Client

# keycloak.saml.Client

Allows for creating and managing Keycloak clients that use the SAML protocol.

Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak’s user sessions for SSO.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as fs from "fs";
import * as keycloak from "@pulumi/keycloak";

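// Realm that owns the SAML client defined below.
const realm = new keycloak.Realm("realm", {
    enabled: true,
    realm: "my-realm",
});

// SAML client for which Keycloak signs the assertions but not the enclosing
// SAML document (signAssertions: true, signDocuments: false).
const samlClient = new keycloak.saml.Client("saml_client", {
    clientId: "test-saml-client",
    includeAuthnStatement: true,
    realmId: realm.id,
    signAssertions: true,
    signDocuments: false,
    // The certificate is public material and can be passed as a plain string.
    signingCertificate: fs.readFileSync("saml-cert.pem", "utf-8"),
    // Private key material: wrapping it in pulumi.secret() makes Pulumi encrypt
    // the value in the stack state and mask it in CLI output, whether or not
    // the provider schema already marks this property as sensitive.
    // Keep saml-key.pem itself out of version control.
    signingPrivateKey: pulumi.secret(fs.readFileSync("saml-key.pem", "utf-8")),
});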
import pulumi
import pulumi_keycloak as keycloak

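def _read_text(path):
    """Return the full contents of the text file at ``path``.

    The file is opened in a ``with`` block so the handle is closed as soon as
    the content has been read, rather than being left for the garbage collector.
    """
    with open(path, encoding="utf-8") as handle:
        return handle.read()


# Realm that owns the SAML client defined below.
realm = keycloak.Realm("realm",
    enabled=True,
    realm="my-realm")

# SAML client for which Keycloak signs the assertions but not the enclosing
# SAML document (sign_assertions=True, sign_documents=False).
saml_client = keycloak.saml.Client("samlClient",
    client_id="test-saml-client",
    include_authn_statement=True,
    realm_id=realm.id,
    sign_assertions=True,
    sign_documents=False,
    # The certificate is public material and can be passed as a plain string.
    signing_certificate=_read_text("saml-cert.pem"),
    # Private key material: pulumi.Output.secret() makes Pulumi encrypt the
    # value in the stack state and mask it in CLI output, whether or not the
    # provider schema already marks this property as sensitive.
    # Keep saml-key.pem itself out of version control.
    signing_private_key=pulumi.Output.secret(_read_text("saml-key.pem")))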
using System.IO;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

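/// <summary>
/// Example stack that creates a Keycloak realm and a SAML client in it.
/// Keycloak signs the client's assertions but not the enclosing SAML document.
/// </summary>
class MyStack : Stack
{
    /// <summary>
    /// Declares the realm and the SAML client. The signing certificate and
    /// private key are read from PEM files in the working directory.
    /// </summary>
    public MyStack()
    {
        var realm = new Keycloak.Realm("realm", new Keycloak.RealmArgs
        {
            Enabled = true,
            Realm = "my-realm",
        });
        var samlClient = new Keycloak.Saml.Client("samlClient", new Keycloak.Saml.ClientArgs
        {
            ClientId = "test-saml-client",
            IncludeAuthnStatement = true,
            RealmId = realm.Id,
            SignAssertions = true,
            SignDocuments = false,
            // The certificate is public material and can be passed as a plain string.
            SigningCertificate = File.ReadAllText("saml-cert.pem"),
            // Private key material: Output.CreateSecret makes Pulumi encrypt the
            // value in the stack state and mask it in CLI output, whether or not
            // the provider schema already marks this property as sensitive.
            // Keep saml-key.pem itself out of version control.
            SigningPrivateKey = Output.CreateSecret(File.ReadAllText("saml-key.pem")),
        });
    }

}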

Argument Reference

The following arguments are supported:

  • realm_id - (Required) The realm this client is attached to.
  • client_id - (Required) The unique ID of this client, referenced in the URI during authentication and in issued tokens.
  • name - (Optional) The display name of this client in the GUI.
  • enabled - (Optional) When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.
  • description - (Optional) The description of this client in the GUI.
  • include_authn_statement - (Optional) When true, an AuthnStatement will be included in the SAML response.
  • sign_documents - (Optional) When true, the SAML document will be signed by Keycloak using the realm’s private key.
  • sign_assertions - (Optional) When true, the SAML assertions will be signed by Keycloak using the realm’s private key, and embedded within the SAML XML Auth response.
  • client_signature_required - (Optional) When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key.
  • force_post_binding - (Optional) When true, Keycloak will always respond to an authentication request via the SAML POST Binding.
  • front_channel_logout - (Optional) When true, this client will require a browser redirect in order to perform a logout.
  • name_id_format - (Optional) Sets the Name ID format for the subject.
  • root_url - (Optional) When specified, this value is prepended to all relative URLs.
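  • valid_redirect_uris - (Optional) When specified, Keycloak will use this list to validate the Assertion Consumer URLs given in the authentication request. Keep the entries as specific as possible, since this list bounds where Keycloak will send SAML responses.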
  • base_url - (Optional) When specified, this URL will be used whenever Keycloak needs to link to this client.
  • master_saml_processing_url - (Optional) When specified, this URL will be used for all SAML requests.
  • signing_certificate - (Optional) If documents or assertions from the client are signed, this certificate will be used to verify the signature.
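  • signing_private_key - (Optional) If documents or assertions from the client are signed, this private key will be used to verify the signature. (Verifying a signature needs only the public key carried in signing_certificate; this value is sensitive key material, so pass it as a secret and keep it out of source control.)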
  • idp_initiated_sso_url_name - (Optional) URL fragment name to reference client when you want to do IDP Initiated SSO.
  • idp_initiated_sso_relay_state - (Optional) Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
  • assertion_consumer_post_url - (Optional) SAML POST Binding URL for the client’s assertion consumer service (login responses).
  • assertion_consumer_redirect_url - (Optional) SAML Redirect Binding URL for the client’s assertion consumer service (login responses).
  • logout_service_post_binding_url - (Optional) SAML POST Binding URL for the client’s single logout service.
  • logout_service_redirect_binding_url - (Optional) SAML Redirect Binding URL for the client’s single logout service.
  • full_scope_allowed - (Optional) Allows all role mappings to be included in the access token.

Create a Client Resource

new Client(name: string, args: ClientArgs, opts?: CustomResourceOptions);
def Client(resource_name, opts=None, assertion_consumer_post_url=None, assertion_consumer_redirect_url=None, base_url=None, client_id=None, client_signature_required=None, description=None, enabled=None, force_name_id_format=None, force_post_binding=None, front_channel_logout=None, full_scope_allowed=None, idp_initiated_sso_relay_state=None, idp_initiated_sso_url_name=None, include_authn_statement=None, logout_service_post_binding_url=None, logout_service_redirect_binding_url=None, master_saml_processing_url=None, name=None, name_id_format=None, realm_id=None, root_url=None, sign_assertions=None, sign_documents=None, signing_certificate=None, signing_private_key=None, valid_redirect_uris=None, __props__=None);
func NewClient(ctx *Context, name string, args ClientArgs, opts ...ResourceOption) (*Client, error)
public Client(string name, ClientArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ClientArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Client Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Client resource accepts the following input properties:

ClientId string
RealmId string
AssertionConsumerPostUrl string
AssertionConsumerRedirectUrl string
BaseUrl string
ClientSignatureRequired bool
Description string
Enabled bool
ForceNameIdFormat bool
ForcePostBinding bool
FrontChannelLogout bool
FullScopeAllowed bool
IdpInitiatedSsoRelayState string
IdpInitiatedSsoUrlName string
IncludeAuthnStatement bool
LogoutServicePostBindingUrl string
LogoutServiceRedirectBindingUrl string
MasterSamlProcessingUrl string
Name string
NameIdFormat string
RootUrl string
SignAssertions bool
SignDocuments bool
SigningCertificate string
SigningPrivateKey string
ValidRedirectUris List<string>
ClientId string
RealmId string
AssertionConsumerPostUrl string
AssertionConsumerRedirectUrl string
BaseUrl string
ClientSignatureRequired bool
Description string
Enabled bool
ForceNameIdFormat bool
ForcePostBinding bool
FrontChannelLogout bool
FullScopeAllowed bool
IdpInitiatedSsoRelayState string
IdpInitiatedSsoUrlName string
IncludeAuthnStatement bool
LogoutServicePostBindingUrl string
LogoutServiceRedirectBindingUrl string
MasterSamlProcessingUrl string
Name string
NameIdFormat string
RootUrl string
SignAssertions bool
SignDocuments bool
SigningCertificate string
SigningPrivateKey string
ValidRedirectUris []string
clientId string
realmId string
assertionConsumerPostUrl string
assertionConsumerRedirectUrl string
baseUrl string
clientSignatureRequired boolean
description string
enabled boolean
forceNameIdFormat boolean
forcePostBinding boolean
frontChannelLogout boolean
fullScopeAllowed boolean
idpInitiatedSsoRelayState string
idpInitiatedSsoUrlName string
includeAuthnStatement boolean
logoutServicePostBindingUrl string
logoutServiceRedirectBindingUrl string
masterSamlProcessingUrl string
name string
nameIdFormat string
rootUrl string
signAssertions boolean
signDocuments boolean
signingCertificate string
signingPrivateKey string
validRedirectUris string[]
client_id str
realm_id str
assertion_consumer_post_url str
assertion_consumer_redirect_url str
base_url str
client_signature_required bool
description str
enabled bool
force_name_id_format bool
force_post_binding bool
front_channel_logout bool
full_scope_allowed bool
idp_initiated_sso_relay_state str
idp_initiated_sso_url_name str
include_authn_statement bool
logout_service_post_binding_url str
logout_service_redirect_binding_url str
master_saml_processing_url str
name str
name_id_format str
root_url str
sign_assertions bool
sign_documents bool
signing_certificate str
signing_private_key str
valid_redirect_uris List[str]

Outputs

All input properties are implicitly available as output properties. Additionally, the Client resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing Client Resource

Get an existing Client resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ClientState, opts?: CustomResourceOptions): Client
static get(resource_name, id, opts=None, assertion_consumer_post_url=None, assertion_consumer_redirect_url=None, base_url=None, client_id=None, client_signature_required=None, description=None, enabled=None, force_name_id_format=None, force_post_binding=None, front_channel_logout=None, full_scope_allowed=None, idp_initiated_sso_relay_state=None, idp_initiated_sso_url_name=None, include_authn_statement=None, logout_service_post_binding_url=None, logout_service_redirect_binding_url=None, master_saml_processing_url=None, name=None, name_id_format=None, realm_id=None, root_url=None, sign_assertions=None, sign_documents=None, signing_certificate=None, signing_private_key=None, valid_redirect_uris=None, __props__=None);
func GetClient(ctx *Context, name string, id IDInput, state *ClientState, opts ...ResourceOption) (*Client, error)
public static Client Get(string name, Input<string> id, ClientState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

AssertionConsumerPostUrl string
AssertionConsumerRedirectUrl string
BaseUrl string
ClientId string
ClientSignatureRequired bool
Description string
Enabled bool
ForceNameIdFormat bool
ForcePostBinding bool
FrontChannelLogout bool
FullScopeAllowed bool
IdpInitiatedSsoRelayState string
IdpInitiatedSsoUrlName string
IncludeAuthnStatement bool
LogoutServicePostBindingUrl string
LogoutServiceRedirectBindingUrl string
MasterSamlProcessingUrl string
Name string
NameIdFormat string
RealmId string
RootUrl string
SignAssertions bool
SignDocuments bool
SigningCertificate string
SigningPrivateKey string
ValidRedirectUris List<string>
AssertionConsumerPostUrl string
AssertionConsumerRedirectUrl string
BaseUrl string
ClientId string
ClientSignatureRequired bool
Description string
Enabled bool
ForceNameIdFormat bool
ForcePostBinding bool
FrontChannelLogout bool
FullScopeAllowed bool
IdpInitiatedSsoRelayState string
IdpInitiatedSsoUrlName string
IncludeAuthnStatement bool
LogoutServicePostBindingUrl string
LogoutServiceRedirectBindingUrl string
MasterSamlProcessingUrl string
Name string
NameIdFormat string
RealmId string
RootUrl string
SignAssertions bool
SignDocuments bool
SigningCertificate string
SigningPrivateKey string
ValidRedirectUris []string
assertionConsumerPostUrl string
assertionConsumerRedirectUrl string
baseUrl string
clientId string
clientSignatureRequired boolean
description string
enabled boolean
forceNameIdFormat boolean
forcePostBinding boolean
frontChannelLogout boolean
fullScopeAllowed boolean
idpInitiatedSsoRelayState string
idpInitiatedSsoUrlName string
includeAuthnStatement boolean
logoutServicePostBindingUrl string
logoutServiceRedirectBindingUrl string
masterSamlProcessingUrl string
name string
nameIdFormat string
realmId string
rootUrl string
signAssertions boolean
signDocuments boolean
signingCertificate string
signingPrivateKey string
validRedirectUris string[]
assertion_consumer_post_url str
assertion_consumer_redirect_url str
base_url str
client_id str
client_signature_required bool
description str
enabled bool
force_name_id_format bool
force_post_binding bool
front_channel_logout bool
full_scope_allowed bool
idp_initiated_sso_relay_state str
idp_initiated_sso_url_name str
include_authn_statement bool
logout_service_post_binding_url str
logout_service_redirect_binding_url str
master_saml_processing_url str
name str
name_id_format str
realm_id str
root_url str
sign_assertions bool
sign_documents bool
signing_certificate str
signing_private_key str
valid_redirect_uris List[str]

Package Details

Repository
https://github.com/pulumi/pulumi-keycloak
License
Apache-2.0
Notes
This Pulumi package is based on the keycloak Terraform Provider.