Namespace Pulumi.Keycloak.Saml
Classes
Client
# keycloak.saml.Client
Allows for creating and managing Keycloak clients that use the SAML protocol.
Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO.
Example Usage
using System.IO;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var samlClient = new Keycloak.Saml.Client("samlClient", new Keycloak.Saml.ClientArgs
{
ClientId = "test-saml-client",
IncludeAuthnStatement = true,
RealmId = realm.Id,
SignAssertions = true,
SignDocuments = false,
SigningCertificate = File.ReadAllText("saml-cert.pem"),
SigningPrivateKey = File.ReadAllText("saml-key.pem"),
});
}
}
Argument Reference
The following arguments are supported:
realm_id- (Required) The realm this client is attached to.client_id- (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.name- (Optional) The display name of this client in the GUI.enabled- (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults totrue.description- (Optional) The description of this client in the GUI.include_authn_statement- (Optional) Whentrue, anAuthnStatementwill be included in the SAML response.sign_documents- (Optional) Whentrue, the SAML document will be signed by Keycloak using the realm's private key.sign_assertions- (Optional) Whentrue, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response.client_signature_required- (Optional) Whentrue, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured viasigning_certificateandsigning_private_key.force_post_binding- (Optional) Whentrue, Keycloak will always respond to an authentication request via the SAML POST Binding.front_channel_logout- (Optional) Whentrue, this client will require a browser redirect in order to perform a logout.name_id_format- (Optional) Sets the Name ID format for the subject.root_url- (Optional) When specified, this value is prepended to all relative URLs.valid_redirect_uris- (Optional) When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.base_url- (Optional) When specified, this URL will be used whenever Keycloak needs to link to this client.master_saml_processing_url- (Optional) When specified, this URL will be used for all SAML requests.signing_certificate- (Optional) If documents or assertions from the client are signed, this certificate will be used to verify the signature.signing_private_key- (Optional) If documents or assertions from the client are signed, this private key will be used to verify the signature.idp_initiated_sso_url_name- (Optional) URL fragment name to reference client when you want to do IDP Initiated SSO.idp_initiated_sso_relay_state- (Optional) Relay state you want to send with SAML request when you want to do IDP Initiated SSO.assertion_consumer_post_url- (Optional) SAML POST Binding URL for the client's assertion consumer service (login responses).assertion_consumer_redirect_url- (Optional) SAML Redirect Binding URL for the client's assertion consumer service (login responses).logout_service_post_binding_url- (Optional) SAML POST Binding URL for the client's single logout service.logout_service_redirect_binding_url- (Optional) SAML Redirect Binding URL for the client's single logout service.full_scope_allowed- (Optional) - Allow to include all roles mappings in the access token
ClientArgs
ClientState
GetClientInstallationProvider
GetClientInstallationProviderArgs
GetClientInstallationProviderResult
IdentityProvider
# keycloak.saml.IdentityProvider
Allows to create and manage SAML Identity Providers within Keycloak.
SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard.
Example Usage
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realmIdentityProvider = new Keycloak.Saml.IdentityProvider("realmIdentityProvider", new Keycloak.Saml.IdentityProviderArgs
{
Alias = "my-idp",
BackchannelSupported = true,
ForceAuthn = true,
PostBindingAuthnRequest = true,
PostBindingLogout = true,
PostBindingResponse = true,
Realm = "my-realm",
SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
StoreToken = false,
TrustEmail = true,
});
}
}
Argument Reference
The following arguments are supported:
realm- (Required) The name of the realm. This is unique across Keycloak.alias- (Optional) The uniq name of identity provider.enabled- (Optional) When false, users and clients will not be able to access this realm. Defaults totrue.display_name- (Optional) The display name for the realm that is shown when logging in to the admin console.store_token- (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults totrue.add_read_token_role_on_create- (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults tofalse.trust_email- (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults tofalse.link_only- (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults tofalse.hide_on_login_page- (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.first_broker_login_flow_alias- (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults tofirst broker login.post_broker_login_flow_alias- (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.authenticate_by_default- (Optional) Authenticate users by default. Defaults tofalse.
SAML Configuration
single_sign_on_service_url- (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest).single_logout_service_url- (Optional) The Url that must be used to send logout requests.backchannel_supported- (Optional) Does the external IDP support back-channel logout ?.name_id_policy_format- (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.post_binding_response- (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..post_binding_authn_request- (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.post_binding_logout- (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.want_assertions_signed- (Optional) Indicates whether this service provider expects a signed Assertion.want_assertions_encrypted- (Optional) Indicates whether this service provider expects an encrypted Assertion.force_authn- (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.validate_signature- (Optional) Enable/disable signature validation of SAML responses.signing_certificate- (Optional) Signing Certificate.signature_algorithm- (Optional) Signing Algorithm. Defaults to empty.xml_sign_key_info_key_name_transformer- (Optional) Sign Key Transformer. Defaults to empty.
IdentityProviderArgs
IdentityProviderState
UserAttributeProtocolMapper
# keycloak.saml.UserAttributeProtocolMapper
Allows for creating and managing user attribute protocol mappers for SAML clients within Keycloak.
SAML user attribute protocol mappers allow you to map custom attributes defined for a user within Keycloak to an attribute in a SAML assertion. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
Example Usage (Client)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var samlClient = new Keycloak.Saml.Client("samlClient", new Keycloak.Saml.ClientArgs
{
ClientId = "test-saml-client",
RealmId = keycloak_realm.Test.Id,
});
var samlUserAttributeMapper = new Keycloak.Saml.UserAttributeProtocolMapper("samlUserAttributeMapper", new Keycloak.Saml.UserAttributeProtocolMapperArgs
{
ClientId = samlClient.Id,
RealmId = keycloak_realm.Test.Id,
SamlAttributeName = "displayName",
SamlAttributeNameFormat = "Unspecified",
UserAttribute = "displayName",
});
}
}
Argument Reference
The following arguments are supported:
realm_id- (Required) The realm this protocol mapper exists within.client_id- (Required ifclient_scope_idis not specified) The SAML client this protocol mapper is attached to.client_scope_id- (Required ifclient_idis not specified) The SAML client scope this protocol mapper is attached to.name- (Required) The display name of this protocol mapper in the GUI.user_attribute- (Required) The custom user attribute to map.friendly_name- (Optional) An optional human-friendly name for this attribute.saml_attribute_name- (Required) The name of the SAML attribute.saml_attribute_name_format- (Required) The SAML attribute Name Format. Can be one ofUnspecified,Basic, orURI Reference.
UserAttributeProtocolMapperArgs
UserAttributeProtocolMapperState
UserPropertyProtocolMapper
# keycloak.saml.UserPropertyProtocolMapper
Allows for creating and managing user property protocol mappers for SAML clients within Keycloak.
SAML user property protocol mappers allow you to map properties of the Keycloak user model to an attribute in a SAML assertion. Protocol mappers can be defined for a single client, or they can be defined for a client scope which can be shared between multiple different clients.
Example Usage (Client)
using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
{
Enabled = true,
Realm = "my-realm",
});
var samlClient = new Keycloak.Saml.Client("samlClient", new Keycloak.Saml.ClientArgs
{
ClientId = "test-saml-client",
RealmId = keycloak_realm.Test.Id,
});
var samlUserPropertyMapper = new Keycloak.Saml.UserPropertyProtocolMapper("samlUserPropertyMapper", new Keycloak.Saml.UserPropertyProtocolMapperArgs
{
ClientId = samlClient.Id,
RealmId = keycloak_realm.Test.Id,
SamlAttributeName = "email",
SamlAttributeNameFormat = "Unspecified",
UserProperty = "email",
});
}
}
Argument Reference
The following arguments are supported:
realm_id- (Required) The realm this protocol mapper exists within.client_id- (Required ifclient_scope_idis not specified) The SAML client this protocol mapper is attached to.client_scope_id- (Required ifclient_idis not specified) The SAML client scope this protocol mapper is attached to.name- (Required) The display name of this protocol mapper in the GUI.user_property- (Required) The property of the Keycloak user model to map.friendly_name- (Optional) An optional human-friendly name for this attribute.saml_attribute_name- (Required) The name of the SAML attribute.saml_attribute_name_format- (Required) The SAML attribute Name Format. Can be one ofUnspecified,Basic, orURI Reference.