keycloak.saml.IdentityProvider
Explore with Pulumi AI
# keycloak.saml.IdentityProvider
Allows to create and manage SAML Identity Providers within Keycloak.
SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realmIdentityProvider = new keycloak.saml.IdentityProvider("realm_identity_provider", {
realm: "my-realm",
alias: "my-idp",
singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
backchannelSupported: true,
postBindingResponse: true,
postBindingLogout: true,
postBindingAuthnRequest: true,
storeToken: false,
trustEmail: true,
forceAuthn: true,
});
import pulumi
import pulumi_keycloak as keycloak
realm_identity_provider = keycloak.saml.IdentityProvider("realm_identity_provider",
realm="my-realm",
alias="my-idp",
single_sign_on_service_url="https://domain.com/adfs/ls/",
single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0",
backchannel_supported=True,
post_binding_response=True,
post_binding_logout=True,
post_binding_authn_request=True,
store_token=False,
trust_email=True,
force_authn=True)
package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := saml.NewIdentityProvider(ctx, "realm_identity_provider", &saml.IdentityProviderArgs{
Realm: pulumi.String("my-realm"),
Alias: pulumi.String("my-idp"),
SingleSignOnServiceUrl: pulumi.String("https://domain.com/adfs/ls/"),
SingleLogoutServiceUrl: pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
BackchannelSupported: pulumi.Bool(true),
PostBindingResponse: pulumi.Bool(true),
PostBindingLogout: pulumi.Bool(true),
PostBindingAuthnRequest: pulumi.Bool(true),
StoreToken: pulumi.Bool(false),
TrustEmail: pulumi.Bool(true),
ForceAuthn: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realmIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_identity_provider", new()
{
Realm = "my-realm",
Alias = "my-idp",
SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
BackchannelSupported = true,
PostBindingResponse = true,
PostBindingLogout = true,
PostBindingAuthnRequest = true,
StoreToken = false,
TrustEmail = true,
ForceAuthn = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.saml.IdentityProvider;
import com.pulumi.keycloak.saml.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", IdentityProviderArgs.builder()
.realm("my-realm")
.alias("my-idp")
.singleSignOnServiceUrl("https://domain.com/adfs/ls/")
.singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
.backchannelSupported(true)
.postBindingResponse(true)
.postBindingLogout(true)
.postBindingAuthnRequest(true)
.storeToken(false)
.trustEmail(true)
.forceAuthn(true)
.build());
}
}
resources:
realmIdentityProvider:
type: keycloak:saml:IdentityProvider
name: realm_identity_provider
properties:
realm: my-realm
alias: my-idp
singleSignOnServiceUrl: https://domain.com/adfs/ls/
singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0
backchannelSupported: true
postBindingResponse: true
postBindingLogout: true
postBindingAuthnRequest: true
storeToken: false
trustEmail: true
forceAuthn: true
Argument Reference
The following arguments are supported:
realm
- (Required) The name of the realm. This is unique across Keycloak.alias
- (Optional) The uniq name of identity provider.enabled
- (Optional) When false, users and clients will not be able to access this realm. Defaults totrue
.display_name
- (Optional) The display name for the realm that is shown when logging in to the admin console.store_token
- (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults totrue
.add_read_token_role_on_create
- (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults tofalse
.trust_email
- (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults tofalse
.link_only
- (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider. Defaults tofalse
.hide_on_login_page
- (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the ‘kc_idp_hint’ parameter.first_broker_login_flow_alias
- (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults tofirst broker login
.post_broker_login_flow_alias
- (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.authenticate_by_default
- (Optional) Authenticate users by default. Defaults tofalse
.
SAML Configuration
single_sign_on_service_url
- (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest).single_logout_service_url
- (Optional) The Url that must be used to send logout requests.backchannel_supported
- (Optional) Does the external IDP support back-channel logout ?.name_id_policy_format
- (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.post_binding_response
- (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..post_binding_authn_request
- (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.post_binding_logout
- (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.want_assertions_signed
- (Optional) Indicates whether this service provider expects a signed Assertion.want_assertions_encrypted
- (Optional) Indicates whether this service provider expects an encrypted Assertion.force_authn
- (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.validate_signature
- (Optional) Enable/disable signature validation of SAML responses.signing_certificate
- (Optional) Signing Certificate.signature_algorithm
- (Optional) Signing Algorithm. Defaults to empty.xml_sign_key_info_key_name_transformer
- (Optional) Sign Key Transformer. Defaults to empty.
Import
Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}
, where idp_alias
is the identity provider alias.
Example:
$ terraform import keycloak_saml_identity_provider.realm_identity_provider my-realm/my-idp
Create IdentityProvider Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);
@overload
def IdentityProvider(resource_name: str,
args: IdentityProviderArgs,
opts: Optional[ResourceOptions] = None)
@overload
def IdentityProvider(resource_name: str,
opts: Optional[ResourceOptions] = None,
entity_id: Optional[str] = None,
alias: Optional[str] = None,
single_sign_on_service_url: Optional[str] = None,
realm: Optional[str] = None,
post_binding_authn_request: Optional[bool] = None,
post_broker_login_flow_alias: Optional[str] = None,
backchannel_supported: Optional[bool] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
authn_context_comparison_type: Optional[str] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
force_authn: Optional[bool] = None,
gui_order: Optional[str] = None,
hide_on_login_page: Optional[bool] = None,
link_only: Optional[bool] = None,
login_hint: Optional[str] = None,
name_id_policy_format: Optional[str] = None,
add_read_token_role_on_create: Optional[bool] = None,
post_binding_logout: Optional[bool] = None,
post_binding_response: Optional[bool] = None,
authn_context_decl_refs: Optional[Sequence[str]] = None,
principal_attribute: Optional[str] = None,
principal_type: Optional[str] = None,
provider_id: Optional[str] = None,
authn_context_class_refs: Optional[Sequence[str]] = None,
signature_algorithm: Optional[str] = None,
signing_certificate: Optional[str] = None,
single_logout_service_url: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
trust_email: Optional[bool] = None,
validate_signature: Optional[bool] = None,
want_assertions_encrypted: Optional[bool] = None,
want_assertions_signed: Optional[bool] = None,
xml_sign_key_info_key_name_transformer: Optional[str] = None)
func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)
public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)
public IdentityProvider(String name, IdentityProviderArgs args)
public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)
type: keycloak:saml:IdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var keycloakIdentityProviderResource = new Keycloak.Saml.IdentityProvider("keycloakIdentityProviderResource", new()
{
EntityId = "string",
Alias = "string",
SingleSignOnServiceUrl = "string",
Realm = "string",
PostBindingAuthnRequest = false,
PostBrokerLoginFlowAlias = "string",
BackchannelSupported = false,
DisplayName = "string",
Enabled = false,
AuthnContextComparisonType = "string",
ExtraConfig =
{
{ "string", "string" },
},
FirstBrokerLoginFlowAlias = "string",
ForceAuthn = false,
GuiOrder = "string",
HideOnLoginPage = false,
LinkOnly = false,
LoginHint = "string",
NameIdPolicyFormat = "string",
AddReadTokenRoleOnCreate = false,
PostBindingLogout = false,
PostBindingResponse = false,
AuthnContextDeclRefs = new[]
{
"string",
},
PrincipalAttribute = "string",
PrincipalType = "string",
ProviderId = "string",
AuthnContextClassRefs = new[]
{
"string",
},
SignatureAlgorithm = "string",
SigningCertificate = "string",
SingleLogoutServiceUrl = "string",
AuthenticateByDefault = false,
StoreToken = false,
SyncMode = "string",
TrustEmail = false,
ValidateSignature = false,
WantAssertionsEncrypted = false,
WantAssertionsSigned = false,
XmlSignKeyInfoKeyNameTransformer = "string",
});
example, err := saml.NewIdentityProvider(ctx, "keycloakIdentityProviderResource", &saml.IdentityProviderArgs{
EntityId: pulumi.String("string"),
Alias: pulumi.String("string"),
SingleSignOnServiceUrl: pulumi.String("string"),
Realm: pulumi.String("string"),
PostBindingAuthnRequest: pulumi.Bool(false),
PostBrokerLoginFlowAlias: pulumi.String("string"),
BackchannelSupported: pulumi.Bool(false),
DisplayName: pulumi.String("string"),
Enabled: pulumi.Bool(false),
AuthnContextComparisonType: pulumi.String("string"),
ExtraConfig: pulumi.StringMap{
"string": pulumi.String("string"),
},
FirstBrokerLoginFlowAlias: pulumi.String("string"),
ForceAuthn: pulumi.Bool(false),
GuiOrder: pulumi.String("string"),
HideOnLoginPage: pulumi.Bool(false),
LinkOnly: pulumi.Bool(false),
LoginHint: pulumi.String("string"),
NameIdPolicyFormat: pulumi.String("string"),
AddReadTokenRoleOnCreate: pulumi.Bool(false),
PostBindingLogout: pulumi.Bool(false),
PostBindingResponse: pulumi.Bool(false),
AuthnContextDeclRefs: pulumi.StringArray{
pulumi.String("string"),
},
PrincipalAttribute: pulumi.String("string"),
PrincipalType: pulumi.String("string"),
ProviderId: pulumi.String("string"),
AuthnContextClassRefs: pulumi.StringArray{
pulumi.String("string"),
},
SignatureAlgorithm: pulumi.String("string"),
SigningCertificate: pulumi.String("string"),
SingleLogoutServiceUrl: pulumi.String("string"),
AuthenticateByDefault: pulumi.Bool(false),
StoreToken: pulumi.Bool(false),
SyncMode: pulumi.String("string"),
TrustEmail: pulumi.Bool(false),
ValidateSignature: pulumi.Bool(false),
WantAssertionsEncrypted: pulumi.Bool(false),
WantAssertionsSigned: pulumi.Bool(false),
XmlSignKeyInfoKeyNameTransformer: pulumi.String("string"),
})
var keycloakIdentityProviderResource = new IdentityProvider("keycloakIdentityProviderResource", IdentityProviderArgs.builder()
.entityId("string")
.alias("string")
.singleSignOnServiceUrl("string")
.realm("string")
.postBindingAuthnRequest(false)
.postBrokerLoginFlowAlias("string")
.backchannelSupported(false)
.displayName("string")
.enabled(false)
.authnContextComparisonType("string")
.extraConfig(Map.of("string", "string"))
.firstBrokerLoginFlowAlias("string")
.forceAuthn(false)
.guiOrder("string")
.hideOnLoginPage(false)
.linkOnly(false)
.loginHint("string")
.nameIdPolicyFormat("string")
.addReadTokenRoleOnCreate(false)
.postBindingLogout(false)
.postBindingResponse(false)
.authnContextDeclRefs("string")
.principalAttribute("string")
.principalType("string")
.providerId("string")
.authnContextClassRefs("string")
.signatureAlgorithm("string")
.signingCertificate("string")
.singleLogoutServiceUrl("string")
.authenticateByDefault(false)
.storeToken(false)
.syncMode("string")
.trustEmail(false)
.validateSignature(false)
.wantAssertionsEncrypted(false)
.wantAssertionsSigned(false)
.xmlSignKeyInfoKeyNameTransformer("string")
.build());
keycloak_identity_provider_resource = keycloak.saml.IdentityProvider("keycloakIdentityProviderResource",
entity_id="string",
alias="string",
single_sign_on_service_url="string",
realm="string",
post_binding_authn_request=False,
post_broker_login_flow_alias="string",
backchannel_supported=False,
display_name="string",
enabled=False,
authn_context_comparison_type="string",
extra_config={
"string": "string",
},
first_broker_login_flow_alias="string",
force_authn=False,
gui_order="string",
hide_on_login_page=False,
link_only=False,
login_hint="string",
name_id_policy_format="string",
add_read_token_role_on_create=False,
post_binding_logout=False,
post_binding_response=False,
authn_context_decl_refs=["string"],
principal_attribute="string",
principal_type="string",
provider_id="string",
authn_context_class_refs=["string"],
signature_algorithm="string",
signing_certificate="string",
single_logout_service_url="string",
authenticate_by_default=False,
store_token=False,
sync_mode="string",
trust_email=False,
validate_signature=False,
want_assertions_encrypted=False,
want_assertions_signed=False,
xml_sign_key_info_key_name_transformer="string")
const keycloakIdentityProviderResource = new keycloak.saml.IdentityProvider("keycloakIdentityProviderResource", {
entityId: "string",
alias: "string",
singleSignOnServiceUrl: "string",
realm: "string",
postBindingAuthnRequest: false,
postBrokerLoginFlowAlias: "string",
backchannelSupported: false,
displayName: "string",
enabled: false,
authnContextComparisonType: "string",
extraConfig: {
string: "string",
},
firstBrokerLoginFlowAlias: "string",
forceAuthn: false,
guiOrder: "string",
hideOnLoginPage: false,
linkOnly: false,
loginHint: "string",
nameIdPolicyFormat: "string",
addReadTokenRoleOnCreate: false,
postBindingLogout: false,
postBindingResponse: false,
authnContextDeclRefs: ["string"],
principalAttribute: "string",
principalType: "string",
providerId: "string",
authnContextClassRefs: ["string"],
signatureAlgorithm: "string",
signingCertificate: "string",
singleLogoutServiceUrl: "string",
authenticateByDefault: false,
storeToken: false,
syncMode: "string",
trustEmail: false,
validateSignature: false,
wantAssertionsEncrypted: false,
wantAssertionsSigned: false,
xmlSignKeyInfoKeyNameTransformer: "string",
});
type: keycloak:saml:IdentityProvider
properties:
addReadTokenRoleOnCreate: false
alias: string
authenticateByDefault: false
authnContextClassRefs:
- string
authnContextComparisonType: string
authnContextDeclRefs:
- string
backchannelSupported: false
displayName: string
enabled: false
entityId: string
extraConfig:
string: string
firstBrokerLoginFlowAlias: string
forceAuthn: false
guiOrder: string
hideOnLoginPage: false
linkOnly: false
loginHint: string
nameIdPolicyFormat: string
postBindingAuthnRequest: false
postBindingLogout: false
postBindingResponse: false
postBrokerLoginFlowAlias: string
principalAttribute: string
principalType: string
providerId: string
realm: string
signatureAlgorithm: string
signingCertificate: string
singleLogoutServiceUrl: string
singleSignOnServiceUrl: string
storeToken: false
syncMode: string
trustEmail: false
validateSignature: false
wantAssertionsEncrypted: false
wantAssertionsSigned: false
xmlSignKeyInfoKeyNameTransformer: string
IdentityProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The IdentityProvider resource accepts the following input properties:
- Alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- Realm string
- Realm Name
- Single
Sign stringOn Service Url - SSO Logout URL.
- Add
Read boolToken Role On Create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Authn
Context List<string>Class Refs - AuthnContext ClassRefs
- Authn
Context stringComparison Type - AuthnContext Comparison
- Authn
Context List<string>Decl Refs - AuthnContext DeclRefs
- Backchannel
Supported bool - Does the external IDP support backchannel logout?
- Display
Name string - Friendly name for Identity Providers.
- Enabled bool
- Enable/disable this identity provider.
- Extra
Config Dictionary<string, string> - First
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- Force
Authn bool - Require Force Authn.
- Gui
Order string - GUI Order
- Hide
On boolLogin Page - Hide On Login Page.
- Link
Only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- Login
Hint string - Login Hint.
- Name
Id stringPolicy Format - Name ID Policy Format.
- Post
Binding boolAuthn Request - Post Binding Authn Request.
- Post
Binding boolLogout - Post Binding Logout.
- Post
Binding boolResponse - Post Binding Response.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Principal
Attribute string - Principal Attribute
- Principal
Type string - Principal Type
- Provider
Id string - provider id, is always saml, unless you have a custom implementation
- Signature
Algorithm string - Signing Algorithm.
- Signing
Certificate string - Signing Certificate.
- Single
Logout stringService Url - Logout URL.
- Store
Token bool - Enable/disable if tokens must be stored after authenticating users.
- Sync
Mode string - Sync Mode
- Trust
Email bool - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- Validate
Signature bool - Enable/disable signature validation of SAML responses.
- Want
Assertions boolEncrypted - Want Assertions Encrypted.
- Want
Assertions boolSigned - Want Assertions Signed.
- Xml
Sign stringKey Info Key Name Transformer - Sign Key Transformer.
- Alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- Realm string
- Realm Name
- Single
Sign stringOn Service Url - SSO Logout URL.
- Add
Read boolToken Role On Create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Authn
Context []stringClass Refs - AuthnContext ClassRefs
- Authn
Context stringComparison Type - AuthnContext Comparison
- Authn
Context []stringDecl Refs - AuthnContext DeclRefs
- Backchannel
Supported bool - Does the external IDP support backchannel logout?
- Display
Name string - Friendly name for Identity Providers.
- Enabled bool
- Enable/disable this identity provider.
- Extra
Config map[string]string - First
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- Force
Authn bool - Require Force Authn.
- Gui
Order string - GUI Order
- Hide
On boolLogin Page - Hide On Login Page.
- Link
Only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- Login
Hint string - Login Hint.
- Name
Id stringPolicy Format - Name ID Policy Format.
- Post
Binding boolAuthn Request - Post Binding Authn Request.
- Post
Binding boolLogout - Post Binding Logout.
- Post
Binding boolResponse - Post Binding Response.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Principal
Attribute string - Principal Attribute
- Principal
Type string - Principal Type
- Provider
Id string - provider id, is always saml, unless you have a custom implementation
- Signature
Algorithm string - Signing Algorithm.
- Signing
Certificate string - Signing Certificate.
- Single
Logout stringService Url - Logout URL.
- Store
Token bool - Enable/disable if tokens must be stored after authenticating users.
- Sync
Mode string - Sync Mode
- Trust
Email bool - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- Validate
Signature bool - Enable/disable signature validation of SAML responses.
- Want
Assertions boolEncrypted - Want Assertions Encrypted.
- Want
Assertions boolSigned - Want Assertions Signed.
- Xml
Sign stringKey Info Key Name Transformer - Sign Key Transformer.
- alias String
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- entity
Id String - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- realm String
- Realm Name
- single
Sign StringOn Service Url - SSO Logout URL.
- add
Read BooleanToken Role On Create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- authn
Context List<String>Class Refs - AuthnContext ClassRefs
- authn
Context StringComparison Type - AuthnContext Comparison
- authn
Context List<String>Decl Refs - AuthnContext DeclRefs
- backchannel
Supported Boolean - Does the external IDP support backchannel logout?
- display
Name String - Friendly name for Identity Providers.
- enabled Boolean
- Enable/disable this identity provider.
- extra
Config Map<String,String> - first
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force
Authn Boolean - Require Force Authn.
- gui
Order String - GUI Order
- hide
On BooleanLogin Page - Hide On Login Page.
- link
Only Boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- login
Hint String - Login Hint.
- name
Id StringPolicy Format - Name ID Policy Format.
- post
Binding BooleanAuthn Request - Post Binding Authn Request.
- post
Binding BooleanLogout - Post Binding Logout.
- post
Binding BooleanResponse - Post Binding Response.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- principal
Attribute String - Principal Attribute
- principal
Type String - Principal Type
- provider
Id String - provider id, is always saml, unless you have a custom implementation
- signature
Algorithm String - Signing Algorithm.
- signing
Certificate String - Signing Certificate.
- single
Logout StringService Url - Logout URL.
- store
Token Boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode String - Sync Mode
- trust
Email Boolean - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate
Signature Boolean - Enable/disable signature validation of SAML responses.
- want
Assertions BooleanEncrypted - Want Assertions Encrypted.
- want
Assertions BooleanSigned - Want Assertions Signed.
- xml
Sign StringKey Info Key Name Transformer - Sign Key Transformer.
- alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- realm string
- Realm Name
- single
Sign stringOn Service Url - SSO Logout URL.
- add
Read booleanToken Role On Create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate
By booleanDefault - Enable/disable authenticate users by default.
- authn
Context string[]Class Refs - AuthnContext ClassRefs
- authn
Context stringComparison Type - AuthnContext Comparison
- authn
Context string[]Decl Refs - AuthnContext DeclRefs
- backchannel
Supported boolean - Does the external IDP support backchannel logout?
- display
Name string - Friendly name for Identity Providers.
- enabled boolean
- Enable/disable this identity provider.
- extra
Config {[key: string]: string} - first
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force
Authn boolean - Require Force Authn.
- gui
Order string - GUI Order
- hide
On booleanLogin Page - Hide On Login Page.
- link
Only boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- login
Hint string - Login Hint.
- name
Id stringPolicy Format - Name ID Policy Format.
- post
Binding booleanAuthn Request - Post Binding Authn Request.
- post
Binding booleanLogout - Post Binding Logout.
- post
Binding booleanResponse - Post Binding Response.
- post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- principal
Attribute string - Principal Attribute
- principal
Type string - Principal Type
- provider
Id string - provider id, is always saml, unless you have a custom implementation
- signature
Algorithm string - Signing Algorithm.
- signing
Certificate string - Signing Certificate.
- single
Logout stringService Url - Logout URL.
- store
Token boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode string - Sync Mode
- trust
Email boolean - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate
Signature boolean - Enable/disable signature validation of SAML responses.
- want
Assertions booleanEncrypted - Want Assertions Encrypted.
- want
Assertions booleanSigned - Want Assertions Signed.
- xml
Sign stringKey Info Key Name Transformer - Sign Key Transformer.
- alias str
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- entity_
id str - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- realm str
- Realm Name
- single_
sign_ stron_ service_ url - SSO Logout URL.
- add_
read_ booltoken_ role_ on_ create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate_
by_ booldefault - Enable/disable authenticate users by default.
- authn_
context_ Sequence[str]class_ refs - AuthnContext ClassRefs
- authn_
context_ strcomparison_ type - AuthnContext Comparison
- authn_
context_ Sequence[str]decl_ refs - AuthnContext DeclRefs
- backchannel_
supported bool - Does the external IDP support backchannel logout?
- display_
name str - Friendly name for Identity Providers.
- enabled bool
- Enable/disable this identity provider.
- extra_
config Mapping[str, str] - first_
broker_ strlogin_ flow_ alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force_
authn bool - Require Force Authn.
- gui_
order str - GUI Order
- hide_
on_ boollogin_ page - Hide On Login Page.
- link_
only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- login_
hint str - Login Hint.
- name_
id_ strpolicy_ format - Name ID Policy Format.
- post_
binding_ boolauthn_ request - Post Binding Authn Request.
- post_
binding_ boollogout - Post Binding Logout.
- post_
binding_ boolresponse - Post Binding Response.
- post_
broker_ strlogin_ flow_ alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- principal_
attribute str - Principal Attribute
- principal_
type str - Principal Type
- provider_
id str - provider id, is always saml, unless you have a custom implementation
- signature_
algorithm str - Signing Algorithm.
- signing_
certificate str - Signing Certificate.
- single_
logout_ strservice_ url - Logout URL.
- store_
token bool - Enable/disable if tokens must be stored after authenticating users.
- sync_
mode str - Sync Mode
- trust_
email bool - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate_
signature bool - Enable/disable signature validation of SAML responses.
- want_
assertions_ boolencrypted - Want Assertions Encrypted.
- want_
assertions_ boolsigned - Want Assertions Signed.
- xml_
sign_ strkey_ info_ key_ name_ transformer - Sign Key Transformer.
- alias String
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- entity
Id String - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- realm String
- Realm Name
- single
Sign StringOn Service Url - SSO Logout URL.
- add
Read BooleanToken Role On Create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- authn
Context List<String>Class Refs - AuthnContext ClassRefs
- authn
Context StringComparison Type - AuthnContext Comparison
- authn
Context List<String>Decl Refs - AuthnContext DeclRefs
- backchannel
Supported Boolean - Does the external IDP support backchannel logout?
- display
Name String - Friendly name for Identity Providers.
- enabled Boolean
- Enable/disable this identity provider.
- extra
Config Map<String> - first
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force
Authn Boolean - Require Force Authn.
- gui
Order String - GUI Order
- hide
On BooleanLogin Page - Hide On Login Page.
- link
Only Boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- login
Hint String - Login Hint.
- name
Id StringPolicy Format - Name ID Policy Format.
- post
Binding BooleanAuthn Request - Post Binding Authn Request.
- post
Binding BooleanLogout - Post Binding Logout.
- post
Binding BooleanResponse - Post Binding Response.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- principal
Attribute String - Principal Attribute
- principal
Type String - Principal Type
- provider
Id String - provider id, is always saml, unless you have a custom implementation
- signature
Algorithm String - Signing Algorithm.
- signing
Certificate String - Signing Certificate.
- single
Logout StringService Url - Logout URL.
- store
Token Boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode String - Sync Mode
- trust
Email Boolean - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate
Signature Boolean - Enable/disable signature validation of SAML responses.
- want
Assertions BooleanEncrypted - Want Assertions Encrypted.
- want
Assertions BooleanSigned - Want Assertions Signed.
- xml
Sign StringKey Info Key Name Transformer - Sign Key Transformer.
Outputs
All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string - Internal Identity Provider Id
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string - Internal Identity Provider Id
- id String
- The provider-assigned unique ID for this managed resource.
- internal
Id String - Internal Identity Provider Id
- id string
- The provider-assigned unique ID for this managed resource.
- internal
Id string - Internal Identity Provider Id
- id str
- The provider-assigned unique ID for this managed resource.
- internal_
id str - Internal Identity Provider Id
- id String
- The provider-assigned unique ID for this managed resource.
- internal
Id String - Internal Identity Provider Id
Look up Existing IdentityProvider Resource
Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
add_read_token_role_on_create: Optional[bool] = None,
alias: Optional[str] = None,
authenticate_by_default: Optional[bool] = None,
authn_context_class_refs: Optional[Sequence[str]] = None,
authn_context_comparison_type: Optional[str] = None,
authn_context_decl_refs: Optional[Sequence[str]] = None,
backchannel_supported: Optional[bool] = None,
display_name: Optional[str] = None,
enabled: Optional[bool] = None,
entity_id: Optional[str] = None,
extra_config: Optional[Mapping[str, str]] = None,
first_broker_login_flow_alias: Optional[str] = None,
force_authn: Optional[bool] = None,
gui_order: Optional[str] = None,
hide_on_login_page: Optional[bool] = None,
internal_id: Optional[str] = None,
link_only: Optional[bool] = None,
login_hint: Optional[str] = None,
name_id_policy_format: Optional[str] = None,
post_binding_authn_request: Optional[bool] = None,
post_binding_logout: Optional[bool] = None,
post_binding_response: Optional[bool] = None,
post_broker_login_flow_alias: Optional[str] = None,
principal_attribute: Optional[str] = None,
principal_type: Optional[str] = None,
provider_id: Optional[str] = None,
realm: Optional[str] = None,
signature_algorithm: Optional[str] = None,
signing_certificate: Optional[str] = None,
single_logout_service_url: Optional[str] = None,
single_sign_on_service_url: Optional[str] = None,
store_token: Optional[bool] = None,
sync_mode: Optional[str] = None,
trust_email: Optional[bool] = None,
validate_signature: Optional[bool] = None,
want_assertions_encrypted: Optional[bool] = None,
want_assertions_signed: Optional[bool] = None,
xml_sign_key_info_key_name_transformer: Optional[str] = None) -> IdentityProvider
func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)
public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)
public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Add
Read boolToken Role On Create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Authn
Context List<string>Class Refs - AuthnContext ClassRefs
- Authn
Context stringComparison Type - AuthnContext Comparison
- Authn
Context List<string>Decl Refs - AuthnContext DeclRefs
- Backchannel
Supported bool - Does the external IDP support backchannel logout?
- Display
Name string - Friendly name for Identity Providers.
- Enabled bool
- Enable/disable this identity provider.
- Entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- Extra
Config Dictionary<string, string> - First
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- Force
Authn bool - Require Force Authn.
- Gui
Order string - GUI Order
- Hide
On boolLogin Page - Hide On Login Page.
- Internal
Id string - Internal Identity Provider Id
- Link
Only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- Login
Hint string - Login Hint.
- Name
Id stringPolicy Format - Name ID Policy Format.
- Post
Binding boolAuthn Request - Post Binding Authn Request.
- Post
Binding boolLogout - Post Binding Logout.
- Post
Binding boolResponse - Post Binding Response.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Principal
Attribute string - Principal Attribute
- Principal
Type string - Principal Type
- Provider
Id string - provider id, is always saml, unless you have a custom implementation
- Realm string
- Realm Name
- Signature
Algorithm string - Signing Algorithm.
- Signing
Certificate string - Signing Certificate.
- Single
Logout stringService Url - Logout URL.
- Single
Sign stringOn Service Url - SSO Logout URL.
- Store
Token bool - Enable/disable if tokens must be stored after authenticating users.
- Sync
Mode string - Sync Mode
- Trust
Email bool - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- Validate
Signature bool - Enable/disable signature validation of SAML responses.
- Want
Assertions boolEncrypted - Want Assertions Encrypted.
- Want
Assertions boolSigned - Want Assertions Signed.
- Xml
Sign stringKey Info Key Name Transformer - Sign Key Transformer.
- Add
Read boolToken Role On Create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Authenticate
By boolDefault - Enable/disable authenticate users by default.
- Authn
Context []stringClass Refs - AuthnContext ClassRefs
- Authn
Context stringComparison Type - AuthnContext Comparison
- Authn
Context []stringDecl Refs - AuthnContext DeclRefs
- Backchannel
Supported bool - Does the external IDP support backchannel logout?
- Display
Name string - Friendly name for Identity Providers.
- Enabled bool
- Enable/disable this identity provider.
- Entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- Extra
Config map[string]string - First
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- Force
Authn bool - Require Force Authn.
- Gui
Order string - GUI Order
- Hide
On boolLogin Page - Hide On Login Page.
- Internal
Id string - Internal Identity Provider Id
- Link
Only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- Login
Hint string - Login Hint.
- Name
Id stringPolicy Format - Name ID Policy Format.
- Post
Binding boolAuthn Request - Post Binding Authn Request.
- Post
Binding boolLogout - Post Binding Logout.
- Post
Binding boolResponse - Post Binding Response.
- Post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Principal
Attribute string - Principal Attribute
- Principal
Type string - Principal Type
- Provider
Id string - provider id, is always saml, unless you have a custom implementation
- Realm string
- Realm Name
- Signature
Algorithm string - Signing Algorithm.
- Signing
Certificate string - Signing Certificate.
- Single
Logout stringService Url - Logout URL.
- Single
Sign stringOn Service Url - SSO Logout URL.
- Store
Token bool - Enable/disable if tokens must be stored after authenticating users.
- Sync
Mode string - Sync Mode
- Trust
Email bool - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- Validate
Signature bool - Enable/disable signature validation of SAML responses.
- Want
Assertions boolEncrypted - Want Assertions Encrypted.
- Want
Assertions boolSigned - Want Assertions Signed.
- Xml
Sign stringKey Info Key Name Transformer - Sign Key Transformer.
- add
Read BooleanToken Role On Create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- alias String
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- authn
Context List<String>Class Refs - AuthnContext ClassRefs
- authn
Context StringComparison Type - AuthnContext Comparison
- authn
Context List<String>Decl Refs - AuthnContext DeclRefs
- backchannel
Supported Boolean - Does the external IDP support backchannel logout?
- display
Name String - Friendly name for Identity Providers.
- enabled Boolean
- Enable/disable this identity provider.
- entity
Id String - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- extra
Config Map<String,String> - first
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force
Authn Boolean - Require Force Authn.
- gui
Order String - GUI Order
- hide
On BooleanLogin Page - Hide On Login Page.
- internal
Id String - Internal Identity Provider Id
- link
Only Boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- login
Hint String - Login Hint.
- name
Id StringPolicy Format - Name ID Policy Format.
- post
Binding BooleanAuthn Request - Post Binding Authn Request.
- post
Binding BooleanLogout - Post Binding Logout.
- post
Binding BooleanResponse - Post Binding Response.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- principal
Attribute String - Principal Attribute
- principal
Type String - Principal Type
- provider
Id String - provider id, is always saml, unless you have a custom implementation
- realm String
- Realm Name
- signature
Algorithm String - Signing Algorithm.
- signing
Certificate String - Signing Certificate.
- single
Logout StringService Url - Logout URL.
- single
Sign StringOn Service Url - SSO Logout URL.
- store
Token Boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode String - Sync Mode
- trust
Email Boolean - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate
Signature Boolean - Enable/disable signature validation of SAML responses.
- want
Assertions BooleanEncrypted - Want Assertions Encrypted.
- want
Assertions BooleanSigned - Want Assertions Signed.
- xml
Sign StringKey Info Key Name Transformer - Sign Key Transformer.
- add
Read booleanToken Role On Create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- alias string
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate
By booleanDefault - Enable/disable authenticate users by default.
- authn
Context string[]Class Refs - AuthnContext ClassRefs
- authn
Context stringComparison Type - AuthnContext Comparison
- authn
Context string[]Decl Refs - AuthnContext DeclRefs
- backchannel
Supported boolean - Does the external IDP support backchannel logout?
- display
Name string - Friendly name for Identity Providers.
- enabled boolean
- Enable/disable this identity provider.
- entity
Id string - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- extra
Config {[key: string]: string} - first
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force
Authn boolean - Require Force Authn.
- gui
Order string - GUI Order
- hide
On booleanLogin Page - Hide On Login Page.
- internal
Id string - Internal Identity Provider Id
- link
Only boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- login
Hint string - Login Hint.
- name
Id stringPolicy Format - Name ID Policy Format.
- post
Binding booleanAuthn Request - Post Binding Authn Request.
- post
Binding booleanLogout - Post Binding Logout.
- post
Binding booleanResponse - Post Binding Response.
- post
Broker stringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- principal
Attribute string - Principal Attribute
- principal
Type string - Principal Type
- provider
Id string - provider id, is always saml, unless you have a custom implementation
- realm string
- Realm Name
- signature
Algorithm string - Signing Algorithm.
- signing
Certificate string - Signing Certificate.
- single
Logout stringService Url - Logout URL.
- single
Sign stringOn Service Url - SSO Logout URL.
- store
Token boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode string - Sync Mode
- trust
Email boolean - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate
Signature boolean - Enable/disable signature validation of SAML responses.
- want
Assertions booleanEncrypted - Want Assertions Encrypted.
- want
Assertions booleanSigned - Want Assertions Signed.
- xml
Sign stringKey Info Key Name Transformer - Sign Key Transformer.
- add_
read_ booltoken_ role_ on_ create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- alias str
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate_
by_ booldefault - Enable/disable authenticate users by default.
- authn_
context_ Sequence[str]class_ refs - AuthnContext ClassRefs
- authn_
context_ strcomparison_ type - AuthnContext Comparison
- authn_
context_ Sequence[str]decl_ refs - AuthnContext DeclRefs
- backchannel_
supported bool - Does the external IDP support backchannel logout?
- display_
name str - Friendly name for Identity Providers.
- enabled bool
- Enable/disable this identity provider.
- entity_
id str - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- extra_
config Mapping[str, str] - first_
broker_ strlogin_ flow_ alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force_
authn bool - Require Force Authn.
- gui_
order str - GUI Order
- hide_
on_ boollogin_ page - Hide On Login Page.
- internal_
id str - Internal Identity Provider Id
- link_
only bool - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- login_
hint str - Login Hint.
- name_
id_ strpolicy_ format - Name ID Policy Format.
- post_
binding_ boolauthn_ request - Post Binding Authn Request.
- post_
binding_ boollogout - Post Binding Logout.
- post_
binding_ boolresponse - Post Binding Response.
- post_
broker_ strlogin_ flow_ alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- principal_
attribute str - Principal Attribute
- principal_
type str - Principal Type
- provider_
id str - provider id, is always saml, unless you have a custom implementation
- realm str
- Realm Name
- signature_
algorithm str - Signing Algorithm.
- signing_
certificate str - Signing Certificate.
- single_
logout_ strservice_ url - Logout URL.
- single_
sign_ stron_ service_ url - SSO Logout URL.
- store_
token bool - Enable/disable if tokens must be stored after authenticating users.
- sync_
mode str - Sync Mode
- trust_
email bool - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate_
signature bool - Enable/disable signature validation of SAML responses.
- want_
assertions_ boolencrypted - Want Assertions Encrypted.
- want_
assertions_ boolsigned - Want Assertions Signed.
- xml_
sign_ strkey_ info_ key_ name_ transformer - Sign Key Transformer.
- add
Read BooleanToken Role On Create - Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- alias String
- The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate
By BooleanDefault - Enable/disable authenticate users by default.
- authn
Context List<String>Class Refs - AuthnContext ClassRefs
- authn
Context StringComparison Type - AuthnContext Comparison
- authn
Context List<String>Decl Refs - AuthnContext DeclRefs
- backchannel
Supported Boolean - Does the external IDP support backchannel logout?
- display
Name String - Friendly name for Identity Providers.
- enabled Boolean
- Enable/disable this identity provider.
- entity
Id String - The Entity ID that will be used to uniquely identify this SAML Service Provider.
- extra
Config Map<String> - first
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force
Authn Boolean - Require Force Authn.
- gui
Order String - GUI Order
- hide
On BooleanLogin Page - Hide On Login Page.
- internal
Id String - Internal Identity Provider Id
- link
Only Boolean - If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
- login
Hint String - Login Hint.
- name
Id StringPolicy Format - Name ID Policy Format.
- post
Binding BooleanAuthn Request - Post Binding Authn Request.
- post
Binding BooleanLogout - Post Binding Logout.
- post
Binding BooleanResponse - Post Binding Response.
- post
Broker StringLogin Flow Alias - Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- principal
Attribute String - Principal Attribute
- principal
Type String - Principal Type
- provider
Id String - provider id, is always saml, unless you have a custom implementation
- realm String
- Realm Name
- signature
Algorithm String - Signing Algorithm.
- signing
Certificate String - Signing Certificate.
- single
Logout StringService Url - Logout URL.
- single
Sign StringOn Service Url - SSO Logout URL.
- store
Token Boolean - Enable/disable if tokens must be stored after authenticating users.
- sync
Mode String - Sync Mode
- trust
Email Boolean - If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate
Signature Boolean - Enable/disable signature validation of SAML responses.
- want
Assertions BooleanEncrypted - Want Assertions Encrypted.
- want
Assertions BooleanSigned - Want Assertions Signed.
- xml
Sign StringKey Info Key Name Transformer - Sign Key Transformer.
Package Details
- Repository
- Keycloak pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloak
Terraform Provider.