Keycloak v5.3.2, May 10 24

Keycloak v5.3.2 published on Friday, May 10, 2024 by Pulumi

keycloak.saml.IdentityProvider

Explore with Pulumi AI

Keycloak v5.3.2 published on Friday, May 10, 2024 by Pulumi

pulumi/pulumi-keycloak

# keycloak.saml.IdentityProvider

Allows to create and manage SAML Identity Providers within Keycloak.

SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realmIdentityProvider = new keycloak.saml.IdentityProvider("realm_identity_provider", {
    realm: "my-realm",
    alias: "my-idp",
    singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
    singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
    backchannelSupported: true,
    postBindingResponse: true,
    postBindingLogout: true,
    postBindingAuthnRequest: true,
    storeToken: false,
    trustEmail: true,
    forceAuthn: true,
});

import pulumi
import pulumi_keycloak as keycloak

realm_identity_provider = keycloak.saml.IdentityProvider("realm_identity_provider",
    realm="my-realm",
    alias="my-idp",
    single_sign_on_service_url="https://domain.com/adfs/ls/",
    single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0",
    backchannel_supported=True,
    post_binding_response=True,
    post_binding_logout=True,
    post_binding_authn_request=True,
    store_token=False,
    trust_email=True,
    force_authn=True)

package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := saml.NewIdentityProvider(ctx, "realm_identity_provider", &saml.IdentityProviderArgs{
			Realm:                   pulumi.String("my-realm"),
			Alias:                   pulumi.String("my-idp"),
			SingleSignOnServiceUrl:  pulumi.String("https://domain.com/adfs/ls/"),
			SingleLogoutServiceUrl:  pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
			BackchannelSupported:    pulumi.Bool(true),
			PostBindingResponse:     pulumi.Bool(true),
			PostBindingLogout:       pulumi.Bool(true),
			PostBindingAuthnRequest: pulumi.Bool(true),
			StoreToken:              pulumi.Bool(false),
			TrustEmail:              pulumi.Bool(true),
			ForceAuthn:              pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realmIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_identity_provider", new()
    {
        Realm = "my-realm",
        Alias = "my-idp",
        SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
        SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
        BackchannelSupported = true,
        PostBindingResponse = true,
        PostBindingLogout = true,
        PostBindingAuthnRequest = true,
        StoreToken = false,
        TrustEmail = true,
        ForceAuthn = true,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.saml.IdentityProvider;
import com.pulumi.keycloak.saml.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", IdentityProviderArgs.builder()        
            .realm("my-realm")
            .alias("my-idp")
            .singleSignOnServiceUrl("https://domain.com/adfs/ls/")
            .singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
            .backchannelSupported(true)
            .postBindingResponse(true)
            .postBindingLogout(true)
            .postBindingAuthnRequest(true)
            .storeToken(false)
            .trustEmail(true)
            .forceAuthn(true)
            .build());

    }
}

resources:
  realmIdentityProvider:
    type: keycloak:saml:IdentityProvider
    name: realm_identity_provider
    properties:
      realm: my-realm
      alias: my-idp
      singleSignOnServiceUrl: https://domain.com/adfs/ls/
      singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0
      backchannelSupported: true
      postBindingResponse: true
      postBindingLogout: true
      postBindingAuthnRequest: true
      storeToken: false
      trustEmail: true
      forceAuthn: true

Argument Reference

The following arguments are supported:

realm - (Required) The name of the realm. This is unique across Keycloak.
alias - (Optional) The uniq name of identity provider.
enabled - (Optional) When false, users and clients will not be able to access this realm. Defaults to true.
display_name - (Optional) The display name for the realm that is shown when logging in to the admin console.
store_token - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to true.
add_read_token_role_on_create - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to false.
trust_email - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to false.
link_only - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don’t want to allow login from the provider, but want to integrate with a provider. Defaults to false.
hide_on_login_page - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the ‘kc_idp_hint’ parameter.
first_broker_login_flow_alias - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term ‘First Login’ means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
post_broker_login_flow_alias - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don’t want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
authenticate_by_default - (Optional) Authenticate users by default. Defaults to false.

SAML Configuration

single_sign_on_service_url - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest).
single_logout_service_url - (Optional) The Url that must be used to send logout requests.
backchannel_supported - (Optional) Does the external IDP support back-channel logout ?.
name_id_policy_format - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
post_binding_response - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..
post_binding_authn_request - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
post_binding_logout - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
want_assertions_signed - (Optional) Indicates whether this service provider expects a signed Assertion.
want_assertions_encrypted - (Optional) Indicates whether this service provider expects an encrypted Assertion.
force_authn - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
validate_signature - (Optional) Enable/disable signature validation of SAML responses.
signing_certificate - (Optional) Signing Certificate.
signature_algorithm - (Optional) Signing Algorithm. Defaults to empty.
xml_sign_key_info_key_name_transformer - (Optional) Sign Key Transformer. Defaults to empty.

Import

Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias.

Example:

$ terraform import keycloak_saml_identity_provider.realm_identity_provider my-realm/my-idp

Create IdentityProvider Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);

@overload
def IdentityProvider(resource_name: str,
                     args: IdentityProviderArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def IdentityProvider(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     entity_id: Optional[str] = None,
                     alias: Optional[str] = None,
                     single_sign_on_service_url: Optional[str] = None,
                     realm: Optional[str] = None,
                     post_binding_authn_request: Optional[bool] = None,
                     post_broker_login_flow_alias: Optional[str] = None,
                     backchannel_supported: Optional[bool] = None,
                     display_name: Optional[str] = None,
                     enabled: Optional[bool] = None,
                     authn_context_comparison_type: Optional[str] = None,
                     extra_config: Optional[Mapping[str, Any]] = None,
                     first_broker_login_flow_alias: Optional[str] = None,
                     force_authn: Optional[bool] = None,
                     gui_order: Optional[str] = None,
                     hide_on_login_page: Optional[bool] = None,
                     link_only: Optional[bool] = None,
                     login_hint: Optional[str] = None,
                     name_id_policy_format: Optional[str] = None,
                     add_read_token_role_on_create: Optional[bool] = None,
                     post_binding_logout: Optional[bool] = None,
                     post_binding_response: Optional[bool] = None,
                     authn_context_decl_refs: Optional[Sequence[str]] = None,
                     principal_attribute: Optional[str] = None,
                     principal_type: Optional[str] = None,
                     provider_id: Optional[str] = None,
                     authn_context_class_refs: Optional[Sequence[str]] = None,
                     signature_algorithm: Optional[str] = None,
                     signing_certificate: Optional[str] = None,
                     single_logout_service_url: Optional[str] = None,
                     authenticate_by_default: Optional[bool] = None,
                     store_token: Optional[bool] = None,
                     sync_mode: Optional[str] = None,
                     trust_email: Optional[bool] = None,
                     validate_signature: Optional[bool] = None,
                     want_assertions_encrypted: Optional[bool] = None,
                     want_assertions_signed: Optional[bool] = None,
                     xml_sign_key_info_key_name_transformer: Optional[str] = None)

func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)

public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)

public IdentityProvider(String name, IdentityProviderArgs args)
public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)

type: keycloak:saml:IdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args IdentityProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args IdentityProviderArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args IdentityProviderArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args IdentityProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args IdentityProviderArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var keycloakIdentityProviderResource = new Keycloak.Saml.IdentityProvider("keycloakIdentityProviderResource", new()
{
    EntityId = "string",
    Alias = "string",
    SingleSignOnServiceUrl = "string",
    Realm = "string",
    PostBindingAuthnRequest = false,
    PostBrokerLoginFlowAlias = "string",
    BackchannelSupported = false,
    DisplayName = "string",
    Enabled = false,
    AuthnContextComparisonType = "string",
    ExtraConfig = 
    {
        { "string", "any" },
    },
    FirstBrokerLoginFlowAlias = "string",
    ForceAuthn = false,
    GuiOrder = "string",
    HideOnLoginPage = false,
    LinkOnly = false,
    LoginHint = "string",
    NameIdPolicyFormat = "string",
    AddReadTokenRoleOnCreate = false,
    PostBindingLogout = false,
    PostBindingResponse = false,
    AuthnContextDeclRefs = new[]
    {
        "string",
    },
    PrincipalAttribute = "string",
    PrincipalType = "string",
    ProviderId = "string",
    AuthnContextClassRefs = new[]
    {
        "string",
    },
    SignatureAlgorithm = "string",
    SigningCertificate = "string",
    SingleLogoutServiceUrl = "string",
    AuthenticateByDefault = false,
    StoreToken = false,
    SyncMode = "string",
    TrustEmail = false,
    ValidateSignature = false,
    WantAssertionsEncrypted = false,
    WantAssertionsSigned = false,
    XmlSignKeyInfoKeyNameTransformer = "string",
});

example, err := saml.NewIdentityProvider(ctx, "keycloakIdentityProviderResource", &saml.IdentityProviderArgs{
	EntityId:                   pulumi.String("string"),
	Alias:                      pulumi.String("string"),
	SingleSignOnServiceUrl:     pulumi.String("string"),
	Realm:                      pulumi.String("string"),
	PostBindingAuthnRequest:    pulumi.Bool(false),
	PostBrokerLoginFlowAlias:   pulumi.String("string"),
	BackchannelSupported:       pulumi.Bool(false),
	DisplayName:                pulumi.String("string"),
	Enabled:                    pulumi.Bool(false),
	AuthnContextComparisonType: pulumi.String("string"),
	ExtraConfig: pulumi.Map{
		"string": pulumi.Any("any"),
	},
	FirstBrokerLoginFlowAlias: pulumi.String("string"),
	ForceAuthn:                pulumi.Bool(false),
	GuiOrder:                  pulumi.String("string"),
	HideOnLoginPage:           pulumi.Bool(false),
	LinkOnly:                  pulumi.Bool(false),
	LoginHint:                 pulumi.String("string"),
	NameIdPolicyFormat:        pulumi.String("string"),
	AddReadTokenRoleOnCreate:  pulumi.Bool(false),
	PostBindingLogout:         pulumi.Bool(false),
	PostBindingResponse:       pulumi.Bool(false),
	AuthnContextDeclRefs: pulumi.StringArray{
		pulumi.String("string"),
	},
	PrincipalAttribute: pulumi.String("string"),
	PrincipalType:      pulumi.String("string"),
	ProviderId:         pulumi.String("string"),
	AuthnContextClassRefs: pulumi.StringArray{
		pulumi.String("string"),
	},
	SignatureAlgorithm:               pulumi.String("string"),
	SigningCertificate:               pulumi.String("string"),
	SingleLogoutServiceUrl:           pulumi.String("string"),
	AuthenticateByDefault:            pulumi.Bool(false),
	StoreToken:                       pulumi.Bool(false),
	SyncMode:                         pulumi.String("string"),
	TrustEmail:                       pulumi.Bool(false),
	ValidateSignature:                pulumi.Bool(false),
	WantAssertionsEncrypted:          pulumi.Bool(false),
	WantAssertionsSigned:             pulumi.Bool(false),
	XmlSignKeyInfoKeyNameTransformer: pulumi.String("string"),
})

var keycloakIdentityProviderResource = new IdentityProvider("keycloakIdentityProviderResource", IdentityProviderArgs.builder()
    .entityId("string")
    .alias("string")
    .singleSignOnServiceUrl("string")
    .realm("string")
    .postBindingAuthnRequest(false)
    .postBrokerLoginFlowAlias("string")
    .backchannelSupported(false)
    .displayName("string")
    .enabled(false)
    .authnContextComparisonType("string")
    .extraConfig(Map.of("string", "any"))
    .firstBrokerLoginFlowAlias("string")
    .forceAuthn(false)
    .guiOrder("string")
    .hideOnLoginPage(false)
    .linkOnly(false)
    .loginHint("string")
    .nameIdPolicyFormat("string")
    .addReadTokenRoleOnCreate(false)
    .postBindingLogout(false)
    .postBindingResponse(false)
    .authnContextDeclRefs("string")
    .principalAttribute("string")
    .principalType("string")
    .providerId("string")
    .authnContextClassRefs("string")
    .signatureAlgorithm("string")
    .signingCertificate("string")
    .singleLogoutServiceUrl("string")
    .authenticateByDefault(false)
    .storeToken(false)
    .syncMode("string")
    .trustEmail(false)
    .validateSignature(false)
    .wantAssertionsEncrypted(false)
    .wantAssertionsSigned(false)
    .xmlSignKeyInfoKeyNameTransformer("string")
    .build());

keycloak_identity_provider_resource = keycloak.saml.IdentityProvider("keycloakIdentityProviderResource",
    entity_id="string",
    alias="string",
    single_sign_on_service_url="string",
    realm="string",
    post_binding_authn_request=False,
    post_broker_login_flow_alias="string",
    backchannel_supported=False,
    display_name="string",
    enabled=False,
    authn_context_comparison_type="string",
    extra_config={
        "string": "any",
    },
    first_broker_login_flow_alias="string",
    force_authn=False,
    gui_order="string",
    hide_on_login_page=False,
    link_only=False,
    login_hint="string",
    name_id_policy_format="string",
    add_read_token_role_on_create=False,
    post_binding_logout=False,
    post_binding_response=False,
    authn_context_decl_refs=["string"],
    principal_attribute="string",
    principal_type="string",
    provider_id="string",
    authn_context_class_refs=["string"],
    signature_algorithm="string",
    signing_certificate="string",
    single_logout_service_url="string",
    authenticate_by_default=False,
    store_token=False,
    sync_mode="string",
    trust_email=False,
    validate_signature=False,
    want_assertions_encrypted=False,
    want_assertions_signed=False,
    xml_sign_key_info_key_name_transformer="string")

const keycloakIdentityProviderResource = new keycloak.saml.IdentityProvider("keycloakIdentityProviderResource", {
    entityId: "string",
    alias: "string",
    singleSignOnServiceUrl: "string",
    realm: "string",
    postBindingAuthnRequest: false,
    postBrokerLoginFlowAlias: "string",
    backchannelSupported: false,
    displayName: "string",
    enabled: false,
    authnContextComparisonType: "string",
    extraConfig: {
        string: "any",
    },
    firstBrokerLoginFlowAlias: "string",
    forceAuthn: false,
    guiOrder: "string",
    hideOnLoginPage: false,
    linkOnly: false,
    loginHint: "string",
    nameIdPolicyFormat: "string",
    addReadTokenRoleOnCreate: false,
    postBindingLogout: false,
    postBindingResponse: false,
    authnContextDeclRefs: ["string"],
    principalAttribute: "string",
    principalType: "string",
    providerId: "string",
    authnContextClassRefs: ["string"],
    signatureAlgorithm: "string",
    signingCertificate: "string",
    singleLogoutServiceUrl: "string",
    authenticateByDefault: false,
    storeToken: false,
    syncMode: "string",
    trustEmail: false,
    validateSignature: false,
    wantAssertionsEncrypted: false,
    wantAssertionsSigned: false,
    xmlSignKeyInfoKeyNameTransformer: "string",
});

type: keycloak:saml:IdentityProvider
properties:
    addReadTokenRoleOnCreate: false
    alias: string
    authenticateByDefault: false
    authnContextClassRefs:
        - string
    authnContextComparisonType: string
    authnContextDeclRefs:
        - string
    backchannelSupported: false
    displayName: string
    enabled: false
    entityId: string
    extraConfig:
        string: any
    firstBrokerLoginFlowAlias: string
    forceAuthn: false
    guiOrder: string
    hideOnLoginPage: false
    linkOnly: false
    loginHint: string
    nameIdPolicyFormat: string
    postBindingAuthnRequest: false
    postBindingLogout: false
    postBindingResponse: false
    postBrokerLoginFlowAlias: string
    principalAttribute: string
    principalType: string
    providerId: string
    realm: string
    signatureAlgorithm: string
    signingCertificate: string
    singleLogoutServiceUrl: string
    singleSignOnServiceUrl: string
    storeToken: false
    syncMode: string
    trustEmail: false
    validateSignature: false
    wantAssertionsEncrypted: false
    wantAssertionsSigned: false
    xmlSignKeyInfoKeyNameTransformer: string

IdentityProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The IdentityProvider resource accepts the following input properties:

Alias string: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
EntityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
Realm string: Realm Name
SingleSignOnServiceUrl string: SSO Logout URL.
AddReadTokenRoleOnCreate bool: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
AuthenticateByDefault bool: Enable/disable authenticate users by default.
AuthnContextClassRefs List<string>: AuthnContext ClassRefs
AuthnContextComparisonType string: AuthnContext Comparison
AuthnContextDeclRefs List<string>: AuthnContext DeclRefs
BackchannelSupported bool: Does the external IDP support backchannel logout?
DisplayName string: Friendly name for Identity Providers.
Enabled bool: Enable/disable this identity provider.
ExtraConfig Dictionary<string, object>
FirstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
ForceAuthn bool: Require Force Authn.
GuiOrder string: GUI Order
HideOnLoginPage bool: Hide On Login Page.
LinkOnly bool: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
LoginHint string: Login Hint.
NameIdPolicyFormat string: Name ID Policy Format.
PostBindingAuthnRequest bool: Post Binding Authn Request.
PostBindingLogout bool: Post Binding Logout.
PostBindingResponse bool: Post Binding Response.
PostBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
PrincipalAttribute string: Principal Attribute
PrincipalType string: Principal Type
ProviderId string: provider id, is always saml, unless you have a custom implementation
SignatureAlgorithm string: Signing Algorithm.
SigningCertificate string: Signing Certificate.
SingleLogoutServiceUrl string: Logout URL.
StoreToken bool: Enable/disable if tokens must be stored after authenticating users.
SyncMode string: Sync Mode
TrustEmail bool: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
ValidateSignature bool: Enable/disable signature validation of SAML responses.
WantAssertionsEncrypted bool: Want Assertions Encrypted.
WantAssertionsSigned bool: Want Assertions Signed.
XmlSignKeyInfoKeyNameTransformer string: Sign Key Transformer.

Alias string: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
EntityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
Realm string: Realm Name
SingleSignOnServiceUrl string: SSO Logout URL.
AddReadTokenRoleOnCreate bool: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
AuthenticateByDefault bool: Enable/disable authenticate users by default.
AuthnContextClassRefs []string: AuthnContext ClassRefs
AuthnContextComparisonType string: AuthnContext Comparison
AuthnContextDeclRefs []string: AuthnContext DeclRefs
BackchannelSupported bool: Does the external IDP support backchannel logout?
DisplayName string: Friendly name for Identity Providers.
Enabled bool: Enable/disable this identity provider.
ExtraConfig map[string]interface{}
FirstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
ForceAuthn bool: Require Force Authn.
GuiOrder string: GUI Order
HideOnLoginPage bool: Hide On Login Page.
LinkOnly bool: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
LoginHint string: Login Hint.
NameIdPolicyFormat string: Name ID Policy Format.
PostBindingAuthnRequest bool: Post Binding Authn Request.
PostBindingLogout bool: Post Binding Logout.
PostBindingResponse bool: Post Binding Response.
PostBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
PrincipalAttribute string: Principal Attribute
PrincipalType string: Principal Type
ProviderId string: provider id, is always saml, unless you have a custom implementation
SignatureAlgorithm string: Signing Algorithm.
SigningCertificate string: Signing Certificate.
SingleLogoutServiceUrl string: Logout URL.
StoreToken bool: Enable/disable if tokens must be stored after authenticating users.
SyncMode string: Sync Mode
TrustEmail bool: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
ValidateSignature bool: Enable/disable signature validation of SAML responses.
WantAssertionsEncrypted bool: Want Assertions Encrypted.
WantAssertionsSigned bool: Want Assertions Signed.
XmlSignKeyInfoKeyNameTransformer string: Sign Key Transformer.

alias String: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
entityId String: The Entity ID that will be used to uniquely identify this SAML Service Provider.
realm String: Realm Name
singleSignOnServiceUrl String: SSO Logout URL.
addReadTokenRoleOnCreate Boolean: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
authenticateByDefault Boolean: Enable/disable authenticate users by default.
authnContextClassRefs List<String>: AuthnContext ClassRefs
authnContextComparisonType String: AuthnContext Comparison
authnContextDeclRefs List<String>: AuthnContext DeclRefs
backchannelSupported Boolean: Does the external IDP support backchannel logout?
displayName String: Friendly name for Identity Providers.
enabled Boolean: Enable/disable this identity provider.
extraConfig Map<String,Object>
firstBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
forceAuthn Boolean: Require Force Authn.
guiOrder String: GUI Order
hideOnLoginPage Boolean: Hide On Login Page.
linkOnly Boolean: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
loginHint String: Login Hint.
nameIdPolicyFormat String: Name ID Policy Format.
postBindingAuthnRequest Boolean: Post Binding Authn Request.
postBindingLogout Boolean: Post Binding Logout.
postBindingResponse Boolean: Post Binding Response.
postBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
principalAttribute String: Principal Attribute
principalType String: Principal Type
providerId String: provider id, is always saml, unless you have a custom implementation
signatureAlgorithm String: Signing Algorithm.
signingCertificate String: Signing Certificate.
singleLogoutServiceUrl String: Logout URL.
storeToken Boolean: Enable/disable if tokens must be stored after authenticating users.
syncMode String: Sync Mode
trustEmail Boolean: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
validateSignature Boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted Boolean: Want Assertions Encrypted.
wantAssertionsSigned Boolean: Want Assertions Signed.
xmlSignKeyInfoKeyNameTransformer String: Sign Key Transformer.

alias string: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
entityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
realm string: Realm Name
singleSignOnServiceUrl string: SSO Logout URL.
addReadTokenRoleOnCreate boolean: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
authenticateByDefault boolean: Enable/disable authenticate users by default.
authnContextClassRefs string[]: AuthnContext ClassRefs
authnContextComparisonType string: AuthnContext Comparison
authnContextDeclRefs string[]: AuthnContext DeclRefs
backchannelSupported boolean: Does the external IDP support backchannel logout?
displayName string: Friendly name for Identity Providers.
enabled boolean: Enable/disable this identity provider.
extraConfig {[key: string]: any}
firstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
forceAuthn boolean: Require Force Authn.
guiOrder string: GUI Order
hideOnLoginPage boolean: Hide On Login Page.
linkOnly boolean: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
loginHint string: Login Hint.
nameIdPolicyFormat string: Name ID Policy Format.
postBindingAuthnRequest boolean: Post Binding Authn Request.
postBindingLogout boolean: Post Binding Logout.
postBindingResponse boolean: Post Binding Response.
postBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
principalAttribute string: Principal Attribute
principalType string: Principal Type
providerId string: provider id, is always saml, unless you have a custom implementation
signatureAlgorithm string: Signing Algorithm.
signingCertificate string: Signing Certificate.
singleLogoutServiceUrl string: Logout URL.
storeToken boolean: Enable/disable if tokens must be stored after authenticating users.
syncMode string: Sync Mode
trustEmail boolean: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
validateSignature boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted boolean: Want Assertions Encrypted.
wantAssertionsSigned boolean: Want Assertions Signed.
xmlSignKeyInfoKeyNameTransformer string: Sign Key Transformer.

alias str: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
entity_id str: The Entity ID that will be used to uniquely identify this SAML Service Provider.
realm str: Realm Name
single_sign_on_service_url str: SSO Logout URL.
add_read_token_role_on_create bool: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
authenticate_by_default bool: Enable/disable authenticate users by default.
authn_context_class_refs Sequence[str]: AuthnContext ClassRefs
authn_context_comparison_type str: AuthnContext Comparison
authn_context_decl_refs Sequence[str]: AuthnContext DeclRefs
backchannel_supported bool: Does the external IDP support backchannel logout?
display_name str: Friendly name for Identity Providers.
enabled bool: Enable/disable this identity provider.
extra_config Mapping[str, Any]
first_broker_login_flow_alias str: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
force_authn bool: Require Force Authn.
gui_order str: GUI Order
hide_on_login_page bool: Hide On Login Page.
link_only bool: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
login_hint str: Login Hint.
name_id_policy_format str: Name ID Policy Format.
post_binding_authn_request bool: Post Binding Authn Request.
post_binding_logout bool: Post Binding Logout.
post_binding_response bool: Post Binding Response.
post_broker_login_flow_alias str: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
principal_attribute str: Principal Attribute
principal_type str: Principal Type
provider_id str: provider id, is always saml, unless you have a custom implementation
signature_algorithm str: Signing Algorithm.
signing_certificate str: Signing Certificate.
single_logout_service_url str: Logout URL.
store_token bool: Enable/disable if tokens must be stored after authenticating users.
sync_mode str: Sync Mode
trust_email bool: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
validate_signature bool: Enable/disable signature validation of SAML responses.
want_assertions_encrypted bool: Want Assertions Encrypted.
want_assertions_signed bool: Want Assertions Signed.
xml_sign_key_info_key_name_transformer str: Sign Key Transformer.

alias String: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
entityId String: The Entity ID that will be used to uniquely identify this SAML Service Provider.
realm String: Realm Name
singleSignOnServiceUrl String: SSO Logout URL.
addReadTokenRoleOnCreate Boolean: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
authenticateByDefault Boolean: Enable/disable authenticate users by default.
authnContextClassRefs List<String>: AuthnContext ClassRefs
authnContextComparisonType String: AuthnContext Comparison
authnContextDeclRefs List<String>: AuthnContext DeclRefs
backchannelSupported Boolean: Does the external IDP support backchannel logout?
displayName String: Friendly name for Identity Providers.
enabled Boolean: Enable/disable this identity provider.
extraConfig Map<Any>
firstBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
forceAuthn Boolean: Require Force Authn.
guiOrder String: GUI Order
hideOnLoginPage Boolean: Hide On Login Page.
linkOnly Boolean: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
loginHint String: Login Hint.
nameIdPolicyFormat String: Name ID Policy Format.
postBindingAuthnRequest Boolean: Post Binding Authn Request.
postBindingLogout Boolean: Post Binding Logout.
postBindingResponse Boolean: Post Binding Response.
postBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
principalAttribute String: Principal Attribute
principalType String: Principal Type
providerId String: provider id, is always saml, unless you have a custom implementation
signatureAlgorithm String: Signing Algorithm.
signingCertificate String: Signing Certificate.
singleLogoutServiceUrl String: Logout URL.
storeToken Boolean: Enable/disable if tokens must be stored after authenticating users.
syncMode String: Sync Mode
trustEmail Boolean: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
validateSignature Boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted Boolean: Want Assertions Encrypted.
wantAssertionsSigned Boolean: Want Assertions Signed.
xmlSignKeyInfoKeyNameTransformer String: Sign Key Transformer.

Outputs

All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
InternalId string: Internal Identity Provider Id

Id string: The provider-assigned unique ID for this managed resource.
InternalId string: Internal Identity Provider Id

id String: The provider-assigned unique ID for this managed resource.
internalId String: Internal Identity Provider Id

id string: The provider-assigned unique ID for this managed resource.
internalId string: Internal Identity Provider Id

id str: The provider-assigned unique ID for this managed resource.
internal_id str: Internal Identity Provider Id

id String: The provider-assigned unique ID for this managed resource.
internalId String: Internal Identity Provider Id

Look up Existing IdentityProvider Resource

Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        add_read_token_role_on_create: Optional[bool] = None,
        alias: Optional[str] = None,
        authenticate_by_default: Optional[bool] = None,
        authn_context_class_refs: Optional[Sequence[str]] = None,
        authn_context_comparison_type: Optional[str] = None,
        authn_context_decl_refs: Optional[Sequence[str]] = None,
        backchannel_supported: Optional[bool] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        entity_id: Optional[str] = None,
        extra_config: Optional[Mapping[str, Any]] = None,
        first_broker_login_flow_alias: Optional[str] = None,
        force_authn: Optional[bool] = None,
        gui_order: Optional[str] = None,
        hide_on_login_page: Optional[bool] = None,
        internal_id: Optional[str] = None,
        link_only: Optional[bool] = None,
        login_hint: Optional[str] = None,
        name_id_policy_format: Optional[str] = None,
        post_binding_authn_request: Optional[bool] = None,
        post_binding_logout: Optional[bool] = None,
        post_binding_response: Optional[bool] = None,
        post_broker_login_flow_alias: Optional[str] = None,
        principal_attribute: Optional[str] = None,
        principal_type: Optional[str] = None,
        provider_id: Optional[str] = None,
        realm: Optional[str] = None,
        signature_algorithm: Optional[str] = None,
        signing_certificate: Optional[str] = None,
        single_logout_service_url: Optional[str] = None,
        single_sign_on_service_url: Optional[str] = None,
        store_token: Optional[bool] = None,
        sync_mode: Optional[str] = None,
        trust_email: Optional[bool] = None,
        validate_signature: Optional[bool] = None,
        want_assertions_encrypted: Optional[bool] = None,
        want_assertions_signed: Optional[bool] = None,
        xml_sign_key_info_key_name_transformer: Optional[str] = None) -> IdentityProvider

func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)

public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)

public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AddReadTokenRoleOnCreate bool: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
Alias string: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
AuthenticateByDefault bool: Enable/disable authenticate users by default.
AuthnContextClassRefs List<string>: AuthnContext ClassRefs
AuthnContextComparisonType string: AuthnContext Comparison
AuthnContextDeclRefs List<string>: AuthnContext DeclRefs
BackchannelSupported bool: Does the external IDP support backchannel logout?
DisplayName string: Friendly name for Identity Providers.
Enabled bool: Enable/disable this identity provider.
EntityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
ExtraConfig Dictionary<string, object>
FirstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
ForceAuthn bool: Require Force Authn.
GuiOrder string: GUI Order
HideOnLoginPage bool: Hide On Login Page.
InternalId string: Internal Identity Provider Id
LinkOnly bool: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
LoginHint string: Login Hint.
NameIdPolicyFormat string: Name ID Policy Format.
PostBindingAuthnRequest bool: Post Binding Authn Request.
PostBindingLogout bool: Post Binding Logout.
PostBindingResponse bool: Post Binding Response.
PostBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
PrincipalAttribute string: Principal Attribute
PrincipalType string: Principal Type
ProviderId string: provider id, is always saml, unless you have a custom implementation
Realm string: Realm Name
SignatureAlgorithm string: Signing Algorithm.
SigningCertificate string: Signing Certificate.
SingleLogoutServiceUrl string: Logout URL.
SingleSignOnServiceUrl string: SSO Logout URL.
StoreToken bool: Enable/disable if tokens must be stored after authenticating users.
SyncMode string: Sync Mode
TrustEmail bool: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
ValidateSignature bool: Enable/disable signature validation of SAML responses.
WantAssertionsEncrypted bool: Want Assertions Encrypted.
WantAssertionsSigned bool: Want Assertions Signed.
XmlSignKeyInfoKeyNameTransformer string: Sign Key Transformer.

AddReadTokenRoleOnCreate bool: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
Alias string: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
AuthenticateByDefault bool: Enable/disable authenticate users by default.
AuthnContextClassRefs []string: AuthnContext ClassRefs
AuthnContextComparisonType string: AuthnContext Comparison
AuthnContextDeclRefs []string: AuthnContext DeclRefs
BackchannelSupported bool: Does the external IDP support backchannel logout?
DisplayName string: Friendly name for Identity Providers.
Enabled bool: Enable/disable this identity provider.
EntityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
ExtraConfig map[string]interface{}
FirstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
ForceAuthn bool: Require Force Authn.
GuiOrder string: GUI Order
HideOnLoginPage bool: Hide On Login Page.
InternalId string: Internal Identity Provider Id
LinkOnly bool: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
LoginHint string: Login Hint.
NameIdPolicyFormat string: Name ID Policy Format.
PostBindingAuthnRequest bool: Post Binding Authn Request.
PostBindingLogout bool: Post Binding Logout.
PostBindingResponse bool: Post Binding Response.
PostBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
PrincipalAttribute string: Principal Attribute
PrincipalType string: Principal Type
ProviderId string: provider id, is always saml, unless you have a custom implementation
Realm string: Realm Name
SignatureAlgorithm string: Signing Algorithm.
SigningCertificate string: Signing Certificate.
SingleLogoutServiceUrl string: Logout URL.
SingleSignOnServiceUrl string: SSO Logout URL.
StoreToken bool: Enable/disable if tokens must be stored after authenticating users.
SyncMode string: Sync Mode
TrustEmail bool: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
ValidateSignature bool: Enable/disable signature validation of SAML responses.
WantAssertionsEncrypted bool: Want Assertions Encrypted.
WantAssertionsSigned bool: Want Assertions Signed.
XmlSignKeyInfoKeyNameTransformer string: Sign Key Transformer.

addReadTokenRoleOnCreate Boolean: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
alias String: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
authenticateByDefault Boolean: Enable/disable authenticate users by default.
authnContextClassRefs List<String>: AuthnContext ClassRefs
authnContextComparisonType String: AuthnContext Comparison
authnContextDeclRefs List<String>: AuthnContext DeclRefs
backchannelSupported Boolean: Does the external IDP support backchannel logout?
displayName String: Friendly name for Identity Providers.
enabled Boolean: Enable/disable this identity provider.
entityId String: The Entity ID that will be used to uniquely identify this SAML Service Provider.
extraConfig Map<String,Object>
firstBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
forceAuthn Boolean: Require Force Authn.
guiOrder String: GUI Order
hideOnLoginPage Boolean: Hide On Login Page.
internalId String: Internal Identity Provider Id
linkOnly Boolean: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
loginHint String: Login Hint.
nameIdPolicyFormat String: Name ID Policy Format.
postBindingAuthnRequest Boolean: Post Binding Authn Request.
postBindingLogout Boolean: Post Binding Logout.
postBindingResponse Boolean: Post Binding Response.
postBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
principalAttribute String: Principal Attribute
principalType String: Principal Type
providerId String: provider id, is always saml, unless you have a custom implementation
realm String: Realm Name
signatureAlgorithm String: Signing Algorithm.
signingCertificate String: Signing Certificate.
singleLogoutServiceUrl String: Logout URL.
singleSignOnServiceUrl String: SSO Logout URL.
storeToken Boolean: Enable/disable if tokens must be stored after authenticating users.
syncMode String: Sync Mode
trustEmail Boolean: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
validateSignature Boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted Boolean: Want Assertions Encrypted.
wantAssertionsSigned Boolean: Want Assertions Signed.
xmlSignKeyInfoKeyNameTransformer String: Sign Key Transformer.

addReadTokenRoleOnCreate boolean: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
alias string: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
authenticateByDefault boolean: Enable/disable authenticate users by default.
authnContextClassRefs string[]: AuthnContext ClassRefs
authnContextComparisonType string: AuthnContext Comparison
authnContextDeclRefs string[]: AuthnContext DeclRefs
backchannelSupported boolean: Does the external IDP support backchannel logout?
displayName string: Friendly name for Identity Providers.
enabled boolean: Enable/disable this identity provider.
entityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
extraConfig {[key: string]: any}
firstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
forceAuthn boolean: Require Force Authn.
guiOrder string: GUI Order
hideOnLoginPage boolean: Hide On Login Page.
internalId string: Internal Identity Provider Id
linkOnly boolean: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
loginHint string: Login Hint.
nameIdPolicyFormat string: Name ID Policy Format.
postBindingAuthnRequest boolean: Post Binding Authn Request.
postBindingLogout boolean: Post Binding Logout.
postBindingResponse boolean: Post Binding Response.
postBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
principalAttribute string: Principal Attribute
principalType string: Principal Type
providerId string: provider id, is always saml, unless you have a custom implementation
realm string: Realm Name
signatureAlgorithm string: Signing Algorithm.
signingCertificate string: Signing Certificate.
singleLogoutServiceUrl string: Logout URL.
singleSignOnServiceUrl string: SSO Logout URL.
storeToken boolean: Enable/disable if tokens must be stored after authenticating users.
syncMode string: Sync Mode
trustEmail boolean: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
validateSignature boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted boolean: Want Assertions Encrypted.
wantAssertionsSigned boolean: Want Assertions Signed.
xmlSignKeyInfoKeyNameTransformer string: Sign Key Transformer.

add_read_token_role_on_create bool: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
alias str: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
authenticate_by_default bool: Enable/disable authenticate users by default.
authn_context_class_refs Sequence[str]: AuthnContext ClassRefs
authn_context_comparison_type str: AuthnContext Comparison
authn_context_decl_refs Sequence[str]: AuthnContext DeclRefs
backchannel_supported bool: Does the external IDP support backchannel logout?
display_name str: Friendly name for Identity Providers.
enabled bool: Enable/disable this identity provider.
entity_id str: The Entity ID that will be used to uniquely identify this SAML Service Provider.
extra_config Mapping[str, Any]
first_broker_login_flow_alias str: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
force_authn bool: Require Force Authn.
gui_order str: GUI Order
hide_on_login_page bool: Hide On Login Page.
internal_id str: Internal Identity Provider Id
link_only bool: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
login_hint str: Login Hint.
name_id_policy_format str: Name ID Policy Format.
post_binding_authn_request bool: Post Binding Authn Request.
post_binding_logout bool: Post Binding Logout.
post_binding_response bool: Post Binding Response.
post_broker_login_flow_alias str: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
principal_attribute str: Principal Attribute
principal_type str: Principal Type
provider_id str: provider id, is always saml, unless you have a custom implementation
realm str: Realm Name
signature_algorithm str: Signing Algorithm.
signing_certificate str: Signing Certificate.
single_logout_service_url str: Logout URL.
single_sign_on_service_url str: SSO Logout URL.
store_token bool: Enable/disable if tokens must be stored after authenticating users.
sync_mode str: Sync Mode
trust_email bool: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
validate_signature bool: Enable/disable signature validation of SAML responses.
want_assertions_encrypted bool: Want Assertions Encrypted.
want_assertions_signed bool: Want Assertions Signed.
xml_sign_key_info_key_name_transformer str: Sign Key Transformer.

addReadTokenRoleOnCreate Boolean: Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
alias String: The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
authenticateByDefault Boolean: Enable/disable authenticate users by default.
authnContextClassRefs List<String>: AuthnContext ClassRefs
authnContextComparisonType String: AuthnContext Comparison
authnContextDeclRefs List<String>: AuthnContext DeclRefs
backchannelSupported Boolean: Does the external IDP support backchannel logout?
displayName String: Friendly name for Identity Providers.
enabled Boolean: Enable/disable this identity provider.
entityId String: The Entity ID that will be used to uniquely identify this SAML Service Provider.
extraConfig Map<Any>
firstBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
forceAuthn Boolean: Require Force Authn.
guiOrder String: GUI Order
hideOnLoginPage Boolean: Hide On Login Page.
internalId String: Internal Identity Provider Id
linkOnly Boolean: If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
loginHint String: Login Hint.
nameIdPolicyFormat String: Name ID Policy Format.
postBindingAuthnRequest Boolean: Post Binding Authn Request.
postBindingLogout Boolean: Post Binding Logout.
postBindingResponse Boolean: Post Binding Response.
postBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
principalAttribute String: Principal Attribute
principalType String: Principal Type
providerId String: provider id, is always saml, unless you have a custom implementation
realm String: Realm Name
signatureAlgorithm String: Signing Algorithm.
signingCertificate String: Signing Certificate.
singleLogoutServiceUrl String: Logout URL.
singleSignOnServiceUrl String: SSO Logout URL.
storeToken Boolean: Enable/disable if tokens must be stored after authenticating users.
syncMode String: Sync Mode
trustEmail Boolean: If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
validateSignature Boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted Boolean: Want Assertions Encrypted.
wantAssertionsSigned Boolean: Want Assertions Signed.
xmlSignKeyInfoKeyNameTransformer String: Sign Key Transformer.

Package Details

Repository: Keycloak pulumi/pulumi-keycloak
License: Apache-2.0
Notes: This Pulumi package is based on the keycloak Terraform Provider.

Keycloak v5.3.2 published on Friday, May 10, 2024 by Pulumi

pulumi/pulumi-keycloak

keycloak.saml.IdentityProvider

On this page

On this page

# keycloak.saml.IdentityProvider

Example Usage

Argument Reference

SAML Configuration

Import

Create IdentityProvider Resource

Constructor syntax

Parameters

Constructor example

IdentityProvider Resource Properties

Inputs

Outputs

Look up Existing IdentityProvider Resource

Package Details

On this page

On this page