Identity
# keycloak.saml.IdentityProvider
Allows to create and manage SAML Identity Providers within Keycloak. SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realmIdentityProvider = new keycloak.saml.IdentityProvider("realm_identity_provider", {
realm: "my-realm",
alias: "my-idp",
singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
backchannelSupported: true,
postBindingResponse: true,
postBindingLogout: true,
postBindingAuthnRequest: true,
storeToken: false,
trustEmail: true,
forceAuthn: true,
});import pulumi
import pulumi_keycloak as keycloak
realm_identity_provider = keycloak.saml.IdentityProvider("realm_identity_provider",
realm="my-realm",
alias="my-idp",
single_sign_on_service_url="https://domain.com/adfs/ls/",
single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0",
backchannel_supported=True,
post_binding_response=True,
post_binding_logout=True,
post_binding_authn_request=True,
store_token=False,
trust_email=True,
force_authn=True)using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realmIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_identity_provider", new()
{
Realm = "my-realm",
Alias = "my-idp",
SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
BackchannelSupported = true,
PostBindingResponse = true,
PostBindingLogout = true,
PostBindingAuthnRequest = true,
StoreToken = false,
TrustEmail = true,
ForceAuthn = true,
});
});package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := saml.NewIdentityProvider(ctx, "realm_identity_provider", &saml.IdentityProviderArgs{
Realm: pulumi.String("my-realm"),
Alias: pulumi.String("my-idp"),
SingleSignOnServiceUrl: pulumi.String("https://domain.com/adfs/ls/"),
SingleLogoutServiceUrl: pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
BackchannelSupported: pulumi.Bool(true),
PostBindingResponse: pulumi.Bool(true),
PostBindingLogout: pulumi.Bool(true),
PostBindingAuthnRequest: pulumi.Bool(true),
StoreToken: pulumi.Bool(false),
TrustEmail: pulumi.Bool(true),
ForceAuthn: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.saml.IdentityProvider;
import com.pulumi.keycloak.saml.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", IdentityProviderArgs.builder()
.realm("my-realm")
.alias("my-idp")
.singleSignOnServiceUrl("https://domain.com/adfs/ls/")
.singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
.backchannelSupported(true)
.postBindingResponse(true)
.postBindingLogout(true)
.postBindingAuthnRequest(true)
.storeToken(false)
.trustEmail(true)
.forceAuthn(true)
.build());
}
}resources:
realmIdentityProvider:
type: keycloak:saml:IdentityProvider
name: realm_identity_provider
properties:
realm: my-realm
alias: my-idp
singleSignOnServiceUrl: https://domain.com/adfs/ls/
singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0
backchannelSupported: true
postBindingResponse: true
postBindingLogout: true
postBindingAuthnRequest: true
storeToken: false
trustEmail: true
forceAuthn: trueArgument Reference
The following arguments are supported:
realm- (Required) The name of the realm. This is unique across Keycloak.alias- (Optional) The uniq name of identity provider.enabled- (Optional) When false, users and clients will not be able to access this realm. Defaults totrue.display_name- (Optional) The display name for the realm that is shown when logging in to the admin console.store_token- (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults totrue.add_read_token_role_on_create- (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults tofalse.trust_email- (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults tofalse.link_only- (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults tofalse.hide_on_login_page- (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.first_broker_login_flow_alias- (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults tofirst broker login.post_broker_login_flow_alias- (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.authenticate_by_default- (Optional) Authenticate users by default. Defaults tofalse.
SAML Configuration
single_sign_on_service_url- (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest).single_logout_service_url- (Optional) The Url that must be used to send logout requests.backchannel_supported- (Optional) Does the external IDP support back-channel logout ?.name_id_policy_format- (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.post_binding_response- (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..post_binding_authn_request- (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.post_binding_logout- (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.want_assertions_signed- (Optional) Indicates whether this service provider expects a signed Assertion.want_assertions_encrypted- (Optional) Indicates whether this service provider expects an encrypted Assertion.force_authn- (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.validate_signature- (Optional) Enable/disable signature validation of SAML responses.signing_certificate- (Optional) Signing Certificate.signature_algorithm- (Optional) Signing Algorithm. Defaults to empty.xml_sign_key_info_key_name_transformer- (Optional) Sign Key Transformer. Defaults to empty.
Import
Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias. Example:
$ terraform import keycloak_saml_identity_provider.realm_identity_provider my-realm/my-idpConstructors
Properties
Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
Enable/disable authenticate users by default.
AuthnContext ClassRefs
AuthnContext Comparison
AuthnContext DeclRefs
Does the external IDP support backchannel logout?
Friendly name for Identity Providers.
Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
Require Force Authn.
Hide On Login Page.
Name ID Policy Format.
Post Binding Authn Request.
Post Binding Logout.
Post Binding Response.
Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
Principal Attribute
Principal Type
provider id, is always saml, unless you have a custom implementation
Signing Algorithm.
Signing Certificate.
Logout URL.
SSO Logout URL.
Enable/disable if tokens must be stored after authenticating users.
If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
Enable/disable signature validation of SAML responses.
Want Assertions Encrypted.
Want Assertions Signed.
Sign Key Transformer.