrides, ClientAuthenticationFlowBindingOverridesArgs

BrowserId string: Browser flow id, (flow needs to exist)
DirectGrantId string: Direct grant flow id (flow needs to exist)

BrowserId string: Browser flow id, (flow needs to exist)
DirectGrantId string: Direct grant flow id (flow needs to exist)

browserId String: Browser flow id, (flow needs to exist)
directGrantId String: Direct grant flow id (flow needs to exist)

browserId string: Browser flow id, (flow needs to exist)
directGrantId string: Direct grant flow id (flow needs to exist)

browser_id str: Browser flow id, (flow needs to exist)
direct_grant_id str: Direct grant flow id (flow needs to exist)

browserId String: Browser flow id, (flow needs to exist)
directGrantId String: Direct grant flow id (flow needs to exist)

Import

Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak

assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID.

Example:

bash

$ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Keycloak pulumi/pulumi-keycloak
License: Apache-2.0
Notes: This Pulumi package is based on the keycloak Terraform Provider.

Keycloak v6.4.0 published on Wednesday, Apr 16, 2025 by Pulumi

pulumi/pulumi-keycloak

keycloak.saml.Client

On this page

On this page

Create Client Resource

Constructor syntax

Parameters

Constructor example

Client Resource Properties

Inputs

Outputs

Look up Existing Client Resource

Supporting Types

ClientAuthenticationFlowBindingOverrides, ClientAuthenticationFlowBindingOverridesArgs

Import

Package Details

On this page

On this page