Keycloak v5.3.5 published on Wednesday, Oct 16, 2024 by Pulumi


    # keycloak.saml.IdentityProvider

    Allows you to create and manage SAML Identity Providers within Keycloak.

    SAML (Security Assertion Markup Language) identity providers allow users to authenticate through a third-party system using the SAML standard.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as keycloak from "@pulumi/keycloak";
    
    // Arguments for the SAML IdP "my-idp" in realm "my-realm", grouped by concern.
    const realmIdentityProviderArgs: keycloak.saml.IdentityProviderArgs = {
        // Realm that owns the IdP and the alias Keycloak uses for it (also part of the redirect URI).
        realm: "my-realm",
        alias: "my-idp",
        // Endpoints on the external IdP for AuthnRequests and logout requests.
        singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
        singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
        backchannelSupported: true,
        // HTTP-POST binding for AuthnRequests, responses and logout (HTTP-REDIRECT otherwise).
        postBindingAuthnRequest: true,
        postBindingResponse: true,
        postBindingLogout: true,
        // Require direct authentication at the IdP instead of reusing a prior security context.
        forceAuthn: true,
        // Email from this IdP is accepted without the realm's own verification.
        trustEmail: true,
        // Do not store the IdP's tokens after authenticating users.
        storeToken: false,
        // NOTE(review): validateSignature/signingCertificate are not set here; confirm how
        // responses from the IdP are validated before reusing this example as-is.
    };
    const realmIdentityProvider = new keycloak.saml.IdentityProvider("realm_identity_provider", realmIdentityProviderArgs);
    
    import pulumi
    import pulumi_keycloak as keycloak
    
    # Arguments for the SAML IdP "my-idp" in realm "my-realm", grouped by concern;
    # they are unpacked into the constructor below.
    realm_identity_provider_args = {
        # Realm that owns the IdP and the alias Keycloak uses for it (also part of the redirect URI).
        "realm": "my-realm",
        "alias": "my-idp",
        # Endpoints on the external IdP for AuthnRequests and logout requests.
        "single_sign_on_service_url": "https://domain.com/adfs/ls/",
        "single_logout_service_url": "https://domain.com/adfs/ls/?wa=wsignout1.0",
        "backchannel_supported": True,
        # HTTP-POST binding for AuthnRequests, responses and logout (HTTP-REDIRECT otherwise).
        "post_binding_authn_request": True,
        "post_binding_response": True,
        "post_binding_logout": True,
        # Require direct authentication at the IdP instead of reusing a prior security context.
        "force_authn": True,
        # Email from this IdP is accepted without the realm's own verification.
        "trust_email": True,
        # Do not store the IdP's tokens after authenticating users.
        "store_token": False,
        # NOTE(review): validate_signature/signing_certificate are not set here; confirm how
        # responses from the IdP are validated before reusing this example as-is.
    }
    realm_identity_provider = keycloak.saml.IdentityProvider(
        "realm_identity_provider", **realm_identity_provider_args)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Arguments for the SAML IdP "my-idp" in realm "my-realm", grouped by concern.
    		args := &saml.IdentityProviderArgs{
    			// Realm that owns the IdP and the alias Keycloak uses for it (also part of the redirect URI).
    			Realm: pulumi.String("my-realm"),
    			Alias: pulumi.String("my-idp"),
    			// Endpoints on the external IdP for AuthnRequests and logout requests.
    			SingleSignOnServiceUrl: pulumi.String("https://domain.com/adfs/ls/"),
    			SingleLogoutServiceUrl: pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
    			BackchannelSupported:   pulumi.Bool(true),
    			// HTTP-POST binding for AuthnRequests, responses and logout (HTTP-REDIRECT otherwise).
    			PostBindingAuthnRequest: pulumi.Bool(true),
    			PostBindingResponse:     pulumi.Bool(true),
    			PostBindingLogout:       pulumi.Bool(true),
    			// Require direct authentication at the IdP instead of reusing a prior security context.
    			ForceAuthn: pulumi.Bool(true),
    			// Email from this IdP is accepted without the realm's own verification.
    			TrustEmail: pulumi.Bool(true),
    			// Do not store the IdP's tokens after authenticating users.
    			StoreToken: pulumi.Bool(false),
    			// NOTE(review): ValidateSignature/SigningCertificate are not set here; confirm how
    			// responses from the IdP are validated before reusing this example as-is.
    		}
    		_, err := saml.NewIdentityProvider(ctx, "realm_identity_provider", args)
    		// The constructor's error (nil on success) is the program's result.
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Keycloak = Pulumi.Keycloak;
    
    return await Deployment.RunAsync(() =>
    {
        // Arguments for the SAML IdP "my-idp" in realm "my-realm", grouped by concern.
        var realmIdentityProviderArgs = new Keycloak.Saml.IdentityProviderArgs
        {
            // Realm that owns the IdP and the alias Keycloak uses for it (also part of the redirect URI).
            Realm = "my-realm",
            Alias = "my-idp",
            // Endpoints on the external IdP for AuthnRequests and logout requests.
            SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
            SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
            BackchannelSupported = true,
            // HTTP-POST binding for AuthnRequests, responses and logout (HTTP-REDIRECT otherwise).
            PostBindingAuthnRequest = true,
            PostBindingResponse = true,
            PostBindingLogout = true,
            // Require direct authentication at the IdP instead of reusing a prior security context.
            ForceAuthn = true,
            // Email from this IdP is accepted without the realm's own verification.
            TrustEmail = true,
            // Do not store the IdP's tokens after authenticating users.
            StoreToken = false,
            // NOTE(review): ValidateSignature/SigningCertificate are not set here; confirm how
            // responses from the IdP are validated before reusing this example as-is.
        };
        var realmIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_identity_provider", realmIdentityProviderArgs);
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.keycloak.saml.IdentityProvider;
    import com.pulumi.keycloak.saml.IdentityProviderArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the SAML IdP "my-idp" in realm "my-realm"; arguments are grouped by concern. */
        public static void stack(Context ctx) {
            var realmIdentityProviderArgs = IdentityProviderArgs.builder()
                // Realm that owns the IdP and the alias Keycloak uses for it (also part of the redirect URI).
                .realm("my-realm")
                .alias("my-idp")
                // Endpoints on the external IdP for AuthnRequests and logout requests.
                .singleSignOnServiceUrl("https://domain.com/adfs/ls/")
                .singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
                .backchannelSupported(true)
                // HTTP-POST binding for AuthnRequests, responses and logout (HTTP-REDIRECT otherwise).
                .postBindingAuthnRequest(true)
                .postBindingResponse(true)
                .postBindingLogout(true)
                // Require direct authentication at the IdP instead of reusing a prior security context.
                .forceAuthn(true)
                // Email from this IdP is accepted without the realm's own verification.
                .trustEmail(true)
                // Do not store the IdP's tokens after authenticating users.
                .storeToken(false)
                // NOTE(review): validateSignature/signingCertificate are not set here; confirm how
                // responses from the IdP are validated before reusing this example as-is.
                .build();
            var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", realmIdentityProviderArgs);
        }
    }
    
    resources:
      # SAML IdP "my-idp" in realm "my-realm"; properties are grouped by concern.
      realmIdentityProvider:
        type: keycloak:saml:IdentityProvider
        name: realm_identity_provider
        properties:
          # Realm that owns the IdP and the alias Keycloak uses for it (also part of the redirect URI).
          realm: my-realm
          alias: my-idp
          # Endpoints on the external IdP for AuthnRequests and logout requests.
          singleSignOnServiceUrl: https://domain.com/adfs/ls/
          singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0
          backchannelSupported: true
          # HTTP-POST binding for AuthnRequests, responses and logout (HTTP-REDIRECT otherwise).
          postBindingAuthnRequest: true
          postBindingResponse: true
          postBindingLogout: true
          # Require direct authentication at the IdP instead of reusing a prior security context.
          forceAuthn: true
          # Email from this IdP is accepted without the realm's own verification.
          trustEmail: true
          # Do not store the IdP's tokens after authenticating users.
          storeToken: false
          # NOTE(review): validateSignature/signingCertificate are not set here; confirm how
          # responses from the IdP are validated before reusing this example as-is.
    

    Argument Reference

    The following arguments are supported:

    • realm - (Required) The name of the realm. This is unique across Keycloak.
    • alias - (Optional) The unique name of the identity provider.
    • enabled - (Optional) When false, users and clients will not be able to access this realm. Defaults to true.
    • display_name - (Optional) The display name for the realm that is shown when logging in to the admin console.
    • store_token - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to true.
    • add_read_token_role_on_create - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to false.
    • trust_email - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to false.
    • link_only - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider. Defaults to false.
    • hide_on_login_page - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the ‘kc_idp_hint’ parameter.
    • first_broker_login_flow_alias - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
    • post_broker_login_flow_alias - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
    • authenticate_by_default - (Optional) Authenticate users by default. Defaults to false.

    SAML Configuration

    • single_sign_on_service_url - (Optional) The URL that must be used to send authentication requests (SAML AuthnRequest).
    • single_logout_service_url - (Optional) The URL that must be used to send logout requests.
    • backchannel_supported - (Optional) Does the external IdP support back-channel logout?
    • name_id_policy_format - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
    • post_binding_response - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    • post_binding_authn_request - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    • post_binding_logout - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
    • want_assertions_signed - (Optional) Indicates whether this service provider expects a signed Assertion.
    • want_assertions_encrypted - (Optional) Indicates whether this service provider expects an encrypted Assertion.
    • force_authn - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
    • validate_signature - (Optional) Enable/disable signature validation of SAML responses. When disabled, SAML responses from the provider are accepted without their signature being checked.
    • signing_certificate - (Optional) Signing Certificate.
    • signature_algorithm - (Optional) Signing Algorithm. Defaults to empty.
    • xml_sign_key_info_key_name_transformer - (Optional) Sign Key Transformer. Defaults to empty.

    Import

    Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias.

    Example:

    $ terraform import keycloak_saml_identity_provider.realm_identity_provider my-realm/my-idp
    

    Create IdentityProvider Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
    @overload
    def IdentityProvider(resource_name: str,
                         args: IdentityProviderArgs,
                         opts: Optional[ResourceOptions] = None)
    
    @overload
    def IdentityProvider(resource_name: str,
                         opts: Optional[ResourceOptions] = None,
                         entity_id: Optional[str] = None,
                         alias: Optional[str] = None,
                         single_sign_on_service_url: Optional[str] = None,
                         realm: Optional[str] = None,
                         post_binding_authn_request: Optional[bool] = None,
                         post_broker_login_flow_alias: Optional[str] = None,
                         backchannel_supported: Optional[bool] = None,
                         display_name: Optional[str] = None,
                         enabled: Optional[bool] = None,
                         authn_context_comparison_type: Optional[str] = None,
                         extra_config: Optional[Mapping[str, str]] = None,
                         first_broker_login_flow_alias: Optional[str] = None,
                         force_authn: Optional[bool] = None,
                         gui_order: Optional[str] = None,
                         hide_on_login_page: Optional[bool] = None,
                         link_only: Optional[bool] = None,
                         login_hint: Optional[str] = None,
                         name_id_policy_format: Optional[str] = None,
                         add_read_token_role_on_create: Optional[bool] = None,
                         post_binding_logout: Optional[bool] = None,
                         post_binding_response: Optional[bool] = None,
                         authn_context_decl_refs: Optional[Sequence[str]] = None,
                         principal_attribute: Optional[str] = None,
                         principal_type: Optional[str] = None,
                         provider_id: Optional[str] = None,
                         authn_context_class_refs: Optional[Sequence[str]] = None,
                         signature_algorithm: Optional[str] = None,
                         signing_certificate: Optional[str] = None,
                         single_logout_service_url: Optional[str] = None,
                         authenticate_by_default: Optional[bool] = None,
                         store_token: Optional[bool] = None,
                         sync_mode: Optional[str] = None,
                         trust_email: Optional[bool] = None,
                         validate_signature: Optional[bool] = None,
                         want_assertions_encrypted: Optional[bool] = None,
                         want_assertions_signed: Optional[bool] = None,
                         xml_sign_key_info_key_name_transformer: Optional[str] = None)
    func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
    public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
    public IdentityProvider(String name, IdentityProviderArgs args)
    public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)
    
    type: keycloak:saml:IdentityProvider
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args IdentityProviderArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Placeholder values only; properties are grouped by concern.
    var keycloakIdentityProviderArgs = new Keycloak.Saml.IdentityProviderArgs
    {
        // Identity of the provider within the realm.
        Realm = "string",
        Alias = "string",
        EntityId = "string",
        ProviderId = "string",
        DisplayName = "string",
        Enabled = false,
        GuiOrder = "string",
        HideOnLoginPage = false,
        LinkOnly = false,
        // Endpoints on the external IdP.
        SingleSignOnServiceUrl = "string",
        SingleLogoutServiceUrl = "string",
        BackchannelSupported = false,
        // HTTP-POST vs HTTP-REDIRECT binding per message type.
        PostBindingAuthnRequest = false,
        PostBindingResponse = false,
        PostBindingLogout = false,
        // AuthnRequest contents.
        ForceAuthn = false,
        NameIdPolicyFormat = "string",
        LoginHint = "string",
        AuthnContextClassRefs = new[]
        {
            "string",
        },
        AuthnContextDeclRefs = new[]
        {
            "string",
        },
        AuthnContextComparisonType = "string",
        // Signature validation and assertion protection.
        ValidateSignature = false,
        SigningCertificate = "string",
        SignatureAlgorithm = "string",
        XmlSignKeyInfoKeyNameTransformer = "string",
        WantAssertionsSigned = false,
        WantAssertionsEncrypted = false,
        // Account linking and broker login flows.
        PrincipalType = "string",
        PrincipalAttribute = "string",
        SyncMode = "string",
        FirstBrokerLoginFlowAlias = "string",
        PostBrokerLoginFlowAlias = "string",
        AuthenticateByDefault = false,
        TrustEmail = false,
        StoreToken = false,
        AddReadTokenRoleOnCreate = false,
        // Provider-specific settings not covered by a dedicated property.
        ExtraConfig = 
        {
            { "string", "string" },
        },
    };
    var keycloakIdentityProviderResource = new Keycloak.Saml.IdentityProvider("keycloakIdentityProviderResource", keycloakIdentityProviderArgs);
    
    // Placeholder values only; fields are grouped by concern.
    args := &saml.IdentityProviderArgs{
    	// Identity of the provider within the realm.
    	Realm:           pulumi.String("string"),
    	Alias:           pulumi.String("string"),
    	EntityId:        pulumi.String("string"),
    	ProviderId:      pulumi.String("string"),
    	DisplayName:     pulumi.String("string"),
    	Enabled:         pulumi.Bool(false),
    	GuiOrder:        pulumi.String("string"),
    	HideOnLoginPage: pulumi.Bool(false),
    	LinkOnly:        pulumi.Bool(false),
    	// Endpoints on the external IdP.
    	SingleSignOnServiceUrl: pulumi.String("string"),
    	SingleLogoutServiceUrl: pulumi.String("string"),
    	BackchannelSupported:   pulumi.Bool(false),
    	// HTTP-POST vs HTTP-REDIRECT binding per message type.
    	PostBindingAuthnRequest: pulumi.Bool(false),
    	PostBindingResponse:     pulumi.Bool(false),
    	PostBindingLogout:       pulumi.Bool(false),
    	// AuthnRequest contents.
    	ForceAuthn:         pulumi.Bool(false),
    	NameIdPolicyFormat: pulumi.String("string"),
    	LoginHint:          pulumi.String("string"),
    	AuthnContextClassRefs: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AuthnContextDeclRefs: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AuthnContextComparisonType: pulumi.String("string"),
    	// Signature validation and assertion protection.
    	ValidateSignature:                pulumi.Bool(false),
    	SigningCertificate:               pulumi.String("string"),
    	SignatureAlgorithm:               pulumi.String("string"),
    	XmlSignKeyInfoKeyNameTransformer: pulumi.String("string"),
    	WantAssertionsSigned:             pulumi.Bool(false),
    	WantAssertionsEncrypted:          pulumi.Bool(false),
    	// Account linking and broker login flows.
    	PrincipalType:             pulumi.String("string"),
    	PrincipalAttribute:        pulumi.String("string"),
    	SyncMode:                  pulumi.String("string"),
    	FirstBrokerLoginFlowAlias: pulumi.String("string"),
    	PostBrokerLoginFlowAlias:  pulumi.String("string"),
    	AuthenticateByDefault:     pulumi.Bool(false),
    	TrustEmail:                pulumi.Bool(false),
    	StoreToken:                pulumi.Bool(false),
    	AddReadTokenRoleOnCreate:  pulumi.Bool(false),
    	// Provider-specific settings not covered by a dedicated field.
    	ExtraConfig: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    }
    example, err := saml.NewIdentityProvider(ctx, "keycloakIdentityProviderResource", args)
    
    // Placeholder values only; builder calls are grouped by concern.
    var keycloakIdentityProviderArgs = IdentityProviderArgs.builder()
        // Identity of the provider within the realm.
        .realm("string")
        .alias("string")
        .entityId("string")
        .providerId("string")
        .displayName("string")
        .enabled(false)
        .guiOrder("string")
        .hideOnLoginPage(false)
        .linkOnly(false)
        // Endpoints on the external IdP.
        .singleSignOnServiceUrl("string")
        .singleLogoutServiceUrl("string")
        .backchannelSupported(false)
        // HTTP-POST vs HTTP-REDIRECT binding per message type.
        .postBindingAuthnRequest(false)
        .postBindingResponse(false)
        .postBindingLogout(false)
        // AuthnRequest contents.
        .forceAuthn(false)
        .nameIdPolicyFormat("string")
        .loginHint("string")
        .authnContextClassRefs("string")
        .authnContextDeclRefs("string")
        .authnContextComparisonType("string")
        // Signature validation and assertion protection.
        .validateSignature(false)
        .signingCertificate("string")
        .signatureAlgorithm("string")
        .xmlSignKeyInfoKeyNameTransformer("string")
        .wantAssertionsSigned(false)
        .wantAssertionsEncrypted(false)
        // Account linking and broker login flows.
        .principalType("string")
        .principalAttribute("string")
        .syncMode("string")
        .firstBrokerLoginFlowAlias("string")
        .postBrokerLoginFlowAlias("string")
        .authenticateByDefault(false)
        .trustEmail(false)
        .storeToken(false)
        .addReadTokenRoleOnCreate(false)
        // Provider-specific settings not covered by a dedicated setter.
        .extraConfig(Map.of("string", "string"))
        .build();
    var keycloakIdentityProviderResource = new IdentityProvider("keycloakIdentityProviderResource", keycloakIdentityProviderArgs);
    
    # Placeholder values only; keys are grouped by concern and unpacked into the constructor below.
    keycloak_identity_provider_args = {
        # Identity of the provider within the realm.
        "realm": "string",
        "alias": "string",
        "entity_id": "string",
        "provider_id": "string",
        "display_name": "string",
        "enabled": False,
        "gui_order": "string",
        "hide_on_login_page": False,
        "link_only": False,
        # Endpoints on the external IdP.
        "single_sign_on_service_url": "string",
        "single_logout_service_url": "string",
        "backchannel_supported": False,
        # HTTP-POST vs HTTP-REDIRECT binding per message type.
        "post_binding_authn_request": False,
        "post_binding_response": False,
        "post_binding_logout": False,
        # AuthnRequest contents.
        "force_authn": False,
        "name_id_policy_format": "string",
        "login_hint": "string",
        "authn_context_class_refs": ["string"],
        "authn_context_decl_refs": ["string"],
        "authn_context_comparison_type": "string",
        # Signature validation and assertion protection.
        "validate_signature": False,
        "signing_certificate": "string",
        "signature_algorithm": "string",
        "xml_sign_key_info_key_name_transformer": "string",
        "want_assertions_signed": False,
        "want_assertions_encrypted": False,
        # Account linking and broker login flows.
        "principal_type": "string",
        "principal_attribute": "string",
        "sync_mode": "string",
        "first_broker_login_flow_alias": "string",
        "post_broker_login_flow_alias": "string",
        "authenticate_by_default": False,
        "trust_email": False,
        "store_token": False,
        "add_read_token_role_on_create": False,
        # Provider-specific settings not covered by a dedicated argument.
        "extra_config": {
            "string": "string",
        },
    }
    keycloak_identity_provider_resource = keycloak.saml.IdentityProvider(
        "keycloakIdentityProviderResource", **keycloak_identity_provider_args)
    
    // Placeholder values only; properties are grouped by concern.
    const keycloakIdentityProviderArgs: keycloak.saml.IdentityProviderArgs = {
        // Identity of the provider within the realm.
        realm: "string",
        alias: "string",
        entityId: "string",
        providerId: "string",
        displayName: "string",
        enabled: false,
        guiOrder: "string",
        hideOnLoginPage: false,
        linkOnly: false,
        // Endpoints on the external IdP.
        singleSignOnServiceUrl: "string",
        singleLogoutServiceUrl: "string",
        backchannelSupported: false,
        // HTTP-POST vs HTTP-REDIRECT binding per message type.
        postBindingAuthnRequest: false,
        postBindingResponse: false,
        postBindingLogout: false,
        // AuthnRequest contents.
        forceAuthn: false,
        nameIdPolicyFormat: "string",
        loginHint: "string",
        authnContextClassRefs: ["string"],
        authnContextDeclRefs: ["string"],
        authnContextComparisonType: "string",
        // Signature validation and assertion protection.
        validateSignature: false,
        signingCertificate: "string",
        signatureAlgorithm: "string",
        xmlSignKeyInfoKeyNameTransformer: "string",
        wantAssertionsSigned: false,
        wantAssertionsEncrypted: false,
        // Account linking and broker login flows.
        principalType: "string",
        principalAttribute: "string",
        syncMode: "string",
        firstBrokerLoginFlowAlias: "string",
        postBrokerLoginFlowAlias: "string",
        authenticateByDefault: false,
        trustEmail: false,
        storeToken: false,
        addReadTokenRoleOnCreate: false,
        // Provider-specific settings not covered by a dedicated property.
        extraConfig: {
            string: "string",
        },
    };
    const keycloakIdentityProviderResource = new keycloak.saml.IdentityProvider("keycloakIdentityProviderResource", keycloakIdentityProviderArgs);
    
    type: keycloak:saml:IdentityProvider
    # Placeholder values only; properties are grouped by concern.
    properties:
        # Identity of the provider within the realm.
        realm: string
        alias: string
        entityId: string
        providerId: string
        displayName: string
        enabled: false
        guiOrder: string
        hideOnLoginPage: false
        linkOnly: false
        # Endpoints on the external IdP.
        singleSignOnServiceUrl: string
        singleLogoutServiceUrl: string
        backchannelSupported: false
        # HTTP-POST vs HTTP-REDIRECT binding per message type.
        postBindingAuthnRequest: false
        postBindingResponse: false
        postBindingLogout: false
        # AuthnRequest contents.
        forceAuthn: false
        nameIdPolicyFormat: string
        loginHint: string
        authnContextClassRefs:
            - string
        authnContextDeclRefs:
            - string
        authnContextComparisonType: string
        # Signature validation and assertion protection.
        validateSignature: false
        signingCertificate: string
        signatureAlgorithm: string
        xmlSignKeyInfoKeyNameTransformer: string
        wantAssertionsSigned: false
        wantAssertionsEncrypted: false
        # Account linking and broker login flows.
        principalType: string
        principalAttribute: string
        syncMode: string
        firstBrokerLoginFlowAlias: string
        postBrokerLoginFlowAlias: string
        authenticateByDefault: false
        trustEmail: false
        storeToken: false
        addReadTokenRoleOnCreate: false
        # Provider-specific settings not covered by a dedicated property.
        extraConfig:
            string: string
    

    IdentityProvider Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The IdentityProvider resource accepts the following input properties:

    Alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect URI.
    EntityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    Realm string
    Realm Name
    SingleSignOnServiceUrl string
    SSO Logout URL.
    AddReadTokenRoleOnCreate bool
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    AuthnContextClassRefs List<string>
    AuthnContext ClassRefs
    AuthnContextComparisonType string
    AuthnContext Comparison
    AuthnContextDeclRefs List<string>
    AuthnContext DeclRefs
    BackchannelSupported bool
    Does the external IDP support backchannel logout?
    DisplayName string
    Friendly name for Identity Providers.
    Enabled bool
    Enable/disable this identity provider.
    ExtraConfig Dictionary<string, string>
    FirstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    ForceAuthn bool
    Require Force Authn.
    GuiOrder string
    GUI Order
    HideOnLoginPage bool
    Hide On Login Page.
    LinkOnly bool
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
    LoginHint string
    Login Hint.
    NameIdPolicyFormat string
    Name ID Policy Format.
    PostBindingAuthnRequest bool
    Post Binding Authn Request.
    PostBindingLogout bool
    Post Binding Logout.
    PostBindingResponse bool
    Post Binding Response.
    PostBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
    PrincipalAttribute string
    Principal Attribute
    PrincipalType string
    Principal Type
    ProviderId string
    Provider ID; this is always saml unless you have a custom implementation.
    SignatureAlgorithm string
    Signing Algorithm.
    SigningCertificate string
    Signing Certificate.
    SingleLogoutServiceUrl string
    Logout URL.
    StoreToken bool
    Enable/disable if tokens must be stored after authenticating users.
    SyncMode string
    Sync Mode
    TrustEmail bool
    If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
    ValidateSignature bool
    Enable/disable signature validation of SAML responses.
    WantAssertionsEncrypted bool
    Want Assertions Encrypted.
    WantAssertionsSigned bool
    Want Assertions Signed.
    XmlSignKeyInfoKeyNameTransformer string
    Sign Key Transformer.
    Alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect URI.
    EntityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    Realm string
    Realm Name
    SingleSignOnServiceUrl string
    SSO Logout URL.
    AddReadTokenRoleOnCreate bool
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    AuthnContextClassRefs []string
    AuthnContext ClassRefs
    AuthnContextComparisonType string
    AuthnContext Comparison
    AuthnContextDeclRefs []string
    AuthnContext DeclRefs
    BackchannelSupported bool
    Does the external IDP support backchannel logout?
    DisplayName string
    Friendly name for Identity Providers.
    Enabled bool
    Enable/disable this identity provider.
    ExtraConfig map[string]string
    FirstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    ForceAuthn bool
    Require Force Authn.
    GuiOrder string
    GUI Order
    HideOnLoginPage bool
    Hide On Login Page.
    LinkOnly bool
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
    LoginHint string
    Login Hint.
    NameIdPolicyFormat string
    Name ID Policy Format.
    PostBindingAuthnRequest bool
    Post Binding Authn Request.
    PostBindingLogout bool
    Post Binding Logout.
    PostBindingResponse bool
    Post Binding Response.
    PostBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
    PrincipalAttribute string
    Principal Attribute
    PrincipalType string
    Principal Type
    ProviderId string
    Provider ID; this is always saml unless you have a custom implementation.
    SignatureAlgorithm string
    Signing Algorithm.
    SigningCertificate string
    Signing Certificate.
    SingleLogoutServiceUrl string
    Logout URL.
    StoreToken bool
    Enable/disable if tokens must be stored after authenticating users.
    SyncMode string
    Sync Mode
    TrustEmail bool
    If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
    ValidateSignature bool
    Enable/disable signature validation of SAML responses.
    WantAssertionsEncrypted bool
    Want Assertions Encrypted.
    WantAssertionsSigned bool
    Want Assertions Signed.
    XmlSignKeyInfoKeyNameTransformer string
    Sign Key Transformer.
    alias String
    The alias uniquely identifies an identity provider and it is also used to build the redirect URI.
    entityId String
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    realm String
    Realm Name
    singleSignOnServiceUrl String
    SSO Logout URL.
    addReadTokenRoleOnCreate Boolean
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    authnContextClassRefs List<String>
    AuthnContext ClassRefs
    authnContextComparisonType String
    AuthnContext Comparison
    authnContextDeclRefs List<String>
    AuthnContext DeclRefs
    backchannelSupported Boolean
    Does the external IDP support backchannel logout?
    displayName String
    Friendly name for Identity Providers.
    enabled Boolean
    Enable/disable this identity provider.
    extraConfig Map<String,String>
    firstBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    forceAuthn Boolean
    Require Force Authn: sets ForceAuthn on the authentication request, asking the identity provider to re-authenticate the user rather than reuse an existing IdP session.
    guiOrder String
    GUI Order
    hideOnLoginPage Boolean
    Hide On Login Page.
    linkOnly Boolean
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but still want existing users to be able to link their accounts to it.
    loginHint String
    Login Hint.
    nameIdPolicyFormat String
    Name ID Policy Format.
    postBindingAuthnRequest Boolean
    Post Binding Authn Request.
    postBindingLogout Boolean
    Post Binding Logout.
    postBindingResponse Boolean
    Post Binding Response.
    postBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
    principalAttribute String
    Principal Attribute
    principalType String
    Principal Type
    providerId String
    provider id, is always saml, unless you have a custom implementation
    signatureAlgorithm String
    Signing Algorithm.
    signingCertificate String
    Signing Certificate: the identity provider's X.509 signing certificate, used to validate the signatures on SAML responses and assertions when validateSignature is enabled. Update it whenever the IdP rotates its signing key, or logins will start failing signature validation.
    singleLogoutServiceUrl String
    Logout URL.
    storeToken Boolean
    Enable/disable if tokens must be stored after authenticating users. Stored tokens persist in Keycloak and can be read back by any user holding the broker.read-token role (see addReadTokenRoleOnCreate), so leave this disabled unless an application actually needs the IdP token.
    syncMode String
    Sync Mode
    trustEmail Boolean
    If enabled then the email provided by this provider is not verified even if verification is enabled for the realm. Enable only when the identity provider itself verifies email addresses; otherwise an unverified address asserted by the IdP is accepted as trusted.
    validateSignature Boolean
    Enable/disable signature validation of SAML responses. Disable only for testing: without validation Keycloak cannot distinguish a genuine response from a forged one, so keep this enabled in production and supply the IdP certificate in signingCertificate.
    wantAssertionsEncrypted Boolean
    Want Assertions Encrypted.
    wantAssertionsSigned Boolean
    Want Assertions Signed.
    xmlSignKeyInfoKeyNameTransformer String
    Sign Key Transformer.
    alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    entityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    realm string
    Realm Name
    singleSignOnServiceUrl string
    SSO URL: the identity provider's Single Sign-On service endpoint that authentication requests are sent to (the logout endpoint is configured separately in singleLogoutServiceUrl).
    addReadTokenRoleOnCreate boolean
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    authenticateByDefault boolean
    Enable/disable authenticate users by default.
    authnContextClassRefs string[]
    AuthnContext ClassRefs
    authnContextComparisonType string
    AuthnContext Comparison
    authnContextDeclRefs string[]
    AuthnContext DeclRefs
    backchannelSupported boolean
    Does the external IDP support backchannel logout?
    displayName string
    Friendly name for Identity Providers.
    enabled boolean
    Enable/disable this identity provider.
    extraConfig {[key: string]: string}
    firstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    forceAuthn boolean
    Require Force Authn: sets ForceAuthn on the authentication request, asking the identity provider to re-authenticate the user rather than reuse an existing IdP session.
    guiOrder string
    GUI Order
    hideOnLoginPage boolean
    Hide On Login Page.
    linkOnly boolean
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but still want existing users to be able to link their accounts to it.
    loginHint string
    Login Hint.
    nameIdPolicyFormat string
    Name ID Policy Format.
    postBindingAuthnRequest boolean
    Post Binding Authn Request.
    postBindingLogout boolean
    Post Binding Logout.
    postBindingResponse boolean
    Post Binding Response.
    postBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
    principalAttribute string
    Principal Attribute
    principalType string
    Principal Type
    providerId string
    provider id, is always saml, unless you have a custom implementation
    signatureAlgorithm string
    Signing Algorithm.
    signingCertificate string
    Signing Certificate: the identity provider's X.509 signing certificate, used to validate the signatures on SAML responses and assertions when validateSignature is enabled. Update it whenever the IdP rotates its signing key, or logins will start failing signature validation.
    singleLogoutServiceUrl string
    Logout URL.
    storeToken boolean
    Enable/disable if tokens must be stored after authenticating users. Stored tokens persist in Keycloak and can be read back by any user holding the broker.read-token role (see addReadTokenRoleOnCreate), so leave this disabled unless an application actually needs the IdP token.
    syncMode string
    Sync Mode
    trustEmail boolean
    If enabled then the email provided by this provider is not verified even if verification is enabled for the realm. Enable only when the identity provider itself verifies email addresses; otherwise an unverified address asserted by the IdP is accepted as trusted.
    validateSignature boolean
    Enable/disable signature validation of SAML responses. Disable only for testing: without validation Keycloak cannot distinguish a genuine response from a forged one, so keep this enabled in production and supply the IdP certificate in signingCertificate.
    wantAssertionsEncrypted boolean
    Want Assertions Encrypted.
    wantAssertionsSigned boolean
    Want Assertions Signed.
    xmlSignKeyInfoKeyNameTransformer string
    Sign Key Transformer.
    alias str
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    entity_id str
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    realm str
    Realm Name
    single_sign_on_service_url str
    SSO URL: the identity provider's Single Sign-On service endpoint that authentication requests are sent to (the logout endpoint is configured separately in single_logout_service_url).
    add_read_token_role_on_create bool
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    authenticate_by_default bool
    Enable/disable authenticate users by default.
    authn_context_class_refs Sequence[str]
    AuthnContext ClassRefs
    authn_context_comparison_type str
    AuthnContext Comparison
    authn_context_decl_refs Sequence[str]
    AuthnContext DeclRefs
    backchannel_supported bool
    Does the external IDP support backchannel logout?
    display_name str
    Friendly name for Identity Providers.
    enabled bool
    Enable/disable this identity provider.
    extra_config Mapping[str, str]
    first_broker_login_flow_alias str
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    force_authn bool
    Require Force Authn: sets ForceAuthn on the authentication request, asking the identity provider to re-authenticate the user rather than reuse an existing IdP session.
    gui_order str
    GUI Order
    hide_on_login_page bool
    Hide On Login Page.
    link_only bool
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but still want existing users to be able to link their accounts to it.
    login_hint str
    Login Hint.
    name_id_policy_format str
    Name ID Policy Format.
    post_binding_authn_request bool
    Post Binding Authn Request.
    post_binding_logout bool
    Post Binding Logout.
    post_binding_response bool
    Post Binding Response.
    post_broker_login_flow_alias str
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
    principal_attribute str
    Principal Attribute
    principal_type str
    Principal Type
    provider_id str
    provider id, is always saml, unless you have a custom implementation
    signature_algorithm str
    Signing Algorithm.
    signing_certificate str
    Signing Certificate: the identity provider's X.509 signing certificate, used to validate the signatures on SAML responses and assertions when validate_signature is enabled. Update it whenever the IdP rotates its signing key, or logins will start failing signature validation.
    single_logout_service_url str
    Logout URL.
    store_token bool
    Enable/disable if tokens must be stored after authenticating users. Stored tokens persist in Keycloak and can be read back by any user holding the broker.read-token role (see add_read_token_role_on_create), so leave this disabled unless an application actually needs the IdP token.
    sync_mode str
    Sync Mode
    trust_email bool
    If enabled then the email provided by this provider is not verified even if verification is enabled for the realm. Enable only when the identity provider itself verifies email addresses; otherwise an unverified address asserted by the IdP is accepted as trusted.
    validate_signature bool
    Enable/disable signature validation of SAML responses. Disable only for testing: without validation Keycloak cannot distinguish a genuine response from a forged one, so keep this enabled in production and supply the IdP certificate in signing_certificate.
    want_assertions_encrypted bool
    Want Assertions Encrypted.
    want_assertions_signed bool
    Want Assertions Signed.
    xml_sign_key_info_key_name_transformer str
    Sign Key Transformer.
    alias String
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    entityId String
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    realm String
    Realm Name
    singleSignOnServiceUrl String
    SSO URL: the identity provider's Single Sign-On service endpoint that authentication requests are sent to (the logout endpoint is configured separately in singleLogoutServiceUrl).
    addReadTokenRoleOnCreate Boolean
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    authnContextClassRefs List<String>
    AuthnContext ClassRefs
    authnContextComparisonType String
    AuthnContext Comparison
    authnContextDeclRefs List<String>
    AuthnContext DeclRefs
    backchannelSupported Boolean
    Does the external IDP support backchannel logout?
    displayName String
    Friendly name for Identity Providers.
    enabled Boolean
    Enable/disable this identity provider.
    extraConfig Map<String>
    firstBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    forceAuthn Boolean
    Require Force Authn: sets ForceAuthn on the authentication request, asking the identity provider to re-authenticate the user rather than reuse an existing IdP session.
    guiOrder String
    GUI Order
    hideOnLoginPage Boolean
    Hide On Login Page.
    linkOnly Boolean
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but still want existing users to be able to link their accounts to it.
    loginHint String
    Login Hint.
    nameIdPolicyFormat String
    Name ID Policy Format.
    postBindingAuthnRequest Boolean
    Post Binding Authn Request.
    postBindingLogout Boolean
    Post Binding Logout.
    postBindingResponse Boolean
    Post Binding Response.
    postBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
    principalAttribute String
    Principal Attribute
    principalType String
    Principal Type
    providerId String
    provider id, is always saml, unless you have a custom implementation
    signatureAlgorithm String
    Signing Algorithm.
    signingCertificate String
    Signing Certificate: the identity provider's X.509 signing certificate, used to validate the signatures on SAML responses and assertions when validateSignature is enabled. Update it whenever the IdP rotates its signing key, or logins will start failing signature validation.
    singleLogoutServiceUrl String
    Logout URL.
    storeToken Boolean
    Enable/disable if tokens must be stored after authenticating users. Stored tokens persist in Keycloak and can be read back by any user holding the broker.read-token role (see addReadTokenRoleOnCreate), so leave this disabled unless an application actually needs the IdP token.
    syncMode String
    Sync Mode
    trustEmail Boolean
    If enabled then the email provided by this provider is not verified even if verification is enabled for the realm. Enable only when the identity provider itself verifies email addresses; otherwise an unverified address asserted by the IdP is accepted as trusted.
    validateSignature Boolean
    Enable/disable signature validation of SAML responses. Disable only for testing: without validation Keycloak cannot distinguish a genuine response from a forged one, so keep this enabled in production and supply the IdP certificate in signingCertificate.
    wantAssertionsEncrypted Boolean
    Want Assertions Encrypted.
    wantAssertionsSigned Boolean
    Want Assertions Signed.
    xmlSignKeyInfoKeyNameTransformer String
    Sign Key Transformer.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    InternalId string
    Internal Identity Provider Id
    Id string
    The provider-assigned unique ID for this managed resource.
    InternalId string
    Internal Identity Provider Id
    id String
    The provider-assigned unique ID for this managed resource.
    internalId String
    Internal Identity Provider Id
    id string
    The provider-assigned unique ID for this managed resource.
    internalId string
    Internal Identity Provider Id
    id str
    The provider-assigned unique ID for this managed resource.
    internal_id str
    Internal Identity Provider Id
    id String
    The provider-assigned unique ID for this managed resource.
    internalId String
    Internal Identity Provider Id

    Look up Existing IdentityProvider Resource

    Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            add_read_token_role_on_create: Optional[bool] = None,
            alias: Optional[str] = None,
            authenticate_by_default: Optional[bool] = None,
            authn_context_class_refs: Optional[Sequence[str]] = None,
            authn_context_comparison_type: Optional[str] = None,
            authn_context_decl_refs: Optional[Sequence[str]] = None,
            backchannel_supported: Optional[bool] = None,
            display_name: Optional[str] = None,
            enabled: Optional[bool] = None,
            entity_id: Optional[str] = None,
            extra_config: Optional[Mapping[str, str]] = None,
            first_broker_login_flow_alias: Optional[str] = None,
            force_authn: Optional[bool] = None,
            gui_order: Optional[str] = None,
            hide_on_login_page: Optional[bool] = None,
            internal_id: Optional[str] = None,
            link_only: Optional[bool] = None,
            login_hint: Optional[str] = None,
            name_id_policy_format: Optional[str] = None,
            post_binding_authn_request: Optional[bool] = None,
            post_binding_logout: Optional[bool] = None,
            post_binding_response: Optional[bool] = None,
            post_broker_login_flow_alias: Optional[str] = None,
            principal_attribute: Optional[str] = None,
            principal_type: Optional[str] = None,
            provider_id: Optional[str] = None,
            realm: Optional[str] = None,
            signature_algorithm: Optional[str] = None,
            signing_certificate: Optional[str] = None,
            single_logout_service_url: Optional[str] = None,
            single_sign_on_service_url: Optional[str] = None,
            store_token: Optional[bool] = None,
            sync_mode: Optional[str] = None,
            trust_email: Optional[bool] = None,
            validate_signature: Optional[bool] = None,
            want_assertions_encrypted: Optional[bool] = None,
            want_assertions_signed: Optional[bool] = None,
            xml_sign_key_info_key_name_transformer: Optional[str] = None) -> IdentityProvider
    func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
    public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
    public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AddReadTokenRoleOnCreate bool
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    Alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    AuthnContextClassRefs List<string>
    AuthnContext ClassRefs
    AuthnContextComparisonType string
    AuthnContext Comparison
    AuthnContextDeclRefs List<string>
    AuthnContext DeclRefs
    BackchannelSupported bool
    Does the external IDP support backchannel logout?
    DisplayName string
    Friendly name for Identity Providers.
    Enabled bool
    Enable/disable this identity provider.
    EntityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    ExtraConfig Dictionary<string, string>
    FirstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    ForceAuthn bool
    Require Force Authn: sets ForceAuthn on the authentication request, asking the identity provider to re-authenticate the user rather than reuse an existing IdP session.
    GuiOrder string
    GUI Order
    HideOnLoginPage bool
    Hide On Login Page.
    InternalId string
    Internal Identity Provider Id
    LinkOnly bool
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but still want existing users to be able to link their accounts to it.
    LoginHint string
    Login Hint.
    NameIdPolicyFormat string
    Name ID Policy Format.
    PostBindingAuthnRequest bool
    Post Binding Authn Request.
    PostBindingLogout bool
    Post Binding Logout.
    PostBindingResponse bool
    Post Binding Response.
    PostBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
    PrincipalAttribute string
    Principal Attribute
    PrincipalType string
    Principal Type
    ProviderId string
    provider id, is always saml, unless you have a custom implementation
    Realm string
    Realm Name
    SignatureAlgorithm string
    Signing Algorithm.
    SigningCertificate string
    Signing Certificate: the identity provider's X.509 signing certificate, used to validate the signatures on SAML responses and assertions when ValidateSignature is enabled. Update it whenever the IdP rotates its signing key, or logins will start failing signature validation.
    SingleLogoutServiceUrl string
    Logout URL.
    SingleSignOnServiceUrl string
    SSO URL: the identity provider's Single Sign-On service endpoint that authentication requests are sent to (the logout endpoint is configured separately in SingleLogoutServiceUrl).
    StoreToken bool
    Enable/disable if tokens must be stored after authenticating users. Stored tokens persist in Keycloak and can be read back by any user holding the broker.read-token role (see AddReadTokenRoleOnCreate), so leave this disabled unless an application actually needs the IdP token.
    SyncMode string
    Sync Mode
    TrustEmail bool
    If enabled then the email provided by this provider is not verified even if verification is enabled for the realm. Enable only when the identity provider itself verifies email addresses; otherwise an unverified address asserted by the IdP is accepted as trusted.
    ValidateSignature bool
    Enable/disable signature validation of SAML responses. Disable only for testing: without validation Keycloak cannot distinguish a genuine response from a forged one, so keep this enabled in production and supply the IdP certificate in SigningCertificate.
    WantAssertionsEncrypted bool
    Want Assertions Encrypted.
    WantAssertionsSigned bool
    Want Assertions Signed.
    XmlSignKeyInfoKeyNameTransformer string
    Sign Key Transformer.
    AddReadTokenRoleOnCreate bool
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    Alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    AuthenticateByDefault bool
    Enable/disable authenticate users by default.
    AuthnContextClassRefs []string
    AuthnContext ClassRefs
    AuthnContextComparisonType string
    AuthnContext Comparison
    AuthnContextDeclRefs []string
    AuthnContext DeclRefs
    BackchannelSupported bool
    Does the external IDP support backchannel logout?
    DisplayName string
    Friendly name for Identity Providers.
    Enabled bool
    Enable/disable this identity provider.
    EntityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    ExtraConfig map[string]string
    FirstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    ForceAuthn bool
    Require Force Authn: sets ForceAuthn on the authentication request, asking the identity provider to re-authenticate the user rather than reuse an existing IdP session.
    GuiOrder string
    GUI Order
    HideOnLoginPage bool
    Hide On Login Page.
    InternalId string
    Internal Identity Provider Id
    LinkOnly bool
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but still want existing users to be able to link their accounts to it.
    LoginHint string
    Login Hint.
    NameIdPolicyFormat string
    Name ID Policy Format.
    PostBindingAuthnRequest bool
    Post Binding Authn Request.
    PostBindingLogout bool
    Post Binding Logout.
    PostBindingResponse bool
    Post Binding Response.
    PostBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
    PrincipalAttribute string
    Principal Attribute
    PrincipalType string
    Principal Type
    ProviderId string
    provider id, is always saml, unless you have a custom implementation
    Realm string
    Realm Name
    SignatureAlgorithm string
    Signing Algorithm.
    SigningCertificate string
    Signing Certificate: the identity provider's X.509 signing certificate, used to validate the signatures on SAML responses and assertions when ValidateSignature is enabled. Update it whenever the IdP rotates its signing key, or logins will start failing signature validation.
    SingleLogoutServiceUrl string
    Logout URL.
    SingleSignOnServiceUrl string
    SSO URL: the identity provider's Single Sign-On service endpoint that authentication requests are sent to (the logout endpoint is configured separately in SingleLogoutServiceUrl).
    StoreToken bool
    Enable/disable if tokens must be stored after authenticating users. Stored tokens persist in Keycloak and can be read back by any user holding the broker.read-token role (see AddReadTokenRoleOnCreate), so leave this disabled unless an application actually needs the IdP token.
    SyncMode string
    Sync Mode
    TrustEmail bool
    If enabled then the email provided by this provider is not verified even if verification is enabled for the realm. Enable only when the identity provider itself verifies email addresses; otherwise an unverified address asserted by the IdP is accepted as trusted.
    ValidateSignature bool
    Enable/disable signature validation of SAML responses. Disable only for testing: without validation Keycloak cannot distinguish a genuine response from a forged one, so keep this enabled in production and supply the IdP certificate in SigningCertificate.
    WantAssertionsEncrypted bool
    Want Assertions Encrypted.
    WantAssertionsSigned bool
    Want Assertions Signed.
    XmlSignKeyInfoKeyNameTransformer string
    Sign Key Transformer.
    addReadTokenRoleOnCreate Boolean
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    alias String
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    authnContextClassRefs List<String>
    AuthnContext ClassRefs
    authnContextComparisonType String
    AuthnContext Comparison
    authnContextDeclRefs List<String>
    AuthnContext DeclRefs
    backchannelSupported Boolean
    Does the external IDP support backchannel logout?
    displayName String
    Friendly name for Identity Providers.
    enabled Boolean
    Enable/disable this identity provider.
    entityId String
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    extraConfig Map<String,String>
    firstBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    forceAuthn Boolean
    Require Force Authn: sets ForceAuthn on the authentication request, asking the identity provider to re-authenticate the user rather than reuse an existing IdP session.
    guiOrder String
    GUI Order
    hideOnLoginPage Boolean
    Hide On Login Page.
    internalId String
    Internal Identity Provider Id
    linkOnly Boolean
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but still want existing users to be able to link their accounts to it.
    loginHint String
    Login Hint.
    nameIdPolicyFormat String
    Name ID Policy Format.
    postBindingAuthnRequest Boolean
    Post Binding Authn Request.
    postBindingLogout Boolean
    Post Binding Logout.
    postBindingResponse Boolean
    Post Binding Response.
    postBrokerLoginFlowAlias String
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
    principalAttribute String
    Principal Attribute
    principalType String
    Principal Type
    providerId String
    provider id, is always saml, unless you have a custom implementation
    realm String
    Realm Name
    signatureAlgorithm String
    Signing Algorithm.
    signingCertificate String
    Signing Certificate: the identity provider's X.509 signing certificate, used to validate the signatures on SAML responses and assertions when validateSignature is enabled. Update it whenever the IdP rotates its signing key, or logins will start failing signature validation.
    singleLogoutServiceUrl String
    Logout URL.
    singleSignOnServiceUrl String
    SSO URL: the identity provider's Single Sign-On service endpoint that authentication requests are sent to (the logout endpoint is configured separately in singleLogoutServiceUrl).
    storeToken Boolean
    Enable/disable if tokens must be stored after authenticating users. Stored tokens persist in Keycloak and can be read back by any user holding the broker.read-token role (see addReadTokenRoleOnCreate), so leave this disabled unless an application actually needs the IdP token.
    syncMode String
    Sync Mode
    trustEmail Boolean
    If enabled then the email provided by this provider is not verified even if verification is enabled for the realm. Enable only when the identity provider itself verifies email addresses; otherwise an unverified address asserted by the IdP is accepted as trusted.
    validateSignature Boolean
    Enable/disable signature validation of SAML responses. Disable only for testing: without validation Keycloak cannot distinguish a genuine response from a forged one, so keep this enabled in production and supply the IdP certificate in signingCertificate.
    wantAssertionsEncrypted Boolean
    Want Assertions Encrypted.
    wantAssertionsSigned Boolean
    Want Assertions Signed.
    xmlSignKeyInfoKeyNameTransformer String
    Sign Key Transformer.
    addReadTokenRoleOnCreate boolean
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    alias string
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authenticateByDefault boolean
    Enable/disable authenticate users by default.
    authnContextClassRefs string[]
    AuthnContext ClassRefs
    authnContextComparisonType string
    AuthnContext Comparison
    authnContextDeclRefs string[]
    AuthnContext DeclRefs
    backchannelSupported boolean
    Does the external IDP support backchannel logout?
    displayName string
    Friendly name for Identity Providers.
    enabled boolean
    Enable/disable this identity provider.
    entityId string
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    extraConfig {[key: string]: string}
    firstBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    forceAuthn boolean
    Require Force Authn: sets ForceAuthn on the authentication request, asking the identity provider to re-authenticate the user rather than reuse an existing IdP session.
    guiOrder string
    GUI Order
    hideOnLoginPage boolean
    Hide On Login Page.
    internalId string
    Internal Identity Provider Id
    linkOnly boolean
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but still want existing users to be able to link their accounts to it.
    loginHint string
    Login Hint.
    nameIdPolicyFormat string
    Name ID Policy Format.
    postBindingAuthnRequest boolean
    Post Binding Authn Request.
    postBindingLogout boolean
    Post Binding Logout.
    postBindingResponse boolean
    Post Binding Response.
    postBrokerLoginFlowAlias string
    Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
    principalAttribute string
    Principal Attribute
    principalType string
    Principal Type
    providerId string
    provider id, is always saml, unless you have a custom implementation
    realm string
    Realm Name
    signatureAlgorithm string
    Signing Algorithm.
    signingCertificate string
    Signing Certificate: the identity provider's X.509 signing certificate, used to validate the signatures on SAML responses and assertions when validateSignature is enabled. Update it whenever the IdP rotates its signing key, or logins will start failing signature validation.
    singleLogoutServiceUrl string
    Logout URL.
    singleSignOnServiceUrl string
    SSO URL: the identity provider's Single Sign-On service endpoint that authentication requests are sent to (the logout endpoint is configured separately in singleLogoutServiceUrl).
    storeToken boolean
    Enable/disable if tokens must be stored after authenticating users. Stored tokens persist in Keycloak and can be read back by any user holding the broker.read-token role (see addReadTokenRoleOnCreate), so leave this disabled unless an application actually needs the IdP token.
    syncMode string
    Sync Mode
    trustEmail boolean
    If enabled then the email provided by this provider is not verified even if verification is enabled for the realm. Enable only when the identity provider itself verifies email addresses; otherwise an unverified address asserted by the IdP is accepted as trusted.
    validateSignature boolean
    Enable/disable signature validation of SAML responses. Disable only for testing: without validation Keycloak cannot distinguish a genuine response from a forged one, so keep this enabled in production and supply the IdP certificate in signingCertificate.
    wantAssertionsEncrypted boolean
    Want Assertions Encrypted.
    wantAssertionsSigned boolean
    Want Assertions Signed.
    xmlSignKeyInfoKeyNameTransformer string
    Sign Key Transformer.
    add_read_token_role_on_create bool
    Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
    alias str
    The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
    authenticate_by_default bool
    Enable/disable authenticate users by default.
    authn_context_class_refs Sequence[str]
    AuthnContext ClassRefs
    authn_context_comparison_type str
    AuthnContext Comparison
    authn_context_decl_refs Sequence[str]
    AuthnContext DeclRefs
    backchannel_supported bool
    Does the external IDP support backchannel logout?
    display_name str
    Friendly name for Identity Providers.
    enabled bool
    Enable/disable this identity provider.
    entity_id str
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    extra_config Mapping[str, str]
    first_broker_login_flow_alias str
    Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
    force_authn bool
    Require Force Authn: sets ForceAuthn on the authentication request, asking the identity provider to re-authenticate the user rather than reuse an existing IdP session.
    gui_order str
    GUI Order
    hide_on_login_page bool
    Hide On Login Page.
    internal_id str
    Internal Identity Provider Id
    link_only bool
    If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but still want existing users to be able to link their accounts to it.
    login_hint str
    Login Hint.
    name_id_policy_format str
    Name ID Policy Format.
    post_binding_authn_request bool
    Post Binding Authn Request.
    post_binding_logout bool
    Post Binding Logout.
    post_binding_response bool
    Post Binding Response.
    post_broker_login_flow_alias str
    Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example, OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume the user is already set in the ClientSession, as the identity provider has already set it.
    principal_attribute str
    Principal Attribute
    principal_type str
    Principal Type
    provider_id str
    Provider ID; this is always saml unless you have a custom implementation.
    realm str
    Realm Name
    signature_algorithm str
    Signing Algorithm.
    signing_certificate str
    Signing Certificate.
    single_logout_service_url str
    Logout URL.
    single_sign_on_service_url str
    Single Sign-On (SSO) service URL.
    store_token bool
    Enable/disable whether tokens are stored after authenticating users.
    sync_mode str
    Sync Mode
    trust_email bool
    If enabled, the email provided by this identity provider is not verified, even if email verification is enabled for the realm.
    validate_signature bool
    Enable/disable signature validation of SAML responses.
    want_assertions_encrypted bool
    Want Assertions Encrypted.
    want_assertions_signed bool
    Want Assertions Signed.
    xml_sign_key_info_key_name_transformer str
    Sign Key Transformer.
    addReadTokenRoleOnCreate Boolean
    Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role.
    alias String
    The alias uniquely identifies an identity provider, and it is also used to build the redirect URI.
    authenticateByDefault Boolean
    Enable/disable authenticate users by default.
    authnContextClassRefs List<String>
    AuthnContext ClassRefs
    authnContextComparisonType String
    AuthnContext Comparison
    authnContextDeclRefs List<String>
    AuthnContext DeclRefs
    backchannelSupported Boolean
    Does the external IDP support backchannel logout?
    displayName String
    Friendly name for the identity provider.
    enabled Boolean
    Enable/disable this identity provider.
    entityId String
    The Entity ID that will be used to uniquely identify this SAML Service Provider.
    extraConfig Map<String>
    firstBrokerLoginFlowAlias String
    Alias of the authentication flow that is triggered after the first login with this identity provider. The term 'First Login' means that there is not yet an existing Keycloak account linked with the authenticated identity provider account.
    forceAuthn Boolean
    Require Force Authn.
    guiOrder String
    GUI Order
    hideOnLoginPage Boolean
    Hide On Login Page.
    internalId String
    Internal Identity Provider Id
    linkOnly Boolean
    If true, users cannot log in through this provider; they can only link to this provider. This is useful if you don't want to allow login from the provider but still want to integrate with it.
    loginHint String
    Login Hint.
    nameIdPolicyFormat String
    Name ID Policy Format.
    postBindingAuthnRequest Boolean
    Post Binding Authn Request.
    postBindingLogout Boolean
    Post Binding Logout.
    postBindingResponse Boolean
    Post Binding Response.
    postBrokerLoginFlowAlias String
    Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example, OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume the user is already set in the ClientSession, as the identity provider has already set it.
    principalAttribute String
    Principal Attribute
    principalType String
    Principal Type
    providerId String
    Provider ID; this is always saml unless you have a custom implementation.
    realm String
    Realm Name
    signatureAlgorithm String
    Signing Algorithm.
    signingCertificate String
    Signing Certificate.
    singleLogoutServiceUrl String
    Logout URL.
    singleSignOnServiceUrl String
    Single Sign-On (SSO) service URL.
    storeToken Boolean
    Enable/disable whether tokens are stored after authenticating users.
    syncMode String
    Sync Mode
    trustEmail Boolean
    If enabled, the email provided by this identity provider is not verified, even if email verification is enabled for the realm.
    validateSignature Boolean
    Enable/disable signature validation of SAML responses.
    wantAssertionsEncrypted Boolean
    Want Assertions Encrypted.
    wantAssertionsSigned Boolean
    Want Assertions Signed.
    xmlSignKeyInfoKeyNameTransformer String
    Sign Key Transformer.

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the keycloak Terraform Provider.