Keycloak v5.2.1 published on Tuesday, Jun 27, 2023 by Pulumi

keycloak.saml.Client


    Allows for creating and managing Keycloak clients that use the SAML protocol.

    Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak’s user sessions for SSO.

    Example Usage

    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using Pulumi;
    using Keycloak = Pulumi.Keycloak;
    
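    // Declares a realm and a SAML client whose signing certificate and key are read from local PEM files.
    return await Deployment.RunAsync(() => 
    {
        var realm = new Keycloak.Realm("realm", new()
        {
            RealmName = "my-realm",
            Enabled = true,
        });
    
        var samlClient = new Keycloak.Saml.Client("samlClient", new()
        {
            RealmId = realm.Id,
            ClientId = "saml-client",
            // SignDocuments overrides its documented default of true: only the assertion is
            // signed, not the enclosing SAML document, so the service provider has to
            // validate the assertion signature itself.
            SignDocuments = false,
            SignAssertions = true,
            IncludeAuthnStatement = true,
            SigningCertificate = File.ReadAllText("saml-cert.pem"),
            // saml-key.pem is private key material: wrap it as a Pulumi secret so the value
            // is encrypted in the stack state and masked in CLI output. Keep the file itself
            // out of version control.
            SigningPrivateKey = Output.CreateSecret(File.ReadAllText("saml-key.pem")),
        });
    
    });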
    
    package main
    
    import (
    	"os"
    
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // readFileOrPanic loads the file at path and returns its contents as a Pulumi string input.
    // A read failure aborts the program with a panic that carries the error text.
    func readFileOrPanic(path string) pulumi.StringPtrInput {
    	contents, readErr := os.ReadFile(path)
    	if readErr == nil {
    		return pulumi.String(string(contents))
    	}
    	panic(readErr.Error())
    }
    
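    // main declares a realm and a SAML client whose signing certificate and key are
    // read from local PEM files.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
    			Realm:   pulumi.String("my-realm"),
    			Enabled: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = saml.NewClient(ctx, "samlClient", &saml.ClientArgs{
    			RealmId:  realm.ID(),
    			ClientId: pulumi.String("saml-client"),
    			// SignDocuments overrides its documented default of true: only the assertion
    			// is signed, not the enclosing SAML document, so the service provider has to
    			// validate the assertion signature itself.
    			SignDocuments:         pulumi.Bool(false),
    			SignAssertions:        pulumi.Bool(true),
    			IncludeAuthnStatement: pulumi.Bool(true),
    			SigningCertificate:    readFileOrPanic("saml-cert.pem"),
    			// saml-key.pem is private key material: mark it as a Pulumi secret so the
    			// value is encrypted in the stack state and masked in CLI output. Keep the
    			// file itself out of version control.
    			SigningPrivateKey: pulumi.ToSecret(readFileOrPanic("saml-key.pem")).(pulumi.StringOutput),
    		})
    		// err is nil on success, so returning it directly covers both outcomes.
    		return err
    	})
    }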
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.keycloak.Realm;
    import com.pulumi.keycloak.RealmArgs;
    import com.pulumi.keycloak.saml.Client;
    import com.pulumi.keycloak.saml.ClientArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
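    /**
     * Pulumi program that declares a realm and a SAML client whose signing
     * certificate and key are read from local PEM files.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the stack's resources.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            var realm = new Realm("realm", RealmArgs.builder()
                .realm("my-realm")
                .enabled(true)
                .build());
    
            var samlClient = new Client("samlClient", ClientArgs.builder()
                .realmId(realm.id())
                .clientId("saml-client")
                // signDocuments overrides its documented default of true: only the assertion
                // is signed, not the enclosing SAML document, so the service provider has to
                // validate the assertion signature itself.
                .signDocuments(false)
                .signAssertions(true)
                .includeAuthnStatement(true)
                .signingCertificate(readPem("saml-cert.pem"))
                // saml-key.pem is private key material: mark it as a Pulumi secret so the
                // value is encrypted in the stack state and masked in CLI output. Keep the
                // file itself out of version control.
                .signingPrivateKey(Output.ofSecret(readPem("saml-key.pem")))
                .build());
    
        }
    
        /**
         * Reads a PEM file as text. Files.readString throws the checked IOException,
         * which stack() cannot declare because it is passed to Pulumi.run as a
         * method reference, so the failure is rethrown unchecked.
         *
         * @param path location of the PEM file
         * @return the file contents
         * @throws java.io.UncheckedIOException if the file cannot be read
         */
        private static String readPem(String path) {
            try {
                return Files.readString(Paths.get(path));
            } catch (java.io.IOException e) {
                throw new java.io.UncheckedIOException(e);
            }
        }
    }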
    
    import pulumi
    import pulumi_keycloak as keycloak
    
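    def _read_text(path):
        """Return the text of the file at ``path``, closing the handle before returning."""
        with open(path) as handle:
            return handle.read()
    
    
    # Realm that owns the SAML client declared below.
    realm = keycloak.Realm("realm",
        realm="my-realm",
        enabled=True)
    # sign_documents overrides its documented default of True: only the assertion is
    # signed, not the enclosing SAML document, so the service provider has to validate
    # the assertion signature itself.
    # saml-key.pem is private key material: it is wrapped as a Pulumi secret so the value
    # is encrypted in the stack state and masked in CLI output. Keep the file itself out
    # of version control.
    saml_client = keycloak.saml.Client("samlClient",
        realm_id=realm.id,
        client_id="saml-client",
        sign_documents=False,
        sign_assertions=True,
        include_authn_statement=True,
        signing_certificate=_read_text("saml-cert.pem"),
        signing_private_key=pulumi.Output.secret(_read_text("saml-key.pem")))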
    
    import * as pulumi from "@pulumi/pulumi";
    import * as fs from "fs";
    import * as keycloak from "@pulumi/keycloak";
    
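    // Realm that owns the SAML client declared below.
    const realm = new keycloak.Realm("realm", {
        realm: "my-realm",
        enabled: true,
    });
    const samlClient = new keycloak.saml.Client("samlClient", {
        realmId: realm.id,
        clientId: "saml-client",
        // signDocuments overrides its documented default of true: only the assertion is
        // signed, not the enclosing SAML document, so the service provider has to validate
        // the assertion signature itself.
        signDocuments: false,
        signAssertions: true,
        includeAuthnStatement: true,
        // readFileSync returns a Buffer unless an encoding is given; these properties are strings.
        signingCertificate: fs.readFileSync("saml-cert.pem", "utf8"),
        // saml-key.pem is private key material: mark it as a Pulumi secret so the value is
        // encrypted in the stack state and masked in CLI output. Keep the file itself out
        // of version control.
        signingPrivateKey: pulumi.secret(fs.readFileSync("saml-key.pem", "utf8")),
    });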
    
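    # Declares a realm and a SAML client whose signing certificate and key are read from local PEM files.
    resources:
      realm:
        type: keycloak:Realm
        properties:
          realm: my-realm
          enabled: true
      samlClient:
        type: keycloak:saml:Client
        properties:
          realmId: ${realm.id}
          clientId: saml-client
          # signDocuments overrides its documented default of true: only the assertion is
          # signed, not the enclosing SAML document, so the service provider has to validate
          # the assertion signature itself.
          signDocuments: false
          signAssertions: true
          includeAuthnStatement: true
          signingCertificate:
            fn::readFile: saml-cert.pem
          # saml-key.pem is private key material: fn::secret keeps the value encrypted in the
          # stack state and masked in CLI output. Keep the file itself out of version control.
          signingPrivateKey:
            fn::secret:
              fn::readFile: saml-key.pem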
    

    Create Client Resource

    new Client(name: string, args: ClientArgs, opts?: CustomResourceOptions);
    @overload
    def Client(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               assertion_consumer_post_url: Optional[str] = None,
               assertion_consumer_redirect_url: Optional[str] = None,
               authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
               base_url: Optional[str] = None,
               canonicalization_method: Optional[str] = None,
               client_id: Optional[str] = None,
               client_signature_required: Optional[bool] = None,
               description: Optional[str] = None,
               enabled: Optional[bool] = None,
               encrypt_assertions: Optional[bool] = None,
               encryption_certificate: Optional[str] = None,
               extra_config: Optional[Mapping[str, Any]] = None,
               force_name_id_format: Optional[bool] = None,
               force_post_binding: Optional[bool] = None,
               front_channel_logout: Optional[bool] = None,
               full_scope_allowed: Optional[bool] = None,
               idp_initiated_sso_relay_state: Optional[str] = None,
               idp_initiated_sso_url_name: Optional[str] = None,
               include_authn_statement: Optional[bool] = None,
               login_theme: Optional[str] = None,
               logout_service_post_binding_url: Optional[str] = None,
               logout_service_redirect_binding_url: Optional[str] = None,
               master_saml_processing_url: Optional[str] = None,
               name: Optional[str] = None,
               name_id_format: Optional[str] = None,
               realm_id: Optional[str] = None,
               root_url: Optional[str] = None,
               sign_assertions: Optional[bool] = None,
               sign_documents: Optional[bool] = None,
               signature_algorithm: Optional[str] = None,
               signature_key_name: Optional[str] = None,
               signing_certificate: Optional[str] = None,
               signing_private_key: Optional[str] = None,
               valid_redirect_uris: Optional[Sequence[str]] = None)
    @overload
    def Client(resource_name: str,
               args: ClientArgs,
               opts: Optional[ResourceOptions] = None)
    func NewClient(ctx *Context, name string, args ClientArgs, opts ...ResourceOption) (*Client, error)
    public Client(string name, ClientArgs args, CustomResourceOptions? opts = null)
    public Client(String name, ClientArgs args)
    public Client(String name, ClientArgs args, CustomResourceOptions options)
    
    type: keycloak:saml:Client
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ClientArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Client Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Client resource accepts the following input properties:

    ClientId string

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    RealmId string

    The realm this client is attached to.

    AssertionConsumerPostUrl string

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    AssertionConsumerRedirectUrl string

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides

    Override realm authentication flow bindings

    BaseUrl string

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    CanonicalizationMethod string

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    ClientSignatureRequired bool

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    Description string

    The description of this client in the GUI.

    Enabled bool

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    EncryptAssertions bool

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    EncryptionCertificate string

    If assertions for the client are encrypted, this certificate will be used for encryption.

    ExtraConfig Dictionary<string, object>
    ForceNameIdFormat bool

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    ForcePostBinding bool

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    FrontChannelLogout bool

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    FullScopeAllowed bool

    Allows all role mappings to be included in the access token.

    IdpInitiatedSsoRelayState string

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    IdpInitiatedSsoUrlName string

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    IncludeAuthnStatement bool

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    LoginTheme string

    The login theme of this client.

    LogoutServicePostBindingUrl string

    SAML POST Binding URL for the client's single logout service.

    LogoutServiceRedirectBindingUrl string

    SAML Redirect Binding URL for the client's single logout service.

    MasterSamlProcessingUrl string

    When specified, this URL will be used for all SAML requests.

    Name string

    The display name of this client in the GUI.

    NameIdFormat string

    Sets the Name ID format for the subject.

    RootUrl string

    When specified, this value is prepended to all relative URLs.

    SignAssertions bool

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    SignDocuments bool

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    SignatureAlgorithm string

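    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") are legacy; prefer a SHA-256 or SHA-512 variant unless the service provider cannot verify one.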

    SignatureKeyName string

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    SigningCertificate string

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    SigningPrivateKey string

    If documents or assertions from the client are signed, this private key will be used to verify the signature.

    ValidRedirectUris List<string>

    When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

    ClientId string

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    RealmId string

    The realm this client is attached to.

    AssertionConsumerPostUrl string

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    AssertionConsumerRedirectUrl string

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

    Override realm authentication flow bindings

    BaseUrl string

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    CanonicalizationMethod string

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    ClientSignatureRequired bool

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    Description string

    The description of this client in the GUI.

    Enabled bool

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    EncryptAssertions bool

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    EncryptionCertificate string

    If assertions for the client are encrypted, this certificate will be used for encryption.

    ExtraConfig map[string]interface{}
    ForceNameIdFormat bool

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    ForcePostBinding bool

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    FrontChannelLogout bool

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    FullScopeAllowed bool

    Allows all role mappings to be included in the access token.

    IdpInitiatedSsoRelayState string

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    IdpInitiatedSsoUrlName string

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    IncludeAuthnStatement bool

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    LoginTheme string

    The login theme of this client.

    LogoutServicePostBindingUrl string

    SAML POST Binding URL for the client's single logout service.

    LogoutServiceRedirectBindingUrl string

    SAML Redirect Binding URL for the client's single logout service.

    MasterSamlProcessingUrl string

    When specified, this URL will be used for all SAML requests.

    Name string

    The display name of this client in the GUI.

    NameIdFormat string

    Sets the Name ID format for the subject.

    RootUrl string

    When specified, this value is prepended to all relative URLs.

    SignAssertions bool

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    SignDocuments bool

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    SignatureAlgorithm string

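    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") are legacy; prefer a SHA-256 or SHA-512 variant unless the service provider cannot verify one.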

    SignatureKeyName string

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    SigningCertificate string

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    SigningPrivateKey string

    If documents or assertions from the client are signed, this private key will be used to verify the signature.

    ValidRedirectUris []string

    When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

    clientId String

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    realmId String

    The realm this client is attached to.

    assertionConsumerPostUrl String

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    assertionConsumerRedirectUrl String

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides

    Override realm authentication flow bindings

    baseUrl String

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    canonicalizationMethod String

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    clientSignatureRequired Boolean

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    description String

    The description of this client in the GUI.

    enabled Boolean

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    encryptAssertions Boolean

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    encryptionCertificate String

    If assertions for the client are encrypted, this certificate will be used for encryption.

    extraConfig Map<String,Object>
    forceNameIdFormat Boolean

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    forcePostBinding Boolean

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    frontChannelLogout Boolean

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    fullScopeAllowed Boolean

    Allows all role mappings to be included in the access token.

    idpInitiatedSsoRelayState String

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    idpInitiatedSsoUrlName String

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    includeAuthnStatement Boolean

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    loginTheme String

    The login theme of this client.

    logoutServicePostBindingUrl String

    SAML POST Binding URL for the client's single logout service.

    logoutServiceRedirectBindingUrl String

    SAML Redirect Binding URL for the client's single logout service.

    masterSamlProcessingUrl String

    When specified, this URL will be used for all SAML requests.

    name String

    The display name of this client in the GUI.

    nameIdFormat String

    Sets the Name ID format for the subject.

    rootUrl String

    When specified, this value is prepended to all relative URLs.

    signAssertions Boolean

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    signDocuments Boolean

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    signatureAlgorithm String

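    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") are legacy; prefer a SHA-256 or SHA-512 variant unless the service provider cannot verify one.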

    signatureKeyName String

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    signingCertificate String

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    signingPrivateKey String

    If documents or assertions from the client are signed, this private key will be used to verify the signature.

    validRedirectUris List<String>

    When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

    clientId string

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    realmId string

    The realm this client is attached to.

    assertionConsumerPostUrl string

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    assertionConsumerRedirectUrl string

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides

    Override realm authentication flow bindings

    baseUrl string

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    canonicalizationMethod string

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    clientSignatureRequired boolean

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    description string

    The description of this client in the GUI.

    enabled boolean

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    encryptAssertions boolean

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    encryptionCertificate string

    If assertions for the client are encrypted, this certificate will be used for encryption.

    extraConfig {[key: string]: any}
    forceNameIdFormat boolean

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    forcePostBinding boolean

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    frontChannelLogout boolean

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    fullScopeAllowed boolean

    Allows all role mappings to be included in the access token.

    idpInitiatedSsoRelayState string

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    idpInitiatedSsoUrlName string

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    includeAuthnStatement boolean

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    loginTheme string

    The login theme of this client.

    logoutServicePostBindingUrl string

    SAML POST Binding URL for the client's single logout service.

    logoutServiceRedirectBindingUrl string

    SAML Redirect Binding URL for the client's single logout service.

    masterSamlProcessingUrl string

    When specified, this URL will be used for all SAML requests.

    name string

    The display name of this client in the GUI.

    nameIdFormat string

    Sets the Name ID format for the subject.

    rootUrl string

    When specified, this value is prepended to all relative URLs.

    signAssertions boolean

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    signDocuments boolean

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    signatureAlgorithm string

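    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") are legacy; prefer a SHA-256 or SHA-512 variant unless the service provider cannot verify one.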

    signatureKeyName string

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    signingCertificate string

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    signingPrivateKey string

    If documents or assertions from the client are signed, this private key will be used to verify the signature.

    validRedirectUris string[]

    When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

    client_id str

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    realm_id str

    The realm this client is attached to.

    assertion_consumer_post_url str

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    assertion_consumer_redirect_url str

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs

    Override realm authentication flow bindings

    base_url str

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    canonicalization_method str

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    client_signature_required bool

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    description str

    The description of this client in the GUI.

    enabled bool

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    encrypt_assertions bool

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    encryption_certificate str

    If assertions for the client are encrypted, this certificate will be used for encryption.

    extra_config Mapping[str, Any]
    force_name_id_format bool

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    force_post_binding bool

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    front_channel_logout bool

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    full_scope_allowed bool

    Allows all role mappings to be included in the access token.

    idp_initiated_sso_relay_state str

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    idp_initiated_sso_url_name str

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    include_authn_statement bool

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    login_theme str

    The login theme of this client.

    logout_service_post_binding_url str

    SAML POST Binding URL for the client's single logout service.

    logout_service_redirect_binding_url str

    SAML Redirect Binding URL for the client's single logout service.

    master_saml_processing_url str

    When specified, this URL will be used for all SAML requests.

    name str

    The display name of this client in the GUI.

    name_id_format str

    Sets the Name ID format for the subject.

    root_url str

    When specified, this value is prepended to all relative URLs.

    sign_assertions bool

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    sign_documents bool

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    signature_algorithm str

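    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") are legacy; prefer a SHA-256 or SHA-512 variant unless the service provider cannot verify one.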

    signature_key_name str

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    signing_certificate str

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    signing_private_key str

    If documents or assertions from the client are signed, this private key will be used to verify the signature.

    valid_redirect_uris Sequence[str]

    When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

    clientId String

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    realmId String

    The realm this client is attached to.

    assertionConsumerPostUrl String

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    assertionConsumerRedirectUrl String

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    authenticationFlowBindingOverrides Property Map

    Override realm authentication flow bindings

    baseUrl String

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    canonicalizationMethod String

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    clientSignatureRequired Boolean

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    description String

    The description of this client in the GUI.

    enabled Boolean

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    encryptAssertions Boolean

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    encryptionCertificate String

    If assertions for the client are encrypted, this certificate will be used for encryption.

    extraConfig Map<Any>
    forceNameIdFormat Boolean

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    forcePostBinding Boolean

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    frontChannelLogout Boolean

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    fullScopeAllowed Boolean

    Allows all role mappings to be included in the access token.

    idpInitiatedSsoRelayState String

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    idpInitiatedSsoUrlName String

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    includeAuthnStatement Boolean

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    loginTheme String

    The login theme of this client.

    logoutServicePostBindingUrl String

    SAML POST Binding URL for the client's single logout service.

    logoutServiceRedirectBindingUrl String

    SAML Redirect Binding URL for the client's single logout service.

    masterSamlProcessingUrl String

    When specified, this URL will be used for all SAML requests.

    name String

    The display name of this client in the GUI.

    nameIdFormat String

    Sets the Name ID format for the subject.

    rootUrl String

    When specified, this value is prepended to all relative URLs.

    signAssertions Boolean

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    signDocuments Boolean

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    signatureAlgorithm String

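    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") are cryptographically weak; prefer a SHA-256 or SHA-512 variant unless the service provider cannot accept one.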

    signatureKeyName String

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    signingCertificate String

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    signingPrivateKey String

    If documents or assertions from the client are signed, this private key will be used to verify the signature.

    validRedirectUris List<String>

    When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Client resource produces the following output properties:

    EncryptionCertificateSha1 string

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    Id string

    The provider-assigned unique ID for this managed resource.

    SigningCertificateSha1 string

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    SigningPrivateKeySha1 string

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    EncryptionCertificateSha1 string

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    Id string

    The provider-assigned unique ID for this managed resource.

    SigningCertificateSha1 string

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    SigningPrivateKeySha1 string

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    encryptionCertificateSha1 String

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    id String

    The provider-assigned unique ID for this managed resource.

    signingCertificateSha1 String

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    signingPrivateKeySha1 String

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    encryptionCertificateSha1 string

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    id string

    The provider-assigned unique ID for this managed resource.

    signingCertificateSha1 string

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    signingPrivateKeySha1 string

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    encryption_certificate_sha1 str

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    id str

    The provider-assigned unique ID for this managed resource.

    signing_certificate_sha1 str

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    signing_private_key_sha1 str

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    encryptionCertificateSha1 String

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    id String

    The provider-assigned unique ID for this managed resource.

    signingCertificateSha1 String

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    signingPrivateKeySha1 String

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    Look up Existing Client Resource

    Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ClientState, opts?: CustomResourceOptions): Client
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            assertion_consumer_post_url: Optional[str] = None,
            assertion_consumer_redirect_url: Optional[str] = None,
            authentication_flow_binding_overrides: Optional[ClientAuthenticationFlowBindingOverridesArgs] = None,
            base_url: Optional[str] = None,
            canonicalization_method: Optional[str] = None,
            client_id: Optional[str] = None,
            client_signature_required: Optional[bool] = None,
            description: Optional[str] = None,
            enabled: Optional[bool] = None,
            encrypt_assertions: Optional[bool] = None,
            encryption_certificate: Optional[str] = None,
            encryption_certificate_sha1: Optional[str] = None,
            extra_config: Optional[Mapping[str, Any]] = None,
            force_name_id_format: Optional[bool] = None,
            force_post_binding: Optional[bool] = None,
            front_channel_logout: Optional[bool] = None,
            full_scope_allowed: Optional[bool] = None,
            idp_initiated_sso_relay_state: Optional[str] = None,
            idp_initiated_sso_url_name: Optional[str] = None,
            include_authn_statement: Optional[bool] = None,
            login_theme: Optional[str] = None,
            logout_service_post_binding_url: Optional[str] = None,
            logout_service_redirect_binding_url: Optional[str] = None,
            master_saml_processing_url: Optional[str] = None,
            name: Optional[str] = None,
            name_id_format: Optional[str] = None,
            realm_id: Optional[str] = None,
            root_url: Optional[str] = None,
            sign_assertions: Optional[bool] = None,
            sign_documents: Optional[bool] = None,
            signature_algorithm: Optional[str] = None,
            signature_key_name: Optional[str] = None,
            signing_certificate: Optional[str] = None,
            signing_certificate_sha1: Optional[str] = None,
            signing_private_key: Optional[str] = None,
            signing_private_key_sha1: Optional[str] = None,
            valid_redirect_uris: Optional[Sequence[str]] = None) -> Client
    func GetClient(ctx *Context, name string, id IDInput, state *ClientState, opts ...ResourceOption) (*Client, error)
    public static Client Get(string name, Input<string> id, ClientState? state, CustomResourceOptions? opts = null)
    public static Client get(String name, Output<String> id, ClientState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AssertionConsumerPostUrl string

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    AssertionConsumerRedirectUrl string

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides

    Override realm authentication flow bindings

    BaseUrl string

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    CanonicalizationMethod string

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    ClientId string

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    ClientSignatureRequired bool

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    Description string

    The description of this client in the GUI.

    Enabled bool

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    EncryptAssertions bool

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    EncryptionCertificate string

    If assertions for the client are encrypted, this certificate will be used for encryption.

    EncryptionCertificateSha1 string

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    ExtraConfig Dictionary<string, object>
    ForceNameIdFormat bool

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    ForcePostBinding bool

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    FrontChannelLogout bool

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    FullScopeAllowed bool

    Allows all role mappings to be included in the access token.

    IdpInitiatedSsoRelayState string

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    IdpInitiatedSsoUrlName string

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    IncludeAuthnStatement bool

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    LoginTheme string

    The login theme of this client.

    LogoutServicePostBindingUrl string

    SAML POST Binding URL for the client's single logout service.

    LogoutServiceRedirectBindingUrl string

    SAML Redirect Binding URL for the client's single logout service.

    MasterSamlProcessingUrl string

    When specified, this URL will be used for all SAML requests.

    Name string

    The display name of this client in the GUI.

    NameIdFormat string

    Sets the Name ID format for the subject.

    RealmId string

    The realm this client is attached to.

    RootUrl string

    When specified, this value is prepended to all relative URLs.

    SignAssertions bool

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    SignDocuments bool

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    SignatureAlgorithm string

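    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") are cryptographically weak; prefer a SHA-256 or SHA-512 variant unless the service provider cannot accept one.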

    SignatureKeyName string

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    SigningCertificate string

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    SigningCertificateSha1 string

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    SigningPrivateKey string

    If documents or assertions from the client are signed, this private key will be used to verify the signature.

    SigningPrivateKeySha1 string

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    ValidRedirectUris List<string>

    When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

    AssertionConsumerPostUrl string

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    AssertionConsumerRedirectUrl string

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    AuthenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverridesArgs

    Override realm authentication flow bindings

    BaseUrl string

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    CanonicalizationMethod string

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    ClientId string

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    ClientSignatureRequired bool

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    Description string

    The description of this client in the GUI.

    Enabled bool

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    EncryptAssertions bool

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    EncryptionCertificate string

    If assertions for the client are encrypted, this certificate will be used for encryption.

    EncryptionCertificateSha1 string

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    ExtraConfig map[string]interface{}
    ForceNameIdFormat bool

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    ForcePostBinding bool

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    FrontChannelLogout bool

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    FullScopeAllowed bool

    Allows all role mappings to be included in the access token.

    IdpInitiatedSsoRelayState string

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    IdpInitiatedSsoUrlName string

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    IncludeAuthnStatement bool

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    LoginTheme string

    The login theme of this client.

    LogoutServicePostBindingUrl string

    SAML POST Binding URL for the client's single logout service.

    LogoutServiceRedirectBindingUrl string

    SAML Redirect Binding URL for the client's single logout service.

    MasterSamlProcessingUrl string

    When specified, this URL will be used for all SAML requests.

    Name string

    The display name of this client in the GUI.

    NameIdFormat string

    Sets the Name ID format for the subject.

    RealmId string

    The realm this client is attached to.

    RootUrl string

    When specified, this value is prepended to all relative URLs.

    SignAssertions bool

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    SignDocuments bool

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    SignatureAlgorithm string

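    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") are cryptographically weak; prefer a SHA-256 or SHA-512 variant unless the service provider cannot accept one.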

    SignatureKeyName string

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    SigningCertificate string

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    SigningCertificateSha1 string

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    SigningPrivateKey string

    If documents or assertions from the client are signed, this private key will be used to verify the signature.

    SigningPrivateKeySha1 string

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    ValidRedirectUris []string

    When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

    assertionConsumerPostUrl String

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    assertionConsumerRedirectUrl String

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides

    Override realm authentication flow bindings

    baseUrl String

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    canonicalizationMethod String

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    clientId String

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    clientSignatureRequired Boolean

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    description String

    The description of this client in the GUI.

    enabled Boolean

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    encryptAssertions Boolean

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    encryptionCertificate String

    If assertions for the client are encrypted, this certificate will be used for encryption.

    encryptionCertificateSha1 String

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    extraConfig Map<String,Object>
    forceNameIdFormat Boolean

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    forcePostBinding Boolean

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    frontChannelLogout Boolean

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    fullScopeAllowed Boolean

    Allows all role mappings to be included in the access token.

    idpInitiatedSsoRelayState String

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    idpInitiatedSsoUrlName String

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    includeAuthnStatement Boolean

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    loginTheme String

    The login theme of this client.

    logoutServicePostBindingUrl String

    SAML POST Binding URL for the client's single logout service.

    logoutServiceRedirectBindingUrl String

    SAML Redirect Binding URL for the client's single logout service.

    masterSamlProcessingUrl String

    When specified, this URL will be used for all SAML requests.

    name String

    The display name of this client in the GUI.

    nameIdFormat String

    Sets the Name ID format for the subject.

    realmId String

    The realm this client is attached to.

    rootUrl String

    When specified, this value is prepended to all relative URLs.

    signAssertions Boolean

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    signDocuments Boolean

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    signatureAlgorithm String

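    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") are cryptographically weak; prefer a SHA-256 or SHA-512 variant unless the service provider cannot accept one.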

    signatureKeyName String

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    signingCertificate String

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    signingCertificateSha1 String

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    signingPrivateKey String

    If documents or assertions from the client are signed, this private key will be used to verify the signature.

    signingPrivateKeySha1 String

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    validRedirectUris List<String>

    When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

    assertionConsumerPostUrl string

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    assertionConsumerRedirectUrl string

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    authenticationFlowBindingOverrides ClientAuthenticationFlowBindingOverrides

    Override realm authentication flow bindings

    baseUrl string

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    canonicalizationMethod string

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    clientId string

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    clientSignatureRequired boolean

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    description string

    The description of this client in the GUI.

    enabled boolean

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    encryptAssertions boolean

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    encryptionCertificate string

    If assertions for the client are encrypted, this certificate will be used for encryption.

    encryptionCertificateSha1 string

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    extraConfig {[key: string]: any}
    forceNameIdFormat boolean

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    forcePostBinding boolean

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    frontChannelLogout boolean

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    fullScopeAllowed boolean

    Allows all role mappings to be included in the access token.

    idpInitiatedSsoRelayState string

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    idpInitiatedSsoUrlName string

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    includeAuthnStatement boolean

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    loginTheme string

    The login theme of this client.

    logoutServicePostBindingUrl string

    SAML POST Binding URL for the client's single logout service.

    logoutServiceRedirectBindingUrl string

    SAML Redirect Binding URL for the client's single logout service.

    masterSamlProcessingUrl string

    When specified, this URL will be used for all SAML requests.

    name string

    The display name of this client in the GUI.

    nameIdFormat string

    Sets the Name ID format for the subject.

    realmId string

    The realm this client is attached to.

    rootUrl string

    When specified, this value is prepended to all relative URLs.

    signAssertions boolean

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    signDocuments boolean

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    signatureAlgorithm string

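    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 options ("RSA_SHA1", "DSA_SHA1") are cryptographically weak; prefer a SHA-256 or SHA-512 variant unless the service provider cannot accept one.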

    signatureKeyName string

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    signingCertificate string

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    signingCertificateSha1 string

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    signingPrivateKey string

    If documents or assertions from the client are signed, this private key will be used to verify the signature.

    signingPrivateKeySha1 string

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    validRedirectUris string[]

    When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.

    assertion_consumer_post_url str

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    assertion_consumer_redirect_url str

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    authentication_flow_binding_overrides ClientAuthenticationFlowBindingOverridesArgs

    Override realm authentication flow bindings

    base_url str

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    canonicalization_method str

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    client_id str

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    client_signature_required bool

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    description str

    The description of this client in the GUI.

    enabled bool

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    encrypt_assertions bool

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    encryption_certificate str

    If assertions for the client are encrypted, this certificate will be used for encryption.

    encryption_certificate_sha1 str

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    extra_config Mapping[str, Any]
    force_name_id_format bool

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    force_post_binding bool

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    front_channel_logout bool

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    full_scope_allowed bool

    Allows all role mappings to be included in the access token.

    idp_initiated_sso_relay_state str

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    idp_initiated_sso_url_name str

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    include_authn_statement bool

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    login_theme str

    The login theme of this client.

    logout_service_post_binding_url str

    SAML POST Binding URL for the client's single logout service.

    logout_service_redirect_binding_url str

    SAML Redirect Binding URL for the client's single logout service.

    master_saml_processing_url str

    When specified, this URL will be used for all SAML requests.

    name str

    The display name of this client in the GUI.

    name_id_format str

    Sets the Name ID format for the subject.

    realm_id str

    The realm this client is attached to.

    root_url str

    When specified, this value is prepended to all relative URLs.

    sign_assertions bool

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    sign_documents bool

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    signature_algorithm str

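    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 based options ("RSA_SHA1", "DSA_SHA1") rely on a hash that is no longer considered collision-resistant; prefer a SHA-256 or SHA-512 option unless the service provider cannot verify them.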

    signature_key_name str

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    signing_certificate str

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    signing_certificate_sha1 str

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    signing_private_key str

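    If documents or assertions from the client are signed, this private key will be used to verify the signature. Verifying a signature requires only the public key in the signing certificate, so this description is presumably imprecise; the value is private key material and should be handled as a secret (for example, supplied as a Pulumi secret rather than read from a PEM file kept in source control).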

    signing_private_key_sha1 str

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    valid_redirect_uris Sequence[str]

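    When specified, Keycloak will use this list to validate the Assertion Consumer URLs given in the authentication request. Keep the entries as specific as possible, since this list is what stops a response from being delivered to an Assertion Consumer URL the client does not own.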

    assertionConsumerPostUrl String

    SAML POST Binding URL for the client's assertion consumer service (login responses).

    assertionConsumerRedirectUrl String

    SAML Redirect Binding URL for the client's assertion consumer service (login responses).

    authenticationFlowBindingOverrides Property Map

    Override realm authentication flow bindings

    baseUrl String

    When specified, this URL will be used whenever Keycloak needs to link to this client.

    canonicalizationMethod String

    The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

    clientId String

    The unique ID of this client, referenced in the URI during authentication and in issued tokens.

    clientSignatureRequired Boolean

    When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

    description String

    The description of this client in the GUI.

    enabled Boolean

    When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

    encryptAssertions Boolean

    When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

    encryptionCertificate String

    If assertions for the client are encrypted, this certificate will be used for encryption.

    encryptionCertificateSha1 String

    (Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

    extraConfig Map<Any>
    forceNameIdFormat Boolean

    Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

    forcePostBinding Boolean

    When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

    frontChannelLogout Boolean

    When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

    fullScopeAllowed Boolean

    Allows all role mappings to be included in the access token.

    idpInitiatedSsoRelayState String

    Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

    idpInitiatedSsoUrlName String

    URL fragment name to reference client when you want to do IDP Initiated SSO.

    includeAuthnStatement Boolean

    When true, an AuthnStatement will be included in the SAML response. Defaults to true.

    loginTheme String

    The login theme of this client.

    logoutServicePostBindingUrl String

    SAML POST Binding URL for the client's single logout service.

    logoutServiceRedirectBindingUrl String

    SAML Redirect Binding URL for the client's single logout service.

    masterSamlProcessingUrl String

    When specified, this URL will be used for all SAML requests.

    name String

    The display name of this client in the GUI.

    nameIdFormat String

    Sets the Name ID format for the subject.

    realmId String

    The realm this client is attached to.

    rootUrl String

    When specified, this value is prepended to all relative URLs.

    signAssertions Boolean

    When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

    signDocuments Boolean

    When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

    signatureAlgorithm String

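    The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1". The SHA-1 based options ("RSA_SHA1", "DSA_SHA1") rely on a hash that is no longer considered collision-resistant; prefer a SHA-256 or SHA-512 option unless the service provider cannot verify them.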

    signatureKeyName String

    The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

    signingCertificate String

    If documents or assertions from the client are signed, this certificate will be used to verify the signature.

    signingCertificateSha1 String

    (Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

    signingPrivateKey String

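    If documents or assertions from the client are signed, this private key will be used to verify the signature. Verifying a signature requires only the public key in the signing certificate, so this description is presumably imprecise; the value is private key material and should be handled as a secret (for example, supplied as a Pulumi secret rather than read from a PEM file kept in source control).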

    signingPrivateKeySha1 String

    (Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

    validRedirectUris List<String>

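    When specified, Keycloak will use this list to validate the Assertion Consumer URLs given in the authentication request. Keep the entries as specific as possible, since this list is what stops a response from being delivered to an Assertion Consumer URL the client does not own.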

    Supporting Types

    ClientAuthenticationFlowBindingOverrides, ClientAuthenticationFlowBindingOverridesArgs

    BrowserId string

    Browser flow id, (flow needs to exist)

    DirectGrantId string

    Direct grant flow id (flow needs to exist)

    BrowserId string

    Browser flow id, (flow needs to exist)

    DirectGrantId string

    Direct grant flow id (flow needs to exist)

    browserId String

    Browser flow id, (flow needs to exist)

    directGrantId String

    Direct grant flow id (flow needs to exist)

    browserId string

    Browser flow id, (flow needs to exist)

    directGrantId string

    Direct grant flow id (flow needs to exist)

    browser_id str

    Browser flow id, (flow needs to exist)

    direct_grant_id str

    Direct grant flow id (flow needs to exist)

    browserId String

    Browser flow id, (flow needs to exist)

    directGrantId String

    Direct grant flow id (flow needs to exist)

    Import

    Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Example:

     $ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352
    

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the keycloak Terraform Provider.

    Keycloak v5.2.1 published on Tuesday, Jun 27, 2023 by Pulumi