IdentityProvider
# keycloak.saml.IdentityProvider
Allows to create and manage SAML Identity Providers within Keycloak.
SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realmIdentityProvider = new keycloak.saml.IdentityProvider("realm_identity_provider", {
alias: "my-idp",
backchannelSupported: true,
forceAuthn: true,
postBindingAuthnRequest: true,
postBindingLogout: true,
postBindingResponse: true,
realm: "my-realm",
singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
storeToken: false,
trustEmail: true,
});import pulumi
import pulumi_keycloak as keycloak
realm_identity_provider = keycloak.saml.IdentityProvider("realmIdentityProvider",
alias="my-idp",
backchannel_supported=True,
force_authn=True,
post_binding_authn_request=True,
post_binding_logout=True,
post_binding_response=True,
realm="my-realm",
single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0",
single_sign_on_service_url="https://domain.com/adfs/ls/",
store_token=False,
trust_email=True)using Pulumi;
using Keycloak = Pulumi.Keycloak;
class MyStack : Stack
{
public MyStack()
{
var realmIdentityProvider = new Keycloak.Saml.IdentityProvider("realmIdentityProvider", new Keycloak.Saml.IdentityProviderArgs
{
Alias = "my-idp",
BackchannelSupported = true,
ForceAuthn = true,
PostBindingAuthnRequest = true,
PostBindingLogout = true,
PostBindingResponse = true,
Realm = "my-realm",
SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
StoreToken = false,
TrustEmail = true,
});
}
}
Argument Reference
The following arguments are supported:
realm- (Required) The name of the realm. This is unique across Keycloak.alias- (Optional) The uniq name of identity provider.enabled- (Optional) When false, users and clients will not be able to access this realm. Defaults totrue.display_name- (Optional) The display name for the realm that is shown when logging in to the admin console.store_token- (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults totrue.add_read_token_role_on_create- (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults tofalse.trust_email- (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults tofalse.link_only- (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider. Defaults tofalse.hide_on_login_page- (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the ‘kc_idp_hint’ parameter.first_broker_login_flow_alias- (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults tofirst broker login.post_broker_login_flow_alias- (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.authenticate_by_default- (Optional) Authenticate users by default. Defaults tofalse.
SAML Configuration
single_sign_on_service_url- (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest).single_logout_service_url- (Optional) The Url that must be used to send logout requests.backchannel_supported- (Optional) Does the external IDP support back-channel logout ?.name_id_policy_format- (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.post_binding_response- (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..post_binding_authn_request- (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.post_binding_logout- (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.want_assertions_signed- (Optional) Indicates whether this service provider expects a signed Assertion.want_assertions_encrypted- (Optional) Indicates whether this service provider expects an encrypted Assertion.force_authn- (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.validate_signature- (Optional) Enable/disable signature validation of SAML responses.signing_certificate- (Optional) Signing Certificate.signature_algorithm- (Optional) Signing Algorithm. Defaults to empty.xml_sign_key_info_key_name_transformer- (Optional) Sign Key Transformer. Defaults to empty.
Create a IdentityProvider Resource
new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);def IdentityProvider(resource_name, opts=None, add_read_token_role_on_create=None, alias=None, authenticate_by_default=None, backchannel_supported=None, display_name=None, enabled=None, first_broker_login_flow_alias=None, force_authn=None, hide_on_login_page=None, link_only=None, name_id_policy_format=None, post_binding_authn_request=None, post_binding_logout=None, post_binding_response=None, post_broker_login_flow_alias=None, realm=None, signature_algorithm=None, signing_certificate=None, single_logout_service_url=None, single_sign_on_service_url=None, store_token=None, trust_email=None, validate_signature=None, want_assertions_encrypted=None, want_assertions_signed=None, xml_sign_key_info_key_name_transformer=None, __props__=None);func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- opts ResourceOptions
- A bag of options that control this resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args IdentityProviderArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
IdentityProvider Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.
Inputs
The IdentityProvider resource accepts the following input properties:
- Alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Realm string
Realm Name
- Single
Sign stringOn Service Url SSO Logout URL.
- Add
Read boolToken Role On Create Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Authenticate
By boolDefault Enable/disable authenticate users by default.
- Backchannel
Supported bool Does the external IDP support backchannel logout?
- Display
Name string Friendly name for Identity Providers.
- Enabled bool
Enable/disable this identity provider.
- First
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- Force
Authn bool Require Force Authn.
- Hide
On boolLogin Page Hide On Login Page.
- Link
Only bool If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider
- Name
Id stringPolicy Format Name ID Policy Format.
- Post
Binding boolAuthn Request Post Binding Authn Request.
- Post
Binding boolLogout Post Binding Logout.
- Post
Binding boolResponse Post Binding Response.
- Post
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Signature
Algorithm string Signing Algorithm.
- Signing
Certificate string Signing Certificate.
- Single
Logout stringService Url Logout URL.
- Store
Token bool Enable/disable if tokens must be stored after authenticating users.
- Trust
Email bool If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- Validate
Signature bool Enable/disable signature validation of SAML responses.
- Want
Assertions boolEncrypted Want Assertions Encrypted.
- Want
Assertions boolSigned Want Assertions Signed.
- Xml
Sign stringKey Info Key Name Transformer Sign Key Transformer.
- Alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Realm string
Realm Name
- Single
Sign stringOn Service Url SSO Logout URL.
- Add
Read boolToken Role On Create Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Authenticate
By boolDefault Enable/disable authenticate users by default.
- Backchannel
Supported bool Does the external IDP support backchannel logout?
- Display
Name string Friendly name for Identity Providers.
- Enabled bool
Enable/disable this identity provider.
- First
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- Force
Authn bool Require Force Authn.
- Hide
On boolLogin Page Hide On Login Page.
- Link
Only bool If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider
- Name
Id stringPolicy Format Name ID Policy Format.
- Post
Binding boolAuthn Request Post Binding Authn Request.
- Post
Binding boolLogout Post Binding Logout.
- Post
Binding boolResponse Post Binding Response.
- Post
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Signature
Algorithm string Signing Algorithm.
- Signing
Certificate string Signing Certificate.
- Single
Logout stringService Url Logout URL.
- Store
Token bool Enable/disable if tokens must be stored after authenticating users.
- Trust
Email bool If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- Validate
Signature bool Enable/disable signature validation of SAML responses.
- Want
Assertions boolEncrypted Want Assertions Encrypted.
- Want
Assertions boolSigned Want Assertions Signed.
- Xml
Sign stringKey Info Key Name Transformer Sign Key Transformer.
- alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- realm string
Realm Name
- single
Sign stringOn Service Url SSO Logout URL.
- add
Read booleanToken Role On Create Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate
By booleanDefault Enable/disable authenticate users by default.
- backchannel
Supported boolean Does the external IDP support backchannel logout?
- display
Name string Friendly name for Identity Providers.
- enabled boolean
Enable/disable this identity provider.
- first
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force
Authn boolean Require Force Authn.
- hide
On booleanLogin Page Hide On Login Page.
- link
Only boolean If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider
- name
Id stringPolicy Format Name ID Policy Format.
- post
Binding booleanAuthn Request Post Binding Authn Request.
- post
Binding booleanLogout Post Binding Logout.
- post
Binding booleanResponse Post Binding Response.
- post
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- signature
Algorithm string Signing Algorithm.
- signing
Certificate string Signing Certificate.
- single
Logout stringService Url Logout URL.
- store
Token boolean Enable/disable if tokens must be stored after authenticating users.
- trust
Email boolean If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate
Signature boolean Enable/disable signature validation of SAML responses.
- want
Assertions booleanEncrypted Want Assertions Encrypted.
- want
Assertions booleanSigned Want Assertions Signed.
- xml
Sign stringKey Info Key Name Transformer Sign Key Transformer.
- alias str
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- realm str
Realm Name
- single_
sign_ stron_ service_ url SSO Logout URL.
- add_
read_ booltoken_ role_ on_ create Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- authenticate_
by_ booldefault Enable/disable authenticate users by default.
- backchannel_
supported bool Does the external IDP support backchannel logout?
- display_
name str Friendly name for Identity Providers.
- enabled bool
Enable/disable this identity provider.
- first_
broker_ strlogin_ flow_ alias Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force_
authn bool Require Force Authn.
- hide_
on_ boollogin_ page Hide On Login Page.
- link_
only bool If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider
- name_
id_ strpolicy_ format Name ID Policy Format.
- post_
binding_ boolauthn_ request Post Binding Authn Request.
- post_
binding_ boollogout Post Binding Logout.
- post_
binding_ boolresponse Post Binding Response.
- post_
broker_ strlogin_ flow_ alias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- signature_
algorithm str Signing Algorithm.
- signing_
certificate str Signing Certificate.
- single_
logout_ strservice_ url Logout URL.
- store_
token bool Enable/disable if tokens must be stored after authenticating users.
- trust_
email bool If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate_
signature bool Enable/disable signature validation of SAML responses.
- want_
assertions_ boolencrypted Want Assertions Encrypted.
- want_
assertions_ boolsigned Want Assertions Signed.
- xml_
sign_ strkey_ info_ key_ name_ transformer Sign Key Transformer.
Outputs
All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string Internal Identity Provider Id
- Id string
- The provider-assigned unique ID for this managed resource.
- Internal
Id string Internal Identity Provider Id
- id string
- The provider-assigned unique ID for this managed resource.
- internal
Id string Internal Identity Provider Id
- id str
- The provider-assigned unique ID for this managed resource.
- internal_
id str Internal Identity Provider Id
Look up an Existing IdentityProvider Resource
Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProviderstatic get(resource_name, id, opts=None, add_read_token_role_on_create=None, alias=None, authenticate_by_default=None, backchannel_supported=None, display_name=None, enabled=None, first_broker_login_flow_alias=None, force_authn=None, hide_on_login_page=None, internal_id=None, link_only=None, name_id_policy_format=None, post_binding_authn_request=None, post_binding_logout=None, post_binding_response=None, post_broker_login_flow_alias=None, realm=None, signature_algorithm=None, signing_certificate=None, single_logout_service_url=None, single_sign_on_service_url=None, store_token=None, trust_email=None, validate_signature=None, want_assertions_encrypted=None, want_assertions_signed=None, xml_sign_key_info_key_name_transformer=None, __props__=None);func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Add
Read boolToken Role On Create Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Authenticate
By boolDefault Enable/disable authenticate users by default.
- Backchannel
Supported bool Does the external IDP support backchannel logout?
- Display
Name string Friendly name for Identity Providers.
- Enabled bool
Enable/disable this identity provider.
- First
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- Force
Authn bool Require Force Authn.
- Hide
On boolLogin Page Hide On Login Page.
- Internal
Id string Internal Identity Provider Id
- Link
Only bool If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider
- Name
Id stringPolicy Format Name ID Policy Format.
- Post
Binding boolAuthn Request Post Binding Authn Request.
- Post
Binding boolLogout Post Binding Logout.
- Post
Binding boolResponse Post Binding Response.
- Post
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Realm string
Realm Name
- Signature
Algorithm string Signing Algorithm.
- Signing
Certificate string Signing Certificate.
- Single
Logout stringService Url Logout URL.
- Single
Sign stringOn Service Url SSO Logout URL.
- Store
Token bool Enable/disable if tokens must be stored after authenticating users.
- Trust
Email bool If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- Validate
Signature bool Enable/disable signature validation of SAML responses.
- Want
Assertions boolEncrypted Want Assertions Encrypted.
- Want
Assertions boolSigned Want Assertions Signed.
- Xml
Sign stringKey Info Key Name Transformer Sign Key Transformer.
- Add
Read boolToken Role On Create Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- Alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- Authenticate
By boolDefault Enable/disable authenticate users by default.
- Backchannel
Supported bool Does the external IDP support backchannel logout?
- Display
Name string Friendly name for Identity Providers.
- Enabled bool
Enable/disable this identity provider.
- First
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- Force
Authn bool Require Force Authn.
- Hide
On boolLogin Page Hide On Login Page.
- Internal
Id string Internal Identity Provider Id
- Link
Only bool If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider
- Name
Id stringPolicy Format Name ID Policy Format.
- Post
Binding boolAuthn Request Post Binding Authn Request.
- Post
Binding boolLogout Post Binding Logout.
- Post
Binding boolResponse Post Binding Response.
- Post
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- Realm string
Realm Name
- Signature
Algorithm string Signing Algorithm.
- Signing
Certificate string Signing Certificate.
- Single
Logout stringService Url Logout URL.
- Single
Sign stringOn Service Url SSO Logout URL.
- Store
Token bool Enable/disable if tokens must be stored after authenticating users.
- Trust
Email bool If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- Validate
Signature bool Enable/disable signature validation of SAML responses.
- Want
Assertions boolEncrypted Want Assertions Encrypted.
- Want
Assertions boolSigned Want Assertions Signed.
- Xml
Sign stringKey Info Key Name Transformer Sign Key Transformer.
- add
Read booleanToken Role On Create Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- alias string
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate
By booleanDefault Enable/disable authenticate users by default.
- backchannel
Supported boolean Does the external IDP support backchannel logout?
- display
Name string Friendly name for Identity Providers.
- enabled boolean
Enable/disable this identity provider.
- first
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force
Authn boolean Require Force Authn.
- hide
On booleanLogin Page Hide On Login Page.
- internal
Id string Internal Identity Provider Id
- link
Only boolean If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider
- name
Id stringPolicy Format Name ID Policy Format.
- post
Binding booleanAuthn Request Post Binding Authn Request.
- post
Binding booleanLogout Post Binding Logout.
- post
Binding booleanResponse Post Binding Response.
- post
Broker stringLogin Flow Alias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- realm string
Realm Name
- signature
Algorithm string Signing Algorithm.
- signing
Certificate string Signing Certificate.
- single
Logout stringService Url Logout URL.
- single
Sign stringOn Service Url SSO Logout URL.
- store
Token boolean Enable/disable if tokens must be stored after authenticating users.
- trust
Email boolean If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate
Signature boolean Enable/disable signature validation of SAML responses.
- want
Assertions booleanEncrypted Want Assertions Encrypted.
- want
Assertions booleanSigned Want Assertions Signed.
- xml
Sign stringKey Info Key Name Transformer Sign Key Transformer.
- add_
read_ booltoken_ role_ on_ create Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
- alias str
The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
- authenticate_
by_ booldefault Enable/disable authenticate users by default.
- backchannel_
supported bool Does the external IDP support backchannel logout?
- display_
name str Friendly name for Identity Providers.
- enabled bool
Enable/disable this identity provider.
- first_
broker_ strlogin_ flow_ alias Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
- force_
authn bool Require Force Authn.
- hide_
on_ boollogin_ page Hide On Login Page.
- internal_
id str Internal Identity Provider Id
- link_
only bool If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider
- name_
id_ strpolicy_ format Name ID Policy Format.
- post_
binding_ boolauthn_ request Post Binding Authn Request.
- post_
binding_ boollogout Post Binding Logout.
- post_
binding_ boolresponse Post Binding Response.
- post_
broker_ strlogin_ flow_ alias Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
- realm str
Realm Name
- signature_
algorithm str Signing Algorithm.
- signing_
certificate str Signing Certificate.
- single_
logout_ strservice_ url Logout URL.
- single_
sign_ stron_ service_ url SSO Logout URL.
- store_
token bool Enable/disable if tokens must be stored after authenticating users.
- trust_
email bool If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
- validate_
signature bool Enable/disable signature validation of SAML responses.
- want_
assertions_ boolencrypted Want Assertions Encrypted.
- want_
assertions_ boolsigned Want Assertions Signed.
- xml_
sign_ strkey_ info_ key_ name_ transformer Sign Key Transformer.
Package Details
- Repository
- https://github.com/pulumi/pulumi-keycloak
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
keycloakTerraform Provider.