saml

package
Published: Aug 31, 2020 License: Apache-2.0 Imports: 3 Imported by: 0

Types

type Client

// Client is a Keycloak client that uses the SAML protocol. Clients are entities
// that can use Keycloak for user authentication — typically applications that
// redirect users to Keycloak in order to take advantage of Keycloak's user
// sessions for SSO. Field descriptions follow the Argument Reference below.
type Client struct {
	pulumi.CustomResourceState

	// SAML POST Binding URL for the client's assertion consumer service (login responses).
	AssertionConsumerPostUrl pulumi.StringPtrOutput `pulumi:"assertionConsumerPostUrl"`
	// SAML Redirect Binding URL for the client's assertion consumer service (login responses).
	AssertionConsumerRedirectUrl pulumi.StringPtrOutput `pulumi:"assertionConsumerRedirectUrl"`
	// When specified, this URL is used whenever Keycloak needs to link to this client.
	BaseUrl pulumi.StringPtrOutput `pulumi:"baseUrl"`
	// The unique ID of this client, referenced in the URI during authentication and in issued tokens.
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// When true, Keycloak expects documents originating from the client to be signed using the
	// certificate and/or key configured via SigningCertificate and SigningPrivateKey.
	ClientSignatureRequired pulumi.BoolOutput `pulumi:"clientSignatureRequired"`
	// The description of this client in the GUI.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// When false, this client cannot initiate a login or obtain access tokens. Defaults to true.
	Enabled pulumi.BoolPtrOutput `pulumi:"enabled"`
	// Not described in this package's Argument Reference; presumably controls whether SAML
	// assertions for this client are encrypted — confirm against the provider docs.
	EncryptAssertions pulumi.BoolOutput `pulumi:"encryptAssertions"`
	// Not described in this package's Argument Reference; presumably the certificate used when
	// assertions are encrypted — confirm against the provider docs.
	EncryptionCertificate pulumi.StringPtrOutput `pulumi:"encryptionCertificate"`
	// Not described in this package's Argument Reference — confirm against the provider docs.
	ForceNameIdFormat pulumi.BoolOutput `pulumi:"forceNameIdFormat"`
	// When true, Keycloak always responds to an authentication request via the SAML POST Binding.
	ForcePostBinding pulumi.BoolOutput `pulumi:"forcePostBinding"`
	// When true, this client requires a browser redirect in order to perform a logout.
	FrontChannelLogout pulumi.BoolOutput `pulumi:"frontChannelLogout"`
	// Allows including all role mappings in the access token.
	FullScopeAllowed pulumi.BoolPtrOutput `pulumi:"fullScopeAllowed"`
	// Relay state sent with the SAML request when doing IdP-initiated SSO.
	IdpInitiatedSsoRelayState pulumi.StringPtrOutput `pulumi:"idpInitiatedSsoRelayState"`
	// URL fragment name used to reference this client when doing IdP-initiated SSO.
	IdpInitiatedSsoUrlName pulumi.StringPtrOutput `pulumi:"idpInitiatedSsoUrlName"`
	// When true, an AuthnStatement is included in the SAML response.
	IncludeAuthnStatement pulumi.BoolOutput `pulumi:"includeAuthnStatement"`
	// SAML POST Binding URL for the client's single logout service.
	LogoutServicePostBindingUrl pulumi.StringPtrOutput `pulumi:"logoutServicePostBindingUrl"`
	// SAML Redirect Binding URL for the client's single logout service.
	LogoutServiceRedirectBindingUrl pulumi.StringPtrOutput `pulumi:"logoutServiceRedirectBindingUrl"`
	// When specified, this URL is used for all SAML requests.
	MasterSamlProcessingUrl pulumi.StringPtrOutput `pulumi:"masterSamlProcessingUrl"`
	// The display name of this client in the GUI.
	Name pulumi.StringOutput `pulumi:"name"`
	// The Name ID format for the subject.
	NameIdFormat pulumi.StringOutput `pulumi:"nameIdFormat"`
	// The realm this client is attached to.
	RealmId pulumi.StringOutput `pulumi:"realmId"`
	// When specified, this value is prepended to all relative URLs.
	RootUrl pulumi.StringPtrOutput `pulumi:"rootUrl"`
	// When true, the SAML assertions are signed by Keycloak using the realm's private key and
	// embedded within the SAML XML Auth response.
	SignAssertions pulumi.BoolOutput `pulumi:"signAssertions"`
	// When true, the SAML document is signed by Keycloak using the realm's private key.
	SignDocuments pulumi.BoolOutput `pulumi:"signDocuments"`
	// Not described in this package's Argument Reference — confirm against the provider docs.
	SignatureAlgorithm pulumi.StringPtrOutput `pulumi:"signatureAlgorithm"`
	// If documents or assertions from the client are signed, this certificate is used to verify
	// the signature.
	SigningCertificate pulumi.StringPtrOutput `pulumi:"signingCertificate"`
	// Private key the Argument Reference lists alongside SigningCertificate for signed documents
	// or assertions from the client. NOTE(review): this is a secret — keep it out of plaintext
	// configuration and state exports.
	SigningPrivateKey pulumi.StringPtrOutput `pulumi:"signingPrivateKey"`
	// When specified, Keycloak uses this list to validate the Assertion Consumer URLs given in the
	// authentication request. NOTE(review): keep the list tight; it is the check that decides which
	// consumer URLs a request may name.
	ValidRedirectUris pulumi.StringArrayOutput `pulumi:"validRedirectUris"`
}

## # saml.Client

Allows for creating and managing Keycloak clients that use the SAML protocol.

Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO.

### Argument Reference

The following arguments are supported:

- `realmId` - (Required) The realm this client is attached to. - `clientId` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens. - `name` - (Optional) The display name of this client in the GUI. - `enabled` - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`. - `description` - (Optional) The description of this client in the GUI. - `includeAuthnStatement` - (Optional) When `true`, an `AuthnStatement` will be included in the SAML response. - `signDocuments` - (Optional) When `true`, the SAML document will be signed by Keycloak using the realm's private key. - `signAssertions` - (Optional) When `true`, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. - `clientSignatureRequired` - (Optional) When `true`, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via `signingCertificate` and `signingPrivateKey`. - `forcePostBinding` - (Optional) When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding. - `frontChannelLogout` - (Optional) When `true`, this client will require a browser redirect in order to perform a logout. - `nameIdFormat` - (Optional) Sets the Name ID format for the subject. - `rootUrl` - (Optional) When specified, this value is prepended to all relative URLs. - `validRedirectUris` - (Optional) When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request. - `baseUrl` - (Optional) When specified, this URL will be used whenever Keycloak needs to link to this client. - `masterSamlProcessingUrl` - (Optional) When specified, this URL will be used for all SAML requests. 
- `signingCertificate` - (Optional) If documents or assertions from the client are signed, this certificate will be used to verify the signature. - `signingPrivateKey` - (Optional) If documents or assertions from the client are signed, this private key will be used to verify the signature. - `idpInitiatedSsoUrlName` - (Optional) URL fragment name to reference client when you want to do IDP Initiated SSO. - `idpInitiatedSsoRelayState` - (Optional) Relay state you want to send with SAML request when you want to do IDP Initiated SSO. - `assertionConsumerPostUrl` - (Optional) SAML POST Binding URL for the client's assertion consumer service (login responses). - `assertionConsumerRedirectUrl` - (Optional) SAML Redirect Binding URL for the client's assertion consumer service (login responses). - `logoutServicePostBindingUrl` - (Optional) SAML POST Binding URL for the client's single logout service. - `logoutServiceRedirectBindingUrl` - (Optional) SAML Redirect Binding URL for the client's single logout service. - `fullScopeAllowed` - (Optional) - Allow to include all roles mappings in the access token

func GetClient

func GetClient(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ClientState, opts ...pulumi.ResourceOption) (*Client, error)

GetClient gets an existing Client resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewClient

func NewClient(ctx *pulumi.Context,
	name string, args *ClientArgs, opts ...pulumi.ResourceOption) (*Client, error)

NewClient registers a new resource with the given unique name, arguments, and options.

type ClientArgs

// ClientArgs is the set of arguments for constructing a Client resource.
// Only ClientId and RealmId are non-pointer inputs (required); the rest are
// optional. See the Argument Reference for saml.Client for each field.
type ClientArgs struct {
	// SAML POST Binding URL for the client's assertion consumer service (login responses).
	AssertionConsumerPostUrl pulumi.StringPtrInput
	// SAML Redirect Binding URL for the client's assertion consumer service (login responses).
	AssertionConsumerRedirectUrl pulumi.StringPtrInput
	// When specified, this URL is used whenever Keycloak needs to link to this client.
	BaseUrl pulumi.StringPtrInput
	// (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.
	ClientId pulumi.StringInput
	// When true, Keycloak expects documents originating from the client to be signed using the
	// certificate and/or key configured via SigningCertificate and SigningPrivateKey.
	ClientSignatureRequired pulumi.BoolPtrInput
	// The description of this client in the GUI.
	Description pulumi.StringPtrInput
	// When false, this client cannot initiate a login or obtain access tokens. Defaults to true.
	Enabled pulumi.BoolPtrInput
	// Not described in this package's Argument Reference — confirm against the provider docs.
	EncryptAssertions pulumi.BoolPtrInput
	// Not described in this package's Argument Reference — confirm against the provider docs.
	EncryptionCertificate pulumi.StringPtrInput
	// Not described in this package's Argument Reference — confirm against the provider docs.
	ForceNameIdFormat pulumi.BoolPtrInput
	// When true, Keycloak always responds to an authentication request via the SAML POST Binding.
	ForcePostBinding pulumi.BoolPtrInput
	// When true, this client requires a browser redirect in order to perform a logout.
	FrontChannelLogout pulumi.BoolPtrInput
	// Allows including all role mappings in the access token.
	FullScopeAllowed pulumi.BoolPtrInput
	// Relay state sent with the SAML request when doing IdP-initiated SSO.
	IdpInitiatedSsoRelayState pulumi.StringPtrInput
	// URL fragment name used to reference this client when doing IdP-initiated SSO.
	IdpInitiatedSsoUrlName pulumi.StringPtrInput
	// When true, an AuthnStatement is included in the SAML response.
	IncludeAuthnStatement pulumi.BoolPtrInput
	// SAML POST Binding URL for the client's single logout service.
	LogoutServicePostBindingUrl pulumi.StringPtrInput
	// SAML Redirect Binding URL for the client's single logout service.
	LogoutServiceRedirectBindingUrl pulumi.StringPtrInput
	// When specified, this URL is used for all SAML requests.
	MasterSamlProcessingUrl pulumi.StringPtrInput
	// The display name of this client in the GUI.
	Name pulumi.StringPtrInput
	// The Name ID format for the subject.
	NameIdFormat pulumi.StringPtrInput
	// (Required) The realm this client is attached to.
	RealmId pulumi.StringInput
	// When specified, this value is prepended to all relative URLs.
	RootUrl pulumi.StringPtrInput
	// When true, the SAML assertions are signed by Keycloak using the realm's private key and
	// embedded within the SAML XML Auth response.
	SignAssertions pulumi.BoolPtrInput
	// When true, the SAML document is signed by Keycloak using the realm's private key.
	SignDocuments pulumi.BoolPtrInput
	// Not described in this package's Argument Reference — confirm against the provider docs.
	SignatureAlgorithm pulumi.StringPtrInput
	// If documents or assertions from the client are signed, this certificate is used to verify
	// the signature.
	SigningCertificate pulumi.StringPtrInput
	// Private key listed alongside SigningCertificate for signed documents or assertions from the
	// client. NOTE(review): this is a secret — keep it out of plaintext configuration and state.
	SigningPrivateKey pulumi.StringPtrInput
	// When specified, Keycloak uses this list to validate the Assertion Consumer URLs given in the
	// authentication request. NOTE(review): keep the list tight.
	ValidRedirectUris pulumi.StringArrayInput
}

The set of arguments for constructing a Client resource.

func (ClientArgs) ElementType

func (ClientArgs) ElementType() reflect.Type

type ClientDefaultScope added in v2.4.0

// ClientDefaultScope is a Pulumi resource whose outputs are a client ID, a list
// of default scopes and a realm ID. This page gives no further description;
// presumably it manages the default client scopes attached to a SAML client —
// confirm against the provider docs.
type ClientDefaultScope struct {
	pulumi.CustomResourceState

	// presumably the ID of the client the default scopes are attached to — confirm
	ClientId pulumi.StringOutput `pulumi:"clientId"`
	// presumably the names of the default client scopes — confirm
	DefaultScopes pulumi.StringArrayOutput `pulumi:"defaultScopes"`
	// presumably the realm the client lives in, as for the other resources here — confirm
	RealmId pulumi.StringOutput `pulumi:"realmId"`
}

func GetClientDefaultScope added in v2.4.0

func GetClientDefaultScope(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ClientDefaultScopeState, opts ...pulumi.ResourceOption) (*ClientDefaultScope, error)

GetClientDefaultScope gets an existing ClientDefaultScope resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewClientDefaultScope added in v2.4.0

func NewClientDefaultScope(ctx *pulumi.Context,
	name string, args *ClientDefaultScopeArgs, opts ...pulumi.ResourceOption) (*ClientDefaultScope, error)

NewClientDefaultScope registers a new resource with the given unique name, arguments, and options.

type ClientDefaultScopeArgs added in v2.4.0

// ClientDefaultScopeArgs is the set of arguments for constructing a
// ClientDefaultScope resource. All three inputs are non-pointer and therefore
// required.
type ClientDefaultScopeArgs struct {
	// presumably the ID of the client the default scopes are attached to — confirm
	ClientId pulumi.StringInput
	// presumably the names of the default client scopes — confirm
	DefaultScopes pulumi.StringArrayInput
	// presumably the realm the client lives in — confirm
	RealmId pulumi.StringInput
}

The set of arguments for constructing a ClientDefaultScope resource.

func (ClientDefaultScopeArgs) ElementType added in v2.4.0

func (ClientDefaultScopeArgs) ElementType() reflect.Type

type ClientDefaultScopeState added in v2.4.0

// ClientDefaultScopeState holds the optional state properties passed to
// GetClientDefaultScope to uniquely qualify the lookup of an existing resource.
type ClientDefaultScopeState struct {
	ClientId      pulumi.StringPtrInput
	DefaultScopes pulumi.StringArrayInput
	RealmId       pulumi.StringPtrInput
}

func (ClientDefaultScopeState) ElementType added in v2.4.0

func (ClientDefaultScopeState) ElementType() reflect.Type

type ClientScope added in v2.4.0

// ClientScope is a Pulumi resource for a Keycloak SAML client scope. Elsewhere on
// this page client scopes are described as something protocol mappers can be
// attached to and that can be shared between multiple clients. The individual
// fields are not described on this page; the notes below are inferred from the
// field names and should be confirmed against the provider docs.
type ClientScope struct {
	pulumi.CustomResourceState

	// presumably the text shown on the consent screen for this scope — confirm
	ConsentScreenText pulumi.StringPtrOutput `pulumi:"consentScreenText"`
	// presumably a free-text description of the scope — confirm
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// presumably the ordering position in the GUI — confirm
	GuiOrder pulumi.IntPtrOutput `pulumi:"guiOrder"`
	// Name of the scope.
	Name pulumi.StringOutput `pulumi:"name"`
	// presumably the realm the scope belongs to, as for the other resources here — confirm
	RealmId pulumi.StringOutput `pulumi:"realmId"`
}

func GetClientScope added in v2.4.0

func GetClientScope(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ClientScopeState, opts ...pulumi.ResourceOption) (*ClientScope, error)

GetClientScope gets an existing ClientScope resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewClientScope added in v2.4.0

func NewClientScope(ctx *pulumi.Context,
	name string, args *ClientScopeArgs, opts ...pulumi.ResourceOption) (*ClientScope, error)

NewClientScope registers a new resource with the given unique name, arguments, and options.

type ClientScopeArgs added in v2.4.0

// ClientScopeArgs is the set of arguments for constructing a ClientScope
// resource. Only RealmId is a non-pointer input (required).
type ClientScopeArgs struct {
	// presumably the text shown on the consent screen for this scope — confirm
	ConsentScreenText pulumi.StringPtrInput
	// presumably a free-text description of the scope — confirm
	Description pulumi.StringPtrInput
	// presumably the ordering position in the GUI — confirm
	GuiOrder pulumi.IntPtrInput
	// Name of the scope.
	Name pulumi.StringPtrInput
	// (Required) presumably the realm the scope belongs to — confirm
	RealmId pulumi.StringInput
}

The set of arguments for constructing a ClientScope resource.

func (ClientScopeArgs) ElementType added in v2.4.0

func (ClientScopeArgs) ElementType() reflect.Type

type ClientScopeState added in v2.4.0

// ClientScopeState holds the optional state properties passed to GetClientScope
// to uniquely qualify the lookup of an existing resource.
type ClientScopeState struct {
	ConsentScreenText pulumi.StringPtrInput
	Description       pulumi.StringPtrInput
	GuiOrder          pulumi.IntPtrInput
	Name              pulumi.StringPtrInput
	RealmId           pulumi.StringPtrInput
}

func (ClientScopeState) ElementType added in v2.4.0

func (ClientScopeState) ElementType() reflect.Type

type ClientState

// ClientState holds the optional state properties passed to GetClient to
// uniquely qualify the lookup of an existing Client. Every field is optional
// here; see the Argument Reference for saml.Client for their meaning.
type ClientState struct {
	// SAML POST Binding URL for the client's assertion consumer service (login responses).
	AssertionConsumerPostUrl pulumi.StringPtrInput
	// SAML Redirect Binding URL for the client's assertion consumer service (login responses).
	AssertionConsumerRedirectUrl pulumi.StringPtrInput
	// When specified, this URL is used whenever Keycloak needs to link to this client.
	BaseUrl pulumi.StringPtrInput
	// The unique ID of this client, referenced in the URI during authentication and in issued tokens.
	ClientId pulumi.StringPtrInput
	// When true, Keycloak expects documents originating from the client to be signed using the
	// certificate and/or key configured via SigningCertificate and SigningPrivateKey.
	ClientSignatureRequired pulumi.BoolPtrInput
	// The description of this client in the GUI.
	Description pulumi.StringPtrInput
	// When false, this client cannot initiate a login or obtain access tokens. Defaults to true.
	Enabled pulumi.BoolPtrInput
	// Not described in this package's Argument Reference — confirm against the provider docs.
	EncryptAssertions pulumi.BoolPtrInput
	// Not described in this package's Argument Reference — confirm against the provider docs.
	EncryptionCertificate pulumi.StringPtrInput
	// Not described in this package's Argument Reference — confirm against the provider docs.
	ForceNameIdFormat pulumi.BoolPtrInput
	// When true, Keycloak always responds to an authentication request via the SAML POST Binding.
	ForcePostBinding pulumi.BoolPtrInput
	// When true, this client requires a browser redirect in order to perform a logout.
	FrontChannelLogout pulumi.BoolPtrInput
	// Allows including all role mappings in the access token.
	FullScopeAllowed pulumi.BoolPtrInput
	// Relay state sent with the SAML request when doing IdP-initiated SSO.
	IdpInitiatedSsoRelayState pulumi.StringPtrInput
	// URL fragment name used to reference this client when doing IdP-initiated SSO.
	IdpInitiatedSsoUrlName pulumi.StringPtrInput
	// When true, an AuthnStatement is included in the SAML response.
	IncludeAuthnStatement pulumi.BoolPtrInput
	// SAML POST Binding URL for the client's single logout service.
	LogoutServicePostBindingUrl pulumi.StringPtrInput
	// SAML Redirect Binding URL for the client's single logout service.
	LogoutServiceRedirectBindingUrl pulumi.StringPtrInput
	// When specified, this URL is used for all SAML requests.
	MasterSamlProcessingUrl pulumi.StringPtrInput
	// The display name of this client in the GUI.
	Name pulumi.StringPtrInput
	// The Name ID format for the subject.
	NameIdFormat pulumi.StringPtrInput
	// The realm this client is attached to.
	RealmId pulumi.StringPtrInput
	// When specified, this value is prepended to all relative URLs.
	RootUrl pulumi.StringPtrInput
	// When true, the SAML assertions are signed by Keycloak using the realm's private key and
	// embedded within the SAML XML Auth response.
	SignAssertions pulumi.BoolPtrInput
	// When true, the SAML document is signed by Keycloak using the realm's private key.
	SignDocuments pulumi.BoolPtrInput
	// Not described in this package's Argument Reference — confirm against the provider docs.
	SignatureAlgorithm pulumi.StringPtrInput
	// If documents or assertions from the client are signed, this certificate is used to verify
	// the signature.
	SigningCertificate pulumi.StringPtrInput
	// Private key listed alongside SigningCertificate for signed documents or assertions from the
	// client. NOTE(review): this is a secret — keep it out of plaintext configuration and state.
	SigningPrivateKey pulumi.StringPtrInput
	// When specified, Keycloak uses this list to validate the Assertion Consumer URLs given in the
	// authentication request.
	ValidRedirectUris pulumi.StringArrayInput
}

func (ClientState) ElementType

func (ClientState) ElementType() reflect.Type

type GetClientInstallationProviderArgs added in v2.1.0

// GetClientInstallationProviderArgs is the collection of arguments for invoking
// getClientInstallationProvider. All three are plain strings, so all must be
// supplied; their exact semantics are not described on this page.
type GetClientInstallationProviderArgs struct {
	// presumably the client whose installation document is requested — confirm
	ClientId string `pulumi:"clientId"`
	// presumably the Keycloak installation-provider identifier to render with — confirm
	ProviderId string `pulumi:"providerId"`
	// presumably the realm the client lives in — confirm
	RealmId string `pulumi:"realmId"`
}

A collection of arguments for invoking getClientInstallationProvider.

type GetClientInstallationProviderResult added in v2.1.0

// GetClientInstallationProviderResult is the collection of values returned by
// getClientInstallationProvider. ClientId, ProviderId and RealmId echo the
// invocation arguments; Value carries the result.
type GetClientInstallationProviderResult struct {
	ClientId string `pulumi:"clientId"`
	// The provider-assigned unique ID for this managed resource.
	Id         string `pulumi:"id"`
	ProviderId string `pulumi:"providerId"`
	RealmId    string `pulumi:"realmId"`
	// The rendered result for the requested provider; its format is not described on this
	// page. NOTE(review): treat it as potentially sensitive (installation documents can embed
	// key material) until its contents for the chosen ProviderId are confirmed.
	Value string `pulumi:"value"`
}

A collection of values returned by getClientInstallationProvider.

func GetClientInstallationProvider added in v2.1.0

type IdentityProvider

// IdentityProvider is a SAML identity provider configured within a Keycloak
// realm; it lets the realm authenticate users through a third-party system
// using the SAML standard. Defaults quoted below come from the Argument
// Reference for saml.IdentityProvider.
type IdentityProvider struct {
	pulumi.CustomResourceState

	// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
	// Defaults to false.
	AddReadTokenRoleOnCreate pulumi.BoolPtrOutput `pulumi:"addReadTokenRoleOnCreate"`
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	Alias pulumi.StringOutput `pulumi:"alias"`
	// Enable/disable authenticate users by default. Defaults to false.
	AuthenticateByDefault pulumi.BoolPtrOutput `pulumi:"authenticateByDefault"`
	// Does the external IDP support backchannel logout?
	BackchannelSupported pulumi.BoolPtrOutput `pulumi:"backchannelSupported"`
	// Friendly name for Identity Providers.
	DisplayName pulumi.StringPtrOutput `pulumi:"displayName"`
	// Enable/disable this identity provider.
	Enabled pulumi.BoolPtrOutput `pulumi:"enabled"`
	// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
	// that there is not yet existing Keycloak account linked with the authenticated identity provider account.
	// Defaults to "first broker login".
	FirstBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"firstBrokerLoginFlowAlias"`
	// Indicates whether the identity provider must authenticate the presenter directly rather than
	// rely on a previous security context.
	ForceAuthn pulumi.BoolPtrOutput `pulumi:"forceAuthn"`
	// If hidden, login with this provider is possible only if requested explicitly, e.g. using the
	// 'kc_idp_hint' parameter.
	HideOnLoginPage pulumi.BoolPtrOutput `pulumi:"hideOnLoginPage"`
	// Internal Identity Provider Id
	InternalId pulumi.StringOutput `pulumi:"internalId"`
	// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't
	// want to allow login from the provider, but want to integrate with a provider. Defaults to false.
	LinkOnly pulumi.BoolPtrOutput `pulumi:"linkOnly"`
	// Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
	NameIdPolicyFormat pulumi.StringPtrOutput `pulumi:"nameIdPolicyFormat"`
	// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false,
	// HTTP-REDIRECT binding is used.
	PostBindingAuthnRequest pulumi.BoolPtrOutput `pulumi:"postBindingAuthnRequest"`
	// Indicates whether to respond to (logout) requests using HTTP-POST binding. If false,
	// HTTP-REDIRECT binding is used.
	PostBindingLogout pulumi.BoolPtrOutput `pulumi:"postBindingLogout"`
	// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT
	// binding is used.
	PostBindingResponse pulumi.BoolPtrOutput `pulumi:"postBindingResponse"`
	// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want
	// additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if
	// you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that
	// authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
	// Defaults to empty.
	PostBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"postBrokerLoginFlowAlias"`
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringOutput `pulumi:"realm"`
	// Signing Algorithm. Defaults to empty.
	SignatureAlgorithm pulumi.StringPtrOutput `pulumi:"signatureAlgorithm"`
	// Signing Certificate. Presumably the identity provider's certificate used when
	// ValidateSignature is enabled — confirm against the provider docs.
	SigningCertificate pulumi.StringPtrOutput `pulumi:"signingCertificate"`
	// The URL that must be used to send logout requests.
	SingleLogoutServiceUrl pulumi.StringPtrOutput `pulumi:"singleLogoutServiceUrl"`
	// The URL that must be used to send authentication requests (SAML AuthnRequest).
	SingleSignOnServiceUrl pulumi.StringOutput `pulumi:"singleSignOnServiceUrl"`
	// Enable/disable if tokens must be stored after authenticating users. Defaults to true.
	StoreToken pulumi.BoolPtrOutput `pulumi:"storeToken"`
	// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
	// Defaults to false.
	TrustEmail pulumi.BoolPtrOutput `pulumi:"trustEmail"`
	// Enable/disable signature validation of SAML responses. NOTE(review): when disabled, responses
	// are accepted without checking the provider's signature; this page does not state the default,
	// so confirm it before relying on it.
	ValidateSignature pulumi.BoolPtrOutput `pulumi:"validateSignature"`
	// Indicates whether this service provider expects an encrypted Assertion.
	WantAssertionsEncrypted pulumi.BoolPtrOutput `pulumi:"wantAssertionsEncrypted"`
	// Indicates whether this service provider expects a signed Assertion.
	WantAssertionsSigned pulumi.BoolPtrOutput `pulumi:"wantAssertionsSigned"`
	// Sign Key Transformer. Defaults to empty.
	XmlSignKeyInfoKeyNameTransformer pulumi.StringPtrOutput `pulumi:"xmlSignKeyInfoKeyNameTransformer"`
}

## # saml.IdentityProvider

Allows for creating and managing SAML Identity Providers within Keycloak.

SAML (Security Assertion Markup Language) identity providers allow users to authenticate through a third-party system using the SAML standard.

### Example Usage

```go
package main

import (

"github.com/pulumi/pulumi-keycloak/sdk/v2/go/keycloak/saml"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"

)

// main is the example program: it registers a SAML identity provider named
// "realmIdentityProvider" in the "my-realm" realm, pointing at an ADFS-style
// SSO and logout endpoint with POST bindings enabled.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		idpArgs := &saml.IdentityProviderArgs{
			Alias:                   pulumi.String("my-idp"),
			BackchannelSupported:    pulumi.Bool(true),
			ForceAuthn:              pulumi.Bool(true),
			PostBindingAuthnRequest: pulumi.Bool(true),
			PostBindingLogout:       pulumi.Bool(true),
			PostBindingResponse:     pulumi.Bool(true),
			Realm:                   pulumi.String("my-realm"),
			SingleLogoutServiceUrl:  pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
			SingleSignOnServiceUrl:  pulumi.String("https://domain.com/adfs/ls/"),
			StoreToken:              pulumi.Bool(false),
			TrustEmail:              pulumi.Bool(true),
		}
		// The resource handle is not used elsewhere, so only the error is kept.
		if _, err := saml.NewIdentityProvider(ctx, "realmIdentityProvider", idpArgs); err != nil {
			return err
		}
		return nil
	})
}

```

### Argument Reference

The following arguments are supported:

- `realm` - (Required) The name of the realm. This is unique across Keycloak. - `alias` - (Optional) The uniq name of identity provider. - `enabled` - (Optional) When false, users and clients will not be able to access this realm. Defaults to `true`. - `displayName` - (Optional) The display name for the realm that is shown when logging in to the admin console. - `storeToken` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`. - `addReadTokenRoleOnCreate` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to `false`. - `trustEmail` - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to `false`. - `linkOnly` - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`. - `hideOnLoginPage` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter. - `firstBrokerLoginFlowAlias` - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to `first broker login`. - `postBrokerLoginFlowAlias` - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. 
Also note that authenticator implementations must assume the user is already set in the ClientSession, since the identity provider has already set it. Defaults to empty. - `authenticateByDefault` - (Optional) Authenticate users by default. Defaults to `false`.

#### SAML Configuration

- `singleSignOnServiceUrl` - (Optional) The URL that must be used to send authentication requests (SAML AuthnRequest). - `singleLogoutServiceUrl` - (Optional) The URL that must be used to send logout requests. - `backchannelSupported` - (Optional) Does the external IDP support back-channel logout? - `nameIdPolicyFormat` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty. - `postBindingResponse` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - `postBindingAuthnRequest` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - `postBindingLogout` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. - `wantAssertionsSigned` - (Optional) Indicates whether this service provider expects a signed Assertion. - `wantAssertionsEncrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion. - `forceAuthn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. - `validateSignature` - (Optional) Enable/disable signature validation of SAML responses. - `signingCertificate` - (Optional) Signing Certificate. - `signatureAlgorithm` - (Optional) Signing Algorithm. Defaults to empty. - `xmlSignKeyInfoKeyNameTransformer` - (Optional) Sign Key Transformer. Defaults to empty.

func GetIdentityProvider

func GetIdentityProvider(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *IdentityProviderState, opts ...pulumi.ResourceOption) (*IdentityProvider, error)

GetIdentityProvider gets an existing IdentityProvider resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewIdentityProvider

func NewIdentityProvider(ctx *pulumi.Context,
	name string, args *IdentityProviderArgs, opts ...pulumi.ResourceOption) (*IdentityProvider, error)

NewIdentityProvider registers a new resource with the given unique name, arguments, and options.

type IdentityProviderArgs

// IdentityProviderArgs is the set of arguments for constructing an
// IdentityProvider resource. Alias, Realm and SingleSignOnServiceUrl are
// non-pointer inputs (required); the rest are optional. Defaults quoted below
// come from the Argument Reference for saml.IdentityProvider.
type IdentityProviderArgs struct {
	// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
	// Defaults to false.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	Alias pulumi.StringInput
	// Enable/disable authenticate users by default. Defaults to false.
	AuthenticateByDefault pulumi.BoolPtrInput
	// Does the external IDP support backchannel logout?
	BackchannelSupported pulumi.BoolPtrInput
	// Friendly name for Identity Providers.
	DisplayName pulumi.StringPtrInput
	// Enable/disable this identity provider.
	Enabled pulumi.BoolPtrInput
	// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
	// that there is not yet existing Keycloak account linked with the authenticated identity provider account.
	// Defaults to "first broker login".
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// Indicates whether the identity provider must authenticate the presenter directly rather than
	// rely on a previous security context.
	ForceAuthn pulumi.BoolPtrInput
	// If hidden, login with this provider is possible only if requested explicitly, e.g. using the
	// 'kc_idp_hint' parameter.
	HideOnLoginPage pulumi.BoolPtrInput
	// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't
	// want to allow login from the provider, but want to integrate with a provider. Defaults to false.
	LinkOnly pulumi.BoolPtrInput
	// Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
	NameIdPolicyFormat pulumi.StringPtrInput
	// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false,
	// HTTP-REDIRECT binding is used.
	PostBindingAuthnRequest pulumi.BoolPtrInput
	// Indicates whether to respond to (logout) requests using HTTP-POST binding. If false,
	// HTTP-REDIRECT binding is used.
	PostBindingLogout pulumi.BoolPtrInput
	// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT
	// binding is used.
	PostBindingResponse pulumi.BoolPtrInput
	// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want
	// additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if
	// you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that
	// authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
	// Defaults to empty.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringInput
	// Signing Algorithm. Defaults to empty.
	SignatureAlgorithm pulumi.StringPtrInput
	// Signing Certificate. Presumably the identity provider's certificate used when
	// ValidateSignature is enabled — confirm against the provider docs.
	SigningCertificate pulumi.StringPtrInput
	// The URL that must be used to send logout requests.
	SingleLogoutServiceUrl pulumi.StringPtrInput
	// The URL that must be used to send authentication requests (SAML AuthnRequest).
	SingleSignOnServiceUrl pulumi.StringInput
	// Enable/disable if tokens must be stored after authenticating users. Defaults to true.
	StoreToken pulumi.BoolPtrInput
	// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
	// Defaults to false.
	TrustEmail pulumi.BoolPtrInput
	// Enable/disable signature validation of SAML responses. NOTE(review): when disabled, responses
	// are accepted without checking the provider's signature; this page does not state the default,
	// so confirm it before relying on it.
	ValidateSignature pulumi.BoolPtrInput
	// Indicates whether this service provider expects an encrypted Assertion.
	WantAssertionsEncrypted pulumi.BoolPtrInput
	// Indicates whether this service provider expects a signed Assertion.
	WantAssertionsSigned pulumi.BoolPtrInput
	// Sign Key Transformer. Defaults to empty.
	XmlSignKeyInfoKeyNameTransformer pulumi.StringPtrInput
}

The set of arguments for constructing a IdentityProvider resource.

func (IdentityProviderArgs) ElementType

func (IdentityProviderArgs) ElementType() reflect.Type

type IdentityProviderState

// IdentityProviderState holds the optional state properties passed to
// GetIdentityProvider to uniquely qualify the lookup of an existing
// IdentityProvider. Every field is optional here. Defaults quoted below come
// from the Argument Reference for saml.IdentityProvider.
type IdentityProviderState struct {
	// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
	// Defaults to false.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	Alias pulumi.StringPtrInput
	// Enable/disable authenticate users by default. Defaults to false.
	AuthenticateByDefault pulumi.BoolPtrInput
	// Does the external IDP support backchannel logout?
	BackchannelSupported pulumi.BoolPtrInput
	// Friendly name for Identity Providers.
	DisplayName pulumi.StringPtrInput
	// Enable/disable this identity provider.
	Enabled pulumi.BoolPtrInput
	// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
	// that there is not yet existing Keycloak account linked with the authenticated identity provider account.
	// Defaults to "first broker login".
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// Indicates whether the identity provider must authenticate the presenter directly rather than
	// rely on a previous security context.
	ForceAuthn pulumi.BoolPtrInput
	// If hidden, login with this provider is possible only if requested explicitly, e.g. using the
	// 'kc_idp_hint' parameter.
	HideOnLoginPage pulumi.BoolPtrInput
	// Internal Identity Provider Id
	InternalId pulumi.StringPtrInput
	// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't
	// want to allow login from the provider, but want to integrate with a provider. Defaults to false.
	LinkOnly pulumi.BoolPtrInput
	// Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
	NameIdPolicyFormat pulumi.StringPtrInput
	// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false,
	// HTTP-REDIRECT binding is used.
	PostBindingAuthnRequest pulumi.BoolPtrInput
	// Indicates whether to respond to (logout) requests using HTTP-POST binding. If false,
	// HTTP-REDIRECT binding is used.
	PostBindingLogout pulumi.BoolPtrInput
	// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT
	// binding is used.
	PostBindingResponse pulumi.BoolPtrInput
	// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want
	// additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if
	// you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that
	// authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
	// Defaults to empty.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// The name of the realm. This is unique across Keycloak.
	Realm pulumi.StringPtrInput
	// Signing Algorithm. Defaults to empty.
	SignatureAlgorithm pulumi.StringPtrInput
	// Signing Certificate. Presumably the identity provider's certificate used when
	// ValidateSignature is enabled — confirm against the provider docs.
	SigningCertificate pulumi.StringPtrInput
	// The URL that must be used to send logout requests.
	SingleLogoutServiceUrl pulumi.StringPtrInput
	// The URL that must be used to send authentication requests (SAML AuthnRequest).
	SingleSignOnServiceUrl pulumi.StringPtrInput
	// Enable/disable if tokens must be stored after authenticating users. Defaults to true.
	StoreToken pulumi.BoolPtrInput
	// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
	// Defaults to false.
	TrustEmail pulumi.BoolPtrInput
	// Enable/disable signature validation of SAML responses. NOTE(review): when disabled, responses
	// are accepted without checking the provider's signature; this page does not state the default,
	// so confirm it before relying on it.
	ValidateSignature pulumi.BoolPtrInput
	// Indicates whether this service provider expects an encrypted Assertion.
	WantAssertionsEncrypted pulumi.BoolPtrInput
	// Indicates whether this service provider expects a signed Assertion.
	WantAssertionsSigned pulumi.BoolPtrInput
	// Sign Key Transformer. Defaults to empty.
	XmlSignKeyInfoKeyNameTransformer pulumi.StringPtrInput
}

func (IdentityProviderState) ElementType

func (IdentityProviderState) ElementType() reflect.Type

type UserAttributeProtocolMapper

// UserAttributeProtocolMapper maps a custom attribute defined for a user within
// Keycloak to an attribute in a SAML assertion. A mapper is attached either to a
// single client (ClientId) or to a client scope that can be shared between
// multiple clients (ClientScopeId); exactly one of the two is expected.
type UserAttributeProtocolMapper struct {
	pulumi.CustomResourceState

	// The SAML client this protocol mapper is attached to. Required if ClientScopeId is not specified.
	ClientId pulumi.StringPtrOutput `pulumi:"clientId"`
	// The SAML client scope this protocol mapper is attached to. Required if ClientId is not specified.
	ClientScopeId pulumi.StringPtrOutput `pulumi:"clientScopeId"`
	// An optional human-friendly name for this attribute.
	FriendlyName pulumi.StringPtrOutput `pulumi:"friendlyName"`
	// The display name of this protocol mapper in the GUI.
	Name pulumi.StringOutput `pulumi:"name"`
	// The realm this protocol mapper exists within.
	RealmId pulumi.StringOutput `pulumi:"realmId"`
	// The name of the SAML attribute.
	SamlAttributeName pulumi.StringOutput `pulumi:"samlAttributeName"`
	// The SAML attribute Name Format: one of "Unspecified", "Basic", or "URI Reference".
	SamlAttributeNameFormat pulumi.StringOutput `pulumi:"samlAttributeNameFormat"`
	// The custom user attribute to map.
	UserAttribute pulumi.StringOutput `pulumi:"userAttribute"`
}

## # saml.UserAttributeProtocolMapper

Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak.

SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.

### Example Usage (Client)

```go
package main

import (

"github.com/pulumi/pulumi-keycloak/sdk/v2/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v2/go/keycloak/saml"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"

)

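func main() {
	// Creates a realm, a SAML client inside it, and a user attribute protocol mapper
	// attached to that client.
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the realm handle: its ID is passed to every resource that lives in
		// the realm below.
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Enabled: pulumi.Bool(true),
			Realm:   pulumi.String("my-realm"),
		})
		if err != nil {
			return err
		}
		samlClient, err := saml.NewClient(ctx, "samlClient", &saml.ClientArgs{
			ClientId: pulumi.String("test-saml-client"),
			RealmId:  realm.ID(),
		})
		if err != nil {
			return err
		}
		// Maps the Keycloak user attribute "displayName" to a SAML assertion
		// attribute of the same name, using the Unspecified name format.
		_, err = saml.NewUserAttributeProtocolMapper(ctx, "samlUserAttributeMapper", &saml.UserAttributeProtocolMapperArgs{
			ClientId:                samlClient.ID(),
			RealmId:                 realm.ID(),
			SamlAttributeName:       pulumi.String("displayName"),
			SamlAttributeNameFormat: pulumi.String("Unspecified"),
			UserAttribute:           pulumi.String("displayName"),
		})
		return err
	})
}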

```

### Argument Reference

The following arguments are supported:

- `realmId` - (Required) The realm this protocol mapper exists within.
- `clientId` - (Required if `clientScopeId` is not specified) The SAML client this protocol mapper is attached to.
- `clientScopeId` - (Required if `clientId` is not specified) The SAML client scope this protocol mapper is attached to.
- `name` - (Required) The display name of this protocol mapper in the GUI.
- `userAttribute` - (Required) The custom user attribute to map.
- `friendlyName` - (Optional) An optional human-friendly name for this attribute.
- `samlAttributeName` - (Required) The name of the SAML attribute.
- `samlAttributeNameFormat` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.

func GetUserAttributeProtocolMapper

func GetUserAttributeProtocolMapper(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *UserAttributeProtocolMapperState, opts ...pulumi.ResourceOption) (*UserAttributeProtocolMapper, error)

GetUserAttributeProtocolMapper gets an existing UserAttributeProtocolMapper resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewUserAttributeProtocolMapper

func NewUserAttributeProtocolMapper(ctx *pulumi.Context,
	name string, args *UserAttributeProtocolMapperArgs, opts ...pulumi.ResourceOption) (*UserAttributeProtocolMapper, error)

NewUserAttributeProtocolMapper registers a new resource with the given unique name, arguments, and options.

type UserAttributeProtocolMapperArgs

type UserAttributeProtocolMapperArgs struct {
	// ClientId is the SAML client to attach the mapper to; required if ClientScopeId is not set.
	ClientId                pulumi.StringPtrInput
	// ClientScopeId is the SAML client scope to attach the mapper to; required if ClientId is not set.
	ClientScopeId           pulumi.StringPtrInput
	// FriendlyName is an optional human-friendly name for the attribute.
	FriendlyName            pulumi.StringPtrInput
	// Name is the display name of the mapper in the GUI (optional here; the resource name is used otherwise — TODO confirm).
	Name                    pulumi.StringPtrInput
	// RealmId is the realm the mapper exists within (required).
	RealmId                 pulumi.StringInput
	// SamlAttributeName is the name of the SAML attribute (required).
	SamlAttributeName       pulumi.StringInput
	// SamlAttributeNameFormat is one of "Unspecified", "Basic" or "URI Reference" (required).
	SamlAttributeNameFormat pulumi.StringInput
	// UserAttribute is the custom Keycloak user attribute to map (required).
	UserAttribute           pulumi.StringInput
}

The set of arguments for constructing a UserAttributeProtocolMapper resource.

func (UserAttributeProtocolMapperArgs) ElementType

type UserAttributeProtocolMapperState

type UserAttributeProtocolMapperState struct {
	// Every field is optional: this state is only used to qualify a lookup of an
	// existing UserAttributeProtocolMapper (see GetUserAttributeProtocolMapper).
	// Field meanings match UserAttributeProtocolMapperArgs.
	ClientId                pulumi.StringPtrInput
	ClientScopeId           pulumi.StringPtrInput
	FriendlyName            pulumi.StringPtrInput
	Name                    pulumi.StringPtrInput
	RealmId                 pulumi.StringPtrInput
	SamlAttributeName       pulumi.StringPtrInput
	SamlAttributeNameFormat pulumi.StringPtrInput
	UserAttribute           pulumi.StringPtrInput
}

func (UserAttributeProtocolMapperState) ElementType

type UserPropertyProtocolMapper

type UserPropertyProtocolMapper struct {
	pulumi.CustomResourceState

	// ClientId is the SAML client this protocol mapper is attached to. Per the
	// Argument Reference it is required only when ClientScopeId is not specified.
	ClientId                pulumi.StringPtrOutput `pulumi:"clientId"`
	// ClientScopeId is the SAML client scope this protocol mapper is attached to
	// (required when ClientId is not specified); a scope can be shared by several clients.
	ClientScopeId           pulumi.StringPtrOutput `pulumi:"clientScopeId"`
	// FriendlyName is an optional human-friendly name for the attribute.
	FriendlyName            pulumi.StringPtrOutput `pulumi:"friendlyName"`
	// Name is the display name of this protocol mapper in the GUI.
	Name                    pulumi.StringOutput    `pulumi:"name"`
	// RealmId is the realm this protocol mapper exists within.
	RealmId                 pulumi.StringOutput    `pulumi:"realmId"`
	// SamlAttributeName is the name of the SAML attribute emitted in the assertion.
	SamlAttributeName       pulumi.StringOutput    `pulumi:"samlAttributeName"`
	// SamlAttributeNameFormat is the SAML attribute Name Format; one of
	// "Unspecified", "Basic" or "URI Reference".
	SamlAttributeNameFormat pulumi.StringOutput    `pulumi:"samlAttributeNameFormat"`
	// UserProperty is the property of the Keycloak user model mapped into the assertion.
	UserProperty            pulumi.StringOutput    `pulumi:"userProperty"`
}

## saml.UserPropertyProtocolMapper

Allows for creating and managing user property protocol mappers for SAML clients within Keycloak.

SAML user property protocol mappers allow you to map properties of the Keycloak user model to an attribute in a SAML assertion. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.

### Example Usage (Client)

```go
package main

import (

"github.com/pulumi/pulumi-keycloak/sdk/v2/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v2/go/keycloak/saml"
"github.com/pulumi/pulumi/sdk/v2/go/pulumi"

)

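func main() {
	// Creates a realm, a SAML client inside it, and a user property protocol mapper
	// attached to that client.
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep the realm handle: its ID is passed to every resource that lives in
		// the realm below.
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Enabled: pulumi.Bool(true),
			Realm:   pulumi.String("my-realm"),
		})
		if err != nil {
			return err
		}
		samlClient, err := saml.NewClient(ctx, "samlClient", &saml.ClientArgs{
			ClientId: pulumi.String("test-saml-client"),
			RealmId:  realm.ID(),
		})
		if err != nil {
			return err
		}
		// Maps the Keycloak user model property "email" to a SAML assertion
		// attribute of the same name, using the Unspecified name format.
		_, err = saml.NewUserPropertyProtocolMapper(ctx, "samlUserPropertyMapper", &saml.UserPropertyProtocolMapperArgs{
			ClientId:                samlClient.ID(),
			RealmId:                 realm.ID(),
			SamlAttributeName:       pulumi.String("email"),
			SamlAttributeNameFormat: pulumi.String("Unspecified"),
			UserProperty:            pulumi.String("email"),
		})
		return err
	})
}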

```

### Argument Reference

The following arguments are supported:

- `realmId` - (Required) The realm this protocol mapper exists within.
- `clientId` - (Required if `clientScopeId` is not specified) The SAML client this protocol mapper is attached to.
- `clientScopeId` - (Required if `clientId` is not specified) The SAML client scope this protocol mapper is attached to.
- `name` - (Required) The display name of this protocol mapper in the GUI.
- `userProperty` - (Required) The property of the Keycloak user model to map.
- `friendlyName` - (Optional) An optional human-friendly name for this attribute.
- `samlAttributeName` - (Required) The name of the SAML attribute.
- `samlAttributeNameFormat` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.

func GetUserPropertyProtocolMapper

func GetUserPropertyProtocolMapper(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *UserPropertyProtocolMapperState, opts ...pulumi.ResourceOption) (*UserPropertyProtocolMapper, error)

GetUserPropertyProtocolMapper gets an existing UserPropertyProtocolMapper resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewUserPropertyProtocolMapper

func NewUserPropertyProtocolMapper(ctx *pulumi.Context,
	name string, args *UserPropertyProtocolMapperArgs, opts ...pulumi.ResourceOption) (*UserPropertyProtocolMapper, error)

NewUserPropertyProtocolMapper registers a new resource with the given unique name, arguments, and options.

type UserPropertyProtocolMapperArgs

type UserPropertyProtocolMapperArgs struct {
	// ClientId is the SAML client to attach the mapper to; required if ClientScopeId is not set.
	ClientId                pulumi.StringPtrInput
	// ClientScopeId is the SAML client scope to attach the mapper to; required if ClientId is not set.
	ClientScopeId           pulumi.StringPtrInput
	// FriendlyName is an optional human-friendly name for the attribute.
	FriendlyName            pulumi.StringPtrInput
	// Name is the display name of the mapper in the GUI (optional here; the resource name is used otherwise — TODO confirm).
	Name                    pulumi.StringPtrInput
	// RealmId is the realm the mapper exists within (required).
	RealmId                 pulumi.StringInput
	// SamlAttributeName is the name of the SAML attribute (required).
	SamlAttributeName       pulumi.StringInput
	// SamlAttributeNameFormat is one of "Unspecified", "Basic" or "URI Reference" (required).
	SamlAttributeNameFormat pulumi.StringInput
	// UserProperty is the property of the Keycloak user model to map (required).
	UserProperty            pulumi.StringInput
}

The set of arguments for constructing a UserPropertyProtocolMapper resource.

func (UserPropertyProtocolMapperArgs) ElementType

type UserPropertyProtocolMapperState

type UserPropertyProtocolMapperState struct {
	// Every field is optional: this state is only used to qualify a lookup of an
	// existing UserPropertyProtocolMapper (see GetUserPropertyProtocolMapper).
	// Field meanings match UserPropertyProtocolMapperArgs.
	ClientId                pulumi.StringPtrInput
	ClientScopeId           pulumi.StringPtrInput
	FriendlyName            pulumi.StringPtrInput
	Name                    pulumi.StringPtrInput
	RealmId                 pulumi.StringPtrInput
	SamlAttributeName       pulumi.StringPtrInput
	SamlAttributeNameFormat pulumi.StringPtrInput
	UserProperty            pulumi.StringPtrInput
}

func (UserPropertyProtocolMapperState) ElementType
