Documentation
¶
Overview ¶
+kubebuilder:object:generate=true +groupName=saml.keycloak.crossplane.io +versionName=v1alpha1
Index ¶
- Constants
- Variables
- type IdentityProvider
- func (in *IdentityProvider) DeepCopy() *IdentityProvider
- func (in *IdentityProvider) DeepCopyInto(out *IdentityProvider)
- func (in *IdentityProvider) DeepCopyObject() runtime.Object
- func (mg *IdentityProvider) GetCondition(ct xpv1.ConditionType) xpv1.Condition
- func (tr *IdentityProvider) GetConnectionDetailsMapping() map[string]string
- func (mg *IdentityProvider) GetDeletionPolicy() xpv1.DeletionPolicy
- func (tr *IdentityProvider) GetID() string
- func (tr *IdentityProvider) GetInitParameters() (map[string]any, error)
- func (mg *IdentityProvider) GetManagementPolicies() xpv1.ManagementPolicies
- func (tr *IdentityProvider) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error)
- func (tr *IdentityProvider) GetObservation() (map[string]any, error)
- func (tr *IdentityProvider) GetParameters() (map[string]any, error)
- func (mg *IdentityProvider) GetProviderConfigReference() *xpv1.Reference
- func (mg *IdentityProvider) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo
- func (mg *IdentityProvider) GetTerraformResourceType() string
- func (tr *IdentityProvider) GetTerraformSchemaVersion() int
- func (mg *IdentityProvider) GetWriteConnectionSecretToReference() *xpv1.SecretReference
- func (tr *IdentityProvider) Hub()
- func (tr *IdentityProvider) LateInitialize(attrs []byte) (bool, error)
- func (mg *IdentityProvider) ResolveReferences(ctx context.Context, c client.Reader) error
- func (mg *IdentityProvider) SetConditions(c ...xpv1.Condition)
- func (mg *IdentityProvider) SetDeletionPolicy(r xpv1.DeletionPolicy)
- func (mg *IdentityProvider) SetManagementPolicies(r xpv1.ManagementPolicies)
- func (tr *IdentityProvider) SetObservation(obs map[string]any) error
- func (tr *IdentityProvider) SetParameters(params map[string]any) error
- func (mg *IdentityProvider) SetProviderConfigReference(r *xpv1.Reference)
- func (mg *IdentityProvider) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo)
- func (mg *IdentityProvider) SetWriteConnectionSecretToReference(r *xpv1.SecretReference)
- type IdentityProviderInitParameters
- type IdentityProviderList
- type IdentityProviderObservation
- type IdentityProviderParameters
- type IdentityProviderSpec
- type IdentityProviderStatus
Constants ¶
View Source
const ( CRDGroup = "saml.keycloak.crossplane.io" CRDVersion = "v1alpha1" )
Package type metadata.
Variables ¶
View Source
var ( // CRDGroupVersion is the API Group Version used to register the objects CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion} // SchemeBuilder is used to add go types to the GroupVersionKind scheme SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion} // AddToScheme adds the types in this group-version to the given scheme. AddToScheme = SchemeBuilder.AddToScheme )
View Source
var ( IdentityProvider_Kind = "IdentityProvider" IdentityProvider_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: IdentityProvider_Kind}.String() IdentityProvider_KindAPIVersion = IdentityProvider_Kind + "." + CRDGroupVersion.String() IdentityProvider_GroupVersionKind = CRDGroupVersion.WithKind(IdentityProvider_Kind) )
Repository type metadata.
Functions ¶
This section is empty.
Types ¶
type IdentityProvider ¶
type IdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.alias) || (has(self.initProvider) && has(self.initProvider.alias))",message="spec.forProvider.alias is a required parameter"
// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.entityId) || (has(self.initProvider) && has(self.initProvider.entityId))",message="spec.forProvider.entityId is a required parameter"
// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.singleSignOnServiceUrl) || (has(self.initProvider) && has(self.initProvider.singleSignOnServiceUrl))",message="spec.forProvider.singleSignOnServiceUrl is a required parameter"
Spec IdentityProviderSpec `json:"spec"`
Status IdentityProviderStatus `json:"status,omitempty"`
}
IdentityProvider is the Schema for the IdentityProviders API. +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,keycloak}
func (*IdentityProvider) DeepCopy ¶
func (in *IdentityProvider) DeepCopy() *IdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProvider.
func (*IdentityProvider) DeepCopyInto ¶
func (in *IdentityProvider) DeepCopyInto(out *IdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*IdentityProvider) DeepCopyObject ¶
func (in *IdentityProvider) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*IdentityProvider) GetCondition ¶
func (mg *IdentityProvider) GetCondition(ct xpv1.ConditionType) xpv1.Condition
GetCondition of this IdentityProvider.
func (*IdentityProvider) GetConnectionDetailsMapping ¶
func (tr *IdentityProvider) GetConnectionDetailsMapping() map[string]string
GetConnectionDetailsMapping for this IdentityProvider
func (*IdentityProvider) GetDeletionPolicy ¶
func (mg *IdentityProvider) GetDeletionPolicy() xpv1.DeletionPolicy
GetDeletionPolicy of this IdentityProvider.
func (*IdentityProvider) GetID ¶
func (tr *IdentityProvider) GetID() string
GetID returns ID of underlying Terraform resource of this IdentityProvider
func (*IdentityProvider) GetInitParameters ¶
func (tr *IdentityProvider) GetInitParameters() (map[string]any, error)
GetInitParameters of this IdentityProvider
func (*IdentityProvider) GetManagementPolicies ¶
func (mg *IdentityProvider) GetManagementPolicies() xpv1.ManagementPolicies
GetManagementPolicies of this IdentityProvider.
func (*IdentityProvider) GetMergedParameters ¶
func (tr *IdentityProvider) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error)
GetInitParameters of this IdentityProvider
func (*IdentityProvider) GetObservation ¶
func (tr *IdentityProvider) GetObservation() (map[string]any, error)
GetObservation of this IdentityProvider
func (*IdentityProvider) GetParameters ¶
func (tr *IdentityProvider) GetParameters() (map[string]any, error)
GetParameters of this IdentityProvider
func (*IdentityProvider) GetProviderConfigReference ¶
func (mg *IdentityProvider) GetProviderConfigReference() *xpv1.Reference
GetProviderConfigReference of this IdentityProvider.
func (*IdentityProvider) GetPublishConnectionDetailsTo ¶
func (mg *IdentityProvider) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo
GetPublishConnectionDetailsTo of this IdentityProvider.
func (*IdentityProvider) GetTerraformResourceType ¶
func (mg *IdentityProvider) GetTerraformResourceType() string
GetTerraformResourceType returns Terraform resource type for this IdentityProvider
func (*IdentityProvider) GetTerraformSchemaVersion ¶
func (tr *IdentityProvider) GetTerraformSchemaVersion() int
GetTerraformSchemaVersion returns the associated Terraform schema version
func (*IdentityProvider) GetWriteConnectionSecretToReference ¶
func (mg *IdentityProvider) GetWriteConnectionSecretToReference() *xpv1.SecretReference
GetWriteConnectionSecretToReference of this IdentityProvider.
func (*IdentityProvider) Hub ¶
func (tr *IdentityProvider) Hub()
Hub marks this type as a conversion hub.
func (*IdentityProvider) LateInitialize ¶
func (tr *IdentityProvider) LateInitialize(attrs []byte) (bool, error)
LateInitialize this IdentityProvider using its observed tfState. returns True if there are any spec changes for the resource.
func (*IdentityProvider) ResolveReferences ¶
ResolveReferences of this IdentityProvider.
func (*IdentityProvider) SetConditions ¶
func (mg *IdentityProvider) SetConditions(c ...xpv1.Condition)
SetConditions of this IdentityProvider.
func (*IdentityProvider) SetDeletionPolicy ¶
func (mg *IdentityProvider) SetDeletionPolicy(r xpv1.DeletionPolicy)
SetDeletionPolicy of this IdentityProvider.
func (*IdentityProvider) SetManagementPolicies ¶
func (mg *IdentityProvider) SetManagementPolicies(r xpv1.ManagementPolicies)
SetManagementPolicies of this IdentityProvider.
func (*IdentityProvider) SetObservation ¶
func (tr *IdentityProvider) SetObservation(obs map[string]any) error
SetObservation for this IdentityProvider
func (*IdentityProvider) SetParameters ¶
func (tr *IdentityProvider) SetParameters(params map[string]any) error
SetParameters for this IdentityProvider
func (*IdentityProvider) SetProviderConfigReference ¶
func (mg *IdentityProvider) SetProviderConfigReference(r *xpv1.Reference)
SetProviderConfigReference of this IdentityProvider.
func (*IdentityProvider) SetPublishConnectionDetailsTo ¶
func (mg *IdentityProvider) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo)
SetPublishConnectionDetailsTo of this IdentityProvider.
func (*IdentityProvider) SetWriteConnectionSecretToReference ¶
func (mg *IdentityProvider) SetWriteConnectionSecretToReference(r *xpv1.SecretReference)
SetWriteConnectionSecretToReference of this IdentityProvider.
type IdentityProviderInitParameters ¶
type IdentityProviderInitParameters struct {
// When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
AddReadTokenRoleOnCreate *bool `json:"addReadTokenRoleOnCreate,omitempty" tf:"add_read_token_role_on_create,omitempty"`
// The unique name of identity provider.
// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`
// Authenticate users by default. Defaults to false.
// Enable/disable authenticate users by default.
AuthenticateByDefault *bool `json:"authenticateByDefault,omitempty" tf:"authenticate_by_default,omitempty"`
// Ordered list of requested AuthnContext ClassRefs.
// AuthnContext ClassRefs
AuthnContextClassRefs []*string `json:"authnContextClassRefs,omitempty" tf:"authn_context_class_refs,omitempty"`
// Specifies the comparison method used to evaluate the requested context classes or statements.
// AuthnContext Comparison
AuthnContextComparisonType *string `json:"authnContextComparisonType,omitempty" tf:"authn_context_comparison_type,omitempty"`
// Ordered list of requested AuthnContext DeclRefs.
// AuthnContext DeclRefs
AuthnContextDeclRefs []*string `json:"authnContextDeclRefs,omitempty" tf:"authn_context_decl_refs,omitempty"`
// Does the external IDP support backchannel logout?. Defaults to false.
// Does the external IDP support backchannel logout?
BackchannelSupported *bool `json:"backchannelSupported,omitempty" tf:"backchannel_supported,omitempty"`
// The display name for the realm that is shown when logging in to the admin console.
// Friendly name for Identity Providers.
DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
// When false, users and clients will not be able to access this realm. Defaults to true.
// Enable/disable this identity provider.
Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
// The Entity ID that will be used to uniquely identify this SAML Service Provider.
// The Entity ID that will be used to uniquely identify this SAML Service Provider.
EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"`
// A map of key/value pairs to add extra configuration to this identity provider. Use this attribute at your own risk, as custom attributes may conflict with top-level configuration attributes in future provider updates.
// +mapType=granular
ExtraConfig map[string]*string `json:"extraConfig,omitempty" tf:"extra_config,omitempty"`
// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
FirstBrokerLoginFlowAlias *string `json:"firstBrokerLoginFlowAlias,omitempty" tf:"first_broker_login_flow_alias,omitempty"`
// Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
// Require Force Authn.
ForceAuthn *bool `json:"forceAuthn,omitempty" tf:"force_authn,omitempty"`
// A number defining the order of this identity provider in the GUI.
// GUI Order
GuiOrder *string `json:"guiOrder,omitempty" tf:"gui_order,omitempty"`
// If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
// Hide On Login Page.
HideOnLoginPage *bool `json:"hideOnLoginPage,omitempty" tf:"hide_on_login_page,omitempty"`
// When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
LinkOnly *bool `json:"linkOnly,omitempty" tf:"link_only,omitempty"`
// Login Hint.
LoginHint *string `json:"loginHint,omitempty" tf:"login_hint,omitempty"`
// Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
// Name ID Policy Format.
NameIDPolicyFormat *string `json:"nameIdPolicyFormat,omitempty" tf:"name_id_policy_format,omitempty"`
// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
// Post Binding Authn Request.
PostBindingAuthnRequest *bool `json:"postBindingAuthnRequest,omitempty" tf:"post_binding_authn_request,omitempty"`
// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
// Post Binding Logout.
PostBindingLogout *bool `json:"postBindingLogout,omitempty" tf:"post_binding_logout,omitempty"`
// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..
// Post Binding Response.
PostBindingResponse *bool `json:"postBindingResponse,omitempty" tf:"post_binding_response,omitempty"`
// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
PostBrokerLoginFlowAlias *string `json:"postBrokerLoginFlowAlias,omitempty" tf:"post_broker_login_flow_alias,omitempty"`
// The principal attribute.
// Principal Attribute
PrincipalAttribute *string `json:"principalAttribute,omitempty" tf:"principal_attribute,omitempty"`
// The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
// Principal Type
PrincipalType *string `json:"principalType,omitempty" tf:"principal_type,omitempty"`
// The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
// provider id, is always saml, unless you have a custom implementation
ProviderID *string `json:"providerId,omitempty" tf:"provider_id,omitempty"`
// The name of the realm. This is unique across Keycloak.
// Realm Name
// +crossplane:generate:reference:type=github.com/stakater/provider-keycloak/apis/realm/v1alpha1.Realm
Realm *string `json:"realm,omitempty" tf:"realm,omitempty"`
// Reference to a Realm in realm to populate realm.
// +kubebuilder:validation:Optional
RealmRef *v1.Reference `json:"realmRef,omitempty" tf:"-"`
// Selector for a Realm in realm to populate realm.
// +kubebuilder:validation:Optional
RealmSelector *v1.Selector `json:"realmSelector,omitempty" tf:"-"`
// Signing Algorithm. Defaults to empty.
// Signing Algorithm.
SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm,omitempty"`
// Signing Certificate.
// Signing Certificate.
SigningCertificate *string `json:"signingCertificate,omitempty" tf:"signing_certificate,omitempty"`
// The Url that must be used to send logout requests.
// Logout URL.
SingleLogoutServiceURL *string `json:"singleLogoutServiceUrl,omitempty" tf:"single_logout_service_url,omitempty"`
// The Url that must be used to send authentication requests (SAML AuthnRequest).
// SSO Logout URL.
SingleSignOnServiceURL *string `json:"singleSignOnServiceUrl,omitempty" tf:"single_sign_on_service_url,omitempty"`
// When true, tokens will be stored after authenticating users. Defaults to true.
// Enable/disable if tokens must be stored after authenticating users.
StoreToken *bool `json:"storeToken,omitempty" tf:"store_token,omitempty"`
// The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
// Sync Mode
SyncMode *string `json:"syncMode,omitempty" tf:"sync_mode,omitempty"`
// When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
TrustEmail *bool `json:"trustEmail,omitempty" tf:"trust_email,omitempty"`
// Enable/disable signature validation of SAML responses.
// Enable/disable signature validation of SAML responses.
ValidateSignature *bool `json:"validateSignature,omitempty" tf:"validate_signature,omitempty"`
// Indicates whether this service provider expects an encrypted Assertion.
// Want Assertions Encrypted.
WantAssertionsEncrypted *bool `json:"wantAssertionsEncrypted,omitempty" tf:"want_assertions_encrypted,omitempty"`
// Indicates whether this service provider expects a signed Assertion.
// Want Assertions Signed.
WantAssertionsSigned *bool `json:"wantAssertionsSigned,omitempty" tf:"want_assertions_signed,omitempty"`
// The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
// Sign Key Transformer.
XMLSignKeyInfoKeyNameTransformer *string `json:"xmlSignKeyInfoKeyNameTransformer,omitempty" tf:"xml_sign_key_info_key_name_transformer,omitempty"`
}
func (*IdentityProviderInitParameters) DeepCopy ¶
func (in *IdentityProviderInitParameters) DeepCopy() *IdentityProviderInitParameters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderInitParameters.
func (*IdentityProviderInitParameters) DeepCopyInto ¶
func (in *IdentityProviderInitParameters) DeepCopyInto(out *IdentityProviderInitParameters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IdentityProviderList ¶
type IdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []IdentityProvider `json:"items"`
}
IdentityProviderList contains a list of IdentityProviders
func (*IdentityProviderList) DeepCopy ¶
func (in *IdentityProviderList) DeepCopy() *IdentityProviderList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderList.
func (*IdentityProviderList) DeepCopyInto ¶
func (in *IdentityProviderList) DeepCopyInto(out *IdentityProviderList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*IdentityProviderList) DeepCopyObject ¶
func (in *IdentityProviderList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*IdentityProviderList) GetItems ¶
func (l *IdentityProviderList) GetItems() []resource.Managed
GetItems of this IdentityProviderList.
type IdentityProviderObservation ¶
type IdentityProviderObservation struct {
// When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
AddReadTokenRoleOnCreate *bool `json:"addReadTokenRoleOnCreate,omitempty" tf:"add_read_token_role_on_create,omitempty"`
// The unique name of identity provider.
// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`
// Authenticate users by default. Defaults to false.
// Enable/disable authenticate users by default.
AuthenticateByDefault *bool `json:"authenticateByDefault,omitempty" tf:"authenticate_by_default,omitempty"`
// Ordered list of requested AuthnContext ClassRefs.
// AuthnContext ClassRefs
AuthnContextClassRefs []*string `json:"authnContextClassRefs,omitempty" tf:"authn_context_class_refs,omitempty"`
// Specifies the comparison method used to evaluate the requested context classes or statements.
// AuthnContext Comparison
AuthnContextComparisonType *string `json:"authnContextComparisonType,omitempty" tf:"authn_context_comparison_type,omitempty"`
// Ordered list of requested AuthnContext DeclRefs.
// AuthnContext DeclRefs
AuthnContextDeclRefs []*string `json:"authnContextDeclRefs,omitempty" tf:"authn_context_decl_refs,omitempty"`
// Does the external IDP support backchannel logout?. Defaults to false.
// Does the external IDP support backchannel logout?
BackchannelSupported *bool `json:"backchannelSupported,omitempty" tf:"backchannel_supported,omitempty"`
// The display name for the realm that is shown when logging in to the admin console.
// Friendly name for Identity Providers.
DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
// When false, users and clients will not be able to access this realm. Defaults to true.
// Enable/disable this identity provider.
Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
// The Entity ID that will be used to uniquely identify this SAML Service Provider.
// The Entity ID that will be used to uniquely identify this SAML Service Provider.
EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"`
// A map of key/value pairs to add extra configuration to this identity provider. Use this attribute at your own risk, as custom attributes may conflict with top-level configuration attributes in future provider updates.
// +mapType=granular
ExtraConfig map[string]*string `json:"extraConfig,omitempty" tf:"extra_config,omitempty"`
// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
FirstBrokerLoginFlowAlias *string `json:"firstBrokerLoginFlowAlias,omitempty" tf:"first_broker_login_flow_alias,omitempty"`
// Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
// Require Force Authn.
ForceAuthn *bool `json:"forceAuthn,omitempty" tf:"force_authn,omitempty"`
// A number defining the order of this identity provider in the GUI.
// GUI Order
GuiOrder *string `json:"guiOrder,omitempty" tf:"gui_order,omitempty"`
// If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
// Hide On Login Page.
HideOnLoginPage *bool `json:"hideOnLoginPage,omitempty" tf:"hide_on_login_page,omitempty"`
ID *string `json:"id,omitempty" tf:"id,omitempty"`
// Internal Identity Provider Id
InternalID *string `json:"internalId,omitempty" tf:"internal_id,omitempty"`
// When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
LinkOnly *bool `json:"linkOnly,omitempty" tf:"link_only,omitempty"`
// Login Hint.
LoginHint *string `json:"loginHint,omitempty" tf:"login_hint,omitempty"`
// Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
// Name ID Policy Format.
NameIDPolicyFormat *string `json:"nameIdPolicyFormat,omitempty" tf:"name_id_policy_format,omitempty"`
// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
// Post Binding Authn Request.
PostBindingAuthnRequest *bool `json:"postBindingAuthnRequest,omitempty" tf:"post_binding_authn_request,omitempty"`
// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
// Post Binding Logout.
PostBindingLogout *bool `json:"postBindingLogout,omitempty" tf:"post_binding_logout,omitempty"`
// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..
// Post Binding Response.
PostBindingResponse *bool `json:"postBindingResponse,omitempty" tf:"post_binding_response,omitempty"`
// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
PostBrokerLoginFlowAlias *string `json:"postBrokerLoginFlowAlias,omitempty" tf:"post_broker_login_flow_alias,omitempty"`
// The principal attribute.
// Principal Attribute
PrincipalAttribute *string `json:"principalAttribute,omitempty" tf:"principal_attribute,omitempty"`
// The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
// Principal Type
PrincipalType *string `json:"principalType,omitempty" tf:"principal_type,omitempty"`
// The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
// provider id, is always saml, unless you have a custom implementation
ProviderID *string `json:"providerId,omitempty" tf:"provider_id,omitempty"`
// The name of the realm. This is unique across Keycloak.
// Realm Name
Realm *string `json:"realm,omitempty" tf:"realm,omitempty"`
// Signing Algorithm. Defaults to empty.
// Signing Algorithm.
SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm,omitempty"`
// Signing Certificate.
// Signing Certificate.
SigningCertificate *string `json:"signingCertificate,omitempty" tf:"signing_certificate,omitempty"`
// The Url that must be used to send logout requests.
// Logout URL.
SingleLogoutServiceURL *string `json:"singleLogoutServiceUrl,omitempty" tf:"single_logout_service_url,omitempty"`
// The Url that must be used to send authentication requests (SAML AuthnRequest).
// SSO Logout URL.
SingleSignOnServiceURL *string `json:"singleSignOnServiceUrl,omitempty" tf:"single_sign_on_service_url,omitempty"`
// When true, tokens will be stored after authenticating users. Defaults to true.
// Enable/disable if tokens must be stored after authenticating users.
StoreToken *bool `json:"storeToken,omitempty" tf:"store_token,omitempty"`
// The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
// Sync Mode
SyncMode *string `json:"syncMode,omitempty" tf:"sync_mode,omitempty"`
// When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
TrustEmail *bool `json:"trustEmail,omitempty" tf:"trust_email,omitempty"`
// Enable/disable signature validation of SAML responses.
// Enable/disable signature validation of SAML responses.
ValidateSignature *bool `json:"validateSignature,omitempty" tf:"validate_signature,omitempty"`
// Indicates whether this service provider expects an encrypted Assertion.
// Want Assertions Encrypted.
WantAssertionsEncrypted *bool `json:"wantAssertionsEncrypted,omitempty" tf:"want_assertions_encrypted,omitempty"`
// Indicates whether this service provider expects a signed Assertion.
// Want Assertions Signed.
WantAssertionsSigned *bool `json:"wantAssertionsSigned,omitempty" tf:"want_assertions_signed,omitempty"`
// The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
// Sign Key Transformer.
XMLSignKeyInfoKeyNameTransformer *string `json:"xmlSignKeyInfoKeyNameTransformer,omitempty" tf:"xml_sign_key_info_key_name_transformer,omitempty"`
}
func (*IdentityProviderObservation) DeepCopy ¶
func (in *IdentityProviderObservation) DeepCopy() *IdentityProviderObservation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderObservation.
func (*IdentityProviderObservation) DeepCopyInto ¶
func (in *IdentityProviderObservation) DeepCopyInto(out *IdentityProviderObservation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IdentityProviderParameters ¶
type IdentityProviderParameters struct {
// When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
// +kubebuilder:validation:Optional
AddReadTokenRoleOnCreate *bool `json:"addReadTokenRoleOnCreate,omitempty" tf:"add_read_token_role_on_create,omitempty"`
// The unique name of identity provider.
// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
// +kubebuilder:validation:Optional
Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`
// Authenticate users by default. Defaults to false.
// Enable/disable authenticate users by default.
// +kubebuilder:validation:Optional
AuthenticateByDefault *bool `json:"authenticateByDefault,omitempty" tf:"authenticate_by_default,omitempty"`
// Ordered list of requested AuthnContext ClassRefs.
// AuthnContext ClassRefs
// +kubebuilder:validation:Optional
AuthnContextClassRefs []*string `json:"authnContextClassRefs,omitempty" tf:"authn_context_class_refs,omitempty"`
// Specifies the comparison method used to evaluate the requested context classes or statements.
// AuthnContext Comparison
// +kubebuilder:validation:Optional
AuthnContextComparisonType *string `json:"authnContextComparisonType,omitempty" tf:"authn_context_comparison_type,omitempty"`
// Ordered list of requested AuthnContext DeclRefs.
// AuthnContext DeclRefs
// +kubebuilder:validation:Optional
AuthnContextDeclRefs []*string `json:"authnContextDeclRefs,omitempty" tf:"authn_context_decl_refs,omitempty"`
// Does the external IDP support backchannel logout?. Defaults to false.
// Does the external IDP support backchannel logout?
// +kubebuilder:validation:Optional
BackchannelSupported *bool `json:"backchannelSupported,omitempty" tf:"backchannel_supported,omitempty"`
// The display name for the realm that is shown when logging in to the admin console.
// Friendly name for Identity Providers.
// +kubebuilder:validation:Optional
DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
// When false, users and clients will not be able to access this realm. Defaults to true.
// Enable/disable this identity provider.
// +kubebuilder:validation:Optional
Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
// The Entity ID that will be used to uniquely identify this SAML Service Provider.
// The Entity ID that will be used to uniquely identify this SAML Service Provider.
// +kubebuilder:validation:Optional
EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"`
// A map of key/value pairs to add extra configuration to this identity provider. Use this attribute at your own risk, as custom attributes may conflict with top-level configuration attributes in future provider updates.
// +kubebuilder:validation:Optional
// +mapType=granular
ExtraConfig map[string]*string `json:"extraConfig,omitempty" tf:"extra_config,omitempty"`
// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
// +kubebuilder:validation:Optional
FirstBrokerLoginFlowAlias *string `json:"firstBrokerLoginFlowAlias,omitempty" tf:"first_broker_login_flow_alias,omitempty"`
// Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
// Require Force Authn.
// +kubebuilder:validation:Optional
ForceAuthn *bool `json:"forceAuthn,omitempty" tf:"force_authn,omitempty"`
// A number defining the order of this identity provider in the GUI.
// GUI Order
// +kubebuilder:validation:Optional
GuiOrder *string `json:"guiOrder,omitempty" tf:"gui_order,omitempty"`
// If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
// Hide On Login Page.
// +kubebuilder:validation:Optional
HideOnLoginPage *bool `json:"hideOnLoginPage,omitempty" tf:"hide_on_login_page,omitempty"`
// When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
// +kubebuilder:validation:Optional
LinkOnly *bool `json:"linkOnly,omitempty" tf:"link_only,omitempty"`
// Login Hint.
// +kubebuilder:validation:Optional
LoginHint *string `json:"loginHint,omitempty" tf:"login_hint,omitempty"`
// Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
// Name ID Policy Format.
// +kubebuilder:validation:Optional
NameIDPolicyFormat *string `json:"nameIdPolicyFormat,omitempty" tf:"name_id_policy_format,omitempty"`
// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
// Post Binding Authn Request.
// +kubebuilder:validation:Optional
PostBindingAuthnRequest *bool `json:"postBindingAuthnRequest,omitempty" tf:"post_binding_authn_request,omitempty"`
// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
// Post Binding Logout.
// +kubebuilder:validation:Optional
PostBindingLogout *bool `json:"postBindingLogout,omitempty" tf:"post_binding_logout,omitempty"`
// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..
// Post Binding Response.
// +kubebuilder:validation:Optional
PostBindingResponse *bool `json:"postBindingResponse,omitempty" tf:"post_binding_response,omitempty"`
// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
// +kubebuilder:validation:Optional
PostBrokerLoginFlowAlias *string `json:"postBrokerLoginFlowAlias,omitempty" tf:"post_broker_login_flow_alias,omitempty"`
// The principal attribute.
// Principal Attribute
// +kubebuilder:validation:Optional
PrincipalAttribute *string `json:"principalAttribute,omitempty" tf:"principal_attribute,omitempty"`
// The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
// Principal Type
// +kubebuilder:validation:Optional
PrincipalType *string `json:"principalType,omitempty" tf:"principal_type,omitempty"`
// The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
// provider id, is always saml, unless you have a custom implementation
// +kubebuilder:validation:Optional
ProviderID *string `json:"providerId,omitempty" tf:"provider_id,omitempty"`
// The name of the realm. This is unique across Keycloak.
// Realm Name
// +crossplane:generate:reference:type=github.com/stakater/provider-keycloak/apis/realm/v1alpha1.Realm
// +kubebuilder:validation:Optional
Realm *string `json:"realm,omitempty" tf:"realm,omitempty"`
// Reference to a Realm in realm to populate realm.
// +kubebuilder:validation:Optional
RealmRef *v1.Reference `json:"realmRef,omitempty" tf:"-"`
// Selector for a Realm in realm to populate realm.
// +kubebuilder:validation:Optional
RealmSelector *v1.Selector `json:"realmSelector,omitempty" tf:"-"`
// Signing Algorithm. Defaults to empty.
// Signing Algorithm.
// +kubebuilder:validation:Optional
SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm,omitempty"`
// Signing Certificate.
// Signing Certificate.
// +kubebuilder:validation:Optional
SigningCertificate *string `json:"signingCertificate,omitempty" tf:"signing_certificate,omitempty"`
// The Url that must be used to send logout requests.
// Logout URL.
// +kubebuilder:validation:Optional
SingleLogoutServiceURL *string `json:"singleLogoutServiceUrl,omitempty" tf:"single_logout_service_url,omitempty"`
// The Url that must be used to send authentication requests (SAML AuthnRequest).
// SSO Logout URL.
// +kubebuilder:validation:Optional
SingleSignOnServiceURL *string `json:"singleSignOnServiceUrl,omitempty" tf:"single_sign_on_service_url,omitempty"`
// When true, tokens will be stored after authenticating users. Defaults to true.
// Enable/disable if tokens must be stored after authenticating users.
// +kubebuilder:validation:Optional
StoreToken *bool `json:"storeToken,omitempty" tf:"store_token,omitempty"`
// The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
// Sync Mode
// +kubebuilder:validation:Optional
SyncMode *string `json:"syncMode,omitempty" tf:"sync_mode,omitempty"`
// When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
// +kubebuilder:validation:Optional
TrustEmail *bool `json:"trustEmail,omitempty" tf:"trust_email,omitempty"`
// Enable/disable signature validation of SAML responses.
// Enable/disable signature validation of SAML responses.
// +kubebuilder:validation:Optional
ValidateSignature *bool `json:"validateSignature,omitempty" tf:"validate_signature,omitempty"`
// Indicates whether this service provider expects an encrypted Assertion.
// Want Assertions Encrypted.
// +kubebuilder:validation:Optional
WantAssertionsEncrypted *bool `json:"wantAssertionsEncrypted,omitempty" tf:"want_assertions_encrypted,omitempty"`
// Indicates whether this service provider expects a signed Assertion.
// Want Assertions Signed.
// +kubebuilder:validation:Optional
WantAssertionsSigned *bool `json:"wantAssertionsSigned,omitempty" tf:"want_assertions_signed,omitempty"`
// The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
// Sign Key Transformer.
// +kubebuilder:validation:Optional
XMLSignKeyInfoKeyNameTransformer *string `json:"xmlSignKeyInfoKeyNameTransformer,omitempty" tf:"xml_sign_key_info_key_name_transformer,omitempty"`
}
func (*IdentityProviderParameters) DeepCopy ¶
func (in *IdentityProviderParameters) DeepCopy() *IdentityProviderParameters
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderParameters.
func (*IdentityProviderParameters) DeepCopyInto ¶
func (in *IdentityProviderParameters) DeepCopyInto(out *IdentityProviderParameters)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IdentityProviderSpec ¶
type IdentityProviderSpec struct {
v1.ResourceSpec `json:",inline"`
ForProvider IdentityProviderParameters `json:"forProvider"`
// THIS IS A BETA FIELD. It will be honored
// unless the Management Policies feature flag is disabled.
// InitProvider holds the same fields as ForProvider, with the exception
// of Identifier and other resource reference fields. The fields that are
// in InitProvider are merged into ForProvider when the resource is created.
// The same fields are also added to the terraform ignore_changes hook, to
// avoid updating them after creation. This is useful for fields that are
// required on creation, but we do not desire to update them after creation,
// for example because of an external controller is managing them, like an
// autoscaler.
InitProvider IdentityProviderInitParameters `json:"initProvider,omitempty"`
}
IdentityProviderSpec defines the desired state of IdentityProvider
func (*IdentityProviderSpec) DeepCopy ¶
func (in *IdentityProviderSpec) DeepCopy() *IdentityProviderSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderSpec.
func (*IdentityProviderSpec) DeepCopyInto ¶
func (in *IdentityProviderSpec) DeepCopyInto(out *IdentityProviderSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IdentityProviderStatus ¶
type IdentityProviderStatus struct {
v1.ResourceStatus `json:",inline"`
AtProvider IdentityProviderObservation `json:"atProvider,omitempty"`
}
IdentityProviderStatus defines the observed state of IdentityProvider.
func (*IdentityProviderStatus) DeepCopy ¶
func (in *IdentityProviderStatus) DeepCopy() *IdentityProviderStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderStatus.
func (*IdentityProviderStatus) DeepCopyInto ¶
func (in *IdentityProviderStatus) DeepCopyInto(out *IdentityProviderStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
Source Files
Click to show internal directories.
Click to hide internal directories.