1. Packages
  2. Keycloak Provider
  3. API Docs
  4. saml
  5. IdentityProvider
Keycloak v6.1.0 published on Friday, Jan 17, 2025 by Pulumi

keycloak.saml.IdentityProvider

Explore with Pulumi AI

keycloak logo
Keycloak v6.1.0 published on Friday, Jan 17, 2025 by Pulumi

    Allows for creating and managing SAML Identity Providers within Keycloak.

    SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as keycloak from "@pulumi/keycloak";
    
    const realm = new keycloak.Realm("realm", {
        realm: "my-realm",
        enabled: true,
    });
    const realmSamlIdentityProvider = new keycloak.saml.IdentityProvider("realm_saml_identity_provider", {
        realm: realm.id,
        alias: "my-saml-idp",
        entityId: "https://domain.com/entity_id",
        singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
        singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
        backchannelSupported: true,
        postBindingResponse: true,
        postBindingLogout: true,
        postBindingAuthnRequest: true,
        storeToken: false,
        trustEmail: true,
        forceAuthn: true,
    });
    
    import pulumi
    import pulumi_keycloak as keycloak
    
    realm = keycloak.Realm("realm",
        realm="my-realm",
        enabled=True)
    realm_saml_identity_provider = keycloak.saml.IdentityProvider("realm_saml_identity_provider",
        realm=realm.id,
        alias="my-saml-idp",
        entity_id="https://domain.com/entity_id",
        single_sign_on_service_url="https://domain.com/adfs/ls/",
        single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0",
        backchannel_supported=True,
        post_binding_response=True,
        post_binding_logout=True,
        post_binding_authn_request=True,
        store_token=False,
        trust_email=True,
        force_authn=True)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
    	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/saml"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
    			Realm:   pulumi.String("my-realm"),
    			Enabled: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = saml.NewIdentityProvider(ctx, "realm_saml_identity_provider", &saml.IdentityProviderArgs{
    			Realm:                   realm.ID(),
    			Alias:                   pulumi.String("my-saml-idp"),
    			EntityId:                pulumi.String("https://domain.com/entity_id"),
    			SingleSignOnServiceUrl:  pulumi.String("https://domain.com/adfs/ls/"),
    			SingleLogoutServiceUrl:  pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
    			BackchannelSupported:    pulumi.Bool(true),
    			PostBindingResponse:     pulumi.Bool(true),
    			PostBindingLogout:       pulumi.Bool(true),
    			PostBindingAuthnRequest: pulumi.Bool(true),
    			StoreToken:              pulumi.Bool(false),
    			TrustEmail:              pulumi.Bool(true),
    			ForceAuthn:              pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Keycloak = Pulumi.Keycloak;
    
    return await Deployment.RunAsync(() => 
    {
        var realm = new Keycloak.Realm("realm", new()
        {
            RealmName = "my-realm",
            Enabled = true,
        });
    
        var realmSamlIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_saml_identity_provider", new()
        {
            Realm = realm.Id,
            Alias = "my-saml-idp",
            EntityId = "https://domain.com/entity_id",
            SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
            SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
            BackchannelSupported = true,
            PostBindingResponse = true,
            PostBindingLogout = true,
            PostBindingAuthnRequest = true,
            StoreToken = false,
            TrustEmail = true,
            ForceAuthn = true,
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.keycloak.Realm;
    import com.pulumi.keycloak.RealmArgs;
    import com.pulumi.keycloak.saml.IdentityProvider;
    import com.pulumi.keycloak.saml.IdentityProviderArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var realm = new Realm("realm", RealmArgs.builder()
                .realm("my-realm")
                .enabled(true)
                .build());
    
            var realmSamlIdentityProvider = new IdentityProvider("realmSamlIdentityProvider", IdentityProviderArgs.builder()
                .realm(realm.id())
                .alias("my-saml-idp")
                .entityId("https://domain.com/entity_id")
                .singleSignOnServiceUrl("https://domain.com/adfs/ls/")
                .singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
                .backchannelSupported(true)
                .postBindingResponse(true)
                .postBindingLogout(true)
                .postBindingAuthnRequest(true)
                .storeToken(false)
                .trustEmail(true)
                .forceAuthn(true)
                .build());
    
        }
    }
    
    resources:
      realm:
        type: keycloak:Realm
        properties:
          realm: my-realm
          enabled: true
      realmSamlIdentityProvider:
        type: keycloak:saml:IdentityProvider
        name: realm_saml_identity_provider
        properties:
          realm: ${realm.id}
          alias: my-saml-idp
          entityId: https://domain.com/entity_id
          singleSignOnServiceUrl: https://domain.com/adfs/ls/
          singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0
          backchannelSupported: true
          postBindingResponse: true
          postBindingLogout: true
          postBindingAuthnRequest: true
          storeToken: false
          trustEmail: true
          forceAuthn: true
    

    Create IdentityProvider Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
    @overload
    def IdentityProvider(resource_name: str,
                         args: IdentityProviderArgs,
                         opts: Optional[ResourceOptions] = None)
    
    @overload
    def IdentityProvider(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         entity_id: Optional[str] = None,
                         alias: Optional[str] = None,
                         single_sign_on_service_url: Optional[str] = None,
                         realm: Optional[str] = None,
                         post_binding_authn_request: Optional[bool] = None,
                         post_broker_login_flow_alias: Optional[str] = None,
                         backchannel_supported: Optional[bool] = None,
                         display_name: Optional[str] = None,
                         enabled: Optional[bool] = None,
                         authn_context_comparison_type: Optional[str] = None,
                         extra_config: Optional[Mapping[str, str]] = None,
                         first_broker_login_flow_alias: Optional[str] = None,
                         force_authn: Optional[bool] = None,
                         gui_order: Optional[str] = None,
                         hide_on_login_page: Optional[bool] = None,
                         link_only: Optional[bool] = None,
                         login_hint: Optional[str] = None,
                         name_id_policy_format: Optional[str] = None,
                         add_read_token_role_on_create: Optional[bool] = None,
                         post_binding_logout: Optional[bool] = None,
                         post_binding_response: Optional[bool] = None,
                         authn_context_decl_refs: Optional[Sequence[str]] = None,
                         principal_attribute: Optional[str] = None,
                         principal_type: Optional[str] = None,
                         provider_id: Optional[str] = None,
                         authn_context_class_refs: Optional[Sequence[str]] = None,
                         signature_algorithm: Optional[str] = None,
                         signing_certificate: Optional[str] = None,
                         single_logout_service_url: Optional[str] = None,
                         authenticate_by_default: Optional[bool] = None,
                         store_token: Optional[bool] = None,
                         sync_mode: Optional[str] = None,
                         trust_email: Optional[bool] = None,
                         validate_signature: Optional[bool] = None,
                         want_assertions_encrypted: Optional[bool] = None,
                         want_assertions_signed: Optional[bool] = None,
                         xml_sign_key_info_key_name_transformer: Optional[str] = None)
    func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
    public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
    public IdentityProvider(String name, IdentityProviderArgs args)
    public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)
    
    type: keycloak:saml:IdentityProvider
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var keycloakIdentityProviderResource = new Keycloak.Saml.IdentityProvider("keycloakIdentityProviderResource", new()
    {
        EntityId = "string",
        Alias = "string",
        SingleSignOnServiceUrl = "string",
        Realm = "string",
        PostBindingAuthnRequest = false,
        PostBrokerLoginFlowAlias = "string",
        BackchannelSupported = false,
        DisplayName = "string",
        Enabled = false,
        AuthnContextComparisonType = "string",
        ExtraConfig = 
        {
            { "string", "string" },
        },
        FirstBrokerLoginFlowAlias = "string",
        ForceAuthn = false,
        GuiOrder = "string",
        HideOnLoginPage = false,
        LinkOnly = false,
        LoginHint = "string",
        NameIdPolicyFormat = "string",
        AddReadTokenRoleOnCreate = false,
        PostBindingLogout = false,
        PostBindingResponse = false,
        AuthnContextDeclRefs = new[]
        {
            "string",
        },
        PrincipalAttribute = "string",
        PrincipalType = "string",
        ProviderId = "string",
        AuthnContextClassRefs = new[]
        {
            "string",
        },
        SignatureAlgorithm = "string",
        SigningCertificate = "string",
        SingleLogoutServiceUrl = "string",
        AuthenticateByDefault = false,
        StoreToken = false,
        SyncMode = "string",
        TrustEmail = false,
        ValidateSignature = false,
        WantAssertionsEncrypted = false,
        WantAssertionsSigned = false,
        XmlSignKeyInfoKeyNameTransformer = "string",
    });
    
    example, err := saml.NewIdentityProvider(ctx, "keycloakIdentityProviderResource", &saml.IdentityProviderArgs{
    	EntityId:                   pulumi.String("string"),
    	Alias:                      pulumi.String("string"),
    	SingleSignOnServiceUrl:     pulumi.String("string"),
    	Realm:                      pulumi.String("string"),
    	PostBindingAuthnRequest:    pulumi.Bool(false),
    	PostBrokerLoginFlowAlias:   pulumi.String("string"),
    	BackchannelSupported:       pulumi.Bool(false),
    	DisplayName:                pulumi.String("string"),
    	Enabled:                    pulumi.Bool(false),
    	AuthnContextComparisonType: pulumi.String("string"),
    	ExtraConfig: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	FirstBrokerLoginFlowAlias: pulumi.String("string"),
    	ForceAuthn:                pulumi.Bool(false),
    	GuiOrder:                  pulumi.String("string"),
    	HideOnLoginPage:           pulumi.Bool(false),
    	LinkOnly:                  pulumi.Bool(false),
    	LoginHint:                 pulumi.String("string"),
    	NameIdPolicyFormat:        pulumi.String("string"),
    	AddReadTokenRoleOnCreate:  pulumi.Bool(false),
    	PostBindingLogout:         pulumi.Bool(false),
    	PostBindingResponse:       pulumi.Bool(false),
    	AuthnContextDeclRefs: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	PrincipalAttribute: pulumi.String("string"),
    	PrincipalType:      pulumi.String("string"),
    	ProviderId:         pulumi.String("string"),
    	AuthnContextClassRefs: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	SignatureAlgorithm:               pulumi.String("string"),
    	SigningCertificate:               pulumi.String("string"),
    	SingleLogoutServiceUrl:           pulumi.String("string"),
    	AuthenticateByDefault:            pulumi.Bool(false),
    	StoreToken:                       pulumi.Bool(false),
    	SyncMode:                         pulumi.String("string"),
    	TrustEmail:                       pulumi.Bool(false),
    	ValidateSignature:                pulumi.Bool(false),
    	WantAssertionsEncrypted:          pulumi.Bool(false),
    	WantAssertionsSigned:             pulumi.Bool(false),
    	XmlSignKeyInfoKeyNameTransformer: pulumi.String("string"),
    })
    
    var keycloakIdentityProviderResource = new IdentityProvider("keycloakIdentityProviderResource", IdentityProviderArgs.builder()
        .entityId("string")
        .alias("string")
        .singleSignOnServiceUrl("string")
        .realm("string")
        .postBindingAuthnRequest(false)
        .postBrokerLoginFlowAlias("string")
        .backchannelSupported(false)
        .displayName("string")
        .enabled(false)
        .authnContextComparisonType("string")
        .extraConfig(Map.of("string", "string"))
        .firstBrokerLoginFlowAlias("string")
        .forceAuthn(false)
        .guiOrder("string")
        .hideOnLoginPage(false)
        .linkOnly(false)
        .loginHint("string")
        .nameIdPolicyFormat("string")
        .addReadTokenRoleOnCreate(false)
        .postBindingLogout(false)
        .postBindingResponse(false)
        .authnContextDeclRefs("string")
        .principalAttribute("string")
        .principalType("string")
        .providerId("string")
        .authnContextClassRefs("string")
        .signatureAlgorithm("string")
        .signingCertificate("string")
        .singleLogoutServiceUrl("string")
        .authenticateByDefault(false)
        .storeToken(false)
        .syncMode("string")
        .trustEmail(false)
        .validateSignature(false)
        .wantAssertionsEncrypted(false)
        .wantAssertionsSigned(false)
        .xmlSignKeyInfoKeyNameTransformer("string")
        .build());
    
    keycloak_identity_provider_resource = keycloak.saml.IdentityProvider("keycloakIdentityProviderResource",
        entity_id="string",
        alias="string",
        single_sign_on_service_url="string",
        realm="string",
        post_binding_authn_request=False,
        post_broker_login_flow_alias="string",
        backchannel_supported=False,
        display_name="string",
        enabled=False,
        authn_context_comparison_type="string",
        extra_config={
            "string": "string",
        },
        first_broker_login_flow_alias="string",
        force_authn=False,
        gui_order="string",
        hide_on_login_page=False,
        link_only=False,
        login_hint="string",
        name_id_policy_format="string",
        add_read_token_role_on_create=False,
        post_binding_logout=False,
        post_binding_response=False,
        authn_context_decl_refs=["string"],
        principal_attribute="string",
        principal_type="string",
        provider_id="string",
        authn_context_class_refs=["string"],
        signature_algorithm="string",
        signing_certificate="string",
        single_logout_service_url="string",
        authenticate_by_default=False,
        store_token=False,
        sync_mode="string",
        trust_email=False,
        validate_signature=False,
        want_assertions_encrypted=False,
        want_assertions_signed=False,
        xml_sign_key_info_key_name_transformer="string")
    
    const keycloakIdentityProviderResource = new keycloak.saml.IdentityProvider("keycloakIdentityProviderResource", {
        entityId: "string",
        alias: "string",
        singleSignOnServiceUrl: "string",
        realm: "string",
        postBindingAuthnRequest: false,
        postBrokerLoginFlowAlias: "string",
        backchannelSupported: false,
        displayName: "string",
        enabled: false,
        authnContextComparisonType: "string",
        extraConfig: {
            string: "string",
        },
        firstBrokerLoginFlowAlias: "string",
        forceAuthn: false,
        guiOrder: "string",
        hideOnLoginPage: false,
        linkOnly: false,
        loginHint: "string",
        nameIdPolicyFormat: "string",
        addReadTokenRoleOnCreate: false,
        postBindingLogout: false,
        postBindingResponse: false,
        authnContextDeclRefs: ["string"],
        principalAttribute: "string",
        principalType: "string",
        providerId: "string",
        authnContextClassRefs: ["string"],
        signatureAlgorithm: "string",
        signingCertificate: "string",
        singleLogoutServiceUrl: "string",
        authenticateByDefault: false,
        storeToken: false,
        syncMode: "string",
        trustEmail: false,
        validateSignature: false,
        wantAssertionsEncrypted: false,
        wantAssertionsSigned: false,
        xmlSignKeyInfoKeyNameTransformer: "string",
    });
    
    type: keycloak:saml:IdentityProvider
    properties:
        addReadTokenRoleOnCreate: false
        alias: string
        authenticateByDefault: false
        authnContextClassRefs:
            - string
        authnContextComparisonType: string
        authnContextDeclRefs:
            - string
        backchannelSupported: false
        displayName: string
        enabled: false
        entityId: string
        extraConfig:
            string: string
        firstBrokerLoginFlowAlias: string
        forceAuthn: false
        guiOrder: string
        hideOnLoginPage: false
        linkOnly: false
        loginHint: string
        nameIdPolicyFormat: string
        postBindingAuthnRequest: false
        postBindingLogout: false
        postBindingResponse: false
        postBrokerLoginFlowAlias: string
        principalAttribute: string
        principalType: string
        providerId: string
        realm: string
        signatureAlgorithm: string
        signingCertificate: string
        singleLogoutServiceUrl: string
        singleSignOnServiceUrl: string
        storeToken: false
        syncMode: string
        trustEmail: false
        validateSignature: false
        wantAssertionsEncrypted: false
        wantAssertionsSigned: false
        xmlSignKeyInfoKeyNameTransformer: string
    

    IdentityProvider Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The IdentityProvider resource accepts the following input properties:

    Alias string
    The unique name of identity provider.
    EntityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    Realm string
    The name of the realm. This is unique across Keycloak.
    SingleSignOnServiceUrl string
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    AuthenticateByDefault bool
    Authenticate users by default. Defaults to false.
    AuthnContextClassRefs List<string>
    Ordered list of requested AuthnContext ClassRefs.
    AuthnContextComparisonType string
    Specifies the comparison method used to evaluate the requested context classes or statements.
    AuthnContextDeclRefs List<string>
    Ordered list of requested AuthnContext DeclRefs.
    BackchannelSupported bool
    Does the external IDP support backchannel logout?. Defaults to false.
    DisplayName string
    The display name for the realm that is shown when logging in to the admin console.
    Enabled bool
    When false, users and clients will not be able to access this realm. Defaults to true.
    ExtraConfig Dictionary<string, string>
    FirstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    ForceAuthn bool
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    LinkOnly bool
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    LoginHint string
    Login Hint.
    NameIdPolicyFormat string
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    PostBindingAuthnRequest bool
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBindingLogout bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBindingResponse bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    PrincipalAttribute string
    The principal attribute.
    PrincipalType string
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    ProviderId string
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    SignatureAlgorithm string
    Signing Algorithm. Defaults to empty.
    SigningCertificate string
    Signing Certificate.
    SingleLogoutServiceUrl string
    The Url that must be used to send logout requests.
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    ValidateSignature bool
    Enable/disable signature validation of SAML responses.
    WantAssertionsEncrypted bool
    Indicates whether this service provider expects an encrypted Assertion.
    WantAssertionsSigned bool
    Indicates whether this service provider expects a signed Assertion.
    XmlSignKeyInfoKeyNameTransformer string
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
    Alias string
    The unique name of identity provider.
    EntityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    Realm string
    The name of the realm. This is unique across Keycloak.
    SingleSignOnServiceUrl string
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    AuthenticateByDefault bool
    Authenticate users by default. Defaults to false.
    AuthnContextClassRefs []string
    Ordered list of requested AuthnContext ClassRefs.
    AuthnContextComparisonType string
    Specifies the comparison method used to evaluate the requested context classes or statements.
    AuthnContextDeclRefs []string
    Ordered list of requested AuthnContext DeclRefs.
    BackchannelSupported bool
    Does the external IDP support backchannel logout?. Defaults to false.
    DisplayName string
    The display name for the realm that is shown when logging in to the admin console.
    Enabled bool
    When false, users and clients will not be able to access this realm. Defaults to true.
    ExtraConfig map[string]string
    FirstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    ForceAuthn bool
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    LinkOnly bool
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    LoginHint string
    Login Hint.
    NameIdPolicyFormat string
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    PostBindingAuthnRequest bool
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBindingLogout bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBindingResponse bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    PrincipalAttribute string
    The principal attribute.
    PrincipalType string
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    ProviderId string
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    SignatureAlgorithm string
    Signing Algorithm. Defaults to empty.
    SigningCertificate string
    Signing Certificate.
    SingleLogoutServiceUrl string
    The Url that must be used to send logout requests.
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    ValidateSignature bool
    Enable/disable signature validation of SAML responses.
    WantAssertionsEncrypted bool
    Indicates whether this service provider expects an encrypted Assertion.
    WantAssertionsSigned bool
    Indicates whether this service provider expects a signed Assertion.
    XmlSignKeyInfoKeyNameTransformer string
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
    alias String
    The unique name of identity provider.
    entityId String
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    realm String
    The name of the realm. This is unique across Keycloak.
    singleSignOnServiceUrl String
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticateByDefault Boolean
    Authenticate users by default. Defaults to false.
    authnContextClassRefs List<String>
    Ordered list of requested AuthnContext ClassRefs.
    authnContextComparisonType String
    Specifies the comparison method used to evaluate the requested context classes or statements.
    authnContextDeclRefs List<String>
    Ordered list of requested AuthnContext DeclRefs.
    backchannelSupported Boolean
    Does the external IDP support backchannel logout?. Defaults to false.
    displayName String
    The display name for the realm that is shown when logging in to the admin console.
    enabled Boolean
    When false, users and clients will not be able to access this realm. Defaults to true.
    extraConfig Map<String,String>
    firstBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    forceAuthn Boolean
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    linkOnly Boolean
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint String
    Login Hint.
    nameIdPolicyFormat String
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    postBindingAuthnRequest Boolean
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingLogout Boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingResponse Boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    principalAttribute String
    The principal attribute.
    principalType String
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    providerId String
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    signatureAlgorithm String
    Signing Algorithm. Defaults to empty.
    signingCertificate String
    Signing Certificate.
    singleLogoutServiceUrl String
    The Url that must be used to send logout requests.
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    validateSignature Boolean
    Enable/disable signature validation of SAML responses.
    wantAssertionsEncrypted Boolean
    Indicates whether this service provider expects an encrypted Assertion.
    wantAssertionsSigned Boolean
    Indicates whether this service provider expects a signed Assertion.
    xmlSignKeyInfoKeyNameTransformer String
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
    alias string
    The unique name of identity provider.
    entityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    realm string
    The name of the realm. This is unique across Keycloak.
    singleSignOnServiceUrl string
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    addReadTokenRoleOnCreate boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticateByDefault boolean
    Authenticate users by default. Defaults to false.
    authnContextClassRefs string[]
    Ordered list of requested AuthnContext ClassRefs.
    authnContextComparisonType string
    Specifies the comparison method used to evaluate the requested context classes or statements.
    authnContextDeclRefs string[]
    Ordered list of requested AuthnContext DeclRefs.
    backchannelSupported boolean
    Does the external IDP support backchannel logout?. Defaults to false.
    displayName string
    The display name for the realm that is shown when logging in to the admin console.
    enabled boolean
    When false, users and clients will not be able to access this realm. Defaults to true.
    extraConfig {[key: string]: string}
    firstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    forceAuthn boolean
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    guiOrder string
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage boolean
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    linkOnly boolean
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint string
    Login Hint.
    nameIdPolicyFormat string
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    postBindingAuthnRequest boolean
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingLogout boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingResponse boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    principalAttribute string
    The principal attribute.
    principalType string
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    providerId string
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    signatureAlgorithm string
    Signing Algorithm. Defaults to empty.
    signingCertificate string
    Signing Certificate.
    singleLogoutServiceUrl string
    The Url that must be used to send logout requests.
    storeToken boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trustEmail boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    validateSignature boolean
    Enable/disable signature validation of SAML responses.
    wantAssertionsEncrypted boolean
    Indicates whether this service provider expects an encrypted Assertion.
    wantAssertionsSigned boolean
    Indicates whether this service provider expects a signed Assertion.
    xmlSignKeyInfoKeyNameTransformer string
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
    alias str
    The unique name of identity provider.
    entity_id str
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    realm str
    The name of the realm. This is unique across Keycloak.
    single_sign_on_service_url str
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    add_read_token_role_on_create bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticate_by_default bool
    Authenticate users by default. Defaults to false.
    authn_context_class_refs Sequence[str]
    Ordered list of requested AuthnContext ClassRefs.
    authn_context_comparison_type str
    Specifies the comparison method used to evaluate the requested context classes or statements.
    authn_context_decl_refs Sequence[str]
    Ordered list of requested AuthnContext DeclRefs.
    backchannel_supported bool
    Does the external IDP support backchannel logout?. Defaults to false.
    display_name str
    The display name for the realm that is shown when logging in to the admin console.
    enabled bool
    When false, users and clients will not be able to access this realm. Defaults to true.
    extra_config Mapping[str, str]
    first_broker_login_flow_alias str
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    force_authn bool
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    gui_order str
    A number defining the order of this identity provider in the GUI.
    hide_on_login_page bool
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    link_only bool
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    login_hint str
    Login Hint.
    name_id_policy_format str
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    post_binding_authn_request bool
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    post_binding_logout bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    post_binding_response bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    post_broker_login_flow_alias str
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    principal_attribute str
    The principal attribute.
    principal_type str
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    provider_id str
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    signature_algorithm str
    Signing Algorithm. Defaults to empty.
    signing_certificate str
    Signing Certificate.
    single_logout_service_url str
    The Url that must be used to send logout requests.
    store_token bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    sync_mode str
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trust_email bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    validate_signature bool
    Enable/disable signature validation of SAML responses.
    want_assertions_encrypted bool
    Indicates whether this service provider expects an encrypted Assertion.
    want_assertions_signed bool
    Indicates whether this service provider expects a signed Assertion.
    xml_sign_key_info_key_name_transformer str
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
    alias String
    The unique name of identity provider.
    entityId String
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    realm String
    The name of the realm. This is unique across Keycloak.
    singleSignOnServiceUrl String
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    authenticateByDefault Boolean
    Authenticate users by default. Defaults to false.
    authnContextClassRefs List<String>
    Ordered list of requested AuthnContext ClassRefs.
    authnContextComparisonType String
    Specifies the comparison method used to evaluate the requested context classes or statements.
    authnContextDeclRefs List<String>
    Ordered list of requested AuthnContext DeclRefs.
    backchannelSupported Boolean
    Does the external IDP support backchannel logout?. Defaults to false.
    displayName String
    The display name for the realm that is shown when logging in to the admin console.
    enabled Boolean
    When false, users and clients will not be able to access this realm. Defaults to true.
    extraConfig Map<String>
    firstBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    forceAuthn Boolean
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    linkOnly Boolean
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint String
    Login Hint.
    nameIdPolicyFormat String
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    postBindingAuthnRequest Boolean
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingLogout Boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingResponse Boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    principalAttribute String
    The principal attribute.
    principalType String
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    providerId String
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    signatureAlgorithm String
    Signing Algorithm. Defaults to empty.
    signingCertificate String
    Signing Certificate.
    singleLogoutServiceUrl String
    The Url that must be used to send logout requests.
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    validateSignature Boolean
    Enable/disable signature validation of SAML responses.
    wantAssertionsEncrypted Boolean
    Indicates whether this service provider expects an encrypted Assertion.
    wantAssertionsSigned Boolean
    Indicates whether this service provider expects a signed Assertion.
    xmlSignKeyInfoKeyNameTransformer String
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    InternalId string
    Internal Identity Provider Id
    Id string
    The provider-assigned unique ID for this managed resource.
    InternalId string
    Internal Identity Provider Id
    id String
    The provider-assigned unique ID for this managed resource.
    internalId String
    Internal Identity Provider Id
    id string
    The provider-assigned unique ID for this managed resource.
    internalId string
    Internal Identity Provider Id
    id str
    The provider-assigned unique ID for this managed resource.
    internal_id str
    Internal Identity Provider Id
    id String
    The provider-assigned unique ID for this managed resource.
    internalId String
    Internal Identity Provider Id

    Look up Existing IdentityProvider Resource

    Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            add_read_token_role_on_create: Optional[bool] = None,
            alias: Optional[str] = None,
            authenticate_by_default: Optional[bool] = None,
            authn_context_class_refs: Optional[Sequence[str]] = None,
            authn_context_comparison_type: Optional[str] = None,
            authn_context_decl_refs: Optional[Sequence[str]] = None,
            backchannel_supported: Optional[bool] = None,
            display_name: Optional[str] = None,
            enabled: Optional[bool] = None,
            entity_id: Optional[str] = None,
            extra_config: Optional[Mapping[str, str]] = None,
            first_broker_login_flow_alias: Optional[str] = None,
            force_authn: Optional[bool] = None,
            gui_order: Optional[str] = None,
            hide_on_login_page: Optional[bool] = None,
            internal_id: Optional[str] = None,
            link_only: Optional[bool] = None,
            login_hint: Optional[str] = None,
            name_id_policy_format: Optional[str] = None,
            post_binding_authn_request: Optional[bool] = None,
            post_binding_logout: Optional[bool] = None,
            post_binding_response: Optional[bool] = None,
            post_broker_login_flow_alias: Optional[str] = None,
            principal_attribute: Optional[str] = None,
            principal_type: Optional[str] = None,
            provider_id: Optional[str] = None,
            realm: Optional[str] = None,
            signature_algorithm: Optional[str] = None,
            signing_certificate: Optional[str] = None,
            single_logout_service_url: Optional[str] = None,
            single_sign_on_service_url: Optional[str] = None,
            store_token: Optional[bool] = None,
            sync_mode: Optional[str] = None,
            trust_email: Optional[bool] = None,
            validate_signature: Optional[bool] = None,
            want_assertions_encrypted: Optional[bool] = None,
            want_assertions_signed: Optional[bool] = None,
            xml_sign_key_info_key_name_transformer: Optional[str] = None) -> IdentityProvider
    func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
    public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
    public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)
    resources:  _:    type: keycloak:saml:IdentityProvider    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    Alias string
    The unique name of identity provider.
    AuthenticateByDefault bool
    Authenticate users by default. Defaults to false.
    AuthnContextClassRefs List<string>
    Ordered list of requested AuthnContext ClassRefs.
    AuthnContextComparisonType string
    Specifies the comparison method used to evaluate the requested context classes or statements.
    AuthnContextDeclRefs List<string>
    Ordered list of requested AuthnContext DeclRefs.
    BackchannelSupported bool
    Does the external IDP support backchannel logout?. Defaults to false.
    DisplayName string
    The display name for the realm that is shown when logging in to the admin console.
    Enabled bool
    When false, users and clients will not be able to access this realm. Defaults to true.
    EntityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    ExtraConfig Dictionary<string, string>
    FirstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    ForceAuthn bool
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    InternalId string
    Internal Identity Provider Id
    LinkOnly bool
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    LoginHint string
    Login Hint.
    NameIdPolicyFormat string
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    PostBindingAuthnRequest bool
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBindingLogout bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBindingResponse bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    PrincipalAttribute string
    The principal attribute.
    PrincipalType string
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    ProviderId string
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    Realm string
    The name of the realm. This is unique across Keycloak.
    SignatureAlgorithm string
    Signing Algorithm. Defaults to empty.
    SigningCertificate string
    Signing Certificate.
    SingleLogoutServiceUrl string
    The Url that must be used to send logout requests.
    SingleSignOnServiceUrl string
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    ValidateSignature bool
    Enable/disable signature validation of SAML responses.
    WantAssertionsEncrypted bool
    Indicates whether this service provider expects an encrypted Assertion.
    WantAssertionsSigned bool
    Indicates whether this service provider expects a signed Assertion.
    XmlSignKeyInfoKeyNameTransformer string
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
    AddReadTokenRoleOnCreate bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    Alias string
    The unique name of identity provider.
    AuthenticateByDefault bool
    Authenticate users by default. Defaults to false.
    AuthnContextClassRefs []string
    Ordered list of requested AuthnContext ClassRefs.
    AuthnContextComparisonType string
    Specifies the comparison method used to evaluate the requested context classes or statements.
    AuthnContextDeclRefs []string
    Ordered list of requested AuthnContext DeclRefs.
    BackchannelSupported bool
    Does the external IDP support backchannel logout?. Defaults to false.
    DisplayName string
    The display name for the realm that is shown when logging in to the admin console.
    Enabled bool
    When false, users and clients will not be able to access this realm. Defaults to true.
    EntityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    ExtraConfig map[string]string
    FirstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    ForceAuthn bool
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    GuiOrder string
    A number defining the order of this identity provider in the GUI.
    HideOnLoginPage bool
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    InternalId string
    Internal Identity Provider Id
    LinkOnly bool
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    LoginHint string
    Login Hint.
    NameIdPolicyFormat string
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    PostBindingAuthnRequest bool
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBindingLogout bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBindingResponse bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    PostBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    PrincipalAttribute string
    The principal attribute.
    PrincipalType string
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    ProviderId string
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    Realm string
    The name of the realm. This is unique across Keycloak.
    SignatureAlgorithm string
    Signing Algorithm. Defaults to empty.
    SigningCertificate string
    Signing Certificate.
    SingleLogoutServiceUrl string
    The Url that must be used to send logout requests.
    SingleSignOnServiceUrl string
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    StoreToken bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    SyncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    TrustEmail bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    ValidateSignature bool
    Enable/disable signature validation of SAML responses.
    WantAssertionsEncrypted bool
    Indicates whether this service provider expects an encrypted Assertion.
    WantAssertionsSigned bool
    Indicates whether this service provider expects a signed Assertion.
    XmlSignKeyInfoKeyNameTransformer string
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias String
    The unique name of identity provider.
    authenticateByDefault Boolean
    Authenticate users by default. Defaults to false.
    authnContextClassRefs List<String>
    Ordered list of requested AuthnContext ClassRefs.
    authnContextComparisonType String
    Specifies the comparison method used to evaluate the requested context classes or statements.
    authnContextDeclRefs List<String>
    Ordered list of requested AuthnContext DeclRefs.
    backchannelSupported Boolean
    Does the external IDP support backchannel logout?. Defaults to false.
    displayName String
    The display name for the realm that is shown when logging in to the admin console.
    enabled Boolean
    When false, users and clients will not be able to access this realm. Defaults to true.
    entityId String
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    extraConfig Map<String,String>
    firstBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    forceAuthn Boolean
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    internalId String
    Internal Identity Provider Id
    linkOnly Boolean
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint String
    Login Hint.
    nameIdPolicyFormat String
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    postBindingAuthnRequest Boolean
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingLogout Boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingResponse Boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    principalAttribute String
    The principal attribute.
    principalType String
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    providerId String
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    realm String
    The name of the realm. This is unique across Keycloak.
    signatureAlgorithm String
    Signing Algorithm. Defaults to empty.
    signingCertificate String
    Signing Certificate.
    singleLogoutServiceUrl String
    The Url that must be used to send logout requests.
    singleSignOnServiceUrl String
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    validateSignature Boolean
    Enable/disable signature validation of SAML responses.
    wantAssertionsEncrypted Boolean
    Indicates whether this service provider expects an encrypted Assertion.
    wantAssertionsSigned Boolean
    Indicates whether this service provider expects a signed Assertion.
    xmlSignKeyInfoKeyNameTransformer String
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
    addReadTokenRoleOnCreate boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias string
    The unique name of identity provider.
    authenticateByDefault boolean
    Authenticate users by default. Defaults to false.
    authnContextClassRefs string[]
    Ordered list of requested AuthnContext ClassRefs.
    authnContextComparisonType string
    Specifies the comparison method used to evaluate the requested context classes or statements.
    authnContextDeclRefs string[]
    Ordered list of requested AuthnContext DeclRefs.
    backchannelSupported boolean
    Does the external IDP support backchannel logout?. Defaults to false.
    displayName string
    The display name for the realm that is shown when logging in to the admin console.
    enabled boolean
    When false, users and clients will not be able to access this realm. Defaults to true.
    entityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    extraConfig {[key: string]: string}
    firstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    forceAuthn boolean
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    guiOrder string
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage boolean
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    internalId string
    Internal Identity Provider Id
    linkOnly boolean
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint string
    Login Hint.
    nameIdPolicyFormat string
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    postBindingAuthnRequest boolean
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingLogout boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingResponse boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    principalAttribute string
    The principal attribute.
    principalType string
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    providerId string
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    realm string
    The name of the realm. This is unique across Keycloak.
    signatureAlgorithm string
    Signing Algorithm. Defaults to empty.
    signingCertificate string
    Signing Certificate.
    singleLogoutServiceUrl string
    The Url that must be used to send logout requests.
    singleSignOnServiceUrl string
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    storeToken boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode string
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trustEmail boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    validateSignature boolean
    Enable/disable signature validation of SAML responses.
    wantAssertionsEncrypted boolean
    Indicates whether this service provider expects an encrypted Assertion.
    wantAssertionsSigned boolean
    Indicates whether this service provider expects a signed Assertion.
    xmlSignKeyInfoKeyNameTransformer string
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
    add_read_token_role_on_create bool
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias str
    The unique name of identity provider.
    authenticate_by_default bool
    Authenticate users by default. Defaults to false.
    authn_context_class_refs Sequence[str]
    Ordered list of requested AuthnContext ClassRefs.
    authn_context_comparison_type str
    Specifies the comparison method used to evaluate the requested context classes or statements.
    authn_context_decl_refs Sequence[str]
    Ordered list of requested AuthnContext DeclRefs.
    backchannel_supported bool
    Does the external IDP support backchannel logout?. Defaults to false.
    display_name str
    The display name for the realm that is shown when logging in to the admin console.
    enabled bool
    When false, users and clients will not be able to access this realm. Defaults to true.
    entity_id str
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    extra_config Mapping[str, str]
    first_broker_login_flow_alias str
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    force_authn bool
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    gui_order str
    A number defining the order of this identity provider in the GUI.
    hide_on_login_page bool
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    internal_id str
    Internal Identity Provider Id
    link_only bool
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    login_hint str
    Login Hint.
    name_id_policy_format str
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    post_binding_authn_request bool
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    post_binding_logout bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    post_binding_response bool
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    post_broker_login_flow_alias str
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    principal_attribute str
    The principal attribute.
    principal_type str
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    provider_id str
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    realm str
    The name of the realm. This is unique across Keycloak.
    signature_algorithm str
    Signing Algorithm. Defaults to empty.
    signing_certificate str
    Signing Certificate.
    single_logout_service_url str
    The Url that must be used to send logout requests.
    single_sign_on_service_url str
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    store_token bool
    When true, tokens will be stored after authenticating users. Defaults to true.
    sync_mode str
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trust_email bool
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    validate_signature bool
    Enable/disable signature validation of SAML responses.
    want_assertions_encrypted bool
    Indicates whether this service provider expects an encrypted Assertion.
    want_assertions_signed bool
    Indicates whether this service provider expects a signed Assertion.
    xml_sign_key_info_key_name_transformer str
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
    addReadTokenRoleOnCreate Boolean
    When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
    alias String
    The unique name of identity provider.
    authenticateByDefault Boolean
    Authenticate users by default. Defaults to false.
    authnContextClassRefs List<String>
    Ordered list of requested AuthnContext ClassRefs.
    authnContextComparisonType String
    Specifies the comparison method used to evaluate the requested context classes or statements.
    authnContextDeclRefs List<String>
    Ordered list of requested AuthnContext DeclRefs.
    backchannelSupported Boolean
    Does the external IDP support backchannel logout?. Defaults to false.
    displayName String
    The display name for the realm that is shown when logging in to the admin console.
    enabled Boolean
    When false, users and clients will not be able to access this realm. Defaults to true.
    entityId String
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    extraConfig Map<String>
    firstBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    forceAuthn Boolean
    Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    guiOrder String
    A number defining the order of this identity provider in the GUI.
    hideOnLoginPage Boolean
    If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
    internalId String
    Internal Identity Provider Id
    linkOnly Boolean
    When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
    loginHint String
    Login Hint.
    nameIdPolicyFormat String
    Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    postBindingAuthnRequest Boolean
    Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingLogout Boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBindingResponse Boolean
    Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    postBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    principalAttribute String
    The principal attribute.
    principalType String
    The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
    providerId String
    The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
    realm String
    The name of the realm. This is unique across Keycloak.
    signatureAlgorithm String
    Signing Algorithm. Defaults to empty.
    signingCertificate String
    Signing Certificate.
    singleLogoutServiceUrl String
    The Url that must be used to send logout requests.
    singleSignOnServiceUrl String
    The Url that must be used to send authentication requests (SAML AuthnRequest).
    storeToken Boolean
    When true, tokens will be stored after authenticating users. Defaults to true.
    syncMode String
    The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
    trustEmail Boolean
    When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
    validateSignature Boolean
    Enable/disable signature validation of SAML responses.
    wantAssertionsEncrypted Boolean
    Indicates whether this service provider expects an encrypted Assertion.
    wantAssertionsSigned Boolean
    Indicates whether this service provider expects a signed Assertion.
    xmlSignKeyInfoKeyNameTransformer String
    The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

    Import

    Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias.

    Example:

    bash

    $ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the keycloak Terraform Provider.
    keycloak logo
    Keycloak v6.1.0 published on Friday, Jan 17, 2025 by Pulumi