keycloak.saml.IdentityProvider
Allows for creating and managing SAML Identity Providers within Keycloak.
SAML (Security Assertion Markup Language) identity providers allow users to authenticate through a third-party system using the SAML protocol.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});

// Settings for the SAML identity provider; the endpoint values are
// illustrative only.
// NOTE(review): neither validateSignature nor signingCertificate is set in
// this example, so nothing here pins the IdP's signing key. A production
// configuration should enable signature validation with the IdP's
// certificate (and consider wantAssertionsSigned as well).
const samlIdpArgs: keycloak.saml.IdentityProviderArgs = {
    realm: realm.id,
    alias: "my-saml-idp",
    entityId: "https://domain.com/entity_id",
    singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
    singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
    backchannelSupported: true,
    // Use the HTTP-POST binding for responses, logout and AuthnRequests
    // (otherwise HTTP-REDIRECT is used).
    postBindingResponse: true,
    postBindingLogout: true,
    postBindingAuthnRequest: true,
    // Do not keep the IdP's tokens after the user has authenticated.
    storeToken: false,
    // Email addresses asserted by this IdP count as verified, regardless of
    // the realm's email verification policy.
    trustEmail: true,
    // Require the IdP to authenticate the user directly rather than reuse a
    // previous security context.
    forceAuthn: true,
};
const realmSamlIdentityProvider = new keycloak.saml.IdentityProvider("realm_saml_identity_provider", samlIdpArgs);
import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm(
    "realm",
    realm="my-realm",
    enabled=True,
)

# Settings for the SAML identity provider; the endpoint values are
# illustrative only.
# NOTE(review): neither validate_signature nor signing_certificate is set in
# this example, so nothing here pins the IdP's signing key. A production
# configuration should enable signature validation with the IdP's
# certificate (and consider want_assertions_signed as well).
saml_idp_settings = {
    "alias": "my-saml-idp",
    "entity_id": "https://domain.com/entity_id",
    "single_sign_on_service_url": "https://domain.com/adfs/ls/",
    "single_logout_service_url": "https://domain.com/adfs/ls/?wa=wsignout1.0",
    "backchannel_supported": True,
    # Use the HTTP-POST binding for responses, logout and AuthnRequests
    # (otherwise HTTP-REDIRECT is used).
    "post_binding_response": True,
    "post_binding_logout": True,
    "post_binding_authn_request": True,
    # Do not keep the IdP's tokens after the user has authenticated.
    "store_token": False,
    # Email addresses asserted by this IdP count as verified, regardless of
    # the realm's email verification policy.
    "trust_email": True,
    # Require the IdP to authenticate the user directly rather than reuse a
    # previous security context.
    "force_authn": True,
}
realm_saml_identity_provider = keycloak.saml.IdentityProvider(
    "realm_saml_identity_provider",
    realm=realm.id,
    **saml_idp_settings,
)
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/saml"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}

		// Settings for the SAML identity provider; the endpoint values are
		// illustrative only.
		// NOTE(review): neither ValidateSignature nor SigningCertificate is
		// set in this example, so nothing here pins the IdP's signing key. A
		// production configuration should enable signature validation with
		// the IdP's certificate (and consider WantAssertionsSigned as well).
		idpArgs := &saml.IdentityProviderArgs{
			Realm:                  realm.ID(),
			Alias:                  pulumi.String("my-saml-idp"),
			EntityId:               pulumi.String("https://domain.com/entity_id"),
			SingleSignOnServiceUrl: pulumi.String("https://domain.com/adfs/ls/"),
			SingleLogoutServiceUrl: pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
			BackchannelSupported:   pulumi.Bool(true),
			// Use the HTTP-POST binding for responses, logout and
			// AuthnRequests (otherwise HTTP-REDIRECT is used).
			PostBindingResponse:     pulumi.Bool(true),
			PostBindingLogout:       pulumi.Bool(true),
			PostBindingAuthnRequest: pulumi.Bool(true),
			// Do not keep the IdP's tokens after the user has authenticated.
			StoreToken: pulumi.Bool(false),
			// Email addresses asserted by this IdP count as verified,
			// regardless of the realm's email verification policy.
			TrustEmail: pulumi.Bool(true),
			// Require the IdP to authenticate the user directly rather than
			// reuse a previous security context.
			ForceAuthn: pulumi.Bool(true),
		}
		if _, err := saml.NewIdentityProvider(ctx, "realm_saml_identity_provider", idpArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    // Settings for the SAML identity provider; the endpoint values are
    // illustrative only.
    // NOTE(review): neither ValidateSignature nor SigningCertificate is set
    // in this example, so nothing here pins the IdP's signing key. A
    // production configuration should enable signature validation with the
    // IdP's certificate (and consider WantAssertionsSigned as well).
    var samlIdpArgs = new Keycloak.Saml.IdentityProviderArgs
    {
        Realm = realm.Id,
        Alias = "my-saml-idp",
        EntityId = "https://domain.com/entity_id",
        SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
        SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
        BackchannelSupported = true,
        // Use the HTTP-POST binding for responses, logout and AuthnRequests
        // (otherwise HTTP-REDIRECT is used).
        PostBindingResponse = true,
        PostBindingLogout = true,
        PostBindingAuthnRequest = true,
        // Do not keep the IdP's tokens after the user has authenticated.
        StoreToken = false,
        // Email addresses asserted by this IdP count as verified, regardless
        // of the realm's email verification policy.
        TrustEmail = true,
        // Require the IdP to authenticate the user directly rather than reuse
        // a previous security context.
        ForceAuthn = true,
    };
    var realmSamlIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_saml_identity_provider", samlIdpArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.saml.IdentityProvider;
import com.pulumi.keycloak.saml.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        // Settings for the SAML identity provider; the endpoint values are
        // illustrative only.
        // NOTE(review): neither validateSignature nor signingCertificate is
        // set in this example, so nothing here pins the IdP's signing key. A
        // production configuration should enable signature validation with
        // the IdP's certificate (and consider wantAssertionsSigned as well).
        var samlIdpArgs = IdentityProviderArgs.builder()
            .realm(realm.id())
            .alias("my-saml-idp")
            .entityId("https://domain.com/entity_id")
            .singleSignOnServiceUrl("https://domain.com/adfs/ls/")
            .singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
            .backchannelSupported(true)
            // Use the HTTP-POST binding for responses, logout and
            // AuthnRequests (otherwise HTTP-REDIRECT is used).
            .postBindingResponse(true)
            .postBindingLogout(true)
            .postBindingAuthnRequest(true)
            // Do not keep the IdP's tokens after the user has authenticated.
            .storeToken(false)
            // Email addresses asserted by this IdP count as verified,
            // regardless of the realm's email verification policy.
            .trustEmail(true)
            // Require the IdP to authenticate the user directly rather than
            // reuse a previous security context.
            .forceAuthn(true)
            .build();
        var realmSamlIdentityProvider = new IdentityProvider("realmSamlIdentityProvider", samlIdpArgs);
    }
}
resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  # SAML identity provider for the realm above; the endpoint values are
  # illustrative only.
  # NOTE(review): neither validateSignature nor signingCertificate is set in
  # this example, so nothing here pins the IdP's signing key. A production
  # configuration should enable signature validation with the IdP's
  # certificate (and consider wantAssertionsSigned as well).
  realmSamlIdentityProvider:
    type: keycloak:saml:IdentityProvider
    name: realm_saml_identity_provider
    properties:
      realm: ${realm.id}
      alias: my-saml-idp
      entityId: https://domain.com/entity_id
      singleSignOnServiceUrl: https://domain.com/adfs/ls/
      singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0
      backchannelSupported: true
      # HTTP-POST binding for responses, logout and AuthnRequests
      # (otherwise HTTP-REDIRECT is used).
      postBindingResponse: true
      postBindingLogout: true
      postBindingAuthnRequest: true
      # Do not keep the IdP's tokens after the user has authenticated.
      storeToken: false
      # Email addresses asserted by this IdP count as verified, regardless
      # of the realm's email verification policy.
      trustEmail: true
      # Require the IdP to authenticate the user directly rather than reuse
      # a previous security context.
      forceAuthn: true
Create IdentityProvider Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
@overload
def IdentityProvider(resource_name: str,
args: IdentityProviderArgs,
opts: Optional[ResourceOptions] = None)
@overload
def IdentityProvider(resource_name: str,
opts: Optional[ResourceOptions] = None,
entity_id: Optional[str] = None,
alias: Optional[str] = None,
single_sign_on_service_url: Optional[str] = None,
realm: Optional[str] = None,
post_binding_authn_request: Optional[bool] = None,
post_broker_login_flow_alias: Optional[str] = None,
backchannel_supported: Optional[bool] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
authn_context_comparison_type: Optional[str] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
force_authn: Optional[bool] = None,
gui_order: Optional[str] = None,
hide_on_login_page: Optional[bool] = None,
link_only: Optional[bool] = None,
login_hint: Optional[str] = None,
name_id_policy_format: Optional[str] = None,
add_read_token_role_on_create: Optional[bool] = None,
post_binding_logout: Optional[bool] = None,
post_binding_response: Optional[bool] = None,
authn_context_decl_refs: Optional[Sequence[str]] = None,
principal_attribute: Optional[str] = None,
principal_type: Optional[str] = None,
provider_id: Optional[str] = None,
authn_context_class_refs: Optional[Sequence[str]] = None,
signature_algorithm: Optional[str] = None,
signing_certificate: Optional[str] = None,
single_logout_service_url: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
trust_email: Optional[bool] = None,
validate_signature: Optional[bool] = None,
want_assertions_encrypted: Optional[bool] = None,
want_assertions_signed: Optional[bool] = None,
xml_sign_key_info_key_name_transformer: Optional[str] = None)
func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
public IdentityProvider(String name, IdentityProviderArgs args)
public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)
type: keycloak:saml:IdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference form only: every input property carries a placeholder value, so
// this is not a runnable configuration. Among these inputs, ValidateSignature,
// SigningCertificate, WantAssertionsSigned and WantAssertionsEncrypted are the
// ones that control how SAML responses and assertions from the IdP are
// checked; see the property descriptions below.
var keycloakIdentityProviderResource = new Keycloak.Saml.IdentityProvider("keycloakIdentityProviderResource", new()
{
    EntityId = "string",
    Alias = "string",
    SingleSignOnServiceUrl = "string",
    Realm = "string",
    PostBindingAuthnRequest = false,
    PostBrokerLoginFlowAlias = "string",
    BackchannelSupported = false,
    DisplayName = "string",
    Enabled = false,
    AuthnContextComparisonType = "string",
    ExtraConfig =
    {
        { "string", "string" },
    },
    FirstBrokerLoginFlowAlias = "string",
    ForceAuthn = false,
    GuiOrder = "string",
    HideOnLoginPage = false,
    LinkOnly = false,
    LoginHint = "string",
    NameIdPolicyFormat = "string",
    AddReadTokenRoleOnCreate = false,
    PostBindingLogout = false,
    PostBindingResponse = false,
    AuthnContextDeclRefs = new[]
    {
        "string",
    },
    PrincipalAttribute = "string",
    PrincipalType = "string",
    ProviderId = "string",
    AuthnContextClassRefs = new[]
    {
        "string",
    },
    SignatureAlgorithm = "string",
    SigningCertificate = "string",
    SingleLogoutServiceUrl = "string",
    AuthenticateByDefault = false,
    StoreToken = false,
    SyncMode = "string",
    TrustEmail = false,
    ValidateSignature = false,
    WantAssertionsEncrypted = false,
    WantAssertionsSigned = false,
    XmlSignKeyInfoKeyNameTransformer = "string",
});
// Reference form only: every input property carries a placeholder value, so
// this is not a runnable configuration. Among these inputs, ValidateSignature,
// SigningCertificate, WantAssertionsSigned and WantAssertionsEncrypted are the
// ones that control how SAML responses and assertions from the IdP are
// checked; see the property descriptions below.
example, err := saml.NewIdentityProvider(ctx, "keycloakIdentityProviderResource", &saml.IdentityProviderArgs{
	EntityId:                   pulumi.String("string"),
	Alias:                      pulumi.String("string"),
	SingleSignOnServiceUrl:     pulumi.String("string"),
	Realm:                      pulumi.String("string"),
	PostBindingAuthnRequest:    pulumi.Bool(false),
	PostBrokerLoginFlowAlias:   pulumi.String("string"),
	BackchannelSupported:       pulumi.Bool(false),
	DisplayName:                pulumi.String("string"),
	Enabled:                    pulumi.Bool(false),
	AuthnContextComparisonType: pulumi.String("string"),
	ExtraConfig: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	FirstBrokerLoginFlowAlias: pulumi.String("string"),
	ForceAuthn:                pulumi.Bool(false),
	GuiOrder:                  pulumi.String("string"),
	HideOnLoginPage:           pulumi.Bool(false),
	LinkOnly:                  pulumi.Bool(false),
	LoginHint:                 pulumi.String("string"),
	NameIdPolicyFormat:        pulumi.String("string"),
	AddReadTokenRoleOnCreate:  pulumi.Bool(false),
	PostBindingLogout:         pulumi.Bool(false),
	PostBindingResponse:       pulumi.Bool(false),
	AuthnContextDeclRefs: pulumi.StringArray{
		pulumi.String("string"),
	},
	PrincipalAttribute: pulumi.String("string"),
	PrincipalType:      pulumi.String("string"),
	ProviderId:         pulumi.String("string"),
	AuthnContextClassRefs: pulumi.StringArray{
		pulumi.String("string"),
	},
	SignatureAlgorithm:               pulumi.String("string"),
	SigningCertificate:               pulumi.String("string"),
	SingleLogoutServiceUrl:           pulumi.String("string"),
	AuthenticateByDefault:            pulumi.Bool(false),
	StoreToken:                       pulumi.Bool(false),
	SyncMode:                         pulumi.String("string"),
	TrustEmail:                       pulumi.Bool(false),
	ValidateSignature:                pulumi.Bool(false),
	WantAssertionsEncrypted:          pulumi.Bool(false),
	WantAssertionsSigned:             pulumi.Bool(false),
	XmlSignKeyInfoKeyNameTransformer: pulumi.String("string"),
})
// Reference form only: every input property carries a placeholder value, so
// this is not a runnable configuration. Among these inputs, validateSignature,
// signingCertificate, wantAssertionsSigned and wantAssertionsEncrypted are the
// ones that control how SAML responses and assertions from the IdP are
// checked; see the property descriptions below.
var keycloakIdentityProviderResource = new IdentityProvider("keycloakIdentityProviderResource", IdentityProviderArgs.builder()
    .entityId("string")
    .alias("string")
    .singleSignOnServiceUrl("string")
    .realm("string")
    .postBindingAuthnRequest(false)
    .postBrokerLoginFlowAlias("string")
    .backchannelSupported(false)
    .displayName("string")
    .enabled(false)
    .authnContextComparisonType("string")
    .extraConfig(Map.of("string", "string"))
    .firstBrokerLoginFlowAlias("string")
    .forceAuthn(false)
    .guiOrder("string")
    .hideOnLoginPage(false)
    .linkOnly(false)
    .loginHint("string")
    .nameIdPolicyFormat("string")
    .addReadTokenRoleOnCreate(false)
    .postBindingLogout(false)
    .postBindingResponse(false)
    .authnContextDeclRefs("string")
    .principalAttribute("string")
    .principalType("string")
    .providerId("string")
    .authnContextClassRefs("string")
    .signatureAlgorithm("string")
    .signingCertificate("string")
    .singleLogoutServiceUrl("string")
    .authenticateByDefault(false)
    .storeToken(false)
    .syncMode("string")
    .trustEmail(false)
    .validateSignature(false)
    .wantAssertionsEncrypted(false)
    .wantAssertionsSigned(false)
    .xmlSignKeyInfoKeyNameTransformer("string")
    .build());
# Reference form only: every input property carries a placeholder value, so
# this is not a runnable configuration. Among these inputs, validate_signature,
# signing_certificate, want_assertions_signed and want_assertions_encrypted are
# the ones that control how SAML responses and assertions from the IdP are
# checked; see the property descriptions below.
keycloak_identity_provider_resource = keycloak.saml.IdentityProvider("keycloakIdentityProviderResource",
    entity_id="string",
    alias="string",
    single_sign_on_service_url="string",
    realm="string",
    post_binding_authn_request=False,
    post_broker_login_flow_alias="string",
    backchannel_supported=False,
    display_name="string",
    enabled=False,
    authn_context_comparison_type="string",
    extra_config={
        "string": "string",
    },
    first_broker_login_flow_alias="string",
    force_authn=False,
    gui_order="string",
    hide_on_login_page=False,
    link_only=False,
    login_hint="string",
    name_id_policy_format="string",
    add_read_token_role_on_create=False,
    post_binding_logout=False,
    post_binding_response=False,
    authn_context_decl_refs=["string"],
    principal_attribute="string",
    principal_type="string",
    provider_id="string",
    authn_context_class_refs=["string"],
    signature_algorithm="string",
    signing_certificate="string",
    single_logout_service_url="string",
    authenticate_by_default=False,
    store_token=False,
    sync_mode="string",
    trust_email=False,
    validate_signature=False,
    want_assertions_encrypted=False,
    want_assertions_signed=False,
    xml_sign_key_info_key_name_transformer="string")
// Reference form only: every input property carries a placeholder value, so
// this is not a runnable configuration. Among these inputs, validateSignature,
// signingCertificate, wantAssertionsSigned and wantAssertionsEncrypted are the
// ones that control how SAML responses and assertions from the IdP are
// checked; see the property descriptions below.
const keycloakIdentityProviderResource = new keycloak.saml.IdentityProvider("keycloakIdentityProviderResource", {
    entityId: "string",
    alias: "string",
    singleSignOnServiceUrl: "string",
    realm: "string",
    postBindingAuthnRequest: false,
    postBrokerLoginFlowAlias: "string",
    backchannelSupported: false,
    displayName: "string",
    enabled: false,
    authnContextComparisonType: "string",
    extraConfig: {
        string: "string",
    },
    firstBrokerLoginFlowAlias: "string",
    forceAuthn: false,
    guiOrder: "string",
    hideOnLoginPage: false,
    linkOnly: false,
    loginHint: "string",
    nameIdPolicyFormat: "string",
    addReadTokenRoleOnCreate: false,
    postBindingLogout: false,
    postBindingResponse: false,
    authnContextDeclRefs: ["string"],
    principalAttribute: "string",
    principalType: "string",
    providerId: "string",
    authnContextClassRefs: ["string"],
    signatureAlgorithm: "string",
    signingCertificate: "string",
    singleLogoutServiceUrl: "string",
    authenticateByDefault: false,
    storeToken: false,
    syncMode: "string",
    trustEmail: false,
    validateSignature: false,
    wantAssertionsEncrypted: false,
    wantAssertionsSigned: false,
    xmlSignKeyInfoKeyNameTransformer: "string",
});
# Reference form only: every input property carries a placeholder value, so
# this is not a runnable configuration. Among these inputs, validateSignature,
# signingCertificate, wantAssertionsSigned and wantAssertionsEncrypted are the
# ones that control how SAML responses and assertions from the IdP are
# checked; see the property descriptions below.
type: keycloak:saml:IdentityProvider
properties:
  addReadTokenRoleOnCreate: false
  alias: string
  authenticateByDefault: false
  authnContextClassRefs:
    - string
  authnContextComparisonType: string
  authnContextDeclRefs:
    - string
  backchannelSupported: false
  displayName: string
  enabled: false
  entityId: string
  extraConfig:
    string: string
  firstBrokerLoginFlowAlias: string
  forceAuthn: false
  guiOrder: string
  hideOnLoginPage: false
  linkOnly: false
  loginHint: string
  nameIdPolicyFormat: string
  postBindingAuthnRequest: false
  postBindingLogout: false
  postBindingResponse: false
  postBrokerLoginFlowAlias: string
  principalAttribute: string
  principalType: string
  providerId: string
  realm: string
  signatureAlgorithm: string
  signingCertificate: string
  singleLogoutServiceUrl: string
  singleSignOnServiceUrl: string
  storeToken: false
  syncMode: string
  trustEmail: false
  validateSignature: false
  wantAssertionsEncrypted: false
  wantAssertionsSigned: false
  xmlSignKeyInfoKeyNameTransformer: string
IdentityProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The IdentityProvider resource accepts the following input properties:
- Alias string
- The unique name of identity provider.
- EntityId string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- Realm string
- The name of the realm. This is unique across Keycloak.
- SingleSignOnServiceUrl string - The URL that must be used to send authentication requests (SAML AuthnRequest).
- AddReadTokenRoleOnCreate bool - When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
- Authenticate
ByDefault bool - Authenticate users by default. Defaults to `false`.
- Authn
Context List<string>Class Refs - Ordered list of requested AuthnContext ClassRefs.
- Authn
Context stringComparison Type - Specifies the comparison method used to evaluate the requested context classes or statements.
- Authn
Context List<string>Decl Refs - Ordered list of requested AuthnContext DeclRefs.
- BackchannelSupported bool - Whether the external IdP supports backchannel logout. Defaults to `false`.
- Display
Name string - The display name for the realm that is shown when logging in to the admin console.
- Enabled bool
- When
false
, users and clients will not be able to access this realm. Defaults totrue
. - Extra
Config Dictionary<string, string> - First
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to
first broker login
. - Force
Authn bool - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
- Link
Only bool - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Login
Hint string - Login Hint.
- Name
Id stringPolicy Format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- Post
Binding boolAuthn Request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Binding boolLogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Binding boolResponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
- Principal
Attribute string - The principal attribute.
- PrincipalType string - The principal type. Can be one of `SUBJECT`, `ATTRIBUTE` or `FRIENDLY_ATTRIBUTE`.
- Provider
Id string - The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation.
- Signature
Algorithm string - Signing Algorithm. Defaults to empty.
- SigningCertificate string - Signing certificate.
- SingleLogoutServiceUrl string - The URL that must be used to send logout requests.
- StoreToken bool - When `true`, tokens will be stored after authenticating users. Defaults to `true`.
- Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`
.
- TrustEmail bool - When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
- Validate
Signature bool - Enable/disable signature validation of SAML responses.
- WantAssertionsEncrypted bool - Indicates whether this service provider expects an encrypted Assertion.
- WantAssertionsSigned bool - Indicates whether this service provider expects a signed Assertion.
- XmlSignKeyInfoKeyNameTransformer string - The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.
- Alias string
- The unique name of identity provider.
- Entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- Realm string
- The name of the realm. This is unique across Keycloak.
- Single
Sign stringOn Service Url - The Url that must be used to send authentication requests (SAML AuthnRequest).
- Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Authenticate
By boolDefault - Authenticate users by default. Defaults to
false
. - Authn
Context []stringClass Refs - Ordered list of requested AuthnContext ClassRefs.
- Authn
Context stringComparison Type - Specifies the comparison method used to evaluate the requested context classes or statements.
- Authn
Context []stringDecl Refs - Ordered list of requested AuthnContext DeclRefs.
- Backchannel
Supported bool - Does the external IDP support backchannel logout?. Defaults to
false
. - Display
Name string - The display name for the realm that is shown when logging in to the admin console.
- Enabled bool
- When
false
, users and clients will not be able to access this realm. Defaults totrue
. - Extra
Config map[string]string - First
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to
first broker login
. - Force
Authn bool - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
- Link
Only bool - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Login
Hint string - Login Hint.
- Name
Id stringPolicy Format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- Post
Binding boolAuthn Request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Binding boolLogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Binding boolResponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
- Principal
Attribute string - The principal attribute.
- Principal
Type string - The principal type. Can be one of
SUBJECT
,ATTRIBUTE
orFRIENDLY_ATTRIBUTE
. - Provider
Id string - The ID of the identity provider to use. Defaults to
saml
, which should be used unless you have extended Keycloak and provided your own implementation. - Signature
Algorithm string - Signing Algorithm. Defaults to empty.
- Signing
Certificate string - Signing Certificate.
- Single
Logout stringService Url - The Url that must be used to send logout requests.
- Store
Token bool - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
. - Trust
Email bool - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - Validate
Signature bool - Enable/disable signature validation of SAML responses.
- Want
Assertions boolEncrypted - Indicates whether this service provider expects an encrypted Assertion.
- Want
Assertions boolSigned - Indicates whether this service provider expects a signed Assertion.
- Xml
Sign stringKey Info Key Name Transformer - The SAML signature key name. Can be one of
NONE
,KEY_ID
, orCERT_SUBJECT
.
- alias String
- The unique name of identity provider.
- entity
Id String - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- realm String
- The name of the realm. This is unique across Keycloak.
- single
Sign StringOn Service Url - The Url that must be used to send authentication requests (SAML AuthnRequest).
- add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate
By BooleanDefault - Authenticate users by default. Defaults to
false
. - authn
Context List<String>Class Refs - Ordered list of requested AuthnContext ClassRefs.
- authn
Context StringComparison Type - Specifies the comparison method used to evaluate the requested context classes or statements.
- authn
Context List<String>Decl Refs - Ordered list of requested AuthnContext DeclRefs.
- backchannel
Supported Boolean - Does the external IDP support backchannel logout?. Defaults to
false
. - display
Name String - The display name for the realm that is shown when logging in to the admin console.
- enabled Boolean
- When
false
, users and clients will not be able to access this realm. Defaults totrue
. - extra
Config Map<String,String> - first
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to
first broker login
. - force
Authn Boolean - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
- link
Only Boolean - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint String - Login Hint.
- name
Id StringPolicy Format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- post
Binding BooleanAuthn Request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Binding BooleanLogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Binding BooleanResponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
- principal
Attribute String - The principal attribute.
- principal
Type String - The principal type. Can be one of
SUBJECT
,ATTRIBUTE
orFRIENDLY_ATTRIBUTE
. - provider
Id String - The ID of the identity provider to use. Defaults to
saml
, which should be used unless you have extended Keycloak and provided your own implementation. - signature
Algorithm String - Signing Algorithm. Defaults to empty.
- signing
Certificate String - Signing Certificate.
- single
Logout StringService Url - The Url that must be used to send logout requests.
- store
Token Boolean - When
true
, tokens will be stored after authenticating users. Defaults totrue
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
. - trust
Email Boolean - When
true
, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults tofalse
. - validate
Signature Boolean - Enable/disable signature validation of SAML responses.
- want
Assertions BooleanEncrypted - Indicates whether this service provider expects an encrypted Assertion.
- want
Assertions BooleanSigned - Indicates whether this service provider expects a signed Assertion.
- xml
Sign StringKey Info Key Name Transformer - The SAML signature key name. Can be one of
NONE
,KEY_ID
, orCERT_SUBJECT
.
- alias string
- The unique name of identity provider.
- entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- realm string
- The name of the realm. This is unique across Keycloak.
- single
Sign stringOn Service Url - The Url that must be used to send authentication requests (SAML AuthnRequest).
- add
Read booleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate
By booleanDefault - Authenticate users by default. Defaults to
false
. - authn
Context string[]Class Refs - Ordered list of requested AuthnContext ClassRefs.
- authn
Context stringComparison Type - Specifies the comparison method used to evaluate the requested context classes or statements.
- authn
Context string[]Decl Refs - Ordered list of requested AuthnContext DeclRefs.
- backchannel
Supported boolean - Does the external IDP support backchannel logout?. Defaults to
false
. - display
Name string - The display name for the realm that is shown when logging in to the admin console.
- enabled boolean
- When
false
, users and clients will not be able to access this realm. Defaults totrue
. - extra
Config {[key: string]: string} - first
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to
first broker login
. - force
Authn boolean - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- gui
Order string - A number defining the order of this identity provider in the GUI.
- hide
On booleanLogin Page - If hidden, the provider is not listed on the login page, but login with it is still possible when requested explicitly, e.g. using the 'kc_idp_hint' parameter. This hides the provider; it does not disable it — use `enabled` to prevent logins.
- link
Only boolean - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint string - Login Hint.
- name
Id stringPolicy Format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- post
Binding booleanAuthn Request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Binding booleanLogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Binding booleanResponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
- principal
Attribute string - The principal attribute.
- principal
Type string - The principal type. Can be one of
SUBJECT
,ATTRIBUTE
orFRIENDLY_ATTRIBUTE
. - provider
Id string - The ID of the identity provider to use. Defaults to
saml
, which should be used unless you have extended Keycloak and provided your own implementation. - signature
Algorithm string - Signing Algorithm. Defaults to empty.
- signing
Certificate string - The identity provider's signing certificate, used to verify the signature on SAML responses when `validateSignature` is enabled.
- single
Logout stringService Url - The Url that must be used to send logout requests.
- store
Token boolean - When `true`, tokens received from the identity provider will be stored after authenticating users, where they can be read by users holding the `broker.read-token` role (see `addReadTokenRoleOnCreate`). Set this to `false` unless an application needs to retrieve the external token. Defaults to `true`
. - sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
. - trust
Email boolean - When `true`, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only if the identity provider itself verifies email addresses, since Keycloak will then trust the asserted address without verifying it. Defaults to `false`
. - validate
Signature boolean - Enable/disable signature validation of SAML responses. When disabled, responses are accepted without verifying that they were signed by the identity provider; keep this enabled and configure `signingCertificate` so signatures can be checked.
- want
Assertions booleanEncrypted - Indicates whether this service provider expects an encrypted Assertion.
- want
Assertions booleanSigned - Indicates whether this service provider expects a signed Assertion.
- xml
Sign stringKey Info Key Name Transformer - The SAML signature key name. Can be one of
NONE
,KEY_ID
, orCERT_SUBJECT
.
- alias str
- The unique name of identity provider.
- entity_
id str - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- realm str
- The name of the realm. This is unique across Keycloak.
- single_
sign_ stron_ service_ url - The Url that must be used to send authentication requests (SAML AuthnRequest).
- add_
read_ booltoken_ role_ on_ create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate_
by_ booldefault - Authenticate users by default. Defaults to
false
. - authn_
context_ Sequence[str]class_ refs - Ordered list of requested AuthnContext ClassRefs.
- authn_
context_ strcomparison_ type - Specifies the comparison method used to evaluate the requested context classes or statements.
- authn_
context_ Sequence[str]decl_ refs - Ordered list of requested AuthnContext DeclRefs.
- backchannel_
supported bool - Does the external IdP support backchannel logout? Defaults to
false
. - display_
name str - The display name for this identity provider (the text shown to users for this provider, for example on the login page).
- enabled bool
- When `False`, this identity provider is disabled and users cannot log in through it. Defaults to `True`
. - extra_
config Mapping[str, str] - first_
broker_ strlogin_ flow_ alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to
first broker login
. - force_
authn bool - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- gui_
order str - A number defining the order of this identity provider in the GUI.
- hide_
on_ boollogin_ page - If hidden, the provider is not listed on the login page, but login with it is still possible when requested explicitly, e.g. using the 'kc_idp_hint' parameter. This hides the provider; it does not disable it — use `enabled` to prevent logins.
- link_
only bool - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login_
hint str - Login Hint.
- name_
id_ strpolicy_ format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- post_
binding_ boolauthn_ request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post_
binding_ boollogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post_
binding_ boolresponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post_
broker_ strlogin_ flow_ alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
- principal_
attribute str - The principal attribute.
- principal_
type str - The principal type. Can be one of
SUBJECT
,ATTRIBUTE
orFRIENDLY_ATTRIBUTE
. - provider_
id str - The ID of the identity provider to use. Defaults to
saml
, which should be used unless you have extended Keycloak and provided your own implementation. - signature_
algorithm str - Signing Algorithm. Defaults to empty.
- signing_
certificate str - The identity provider's signing certificate, used to verify the signature on SAML responses when `validate_signature` is enabled.
- single_
logout_ strservice_ url - The Url that must be used to send logout requests.
- store_
token bool - When `True`, tokens received from the identity provider will be stored after authenticating users, where they can be read by users holding the `broker.read-token` role (see `add_read_token_role_on_create`). Set this to `False` unless an application needs to retrieve the external token. Defaults to `True`
. - sync_
mode str - The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
. - trust_
email bool - When `True`, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only if the identity provider itself verifies email addresses, since Keycloak will then trust the asserted address without verifying it. Defaults to `False`
. - validate_
signature bool - Enable/disable signature validation of SAML responses. When disabled, responses are accepted without verifying that they were signed by the identity provider; keep this enabled and configure `signing_certificate` so signatures can be checked.
- want_
assertions_ boolencrypted - Indicates whether this service provider expects an encrypted Assertion.
- want_
assertions_ boolsigned - Indicates whether this service provider expects a signed Assertion.
- xml_
sign_ strkey_ info_ key_ name_ transformer - The SAML signature key name. Can be one of
NONE
,KEY_ID
, orCERT_SUBJECT
.
- alias String
- The unique name of identity provider.
- entity
Id String - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- realm String
- The name of the realm. This is unique across Keycloak.
- single
Sign StringOn Service Url - The Url that must be used to send authentication requests (SAML AuthnRequest).
- add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - authenticate
By BooleanDefault - Authenticate users by default. Defaults to
false
. - authn
Context List<String>Class Refs - Ordered list of requested AuthnContext ClassRefs.
- authn
Context StringComparison Type - Specifies the comparison method used to evaluate the requested context classes or statements.
- authn
Context List<String>Decl Refs - Ordered list of requested AuthnContext DeclRefs.
- backchannel
Supported Boolean - Does the external IdP support backchannel logout? Defaults to
false
. - display
Name String - The display name for this identity provider (the text shown to users for this provider, for example on the login page).
- enabled Boolean
- When `false`, this identity provider is disabled and users cannot log in through it. Defaults to `true`
. - extra
Config Map<String> - first
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to
first broker login
. - force
Authn Boolean - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - If hidden, the provider is not listed on the login page, but login with it is still possible when requested explicitly, e.g. using the 'kc_idp_hint' parameter. This hides the provider; it does not disable it — use `enabled` to prevent logins.
- link
Only Boolean - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint String - Login Hint.
- name
Id StringPolicy Format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- post
Binding BooleanAuthn Request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Binding BooleanLogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Binding BooleanResponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
- principal
Attribute String - The principal attribute.
- principal
Type String - The principal type. Can be one of
SUBJECT
,ATTRIBUTE
orFRIENDLY_ATTRIBUTE
. - provider
Id String - The ID of the identity provider to use. Defaults to
saml
, which should be used unless you have extended Keycloak and provided your own implementation. - signature
Algorithm String - Signing Algorithm. Defaults to empty.
- signing
Certificate String - The identity provider's signing certificate, used to verify the signature on SAML responses when `validateSignature` is enabled.
- single
Logout StringService Url - The Url that must be used to send logout requests.
- store
Token Boolean - When `true`, tokens received from the identity provider will be stored after authenticating users, where they can be read by users holding the `broker.read-token` role (see `addReadTokenRoleOnCreate`). Set this to `false` unless an application needs to retrieve the external token. Defaults to `true`
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
. - trust
Email Boolean - When `true`, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only if the identity provider itself verifies email addresses, since Keycloak will then trust the asserted address without verifying it. Defaults to `false`
. - validate
Signature Boolean - Enable/disable signature validation of SAML responses. When disabled, responses are accepted without verifying that they were signed by the identity provider; keep this enabled and configure `signingCertificate` so signatures can be checked.
- want
Assertions BooleanEncrypted - Indicates whether this service provider expects an encrypted Assertion.
- want
Assertions BooleanSigned - Indicates whether this service provider expects a signed Assertion.
- xml
Sign StringKey Info Key Name Transformer - The SAML signature key name. Can be one of
NONE
,KEY_ID
, orCERT_SUBJECT
.
Outputs
All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string - Internal Identity Provider Id
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string - Internal Identity Provider Id
- id String
- The provider-assigned unique ID for this managed resource.
- internal
Id String - Internal Identity Provider Id
- id string
- The provider-assigned unique ID for this managed resource.
- internal
Id string - Internal Identity Provider Id
- id str
- The provider-assigned unique ID for this managed resource.
- internal_
id str - Internal Identity Provider Id
- id String
- The provider-assigned unique ID for this managed resource.
- internal
Id String - Internal Identity Provider Id
Look up Existing IdentityProvider Resource
Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
add_read_token_role_on_create: Optional[bool] = None,
alias: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
authn_context_class_refs: Optional[Sequence[str]] = None,
authn_context_comparison_type: Optional[str] = None,
authn_context_decl_refs: Optional[Sequence[str]] = None,
backchannel_supported: Optional[bool] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
entity_id: Optional[str] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
force_authn: Optional[bool] = None,
gui_order: Optional[str] = None,
hide_on_login_page: Optional[bool] = None,
internal_id: Optional[str] = None,
link_only: Optional[bool] = None,
login_hint: Optional[str] = None,
name_id_policy_format: Optional[str] = None,
post_binding_authn_request: Optional[bool] = None,
post_binding_logout: Optional[bool] = None,
post_binding_response: Optional[bool] = None,
post_broker_login_flow_alias: Optional[str] = None,
principal_attribute: Optional[str] = None,
principal_type: Optional[str] = None,
provider_id: Optional[str] = None,
realm: Optional[str] = None,
signature_algorithm: Optional[str] = None,
signing_certificate: Optional[str] = None,
single_logout_service_url: Optional[str] = None,
single_sign_on_service_url: Optional[str] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
trust_email: Optional[bool] = None,
validate_signature: Optional[bool] = None,
want_assertions_encrypted: Optional[bool] = None,
want_assertions_signed: Optional[bool] = None,
xml_sign_key_info_key_name_transformer: Optional[str] = None) -> IdentityProvider
func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)
resources: _: type: keycloak:saml:IdentityProvider get: id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Alias string
- The unique name of identity provider.
- Authenticate
By boolDefault - Authenticate users by default. Defaults to
false
. - Authn
Context List<string>Class Refs - Ordered list of requested AuthnContext ClassRefs.
- Authn
Context stringComparison Type - Specifies the comparison method used to evaluate the requested context classes or statements.
- Authn
Context List<string>Decl Refs - Ordered list of requested AuthnContext DeclRefs.
- Backchannel
Supported bool - Does the external IdP support backchannel logout? Defaults to
false
. - Display
Name string - The display name for this identity provider (the text shown to users for this provider, for example on the login page).
- Enabled bool
- When `false`, this identity provider is disabled and users cannot log in through it. Defaults to `true`
. - Entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- Extra
Config Dictionary<string, string> - First
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to
first broker login
. - Force
Authn bool - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - If hidden, the provider is not listed on the login page, but login with it is still possible when requested explicitly, e.g. using the 'kc_idp_hint' parameter. This hides the provider; it does not disable it — use `Enabled` to prevent logins.
- Internal
Id string - Internal Identity Provider Id
- Link
Only bool - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Login
Hint string - Login Hint.
- Name
Id stringPolicy Format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- Post
Binding boolAuthn Request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Binding boolLogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Binding boolResponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
- Principal
Attribute string - The principal attribute.
- Principal
Type string - The principal type. Can be one of
SUBJECT
,ATTRIBUTE
orFRIENDLY_ATTRIBUTE
. - Provider
Id string - The ID of the identity provider to use. Defaults to
saml
, which should be used unless you have extended Keycloak and provided your own implementation. - Realm string
- The name of the realm. This is unique across Keycloak.
- Signature
Algorithm string - Signing Algorithm. Defaults to empty.
- Signing
Certificate string - The identity provider's signing certificate, used to verify the signature on SAML responses when `ValidateSignature` is enabled.
- Single
Logout stringService Url - The Url that must be used to send logout requests.
- Single
Sign stringOn Service Url - The Url that must be used to send authentication requests (SAML AuthnRequest).
- Store
Token bool - When `true`, tokens received from the identity provider will be stored after authenticating users, where they can be read by users holding the `broker.read-token` role (see `AddReadTokenRoleOnCreate`). Set this to `false` unless an application needs to retrieve the external token. Defaults to `true`
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
. - Trust
Email bool - When `true`, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only if the identity provider itself verifies email addresses, since Keycloak will then trust the asserted address without verifying it. Defaults to `false`
. - Validate
Signature bool - Enable/disable signature validation of SAML responses. When disabled, responses are accepted without verifying that they were signed by the identity provider; keep this enabled and configure `SigningCertificate` so signatures can be checked.
- Want
Assertions boolEncrypted - Indicates whether this service provider expects an encrypted Assertion.
- Want
Assertions boolSigned - Indicates whether this service provider expects a signed Assertion.
- Xml
Sign stringKey Info Key Name Transformer - The SAML signature key name. Can be one of
NONE
,KEY_ID
, orCERT_SUBJECT
.
- Add
Read boolToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - Alias string
- The unique name of identity provider.
- Authenticate
By boolDefault - Authenticate users by default. Defaults to
false
. - Authn
Context []stringClass Refs - Ordered list of requested AuthnContext ClassRefs.
- Authn
Context stringComparison Type - Specifies the comparison method used to evaluate the requested context classes or statements.
- Authn
Context []stringDecl Refs - Ordered list of requested AuthnContext DeclRefs.
- Backchannel
Supported bool - Does the external IdP support backchannel logout? Defaults to
false
. - Display
Name string - The display name for this identity provider (the text shown to users for this provider, for example on the login page).
- Enabled bool
- When `false`, this identity provider is disabled and users cannot log in through it. Defaults to `true`
. - Entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- Extra
Config map[string]string - First
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to
first broker login
. - Force
Authn bool - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- Gui
Order string - A number defining the order of this identity provider in the GUI.
- Hide
On boolLogin Page - If hidden, the provider is not listed on the login page, but login with it is still possible when requested explicitly, e.g. using the 'kc_idp_hint' parameter. This hides the provider; it does not disable it — use `Enabled` to prevent logins.
- Internal
Id string - Internal Identity Provider Id
- Link
Only bool - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - Login
Hint string - Login Hint.
- Name
Id stringPolicy Format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- Post
Binding boolAuthn Request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Binding boolLogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Binding boolResponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
- Principal
Attribute string - The principal attribute.
- Principal
Type string - The principal type. Can be one of
SUBJECT
,ATTRIBUTE
orFRIENDLY_ATTRIBUTE
. - Provider
Id string - The ID of the identity provider to use. Defaults to
saml
, which should be used unless you have extended Keycloak and provided your own implementation. - Realm string
- The name of the realm. This is unique across Keycloak.
- Signature
Algorithm string - Signing Algorithm. Defaults to empty.
- Signing
Certificate string - The identity provider's signing certificate, used to verify the signature on SAML responses when `ValidateSignature` is enabled.
- Single
Logout stringService Url - The Url that must be used to send logout requests.
- Single
Sign stringOn Service Url - The Url that must be used to send authentication requests (SAML AuthnRequest).
- Store
Token bool - When `true`, tokens received from the identity provider will be stored after authenticating users, where they can be read by users holding the `broker.read-token` role (see `AddReadTokenRoleOnCreate`). Set this to `false` unless an application needs to retrieve the external token. Defaults to `true`
. - Sync
Mode string - The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
. - Trust
Email bool - When `true`, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only if the identity provider itself verifies email addresses, since Keycloak will then trust the asserted address without verifying it. Defaults to `false`
. - Validate
Signature bool - Enable/disable signature validation of SAML responses. When disabled, responses are accepted without verifying that they were signed by the identity provider; keep this enabled and configure `SigningCertificate` so signatures can be checked.
- Want
Assertions boolEncrypted - Indicates whether this service provider expects an encrypted Assertion.
- Want
Assertions boolSigned - Indicates whether this service provider expects a signed Assertion.
- Xml
Sign stringKey Info Key Name Transformer - The SAML signature key name. Can be one of
NONE
,KEY_ID
, orCERT_SUBJECT
.
- add
Read BooleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - alias String
- The unique name of identity provider.
- authenticate
By BooleanDefault - Authenticate users by default. Defaults to
false
. - authn
Context List<String>Class Refs - Ordered list of requested AuthnContext ClassRefs.
- authn
Context StringComparison Type - Specifies the comparison method used to evaluate the requested context classes or statements.
- authn
Context List<String>Decl Refs - Ordered list of requested AuthnContext DeclRefs.
- backchannel
Supported Boolean - Does the external IdP support backchannel logout? Defaults to
false
. - display
Name String - The display name for this identity provider (the text shown to users for this provider, for example on the login page).
- enabled Boolean
- When `false`, this identity provider is disabled and users cannot log in through it. Defaults to `true`
. - entity
Id String - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- extra
Config Map<String,String> - first
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to
first broker login
. - force
Authn Boolean - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - If hidden, the provider is not listed on the login page, but login with it is still possible when requested explicitly, e.g. using the 'kc_idp_hint' parameter. This hides the provider; it does not disable it — use `enabled` to prevent logins.
- internal
Id String - Internal Identity Provider Id
- link
Only Boolean - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint String - Login Hint.
- name
Id StringPolicy Format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- post
Binding BooleanAuthn Request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Binding BooleanLogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Binding BooleanResponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
- principal
Attribute String - The principal attribute.
- principal
Type String - The principal type. Can be one of
SUBJECT
,ATTRIBUTE
orFRIENDLY_ATTRIBUTE
. - provider
Id String - The ID of the identity provider to use. Defaults to
saml
, which should be used unless you have extended Keycloak and provided your own implementation. - realm String
- The name of the realm. This is unique across Keycloak.
- signature
Algorithm String - Signing Algorithm. Defaults to empty.
- signing
Certificate String - The identity provider's signing certificate, used to verify the signature on SAML responses when `validateSignature` is enabled.
- single
Logout StringService Url - The Url that must be used to send logout requests.
- single
Sign StringOn Service Url - The Url that must be used to send authentication requests (SAML AuthnRequest).
- store
Token Boolean - When `true`, tokens received from the identity provider will be stored after authenticating users, where they can be read by users holding the `broker.read-token` role (see `addReadTokenRoleOnCreate`). Set this to `false` unless an application needs to retrieve the external token. Defaults to `true`
. - sync
Mode String - The default sync mode to use for all mappers attached to this identity provider. Can be one of
IMPORT
,FORCE
, orLEGACY
. - trust
Email Boolean - When `true`, email addresses for users in this provider will automatically be marked as verified regardless of the realm's email verification policy. Enable this only if the identity provider itself verifies email addresses, since Keycloak will then trust the asserted address without verifying it. Defaults to `false`
. - validate
Signature Boolean - Enable/disable signature validation of SAML responses. When disabled, responses are accepted without verifying that they were signed by the identity provider; keep this enabled and configure `signingCertificate` so signatures can be checked.
- want
Assertions BooleanEncrypted - Indicates whether this service provider expects an encrypted Assertion.
- want
Assertions BooleanSigned - Indicates whether this service provider expects a signed Assertion.
- xml
Sign StringKey Info Key Name Transformer - The SAML signature key name. Can be one of
NONE
,KEY_ID
, orCERT_SUBJECT
.
- add
Read booleanToken Role On Create - When
true
, new users will be able to read stored tokens. This will automatically assign thebroker.read-token
role. Defaults tofalse
. - alias string
- The unique name of identity provider.
- authenticate
By booleanDefault - Authenticate users by default. Defaults to
false
. - authn
Context string[]Class Refs - Ordered list of requested AuthnContext ClassRefs.
- authn
Context stringComparison Type - Specifies the comparison method used to evaluate the requested context classes or statements.
- authn
Context string[]Decl Refs - Ordered list of requested AuthnContext DeclRefs.
- backchannel
Supported boolean - Does the external IdP support backchannel logout? Defaults to
false
. - display
Name string - The display name for this identity provider (the text shown to users for this provider, for example on the login page).
- enabled boolean
- When `false`, this identity provider is disabled and users cannot log in through it. Defaults to `true`
. - entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- extraConfig {[key: string]: string}
- firstBrokerLoginFlowAlias string - Alias of the authentication flow that is triggered after the first login with this identity provider. The term 'First Login' means that there is not yet an existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.
- forceAuthn boolean - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- guiOrder string - A number defining the order of this identity provider in the GUI.
- hideOnLoginPage boolean - If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
- internalId string - Internal Identity Provider Id
- linkOnly boolean - When `true`, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to `false`.
- loginHint string - Login Hint.
- nameIdPolicyFormat string - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- postBindingAuthnRequest boolean - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- postBindingLogout boolean - Indicates whether to respond to logout requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- postBindingResponse boolean - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- postBrokerLoginFlowAlias string - Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it. Defaults to empty.
- principalAttribute string - The principal attribute.
- principalType string - The principal type. Can be one of `SUBJECT`, `ATTRIBUTE`, or `FRIENDLY_ATTRIBUTE`.
- providerId string - The ID of the identity provider to use. Defaults to `saml`, which should be used unless you have extended Keycloak and provided your own implementation.
- realm string - The name of the realm. This is unique across Keycloak.
- signatureAlgorithm string - Signing Algorithm. Defaults to empty.
- signingCertificate string - Signing Certificate; the certificate used to validate the identity provider's signatures.
- singleLogoutServiceUrl string - The URL that must be used to send logout requests.
- singleSignOnServiceUrl string - The URL that must be used to send authentication requests (SAML AuthnRequest).
- storeToken boolean - When `true`, tokens will be stored after authenticating users. Defaults to `true`.
- syncMode string - The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
- trustEmail boolean - When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
- validateSignature boolean - Enable/disable signature validation of SAML responses; when `false`, responses are accepted without their signatures being verified.
- wantAssertionsEncrypted boolean - Indicates whether this service provider expects an encrypted Assertion.
- wantAssertionsSigned boolean - Indicates whether this service provider expects a signed Assertion.
- xmlSignKeyInfoKeyNameTransformer string - The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.
- add_read_token_role_on_create bool - When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
- alias str - The unique name of the identity provider.
- authenticate_
by_ booldefault - Authenticate users by default. Defaults to
false
. - authn_
context_ Sequence[str]class_ refs - Ordered list of requested AuthnContext ClassRefs.
- authn_
context_ strcomparison_ type - Specifies the comparison method used to evaluate the requested context classes or statements.
- authn_
context_ Sequence[str]decl_ refs - Ordered list of requested AuthnContext DeclRefs.
- backchannel_supported bool - Does the external IDP support backchannel logout? Defaults to `false`.
- display_name str - The display name for the realm that is shown when logging in to the admin console.
- enabled bool
- When
false
, users and clients will not be able to access this realm. Defaults totrue
. - entity_
id str - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- extra_config Mapping[str, str]
- first_broker_login_flow_alias str - Alias of the authentication flow that is triggered after the first login with this identity provider. The term 'First Login' means that there is not yet an existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.
- force_authn bool - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- gui_
order str - A number defining the order of this identity provider in the GUI.
- hide_
on_ boollogin_ page - If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
- internal_
id str - Internal Identity Provider Id
- link_
only bool - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login_
hint str - Login Hint.
- name_
id_ strpolicy_ format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- post_
binding_ boolauthn_ request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post_
binding_ boollogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post_
binding_ boolresponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post_broker_login_flow_alias str - Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it. Defaults to empty.
- principal_attribute str - The principal attribute.
- principal_
type str - The principal type. Can be one of
SUBJECT
,ATTRIBUTE
orFRIENDLY_ATTRIBUTE
. - provider_
id str - The ID of the identity provider to use. Defaults to
saml
, which should be used unless you have extended Keycloak and provided your own implementation. - realm str
- The name of the realm. This is unique across Keycloak.
- signature_
algorithm str - Signing Algorithm. Defaults to empty.
- signing_
certificate str - Signing Certificate.
- single_
logout_ strservice_ url - The Url that must be used to send logout requests.
- single_
sign_ stron_ service_ url - The Url that must be used to send authentication requests (SAML AuthnRequest).
- store_token bool - When `true`, tokens will be stored after authenticating users. Defaults to `true`.
- sync_mode str - The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
- trust_email bool - When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
- validate_signature bool - Enable/disable signature validation of SAML responses; when `False`, responses are accepted without their signatures being verified.
- want_assertions_encrypted bool - Indicates whether this service provider expects an encrypted Assertion.
- want_assertions_signed bool - Indicates whether this service provider expects a signed Assertion.
- xml_sign_key_info_key_name_transformer str - The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.
- addReadTokenRoleOnCreate Boolean - When `true`, new users will be able to read stored tokens. This will automatically assign the `broker.read-token` role. Defaults to `false`.
- alias String - The unique name of the identity provider.
- authenticate
By BooleanDefault - Authenticate users by default. Defaults to
false
. - authn
Context List<String>Class Refs - Ordered list of requested AuthnContext ClassRefs.
- authn
Context StringComparison Type - Specifies the comparison method used to evaluate the requested context classes or statements.
- authn
Context List<String>Decl Refs - Ordered list of requested AuthnContext DeclRefs.
- backchannelSupported Boolean - Does the external IDP support backchannel logout? Defaults to `false`.
- displayName String - The display name for the realm that is shown when logging in to the admin console.
- enabled Boolean
- When
false
, users and clients will not be able to access this realm. Defaults totrue
. - entity
Id String - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- extraConfig Map<String>
- firstBrokerLoginFlowAlias String - Alias of the authentication flow that is triggered after the first login with this identity provider. The term 'First Login' means that there is not yet an existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`.
- forceAuthn Boolean - Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- gui
Order String - A number defining the order of this identity provider in the GUI.
- hide
On BooleanLogin Page - If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
- internal
Id String - Internal Identity Provider Id
- link
Only Boolean - When
true
, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults tofalse
. - login
Hint String - Login Hint.
- name
Id StringPolicy Format - Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- post
Binding BooleanAuthn Request - Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Binding BooleanLogout - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- post
Binding BooleanResponse - Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
- postBrokerLoginFlowAlias String - Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it. Defaults to empty.
- principalAttribute String - The principal attribute.
- principal
Type String - The principal type. Can be one of
SUBJECT
,ATTRIBUTE
orFRIENDLY_ATTRIBUTE
. - provider
Id String - The ID of the identity provider to use. Defaults to
saml
, which should be used unless you have extended Keycloak and provided your own implementation. - realm String
- The name of the realm. This is unique across Keycloak.
- signature
Algorithm String - Signing Algorithm. Defaults to empty.
- signing
Certificate String - Signing Certificate.
- single
Logout StringService Url - The Url that must be used to send logout requests.
- single
Sign StringOn Service Url - The Url that must be used to send authentication requests (SAML AuthnRequest).
- storeToken Boolean - When `true`, tokens will be stored after authenticating users. Defaults to `true`.
- syncMode String - The default sync mode to use for all mappers attached to this identity provider. Can be one of `IMPORT`, `FORCE`, or `LEGACY`.
- trustEmail Boolean - When `true`, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to `false`.
- validateSignature Boolean - Enable/disable signature validation of SAML responses; when `false`, responses are accepted without their signatures being verified.
- wantAssertionsEncrypted Boolean - Indicates whether this service provider expects an encrypted Assertion.
- wantAssertionsSigned Boolean - Indicates whether this service provider expects a signed Assertion.
- xmlSignKeyInfoKeyNameTransformer String - The SAML signature key name. Can be one of `NONE`, `KEY_ID`, or `CERT_SUBJECT`.
Import
Identity providers can be imported using the format `{{realm_id}}/{{idp_alias}}`, where `idp_alias` is the identity provider alias.
Example:
bash
$ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `keycloak` Terraform Provider.