Class IdentityProvider

# keycloak.saml.IdentityProvider

Allows creating and managing SAML Identity Providers within Keycloak.

A SAML (Security Assertion Markup Language) identity provider allows users to authenticate through a third-party system using the SAML standard.

Example Usage

using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
    public MyStack()
    {
        var realmIdentityProvider = new Keycloak.Saml.IdentityProvider("realmIdentityProvider", new Keycloak.Saml.IdentityProviderArgs
        {
            Alias = "my-idp",
            BackchannelSupported = true,
            ForceAuthn = true,
            PostBindingAuthnRequest = true,
            PostBindingLogout = true,
            PostBindingResponse = true,
            Realm = "my-realm",
            SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
            SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
            StoreToken = false,
            TrustEmail = true,
        });
    }
}

Argument Reference

The following arguments are supported:

  • realm - (Required) The name of the realm. This is unique across Keycloak.
  • alias - (Optional) The unique name of the identity provider.
  • enabled - (Optional) When false, users and clients will not be able to access this realm. Defaults to true.
  • display_name - (Optional) The display name for the realm that is shown when logging in to the admin console.
  • store_token - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to true.
  • add_read_token_role_on_create - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to false.
  • trust_email - (Optional) If enabled, the email provided by this provider is not verified, even if verification is enabled for the realm. Defaults to false.
  • link_only - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to false.
  • hide_on_login_page - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
  • first_broker_login_flow_alias - (Optional) Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked with the authenticated identity provider account. Defaults to first broker login.
  • post_broker_login_flow_alias - (Optional) Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it. Defaults to empty.
  • authenticate_by_default - (Optional) Authenticate users by default. Defaults to false.

SAML Configuration

  • single_sign_on_service_url - (Optional) The URL that must be used to send authentication requests (SAML AuthnRequest).
  • single_logout_service_url - (Optional) The URL that must be used to send logout requests.
  • backchannel_supported - (Optional) Whether the external IdP supports back-channel logout.
  • name_id_policy_format - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
  • post_binding_response - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
  • post_binding_authn_request - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
  • post_binding_logout - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
  • want_assertions_signed - (Optional) Indicates whether this service provider expects a signed Assertion.
  • want_assertions_encrypted - (Optional) Indicates whether this service provider expects an encrypted Assertion.
  • force_authn - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
  • validate_signature - (Optional) Enable/disable signature validation of SAML responses.
  • signing_certificate - (Optional) Signing Certificate.
  • signature_algorithm - (Optional) Signing Algorithm. Defaults to empty.
  • xml_sign_key_info_key_name_transformer - (Optional) Sign Key Transformer. Defaults to empty.
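As an added example (not code from the Pulumi or Keycloak documentation), the same resource with the SAML configuration arguments listed above set to their defensive values: signature validation against a pinned certificate, signed and encrypted assertions, POST bindings, and no token storage. The realm name, alias, IdP URLs and the Pulumi config key `idpSigningCertificate` are assumptions.

```csharp
using Pulumi;
using Keycloak = Pulumi.Keycloak;

class MyStack : Stack
{
    public MyStack()
    {
        // The IdP signing certificate (PEM body) is read from Pulumi config as a secret
        // rather than committed to source. "idpSigningCertificate" is an assumed config key.
        var config = new Config();
        var idpSigningCertificate = config.RequireSecret("idpSigningCertificate");

        var hardenedIdp = new Keycloak.Saml.IdentityProvider("hardenedIdp", new Keycloak.Saml.IdentityProviderArgs
        {
            Realm = "my-realm",   // assumed realm name
            Alias = "corp-adfs",  // assumed alias; Keycloak also builds the redirect URI from it

            // Endpoints of the external IdP (assumed values).
            SingleSignOnServiceUrl = "https://idp.example.com/adfs/ls/",
            SingleLogoutServiceUrl = "https://idp.example.com/adfs/ls/?wa=wsignout1.0",
            BackchannelSupported = true,

            // Reject responses whose signature does not verify against the pinned
            // certificate, and require the Assertion itself to be signed and encrypted.
            ValidateSignature = true,
            SigningCertificate = idpSigningCertificate,
            SignatureAlgorithm = "RSA_SHA256",   // Keycloak algorithm name; avoids SHA-1
            WantAssertionsSigned = true,
            WantAssertionsEncrypted = true,

            // HTTP-POST bindings keep SAML messages out of URLs, and so out of proxy
            // and web-server access logs.
            PostBindingAuthnRequest = true,
            PostBindingResponse = true,
            PostBindingLogout = true,

            // Stable, opaque subject identifier rather than e-mail or "unspecified".
            NameIdPolicyFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",

            // Require the IdP to re-authenticate instead of reusing an existing session.
            ForceAuthn = true,

            // Least privilege for brokered users: keep no IdP tokens in Keycloak, grant
            // no broker.read-token role, and keep Keycloak's own e-mail verification.
            StoreToken = false,
            AddReadTokenRoleOnCreate = false,
            TrustEmail = false,
        });
    }
}
```

Set the secret with `pulumi config set --secret idpSigningCertificate "<PEM body>"` before `pulumi up`; with `ValidateSignature` enabled and no certificate, Keycloak has nothing to verify responses against.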
Inheritance
System.Object
Resource
CustomResource
IdentityProvider
Inherited Members
CustomResource.Id
Resource.GetResourceType()
Resource.GetResourceName()
Resource.Urn
System.Object.Equals(System.Object)
System.Object.Equals(System.Object, System.Object)
System.Object.GetHashCode()
System.Object.GetType()
System.Object.MemberwiseClone()
System.Object.ReferenceEquals(System.Object, System.Object)
System.Object.ToString()
Namespace: Pulumi.Keycloak.Saml
Assembly: Pulumi.Keycloak.dll
Syntax
public class IdentityProvider : CustomResource

Constructors

IdentityProvider(String, IdentityProviderArgs, CustomResourceOptions)

Create an IdentityProvider resource with the given unique name, arguments, and options.

Declaration
public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions options = null)
Parameters
Type Name Description
System.String name

The unique name of the resource

IdentityProviderArgs args

The arguments used to populate this resource's properties

CustomResourceOptions options

A bag of options that control this resource's behavior

Properties

AddReadTokenRoleOnCreate

Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.

Declaration
public Output<bool?> AddReadTokenRoleOnCreate { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

Alias

The alias uniquely identifies an identity provider and is also used to build the redirect URI.

Declaration
public Output<string> Alias { get; }
Property Value
Type Description
Output<System.String>

AuthenticateByDefault

Enable/disable authenticating users by default.

Declaration
public Output<bool?> AuthenticateByDefault { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

BackchannelSupported

Does the external IDP support backchannel logout?

Declaration
public Output<bool?> BackchannelSupported { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

DisplayName

Friendly name for Identity Providers.

Declaration
public Output<string> DisplayName { get; }
Property Value
Type Description
Output<System.String>

Enabled

Enable/disable this identity provider.

Declaration
public Output<bool?> Enabled { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

FirstBrokerLoginFlowAlias

Alias of the authentication flow that is triggered after the first login with this identity provider. 'First login' means that no Keycloak account is yet linked with the authenticated identity provider account.

Declaration
public Output<string> FirstBrokerLoginFlowAlias { get; }
Property Value
Type Description
Output<System.String>

ForceAuthn

Require Force Authn.

Declaration
public Output<bool?> ForceAuthn { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

HideOnLoginPage

Hide On Login Page.

Declaration
public Output<bool?> HideOnLoginPage { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

InternalId

Internal Identity Provider Id

Declaration
public Output<string> InternalId { get; }
Property Value
Type Description
Output<System.String>

LinkOnly

If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider.

Declaration
public Output<bool?> LinkOnly { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

NameIdPolicyFormat

Name ID Policy Format.

Declaration
public Output<string> NameIdPolicyFormat { get; }
Property Value
Type Description
Output<System.String>

PostBindingAuthnRequest

Post Binding Authn Request.

Declaration
public Output<bool?> PostBindingAuthnRequest { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

PostBindingLogout

Post Binding Logout.

Declaration
public Output<bool?> PostBindingLogout { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

PostBindingResponse

Post Binding Response.

Declaration
public Output<bool?> PostBindingResponse { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

PostBrokerLoginFlowAlias

Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it.

Declaration
public Output<string> PostBrokerLoginFlowAlias { get; }
Property Value
Type Description
Output<System.String>

Realm

Realm Name

Declaration
public Output<string> Realm { get; }
Property Value
Type Description
Output<System.String>

SignatureAlgorithm

Signing Algorithm.

Declaration
public Output<string> SignatureAlgorithm { get; }
Property Value
Type Description
Output<System.String>

SigningCertificate

Signing Certificate.

Declaration
public Output<string> SigningCertificate { get; }
Property Value
Type Description
Output<System.String>

SingleLogoutServiceUrl

Logout URL.

Declaration
public Output<string> SingleLogoutServiceUrl { get; }
Property Value
Type Description
Output<System.String>

SingleSignOnServiceUrl

SSO Logout URL.

Declaration
public Output<string> SingleSignOnServiceUrl { get; }
Property Value
Type Description
Output<System.String>

StoreToken

Enable/disable if tokens must be stored after authenticating users.

Declaration
public Output<bool?> StoreToken { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

TrustEmail

If enabled, the email provided by this provider is not verified, even if verification is enabled for the realm.

Declaration
public Output<bool?> TrustEmail { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

ValidateSignature

Enable/disable signature validation of SAML responses.

Declaration
public Output<bool?> ValidateSignature { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

WantAssertionsEncrypted

Want Assertions Encrypted.

Declaration
public Output<bool?> WantAssertionsEncrypted { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

WantAssertionsSigned

Want Assertions Signed.

Declaration
public Output<bool?> WantAssertionsSigned { get; }
Property Value
Type Description
Output<System.Nullable<System.Boolean>>

XmlSignKeyInfoKeyNameTransformer

Sign Key Transformer.

Declaration
public Output<string> XmlSignKeyInfoKeyNameTransformer { get; }
Property Value
Type Description
Output<System.String>

Methods

Get(String, Input<String>, IdentityProviderState, CustomResourceOptions)

Get an existing IdentityProvider resource's state with the given name, ID, and optional extra properties used to qualify the lookup.

Declaration
public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState state = null, CustomResourceOptions options = null)
Parameters
Type Name Description
System.String name

The unique name of the resulting resource.

Input<System.String> id

The unique provider ID of the resource to lookup.

IdentityProviderState state

Any extra arguments used during the lookup.

CustomResourceOptions options

A bag of options that control this resource's behavior

Returns
Type Description
IdentityProvider
Copyright 2016-2020, Pulumi Corporation.