Documentation ¶
Index ¶
- type Client
- type ClientArgs
- type ClientDefaultScope
- type ClientDefaultScopeArgs
- type ClientDefaultScopeState
- type ClientScope
- type ClientScopeArgs
- type ClientScopeState
- type ClientState
- type GetClientInstallationProviderArgs
- type GetClientInstallationProviderResult
- type IdentityProvider
- type IdentityProviderArgs
- type IdentityProviderState
- type UserAttributeProtocolMapper
- type UserAttributeProtocolMapperArgs
- type UserAttributeProtocolMapperState
- type UserPropertyProtocolMapper
- type UserPropertyProtocolMapperArgs
- type UserPropertyProtocolMapperState
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Client ¶
```go
type Client struct {
	pulumi.CustomResourceState

	AssertionConsumerPostUrl        pulumi.StringPtrOutput   `pulumi:"assertionConsumerPostUrl"`
	AssertionConsumerRedirectUrl    pulumi.StringPtrOutput   `pulumi:"assertionConsumerRedirectUrl"`
	BaseUrl                         pulumi.StringPtrOutput   `pulumi:"baseUrl"`
	ClientId                        pulumi.StringOutput      `pulumi:"clientId"`
	ClientSignatureRequired         pulumi.BoolOutput        `pulumi:"clientSignatureRequired"`
	Description                     pulumi.StringPtrOutput   `pulumi:"description"`
	Enabled                         pulumi.BoolPtrOutput     `pulumi:"enabled"`
	EncryptAssertions               pulumi.BoolOutput        `pulumi:"encryptAssertions"`
	EncryptionCertificate           pulumi.StringPtrOutput   `pulumi:"encryptionCertificate"`
	ForceNameIdFormat               pulumi.BoolOutput        `pulumi:"forceNameIdFormat"`
	ForcePostBinding                pulumi.BoolOutput        `pulumi:"forcePostBinding"`
	FrontChannelLogout              pulumi.BoolOutput        `pulumi:"frontChannelLogout"`
	FullScopeAllowed                pulumi.BoolPtrOutput     `pulumi:"fullScopeAllowed"`
	IdpInitiatedSsoRelayState       pulumi.StringPtrOutput   `pulumi:"idpInitiatedSsoRelayState"`
	IdpInitiatedSsoUrlName          pulumi.StringPtrOutput   `pulumi:"idpInitiatedSsoUrlName"`
	IncludeAuthnStatement           pulumi.BoolOutput        `pulumi:"includeAuthnStatement"`
	LogoutServicePostBindingUrl     pulumi.StringPtrOutput   `pulumi:"logoutServicePostBindingUrl"`
	LogoutServiceRedirectBindingUrl pulumi.StringPtrOutput   `pulumi:"logoutServiceRedirectBindingUrl"`
	MasterSamlProcessingUrl         pulumi.StringPtrOutput   `pulumi:"masterSamlProcessingUrl"`
	Name                            pulumi.StringOutput      `pulumi:"name"`
	NameIdFormat                    pulumi.StringOutput      `pulumi:"nameIdFormat"`
	RealmId                         pulumi.StringOutput      `pulumi:"realmId"`
	RootUrl                         pulumi.StringPtrOutput   `pulumi:"rootUrl"`
	SignAssertions                  pulumi.BoolOutput        `pulumi:"signAssertions"`
	SignDocuments                   pulumi.BoolOutput        `pulumi:"signDocuments"`
	SignatureAlgorithm              pulumi.StringPtrOutput   `pulumi:"signatureAlgorithm"`
	SigningCertificate              pulumi.StringPtrOutput   `pulumi:"signingCertificate"`
	SigningPrivateKey               pulumi.StringPtrOutput   `pulumi:"signingPrivateKey"`
	ValidRedirectUris               pulumi.StringArrayOutput `pulumi:"validRedirectUris"`
}
```
## saml.Client
Allows for creating and managing Keycloak clients that use the SAML protocol.
Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO.
### Argument Reference
The following arguments are supported:
- `realmId` - (Required) The realm this client is attached to.
- `clientId` - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.
- `name` - (Optional) The display name of this client in the GUI.
- `enabled` - (Optional) When `false`, this client will not be able to initiate a login or obtain access tokens. Defaults to `true`.
- `description` - (Optional) The description of this client in the GUI.
- `includeAuthnStatement` - (Optional) When `true`, an `AuthnStatement` will be included in the SAML response.
- `signDocuments` - (Optional) When `true`, the SAML document will be signed by Keycloak using the realm's private key.
- `signAssertions` - (Optional) When `true`, the SAML assertions will be signed by Keycloak using the realm's private key and embedded within the SAML XML Auth response. Keep at least one of `signDocuments` and `signAssertions` enabled; a service provider that receives unsigned responses has nothing to verify.
- `clientSignatureRequired` - (Optional) When `true`, Keycloak will expect documents originating from the client to be signed, and will verify them using the certificate configured via `signingCertificate`. When `false`, unsigned requests from the client are accepted.
- `forcePostBinding` - (Optional) When `true`, Keycloak will always respond to an authentication request via the SAML POST Binding.
- `frontChannelLogout` - (Optional) When `true`, this client will require a browser redirect in order to perform a logout.
- `nameIdFormat` - (Optional) Sets the Name ID format for the subject.
- `rootUrl` - (Optional) When specified, this value is prepended to all relative URLs.
- `validRedirectUris` - (Optional) When specified, Keycloak will use this list to validate the Assertion Consumer URL given in an authentication request. This list is what prevents a crafted request from having the assertion delivered to an attacker-chosen URL, so list the exact ACS URLs rather than wildcards.
- `baseUrl` - (Optional) When specified, this URL will be used whenever Keycloak needs to link to this client.
- `masterSamlProcessingUrl` - (Optional) When specified, this URL will be used for all SAML requests.
- `signingCertificate` - (Optional) If documents or assertions from the client are signed, this certificate will be used to verify the signature.
- `signingPrivateKey` - (Optional) The private key that pairs with `signingCertificate`. A private key cannot verify a signature; Keycloak stores it alongside the certificate (for example so it can be handed to the client with generated adapter configuration) and it plays no part in verification. Anything set here ends up in Pulumi state.
- `idpInitiatedSsoUrlName` - (Optional) URL fragment name used to reference this client when performing IdP-initiated SSO.
- `idpInitiatedSsoRelayState` - (Optional) Relay state to send with the SAML request when performing IdP-initiated SSO.
- `assertionConsumerPostUrl` - (Optional) SAML POST Binding URL for the client's assertion consumer service (login responses).
- `assertionConsumerRedirectUrl` - (Optional) SAML Redirect Binding URL for the client's assertion consumer service (login responses).
- `logoutServicePostBindingUrl` - (Optional) SAML POST Binding URL for the client's single logout service.
- `logoutServiceRedirectBindingUrl` - (Optional) SAML Redirect Binding URL for the client's single logout service.
- `fullScopeAllowed` - (Optional) When `true`, all of the user's role mappings are included in the tokens issued to this client rather than only the roles within the client's scope.
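The signing, client-signature and redirect-URI arguments above interact: a client with nothing signed, no certificate to check client signatures against, or a wildcard redirect list is one that a forged or redirected assertion can get past. The following is an added example, not code from pulumi-keycloak, showing a preflight check you can run in CI before `pulumi up`. It mirrors the relevant arguments in a plain struct (`SamlClientSettings`, an illustrative type with the page's argument names, not `saml.ClientArgs`) so it needs no Pulumi engine; the policy thresholds and the two sample clients are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// SamlClientSettings mirrors the subset of saml.Client arguments that decide
// whether assertions can be forged, redirected or read in transit. It is a
// plain struct rather than saml.ClientArgs so the check runs without a Pulumi
// engine; field names follow the argument names in the reference above.
type SamlClientSettings struct {
	ClientId                 string
	SignDocuments            bool
	SignAssertions           bool
	ClientSignatureRequired  bool
	SigningCertificate       string
	SigningPrivateKey        string
	EncryptAssertions        bool
	EncryptionCertificate    string
	AssertionConsumerPostUrl string
	ValidRedirectUris        []string
}

// LintSamlClient returns one finding per policy violation; an empty result
// means the client passes. The policy is this example's, not Keycloak's.
func LintSamlClient(c SamlClientSettings) []string {
	var findings []string
	add := func(format string, a ...interface{}) {
		findings = append(findings, c.ClientId+": "+fmt.Sprintf(format, a...))
	}

	// The SP can only tell a Keycloak response from a forged one if something is signed.
	if !c.SignDocuments && !c.SignAssertions {
		add("neither signDocuments nor signAssertions is set; the SP receives unsigned responses")
	}
	// Requiring client signatures is meaningless without a certificate to verify against.
	switch {
	case !c.ClientSignatureRequired:
		add("clientSignatureRequired is false; unsigned AuthnRequests are accepted, so Keycloak cannot tell whether a request came from this SP")
	case strings.TrimSpace(c.SigningCertificate) == "":
		add("clientSignatureRequired is true but signingCertificate is empty")
	}
	// A private key in the resource is written to Pulumi state and shown in previews.
	if c.SigningPrivateKey != "" {
		add("signingPrivateKey is set; the SP's private key would be stored in Pulumi state, keep it on the SP side")
	}
	if c.EncryptAssertions && strings.TrimSpace(c.EncryptionCertificate) == "" {
		add("encryptAssertions is true but encryptionCertificate is empty")
	}
	// The redirect allow list is what stops an attacker-chosen
	// AssertionConsumerServiceURL in a crafted AuthnRequest from receiving the assertion.
	if len(c.ValidRedirectUris) == 0 {
		add("validRedirectUris is empty; list the exact ACS URL(s)")
	}
	for _, u := range c.ValidRedirectUris {
		switch {
		case strings.HasPrefix(u, "*"):
			add("validRedirectUris entry %q matches any host", u)
		case !strings.HasPrefix(u, "https://"):
			add("validRedirectUris entry %q is not https", u)
		case strings.Contains(u, "*"):
			add("validRedirectUris entry %q uses a wildcard; prefer the exact ACS URL", u)
		}
	}
	if c.AssertionConsumerPostUrl != "" && !strings.HasPrefix(c.AssertionConsumerPostUrl, "https://") {
		add("assertionConsumerPostUrl %q is not https", c.AssertionConsumerPostUrl)
	}
	return findings
}

// WeakClient and HardenedClient are constructed inputs for the demonstration;
// the certificate string is a placeholder, not a real certificate.
func WeakClient() SamlClientSettings {
	return SamlClientSettings{ClientId: "payroll-sp", ValidRedirectUris: []string{"*"}}
}

func HardenedClient() SamlClientSettings {
	return SamlClientSettings{
		ClientId:                 "payroll-sp",
		SignDocuments:            true,
		SignAssertions:           true,
		ClientSignatureRequired:  true,
		SigningCertificate:       "MIIC...constructed placeholder...",
		AssertionConsumerPostUrl: "https://payroll.example.com/saml/acs",
		ValidRedirectUris:        []string{"https://payroll.example.com/saml/acs"},
	}
}

func main() {
	for _, c := range []SamlClientSettings{WeakClient(), HardenedClient()} {
		findings := LintSamlClient(c)
		fmt.Printf("%s: %d finding(s)\n", c.ClientId, len(findings))
		for _, f := range findings {
			fmt.Println("   ", f)
		}
	}
}
```

The weak client (nothing signed, no client signature required, `*` as the only redirect URI) produces three findings; the hardened one produces none. The check deliberately refuses `signingPrivateKey` even when set correctly, because the only thing it can do in this resource is leak into state.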
func GetClient ¶
func GetClient(ctx *pulumi.Context, name string, id pulumi.IDInput, state *ClientState, opts ...pulumi.ResourceOption) (*Client, error)
GetClient gets an existing Client resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewClient ¶
func NewClient(ctx *pulumi.Context, name string, args *ClientArgs, opts ...pulumi.ResourceOption) (*Client, error)
NewClient registers a new resource with the given unique name, arguments, and options.
type ClientArgs ¶
```go
type ClientArgs struct {
	AssertionConsumerPostUrl        pulumi.StringPtrInput
	AssertionConsumerRedirectUrl    pulumi.StringPtrInput
	BaseUrl                         pulumi.StringPtrInput
	ClientId                        pulumi.StringInput
	ClientSignatureRequired         pulumi.BoolPtrInput
	Description                     pulumi.StringPtrInput
	Enabled                         pulumi.BoolPtrInput
	EncryptAssertions               pulumi.BoolPtrInput
	EncryptionCertificate           pulumi.StringPtrInput
	ForceNameIdFormat               pulumi.BoolPtrInput
	ForcePostBinding                pulumi.BoolPtrInput
	FrontChannelLogout              pulumi.BoolPtrInput
	FullScopeAllowed                pulumi.BoolPtrInput
	IdpInitiatedSsoRelayState       pulumi.StringPtrInput
	IdpInitiatedSsoUrlName          pulumi.StringPtrInput
	IncludeAuthnStatement           pulumi.BoolPtrInput
	LogoutServicePostBindingUrl     pulumi.StringPtrInput
	LogoutServiceRedirectBindingUrl pulumi.StringPtrInput
	MasterSamlProcessingUrl         pulumi.StringPtrInput
	Name                            pulumi.StringPtrInput
	NameIdFormat                    pulumi.StringPtrInput
	RealmId                         pulumi.StringInput
	RootUrl                         pulumi.StringPtrInput
	SignAssertions                  pulumi.BoolPtrInput
	SignDocuments                   pulumi.BoolPtrInput
	SignatureAlgorithm              pulumi.StringPtrInput
	SigningCertificate              pulumi.StringPtrInput
	SigningPrivateKey               pulumi.StringPtrInput
	ValidRedirectUris               pulumi.StringArrayInput
}
```
The set of arguments for constructing a Client resource.
func (ClientArgs) ElementType ¶
func (ClientArgs) ElementType() reflect.Type
type ClientDefaultScope ¶ added in v2.4.0
```go
type ClientDefaultScope struct {
	pulumi.CustomResourceState

	ClientId      pulumi.StringOutput      `pulumi:"clientId"`
	DefaultScopes pulumi.StringArrayOutput `pulumi:"defaultScopes"`
	RealmId       pulumi.StringOutput      `pulumi:"realmId"`
}
```
func GetClientDefaultScope ¶ added in v2.4.0
func GetClientDefaultScope(ctx *pulumi.Context, name string, id pulumi.IDInput, state *ClientDefaultScopeState, opts ...pulumi.ResourceOption) (*ClientDefaultScope, error)
GetClientDefaultScope gets an existing ClientDefaultScope resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewClientDefaultScope ¶ added in v2.4.0
func NewClientDefaultScope(ctx *pulumi.Context, name string, args *ClientDefaultScopeArgs, opts ...pulumi.ResourceOption) (*ClientDefaultScope, error)
NewClientDefaultScope registers a new resource with the given unique name, arguments, and options.
type ClientDefaultScopeArgs ¶ added in v2.4.0
```go
type ClientDefaultScopeArgs struct {
	ClientId      pulumi.StringInput
	DefaultScopes pulumi.StringArrayInput
	RealmId       pulumi.StringInput
}
```
The set of arguments for constructing a ClientDefaultScope resource.
func (ClientDefaultScopeArgs) ElementType ¶ added in v2.4.0
func (ClientDefaultScopeArgs) ElementType() reflect.Type
type ClientDefaultScopeState ¶ added in v2.4.0
```go
type ClientDefaultScopeState struct {
	ClientId      pulumi.StringPtrInput
	DefaultScopes pulumi.StringArrayInput
	RealmId       pulumi.StringPtrInput
}
```
func (ClientDefaultScopeState) ElementType ¶ added in v2.4.0
func (ClientDefaultScopeState) ElementType() reflect.Type
type ClientScope ¶ added in v2.4.0
```go
type ClientScope struct {
	pulumi.CustomResourceState

	ConsentScreenText pulumi.StringPtrOutput `pulumi:"consentScreenText"`
	Description       pulumi.StringPtrOutput `pulumi:"description"`
	GuiOrder          pulumi.IntPtrOutput    `pulumi:"guiOrder"`
	Name              pulumi.StringOutput    `pulumi:"name"`
	RealmId           pulumi.StringOutput    `pulumi:"realmId"`
}
```
func GetClientScope ¶ added in v2.4.0
func GetClientScope(ctx *pulumi.Context, name string, id pulumi.IDInput, state *ClientScopeState, opts ...pulumi.ResourceOption) (*ClientScope, error)
GetClientScope gets an existing ClientScope resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewClientScope ¶ added in v2.4.0
func NewClientScope(ctx *pulumi.Context, name string, args *ClientScopeArgs, opts ...pulumi.ResourceOption) (*ClientScope, error)
NewClientScope registers a new resource with the given unique name, arguments, and options.
type ClientScopeArgs ¶ added in v2.4.0
```go
type ClientScopeArgs struct {
	ConsentScreenText pulumi.StringPtrInput
	Description       pulumi.StringPtrInput
	GuiOrder          pulumi.IntPtrInput
	Name              pulumi.StringPtrInput
	RealmId           pulumi.StringInput
}
```
The set of arguments for constructing a ClientScope resource.
func (ClientScopeArgs) ElementType ¶ added in v2.4.0
func (ClientScopeArgs) ElementType() reflect.Type
type ClientScopeState ¶ added in v2.4.0
```go
type ClientScopeState struct {
	ConsentScreenText pulumi.StringPtrInput
	Description       pulumi.StringPtrInput
	GuiOrder          pulumi.IntPtrInput
	Name              pulumi.StringPtrInput
	RealmId           pulumi.StringPtrInput
}
```
func (ClientScopeState) ElementType ¶ added in v2.4.0
func (ClientScopeState) ElementType() reflect.Type
type ClientState ¶
```go
type ClientState struct {
	AssertionConsumerPostUrl        pulumi.StringPtrInput
	AssertionConsumerRedirectUrl    pulumi.StringPtrInput
	BaseUrl                         pulumi.StringPtrInput
	ClientId                        pulumi.StringPtrInput
	ClientSignatureRequired         pulumi.BoolPtrInput
	Description                     pulumi.StringPtrInput
	Enabled                         pulumi.BoolPtrInput
	EncryptAssertions               pulumi.BoolPtrInput
	EncryptionCertificate           pulumi.StringPtrInput
	ForceNameIdFormat               pulumi.BoolPtrInput
	ForcePostBinding                pulumi.BoolPtrInput
	FrontChannelLogout              pulumi.BoolPtrInput
	FullScopeAllowed                pulumi.BoolPtrInput
	IdpInitiatedSsoRelayState       pulumi.StringPtrInput
	IdpInitiatedSsoUrlName          pulumi.StringPtrInput
	IncludeAuthnStatement           pulumi.BoolPtrInput
	LogoutServicePostBindingUrl     pulumi.StringPtrInput
	LogoutServiceRedirectBindingUrl pulumi.StringPtrInput
	MasterSamlProcessingUrl         pulumi.StringPtrInput
	Name                            pulumi.StringPtrInput
	NameIdFormat                    pulumi.StringPtrInput
	RealmId                         pulumi.StringPtrInput
	RootUrl                         pulumi.StringPtrInput
	SignAssertions                  pulumi.BoolPtrInput
	SignDocuments                   pulumi.BoolPtrInput
	SignatureAlgorithm              pulumi.StringPtrInput
	SigningCertificate              pulumi.StringPtrInput
	SigningPrivateKey               pulumi.StringPtrInput
	ValidRedirectUris               pulumi.StringArrayInput
}
```
func (ClientState) ElementType ¶
func (ClientState) ElementType() reflect.Type
type GetClientInstallationProviderArgs ¶ added in v2.1.0
```go
type GetClientInstallationProviderArgs struct {
	ClientId   string `pulumi:"clientId"`
	ProviderId string `pulumi:"providerId"`
	RealmId    string `pulumi:"realmId"`
}
```
A collection of arguments for invoking getClientInstallationProvider.
type GetClientInstallationProviderResult ¶ added in v2.1.0
```go
type GetClientInstallationProviderResult struct {
	ClientId string `pulumi:"clientId"`
	// The provider-assigned unique ID for this managed resource.
	Id         string `pulumi:"id"`
	ProviderId string `pulumi:"providerId"`
	RealmId    string `pulumi:"realmId"`
	Value      string `pulumi:"value"`
}
```
A collection of values returned by getClientInstallationProvider.
func GetClientInstallationProvider ¶ added in v2.1.0
func GetClientInstallationProvider(ctx *pulumi.Context, args *GetClientInstallationProviderArgs, opts ...pulumi.InvokeOption) (*GetClientInstallationProviderResult, error)
type IdentityProvider ¶
```go
type IdentityProvider struct {
	pulumi.CustomResourceState

	// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
	AddReadTokenRoleOnCreate pulumi.BoolPtrOutput `pulumi:"addReadTokenRoleOnCreate"`
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	Alias pulumi.StringOutput `pulumi:"alias"`
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrOutput `pulumi:"authenticateByDefault"`
	// Does the external IDP support backchannel logout?
	BackchannelSupported pulumi.BoolPtrOutput `pulumi:"backchannelSupported"`
	// Friendly name for Identity Providers.
	DisplayName pulumi.StringPtrOutput `pulumi:"displayName"`
	// Enable/disable this identity provider.
	Enabled pulumi.BoolPtrOutput `pulumi:"enabled"`
	// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
	// that there is not yet existing Keycloak account linked with the authenticated identity provider account.
	FirstBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"firstBrokerLoginFlowAlias"`
	// Require Force Authn.
	ForceAuthn pulumi.BoolPtrOutput `pulumi:"forceAuthn"`
	// Hide On Login Page.
	HideOnLoginPage pulumi.BoolPtrOutput `pulumi:"hideOnLoginPage"`
	// Internal Identity Provider Id
	InternalId pulumi.StringOutput `pulumi:"internalId"`
	// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't
	// want to allow login from the provider, but want to integrate with a provider
	LinkOnly pulumi.BoolPtrOutput `pulumi:"linkOnly"`
	// Name ID Policy Format.
	NameIdPolicyFormat pulumi.StringPtrOutput `pulumi:"nameIdPolicyFormat"`
	// Post Binding Authn Request.
	PostBindingAuthnRequest pulumi.BoolPtrOutput `pulumi:"postBindingAuthnRequest"`
	// Post Binding Logout.
	PostBindingLogout pulumi.BoolPtrOutput `pulumi:"postBindingLogout"`
	// Post Binding Response.
	PostBindingResponse pulumi.BoolPtrOutput `pulumi:"postBindingResponse"`
	// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want
	// additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if
	// you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that
	// authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
	PostBrokerLoginFlowAlias pulumi.StringPtrOutput `pulumi:"postBrokerLoginFlowAlias"`
	// Realm Name
	Realm pulumi.StringOutput `pulumi:"realm"`
	// Signing Algorithm.
	SignatureAlgorithm pulumi.StringPtrOutput `pulumi:"signatureAlgorithm"`
	// Signing Certificate.
	SigningCertificate pulumi.StringPtrOutput `pulumi:"signingCertificate"`
	// Logout URL.
	SingleLogoutServiceUrl pulumi.StringPtrOutput `pulumi:"singleLogoutServiceUrl"`
	// SSO URL: where authentication requests (SAML AuthnRequest) are sent.
	SingleSignOnServiceUrl pulumi.StringOutput `pulumi:"singleSignOnServiceUrl"`
	// Enable/disable if tokens must be stored after authenticating users.
	StoreToken pulumi.BoolPtrOutput `pulumi:"storeToken"`
	// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
	TrustEmail pulumi.BoolPtrOutput `pulumi:"trustEmail"`
	// Enable/disable signature validation of SAML responses.
	ValidateSignature pulumi.BoolPtrOutput `pulumi:"validateSignature"`
	// Want Assertions Encrypted.
	WantAssertionsEncrypted pulumi.BoolPtrOutput `pulumi:"wantAssertionsEncrypted"`
	// Want Assertions Signed.
	WantAssertionsSigned pulumi.BoolPtrOutput `pulumi:"wantAssertionsSigned"`
	// Sign Key Transformer.
	XmlSignKeyInfoKeyNameTransformer pulumi.StringPtrOutput `pulumi:"xmlSignKeyInfoKeyNameTransformer"`
}
```
## saml.IdentityProvider
Allows to create and manage SAML Identity Providers within Keycloak.
SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard.
### Example Usage
```go
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v2/go/keycloak/saml"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := saml.NewIdentityProvider(ctx, "realmIdentityProvider", &saml.IdentityProviderArgs{
			Alias:                   pulumi.String("my-idp"),
			BackchannelSupported:    pulumi.Bool(true),
			ForceAuthn:              pulumi.Bool(true),
			PostBindingAuthnRequest: pulumi.Bool(true),
			PostBindingLogout:       pulumi.Bool(true),
			PostBindingResponse:     pulumi.Bool(true),
			Realm:                   pulumi.String("my-realm"),
			SingleLogoutServiceUrl:  pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
			SingleSignOnServiceUrl:  pulumi.String("https://domain.com/adfs/ls/"),
			StoreToken:              pulumi.Bool(false),
			TrustEmail:              pulumi.Bool(true),
			// Not set in this example: ValidateSignature and SigningCertificate.
			// Set both in a real deployment so that responses from the IdP are
			// verified against its signing certificate.
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
### Argument Reference
The following arguments are supported:
- `realm` - (Required) The name of the realm. This is unique across Keycloak.
- `alias` - (Optional) The unique name of the identity provider. It is also used to build the redirect URI that the external IdP must be configured with.
- `enabled` - (Optional) When `false`, this identity provider is disabled and cannot be used to log in. Defaults to `true`.
- `displayName` - (Optional) Friendly name for the identity provider, shown on the login page.
- `storeToken` - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to `true`.
- `addReadTokenRoleOnCreate` - (Optional) Enable/disable if new users can read any stored tokens. This assigns the `broker.read-token` role. Defaults to `false`.
- `trustEmail` - (Optional) If enabled, the email provided by this provider is not verified even if verification is enabled for the realm. Only enable this for an IdP that verifies email addresses itself, since the email is used to match and link existing Keycloak accounts on first login. Defaults to `false`.
- `linkOnly` - (Optional) If `true`, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to `false`.
- `hideOnLoginPage` - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the `kc_idp_hint` parameter.
- `firstBrokerLoginFlowAlias` - (Optional) Alias of the authentication flow which is triggered after the first login with this identity provider. "First login" means that there is no existing Keycloak account linked with the authenticated identity provider account yet. Defaults to `first broker login`.
- `postBrokerLoginFlowAlias` - (Optional) Alias of the authentication flow which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it. Defaults to empty.
- `authenticateByDefault` - (Optional) Authenticate users by default. Defaults to `false`.
#### SAML Configuration
- `singleSignOnServiceUrl` - (Optional; note that `IdentityProviderArgs` types it as a non-pointer `pulumi.StringInput`, so the Go SDK requires it) The URL that must be used to send authentication requests (SAML AuthnRequest).
- `singleLogoutServiceUrl` - (Optional) The URL that must be used to send logout requests.
- `backchannelSupported` - (Optional) Whether the external IdP supports back-channel logout.
- `nameIdPolicyFormat` - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
- `postBindingResponse` - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If `false`, HTTP-Redirect binding will be used.
- `postBindingAuthnRequest` - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If `false`, HTTP-Redirect binding will be used.
- `postBindingLogout` - (Optional) Indicates whether logout requests are sent using HTTP-POST binding. If `false`, HTTP-Redirect binding will be used.
- `wantAssertionsSigned` - (Optional) Indicates whether this service provider expects a signed Assertion.
- `wantAssertionsEncrypted` - (Optional) Indicates whether this service provider expects an encrypted Assertion.
- `forceAuthn` - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
- `validateSignature` - (Optional) Enable/disable signature validation of SAML responses. With validation disabled nothing ties a response to the IdP, so a crafted response asserting any identity would be accepted; keep it enabled and set `signingCertificate`.
- `signingCertificate` - (Optional) The IdP's signing certificate, used to validate the signatures on its responses. The IdP's metadata is the usual source; update it when the IdP rotates its key.
- `signatureAlgorithm` - (Optional) Signing Algorithm. Defaults to empty.
- `xmlSignKeyInfoKeyNameTransformer` - (Optional) Sign Key Transformer. Defaults to empty.
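Most of the SAML configuration arguments above (the two service URLs, the POST/Redirect binding flags and the signing certificate) are published by the IdP in its SAML 2.0 metadata, and hand-copying them is where a wrong endpoint or a stale certificate usually comes from. The following added example, not code from pulumi-keycloak, derives those values from a metadata document and refuses to emit a configuration without a signing certificate, since the only way to make such a configuration work would be `validateSignature = false`. The `IdpSettings` type, the `SettingsFromMetadata` function and the sample metadata (with a placeholder certificate body) are this example's own; the output maps one-to-one onto the argument names above.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

const (
	bindingPost     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
	bindingRedirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
)

// The parts of SAML 2.0 IdP metadata this example reads. Elements are matched
// by local name, so the md:/ds: prefixes in the document do not matter here.
type endpoint struct {
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
}

type entityDescriptor struct {
	XMLName  xml.Name `xml:"EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	IDP      struct {
		Keys []struct {
			Use  string `xml:"use,attr"`
			Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
		} `xml:"KeyDescriptor"`
		SLO []endpoint `xml:"SingleLogoutService"`
		SSO []endpoint `xml:"SingleSignOnService"`
	} `xml:"IDPSSODescriptor"`
}

// IdpSettings holds the values to put into saml.IdentityProviderArgs; the
// field names follow the argument names in the reference above.
type IdpSettings struct {
	SingleSignOnServiceUrl  string
	PostBindingAuthnRequest bool
	SingleLogoutServiceUrl  string
	PostBindingLogout       bool
	SigningCertificate      string
	ValidateSignature       bool
	WantAssertionsSigned    bool
}

// pickEndpoint prefers HTTP-POST over HTTP-Redirect and insists on https,
// since the location is where the browser is sent with the SAML message.
func pickEndpoint(eps []endpoint) (loc string, post bool, err error) {
	for _, want := range []string{bindingPost, bindingRedirect} {
		for _, e := range eps {
			if e.Binding != want {
				continue
			}
			u, perr := url.Parse(e.Location)
			if perr != nil || u.Scheme != "https" || u.Host == "" {
				return "", false, fmt.Errorf("endpoint %q is not an https URL", e.Location)
			}
			return e.Location, want == bindingPost, nil
		}
	}
	return "", false, errors.New("no HTTP-POST or HTTP-Redirect endpoint")
}

// SettingsFromMetadata derives the IdentityProvider settings from IdP metadata.
func SettingsFromMetadata(metadata []byte) (IdpSettings, error) {
	var md entityDescriptor
	if err := xml.Unmarshal(metadata, &md); err != nil {
		return IdpSettings{}, fmt.Errorf("parse metadata: %w", err)
	}
	var s IdpSettings
	var err error
	if s.SingleSignOnServiceUrl, s.PostBindingAuthnRequest, err = pickEndpoint(md.IDP.SSO); err != nil {
		return IdpSettings{}, fmt.Errorf("SingleSignOnService: %w", err)
	}
	if len(md.IDP.SLO) > 0 {
		if s.SingleLogoutServiceUrl, s.PostBindingLogout, err = pickEndpoint(md.IDP.SLO); err != nil {
			return IdpSettings{}, fmt.Errorf("SingleLogoutService: %w", err)
		}
	}
	for _, k := range md.IDP.Keys {
		// A KeyDescriptor without a use attribute is valid for both signing and encryption.
		if k.Use == "signing" || k.Use == "" {
			// Strip the line breaks metadata usually wraps the base64 body in.
			s.SigningCertificate = strings.Join(strings.Fields(k.Cert), "")
			break
		}
	}
	if s.SigningCertificate == "" {
		return IdpSettings{}, fmt.Errorf("metadata for %s has no signing certificate; refusing to emit settings that would need validateSignature=false", md.EntityID)
	}
	s.ValidateSignature = true
	s.WantAssertionsSigned = true
	return s, nil
}

// SampleMetadata is a constructed IdP metadata document; the certificate body
// is a placeholder, not the base64 of a real certificate.
const SampleMetadata = `<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICconstructed
        placeholderCERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`

// SampleMetadataNoKey is the same document with the KeyDescriptor removed.
const SampleMetadataNoKey = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`

func main() {
	s, err := SettingsFromMetadata([]byte(SampleMetadata))
	fmt.Printf("%+v err=%v\n", s, err)
	_, err = SettingsFromMetadata([]byte(SampleMetadataNoKey))
	fmt.Println("without signing key:", err)
}
```

For the sample document the POST SSO endpoint wins over the Redirect one, so `postBindingAuthnRequest` comes out `true` while the Redirect-only logout endpoint gives `postBindingLogout = false`. `postBindingResponse` is not derived because metadata does not describe how the IdP will answer; set it from the IdP's documentation.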
func GetIdentityProvider ¶
func GetIdentityProvider(ctx *pulumi.Context, name string, id pulumi.IDInput, state *IdentityProviderState, opts ...pulumi.ResourceOption) (*IdentityProvider, error)
GetIdentityProvider gets an existing IdentityProvider resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewIdentityProvider ¶
func NewIdentityProvider(ctx *pulumi.Context, name string, args *IdentityProviderArgs, opts ...pulumi.ResourceOption) (*IdentityProvider, error)
NewIdentityProvider registers a new resource with the given unique name, arguments, and options.
type IdentityProviderArgs ¶
```go
type IdentityProviderArgs struct {
	// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	Alias pulumi.StringInput
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrInput
	// Does the external IDP support backchannel logout?
	BackchannelSupported pulumi.BoolPtrInput
	// Friendly name for Identity Providers.
	DisplayName pulumi.StringPtrInput
	// Enable/disable this identity provider.
	Enabled pulumi.BoolPtrInput
	// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
	// that there is not yet existing Keycloak account linked with the authenticated identity provider account.
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// Require Force Authn.
	ForceAuthn pulumi.BoolPtrInput
	// Hide On Login Page.
	HideOnLoginPage pulumi.BoolPtrInput
	// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't
	// want to allow login from the provider, but want to integrate with a provider
	LinkOnly pulumi.BoolPtrInput
	// Name ID Policy Format.
	NameIdPolicyFormat pulumi.StringPtrInput
	// Post Binding Authn Request.
	PostBindingAuthnRequest pulumi.BoolPtrInput
	// Post Binding Logout.
	PostBindingLogout pulumi.BoolPtrInput
	// Post Binding Response.
	PostBindingResponse pulumi.BoolPtrInput
	// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want
	// additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if
	// you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that
	// authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// Realm Name
	Realm pulumi.StringInput
	// Signing Algorithm.
	SignatureAlgorithm pulumi.StringPtrInput
	// Signing Certificate.
	SigningCertificate pulumi.StringPtrInput
	// Logout URL.
	SingleLogoutServiceUrl pulumi.StringPtrInput
	// SSO URL: where authentication requests (SAML AuthnRequest) are sent.
	SingleSignOnServiceUrl pulumi.StringInput
	// Enable/disable if tokens must be stored after authenticating users.
	StoreToken pulumi.BoolPtrInput
	// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
	TrustEmail pulumi.BoolPtrInput
	// Enable/disable signature validation of SAML responses.
	ValidateSignature pulumi.BoolPtrInput
	// Want Assertions Encrypted.
	WantAssertionsEncrypted pulumi.BoolPtrInput
	// Want Assertions Signed.
	WantAssertionsSigned pulumi.BoolPtrInput
	// Sign Key Transformer.
	XmlSignKeyInfoKeyNameTransformer pulumi.StringPtrInput
}
```
The set of arguments for constructing a IdentityProvider resource.
func (IdentityProviderArgs) ElementType ¶
func (IdentityProviderArgs) ElementType() reflect.Type
type IdentityProviderState ¶
```go
type IdentityProviderState struct {
	// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
	AddReadTokenRoleOnCreate pulumi.BoolPtrInput
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	Alias pulumi.StringPtrInput
	// Enable/disable authenticate users by default.
	AuthenticateByDefault pulumi.BoolPtrInput
	// Does the external IDP support backchannel logout?
	BackchannelSupported pulumi.BoolPtrInput
	// Friendly name for Identity Providers.
	DisplayName pulumi.StringPtrInput
	// Enable/disable this identity provider.
	Enabled pulumi.BoolPtrInput
	// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means
	// that there is not yet existing Keycloak account linked with the authenticated identity provider account.
	FirstBrokerLoginFlowAlias pulumi.StringPtrInput
	// Require Force Authn.
	ForceAuthn pulumi.BoolPtrInput
	// Hide On Login Page.
	HideOnLoginPage pulumi.BoolPtrInput
	// Internal Identity Provider Id
	InternalId pulumi.StringPtrInput
	// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't
	// want to allow login from the provider, but want to integrate with a provider
	LinkOnly pulumi.BoolPtrInput
	// Name ID Policy Format.
	NameIdPolicyFormat pulumi.StringPtrInput
	// Post Binding Authn Request.
	PostBindingAuthnRequest pulumi.BoolPtrInput
	// Post Binding Logout.
	PostBindingLogout pulumi.BoolPtrInput
	// Post Binding Response.
	PostBindingResponse pulumi.BoolPtrInput
	// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want
	// additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if
	// you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that
	// authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
	PostBrokerLoginFlowAlias pulumi.StringPtrInput
	// Realm Name
	Realm pulumi.StringPtrInput
	// Signing Algorithm.
	SignatureAlgorithm pulumi.StringPtrInput
	// Signing Certificate.
	SigningCertificate pulumi.StringPtrInput
	// Logout URL.
	SingleLogoutServiceUrl pulumi.StringPtrInput
	// SSO URL: where authentication requests (SAML AuthnRequest) are sent.
	SingleSignOnServiceUrl pulumi.StringPtrInput
	// Enable/disable if tokens must be stored after authenticating users.
	StoreToken pulumi.BoolPtrInput
	// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
	TrustEmail pulumi.BoolPtrInput
	// Enable/disable signature validation of SAML responses.
	ValidateSignature pulumi.BoolPtrInput
	// Want Assertions Encrypted.
	WantAssertionsEncrypted pulumi.BoolPtrInput
	// Want Assertions Signed.
	WantAssertionsSigned pulumi.BoolPtrInput
	// Sign Key Transformer.
	XmlSignKeyInfoKeyNameTransformer pulumi.StringPtrInput
}
```
func (IdentityProviderState) ElementType ¶
func (IdentityProviderState) ElementType() reflect.Type
type UserAttributeProtocolMapper ¶
```go
type UserAttributeProtocolMapper struct {
	pulumi.CustomResourceState

	ClientId                pulumi.StringPtrOutput `pulumi:"clientId"`
	ClientScopeId           pulumi.StringPtrOutput `pulumi:"clientScopeId"`
	FriendlyName            pulumi.StringPtrOutput `pulumi:"friendlyName"`
	Name                    pulumi.StringOutput    `pulumi:"name"`
	RealmId                 pulumi.StringOutput    `pulumi:"realmId"`
	SamlAttributeName       pulumi.StringOutput    `pulumi:"samlAttributeName"`
	SamlAttributeNameFormat pulumi.StringOutput    `pulumi:"samlAttributeNameFormat"`
	UserAttribute           pulumi.StringOutput    `pulumi:"userAttribute"`
}
```
## saml.UserAttributeProtocolMapper
Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak.
SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
### Example Usage (Client)
```go
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v2/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v2/go/keycloak/saml"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Enabled: pulumi.Bool(true),
			Realm:   pulumi.String("my-realm"),
		})
		if err != nil {
			return err
		}
		samlClient, err := saml.NewClient(ctx, "samlClient", &saml.ClientArgs{
			ClientId: pulumi.String("test-saml-client"),
			// Reference the realm created above; the original snippet used an
			// undefined keycloak_realm.Test.Id left over from the Terraform example.
			RealmId: realm.ID(),
		})
		if err != nil {
			return err
		}
		_, err = saml.NewUserAttributeProtocolMapper(ctx, "samlUserAttributeMapper", &saml.UserAttributeProtocolMapperArgs{
			ClientId:                samlClient.ID(),
			RealmId:                 realm.ID(),
			SamlAttributeName:       pulumi.String("displayName"),
			SamlAttributeNameFormat: pulumi.String("Unspecified"),
			UserAttribute:           pulumi.String("displayName"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
### Argument Reference
The following arguments are supported:
- `realmId` - (Required) The realm this protocol mapper exists within.
- `clientId` - (Required if `clientScopeId` is not specified) The SAML client this protocol mapper is attached to.
- `clientScopeId` - (Required if `clientId` is not specified) The SAML client scope this protocol mapper is attached to.
- `name` - (Required) The display name of this protocol mapper in the GUI.
- `userAttribute` - (Required) The custom user attribute to map.
- `friendlyName` - (Optional) An optional human-friendly name for this attribute.
- `samlAttributeName` - (Required) The name of the SAML attribute.
- `samlAttributeNameFormat` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
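What a mapper definition turns into is an `Attribute` element in the assertion's `AttributeStatement`, with `samlAttributeNameFormat` expanded to the corresponding SAML 2.0 NameFormat URI. The following added example, not Keycloak's or pulumi-keycloak's code, renders that statement for a constructed user from a list of mapper definitions so the effect of each argument can be seen. It skips mappers whose user attribute the user does not have, rejects a name format outside the three accepted values, and serialises values through `encoding/xml`, which matters because user attributes are often user-editable: a value containing markup must end up escaped, not parsed. The `AttributeMapper` type, the sample user and the sample mappers are this example's own.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
)

// nameFormatURN gives the SAML 2.0 NameFormat URI that each accepted
// samlAttributeNameFormat value stands for.
var nameFormatURN = map[string]string{
	"Unspecified":   "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
	"Basic":         "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
	"URI Reference": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
}

// AttributeMapper mirrors the mapper arguments that shape the assertion.
type AttributeMapper struct {
	UserAttribute           string
	SamlAttributeName       string
	SamlAttributeNameFormat string
	FriendlyName            string
}

type samlAttribute struct {
	XMLName      xml.Name `xml:"saml:Attribute"`
	Name         string   `xml:"Name,attr"`
	NameFormat   string   `xml:"NameFormat,attr"`
	FriendlyName string   `xml:"FriendlyName,attr,omitempty"`
	Values       []string `xml:"saml:AttributeValue"`
}

type attributeStatement struct {
	XMLName    xml.Name `xml:"saml:AttributeStatement"`
	Namespace  string   `xml:"xmlns:saml,attr"`
	Attributes []samlAttribute
}

// RenderAttributeStatement builds the AttributeStatement the given mappers
// yield for one user's attributes. Mappers whose user attribute is absent are
// skipped rather than emitted empty, an unknown name format is an error, and
// values are escaped by the XML encoder, so a user-controlled attribute value
// cannot inject markup into the statement.
func RenderAttributeStatement(user map[string][]string, mappers []AttributeMapper) (string, error) {
	stmt := attributeStatement{Namespace: "urn:oasis:names:tc:SAML:2.0:assertion"}
	for _, m := range mappers {
		urn, ok := nameFormatURN[m.SamlAttributeNameFormat]
		if !ok {
			return "", fmt.Errorf("mapper %q: unsupported samlAttributeNameFormat %q", m.SamlAttributeName, m.SamlAttributeNameFormat)
		}
		vals := user[m.UserAttribute]
		if len(vals) == 0 {
			continue
		}
		stmt.Attributes = append(stmt.Attributes, samlAttribute{
			Name: m.SamlAttributeName, NameFormat: urn, FriendlyName: m.FriendlyName, Values: vals,
		})
	}
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	enc.Indent("", "  ")
	if err := enc.Encode(stmt); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SampleUser and SampleMappers are constructed inputs; the displayName value
// deliberately contains markup to show that it is escaped.
func SampleUser() map[string][]string {
	return map[string][]string{
		"displayName": {"Ada <Admin>"},
		"groups":      {"developers", "oncall"},
	}
}

func SampleMappers() []AttributeMapper {
	return []AttributeMapper{
		{UserAttribute: "displayName", SamlAttributeName: "displayName", SamlAttributeNameFormat: "Unspecified"},
		{UserAttribute: "groups", SamlAttributeName: "http://schemas.example.com/groups", SamlAttributeNameFormat: "URI Reference", FriendlyName: "groups"},
		{UserAttribute: "department", SamlAttributeName: "department", SamlAttributeNameFormat: "Basic"},
	}
}

func main() {
	out, err := RenderAttributeStatement(SampleUser(), SampleMappers())
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The rendered statement carries two attributes (the `department` mapper is dropped because the sample user has no such attribute), the `groups` attribute has two `AttributeValue` children, and the display name appears as `Ada &lt;Admin&gt;`.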
func GetUserAttributeProtocolMapper ¶
func GetUserAttributeProtocolMapper(ctx *pulumi.Context, name string, id pulumi.IDInput, state *UserAttributeProtocolMapperState, opts ...pulumi.ResourceOption) (*UserAttributeProtocolMapper, error)
GetUserAttributeProtocolMapper gets an existing UserAttributeProtocolMapper resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewUserAttributeProtocolMapper ¶
func NewUserAttributeProtocolMapper(ctx *pulumi.Context, name string, args *UserAttributeProtocolMapperArgs, opts ...pulumi.ResourceOption) (*UserAttributeProtocolMapper, error)
NewUserAttributeProtocolMapper registers a new resource with the given unique name, arguments, and options.
type UserAttributeProtocolMapperArgs ¶
```go
type UserAttributeProtocolMapperArgs struct {
	ClientId                pulumi.StringPtrInput
	ClientScopeId           pulumi.StringPtrInput
	FriendlyName            pulumi.StringPtrInput
	Name                    pulumi.StringPtrInput
	RealmId                 pulumi.StringInput
	SamlAttributeName       pulumi.StringInput
	SamlAttributeNameFormat pulumi.StringInput
	UserAttribute           pulumi.StringInput
}
```
The set of arguments for constructing a UserAttributeProtocolMapper resource.
func (UserAttributeProtocolMapperArgs) ElementType ¶
func (UserAttributeProtocolMapperArgs) ElementType() reflect.Type
type UserAttributeProtocolMapperState ¶
```go
type UserAttributeProtocolMapperState struct {
	ClientId                pulumi.StringPtrInput
	ClientScopeId           pulumi.StringPtrInput
	FriendlyName            pulumi.StringPtrInput
	Name                    pulumi.StringPtrInput
	RealmId                 pulumi.StringPtrInput
	SamlAttributeName       pulumi.StringPtrInput
	SamlAttributeNameFormat pulumi.StringPtrInput
	UserAttribute           pulumi.StringPtrInput
}
```
func (UserAttributeProtocolMapperState) ElementType ¶
func (UserAttributeProtocolMapperState) ElementType() reflect.Type
type UserPropertyProtocolMapper ¶
```go
type UserPropertyProtocolMapper struct {
	pulumi.CustomResourceState

	ClientId                pulumi.StringPtrOutput `pulumi:"clientId"`
	ClientScopeId           pulumi.StringPtrOutput `pulumi:"clientScopeId"`
	FriendlyName            pulumi.StringPtrOutput `pulumi:"friendlyName"`
	Name                    pulumi.StringOutput    `pulumi:"name"`
	RealmId                 pulumi.StringOutput    `pulumi:"realmId"`
	SamlAttributeName       pulumi.StringOutput    `pulumi:"samlAttributeName"`
	SamlAttributeNameFormat pulumi.StringOutput    `pulumi:"samlAttributeNameFormat"`
	UserProperty            pulumi.StringOutput    `pulumi:"userProperty"`
}
```
## saml.UserPropertyProtocolMapper
Allows for creating and managing user property protocol mappers for SAML clients within Keycloak.
SAML user property protocol mappers allow you to map properties of the Keycloak user model to an attribute in a SAML assertion. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
### Example Usage (Client)
```go
package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v2/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v2/go/keycloak/saml"
	"github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Keep a handle on the realm so its ID can be passed to the client and mapper
		// (the generated snippet referenced an undefined keycloak_realm.Test.Id).
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Enabled: pulumi.Bool(true),
			Realm:   pulumi.String("my-realm"),
		})
		if err != nil {
			return err
		}
		samlClient, err := saml.NewClient(ctx, "samlClient", &saml.ClientArgs{
			ClientId: pulumi.String("test-saml-client"),
			RealmId:  realm.ID(),
		})
		if err != nil {
			return err
		}
		// Map the user-model property "email" into a SAML assertion attribute.
		_, err = saml.NewUserPropertyProtocolMapper(ctx, "samlUserPropertyMapper", &saml.UserPropertyProtocolMapperArgs{
			ClientId:                samlClient.ID(),
			RealmId:                 realm.ID(),
			SamlAttributeName:       pulumi.String("email"),
			SamlAttributeNameFormat: pulumi.String("Unspecified"),
			UserProperty:            pulumi.String("email"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
### Argument Reference
The following arguments are supported:
- `realmId` - (Required) The realm this protocol mapper exists within.
- `clientId` - (Required if `clientScopeId` is not specified) The SAML client this protocol mapper is attached to.
- `clientScopeId` - (Required if `clientId` is not specified) The SAML client scope this protocol mapper is attached to.
- `name` - (Required) The display name of this protocol mapper in the GUI.
- `userProperty` - (Required) The property of the Keycloak user model to map.
- `friendlyName` - (Optional) An optional human-friendly name for this attribute.
- `samlAttributeName` - (Required) The name of the SAML attribute.
- `samlAttributeNameFormat` - (Required) The SAML attribute Name Format. Can be one of `Unspecified`, `Basic`, or `URI Reference`.
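The argument references for `UserAttributeProtocolMapper` (above) and `UserPropertyProtocolMapper` share the same constraints: a realm, exactly one attachment target (`clientId` or `clientScopeId`), a display name, a source field, a SAML attribute name and one of three name formats. The following is an added example, not part of the SDK or its documentation, of a pre-deployment check that enforces those rules over a plain `MapperSpec` struct (a hypothetical type for this example) so that misconfigured mappers are rejected in CI before Pulumi ever talks to Keycloak. Treating both `clientId` and `clientScopeId` being set as an error is an assumption made here; the reference only states that each is required when the other is absent.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MapperKind selects which of the two documented mapper resources a spec describes.
type MapperKind int

const (
	UserAttributeMapper MapperKind = iota // saml.UserAttributeProtocolMapper (userAttribute)
	UserPropertyMapper                    // saml.UserPropertyProtocolMapper (userProperty)
)

// MapperSpec is a hypothetical, SDK-independent mirror of the argument reference.
// Source holds userAttribute or userProperty depending on Kind.
type MapperSpec struct {
	Kind                    MapperKind
	RealmID                 string
	ClientID                string // required if ClientScopeID is empty
	ClientScopeID           string // required if ClientID is empty
	Name                    string
	Source                  string
	SamlAttributeName       string
	SamlAttributeNameFormat string
	FriendlyName            string // optional
}

// allowedNameFormats are the exact values the argument reference permits.
var allowedNameFormats = map[string]bool{
	"Unspecified":   true,
	"Basic":         true,
	"URI Reference": true,
}

// sourceArg returns the documented name of the required source field for the kind.
func sourceArg(k MapperKind) string {
	if k == UserPropertyMapper {
		return "userProperty"
	}
	return "userAttribute"
}

// Validate checks a spec against the documented rules and returns every
// violation found, so a CI step can report all problems in one pass.
func Validate(s MapperSpec) []error {
	var errs []error
	if strings.TrimSpace(s.RealmID) == "" {
		errs = append(errs, errors.New("realmId is required"))
	}
	hasClient := strings.TrimSpace(s.ClientID) != ""
	hasScope := strings.TrimSpace(s.ClientScopeID) != ""
	switch {
	case !hasClient && !hasScope:
		errs = append(errs, errors.New("one of clientId or clientScopeId is required"))
	case hasClient && hasScope:
		// Assumption for this example: a mapper attaches to a single target.
		errs = append(errs, errors.New("clientId and clientScopeId must not both be set"))
	}
	if strings.TrimSpace(s.Name) == "" {
		errs = append(errs, errors.New("name is required"))
	}
	if strings.TrimSpace(s.Source) == "" {
		errs = append(errs, fmt.Errorf("%s is required", sourceArg(s.Kind)))
	}
	if strings.TrimSpace(s.SamlAttributeName) == "" {
		errs = append(errs, errors.New("samlAttributeName is required"))
	}
	if !allowedNameFormats[s.SamlAttributeNameFormat] {
		errs = append(errs, fmt.Errorf("samlAttributeNameFormat %q is not one of Unspecified, Basic, URI Reference",
			s.SamlAttributeNameFormat))
	}
	return errs
}

// IsValid is a convenience wrapper for gating a pipeline on the check.
func IsValid(s MapperSpec) bool { return len(Validate(s)) == 0 }

func main() {
	// Constructed sample mirroring the email example above.
	spec := MapperSpec{
		Kind: UserPropertyMapper, RealmID: "my-realm", ClientID: "test-saml-client",
		Name: "email mapper", Source: "email", SamlAttributeName: "email",
		SamlAttributeNameFormat: "Unspecified",
	}
	for _, e := range Validate(spec) {
		fmt.Println("invalid:", e)
	}
	fmt.Println("valid:", IsValid(spec))
}
```

The check is deliberately exact-match on the name format: Keycloak expects the literal strings listed in the reference, and a lenient comparison would let a value like `"uri"` pass validation only to fail at apply time.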
func GetUserPropertyProtocolMapper ¶
func GetUserPropertyProtocolMapper(ctx *pulumi.Context, name string, id pulumi.IDInput, state *UserPropertyProtocolMapperState, opts ...pulumi.ResourceOption) (*UserPropertyProtocolMapper, error)
GetUserPropertyProtocolMapper gets an existing UserPropertyProtocolMapper resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).
func NewUserPropertyProtocolMapper ¶
func NewUserPropertyProtocolMapper(ctx *pulumi.Context, name string, args *UserPropertyProtocolMapperArgs, opts ...pulumi.ResourceOption) (*UserPropertyProtocolMapper, error)
NewUserPropertyProtocolMapper registers a new resource with the given unique name, arguments, and options.
type UserPropertyProtocolMapperArgs ¶
```go
type UserPropertyProtocolMapperArgs struct {
	ClientId                pulumi.StringPtrInput
	ClientScopeId           pulumi.StringPtrInput
	FriendlyName            pulumi.StringPtrInput
	Name                    pulumi.StringPtrInput
	RealmId                 pulumi.StringInput
	SamlAttributeName       pulumi.StringInput
	SamlAttributeNameFormat pulumi.StringInput
	UserProperty            pulumi.StringInput
}
```
The set of arguments for constructing a UserPropertyProtocolMapper resource.
func (UserPropertyProtocolMapperArgs) ElementType ¶
func (UserPropertyProtocolMapperArgs) ElementType() reflect.Type
type UserPropertyProtocolMapperState ¶
```go
type UserPropertyProtocolMapperState struct {
	ClientId                pulumi.StringPtrInput
	ClientScopeId           pulumi.StringPtrInput
	FriendlyName            pulumi.StringPtrInput
	Name                    pulumi.StringPtrInput
	RealmId                 pulumi.StringPtrInput
	SamlAttributeName       pulumi.StringPtrInput
	SamlAttributeNameFormat pulumi.StringPtrInput
	UserProperty            pulumi.StringPtrInput
}
```
func (UserPropertyProtocolMapperState) ElementType ¶
func (UserPropertyProtocolMapperState) ElementType() reflect.Type