pulumi-keycloak-kotlin/com.pulumi.keycloak.saml.kotlin/IdentityProvider

IdentityProvider

class IdentityProvider : KotlinCustomResource

# keycloak.saml.IdentityProvider

Allows to create and manage SAML Identity Providers within Keycloak. SAML (Security Assertion Markup Language) identity providers allows to authenticate through a third-party system, using SAML standard.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realmIdentityProvider = new keycloak.saml.IdentityProvider("realm_identity_provider", {
    realm: "my-realm",
    alias: "my-idp",
    singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
    singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
    backchannelSupported: true,
    postBindingResponse: true,
    postBindingLogout: true,
    postBindingAuthnRequest: true,
    storeToken: false,
    trustEmail: true,
    forceAuthn: true,
});

import pulumi
import pulumi_keycloak as keycloak
realm_identity_provider = keycloak.saml.IdentityProvider("realm_identity_provider",
    realm="my-realm",
    alias="my-idp",
    single_sign_on_service_url="https://domain.com/adfs/ls/",
    single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0",
    backchannel_supported=True,
    post_binding_response=True,
    post_binding_logout=True,
    post_binding_authn_request=True,
    store_token=False,
    trust_email=True,
    force_authn=True)

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realmIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_identity_provider", new()
    {
        Realm = "my-realm",
        Alias = "my-idp",
        SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
        SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
        BackchannelSupported = true,
        PostBindingResponse = true,
        PostBindingLogout = true,
        PostBindingAuthnRequest = true,
        StoreToken = false,
        TrustEmail = true,
        ForceAuthn = true,
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak/saml"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := saml.NewIdentityProvider(ctx, "realm_identity_provider", &saml.IdentityProviderArgs{
			Realm:                   pulumi.String("my-realm"),
			Alias:                   pulumi.String("my-idp"),
			SingleSignOnServiceUrl:  pulumi.String("https://domain.com/adfs/ls/"),
			SingleLogoutServiceUrl:  pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
			BackchannelSupported:    pulumi.Bool(true),
			PostBindingResponse:     pulumi.Bool(true),
			PostBindingLogout:       pulumi.Bool(true),
			PostBindingAuthnRequest: pulumi.Bool(true),
			StoreToken:              pulumi.Bool(false),
			TrustEmail:              pulumi.Bool(true),
			ForceAuthn:              pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.saml.IdentityProvider;
import com.pulumi.keycloak.saml.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var realmIdentityProvider = new IdentityProvider("realmIdentityProvider", IdentityProviderArgs.builder()
            .realm("my-realm")
            .alias("my-idp")
            .singleSignOnServiceUrl("https://domain.com/adfs/ls/")
            .singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
            .backchannelSupported(true)
            .postBindingResponse(true)
            .postBindingLogout(true)
            .postBindingAuthnRequest(true)
            .storeToken(false)
            .trustEmail(true)
            .forceAuthn(true)
            .build());
    }
}

resources:
  realmIdentityProvider:
    type: keycloak:saml:IdentityProvider
    name: realm_identity_provider
    properties:
      realm: my-realm
      alias: my-idp
      singleSignOnServiceUrl: https://domain.com/adfs/ls/
      singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0
      backchannelSupported: true
      postBindingResponse: true
      postBindingLogout: true
      postBindingAuthnRequest: true
      storeToken: false
      trustEmail: true
      forceAuthn: true

Argument Reference

The following arguments are supported:

realm - (Required) The name of the realm. This is unique across Keycloak.
alias - (Optional) The uniq name of identity provider.
enabled - (Optional) When false, users and clients will not be able to access this realm. Defaults to true.
display_name - (Optional) The display name for the realm that is shown when logging in to the admin console.
store_token - (Optional) Enable/disable if tokens must be stored after authenticating users. Defaults to true.
add_read_token_role_on_create - (Optional) Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. Defaults to false.
trust_email - (Optional) If enabled then email provided by this provider is not verified even if verification is enabled for the realm. Defaults to false.
link_only - (Optional) If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Defaults to false.
hide_on_login_page - (Optional) If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
first_broker_login_flow_alias - (Optional) Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
post_broker_login_flow_alias - (Optional) Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
authenticate_by_default - (Optional) Authenticate users by default. Defaults to false.

SAML Configuration

single_sign_on_service_url - (Optional) The Url that must be used to send authentication requests (SAML AuthnRequest).
single_logout_service_url - (Optional) The Url that must be used to send logout requests.
backchannel_supported - (Optional) Does the external IDP support back-channel logout ?.
name_id_policy_format - (Optional) Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
post_binding_response - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used..
post_binding_authn_request - (Optional) Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
post_binding_logout - (Optional) Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
want_assertions_signed - (Optional) Indicates whether this service provider expects a signed Assertion.
want_assertions_encrypted - (Optional) Indicates whether this service provider expects an encrypted Assertion.
force_authn - (Optional) Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
validate_signature - (Optional) Enable/disable signature validation of SAML responses.
signing_certificate - (Optional) Signing Certificate.
signature_algorithm - (Optional) Signing Algorithm. Defaults to empty.
xml_sign_key_info_key_name_transformer - (Optional) Sign Key Transformer. Defaults to empty.

Import

Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias. Example:

$ terraform import keycloak_saml_identity_provider.realm_identity_provider my-realm/my-idp

Properties

addReadTokenRoleOnCreate

val addReadTokenRoleOnCreate: Output<Boolean>?

Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.

alias

val alias: Output<String>

The alias uniquely identifies an identity provider and it is also used to build the redirect uri.

authenticateByDefault

val authenticateByDefault: Output<Boolean>?

Enable/disable authenticate users by default.

authnContextClassRefs

val authnContextClassRefs: Output<List<String>>?

AuthnContext ClassRefs

authnContextComparisonType

val authnContextComparisonType: Output<String>?

AuthnContext Comparison

authnContextDeclRefs

val authnContextDeclRefs: Output<List<String>>?

AuthnContext DeclRefs

backchannelSupported

val backchannelSupported: Output<Boolean>?

Does the external IDP support backchannel logout?

displayName

val displayName: Output<String>?

Friendly name for Identity Providers.

enabled

val enabled: Output<Boolean>?

Enable/disable this identity provider.

entityId

val entityId: Output<String>

The Entity ID that will be used to uniquely identify this SAML Service Provider.

extraConfig

val extraConfig: Output<Map<String, Any>>?

firstBrokerLoginFlowAlias

val firstBrokerLoginFlowAlias: Output<String>?

Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.

forceAuthn

val forceAuthn: Output<Boolean>?

Require Force Authn.

guiOrder

val guiOrder: Output<String>?

GUI Order

hideOnLoginPage

val hideOnLoginPage: Output<Boolean>?

Hide On Login Page.

val id: Output<String>

internalId

val internalId: Output<String>

Internal Identity Provider Id

linkOnly

val linkOnly: Output<Boolean>?

If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider

loginHint

val loginHint: Output<String>?

nameIdPolicyFormat

val nameIdPolicyFormat: Output<String>?

Name ID Policy Format.

postBindingAuthnRequest

val postBindingAuthnRequest: Output<Boolean>?

Post Binding Authn Request.

postBindingLogout

val postBindingLogout: Output<Boolean>?

Post Binding Logout.

postBindingResponse

val postBindingResponse: Output<Boolean>?

Post Binding Response.

postBrokerLoginFlowAlias

val postBrokerLoginFlowAlias: Output<String>?

Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.

principalAttribute

val principalAttribute: Output<String>?

Principal Attribute

principalType

val principalType: Output<String>?

Principal Type

providerId

val providerId: Output<String>?

provider id, is always saml, unless you have a custom implementation

pulumiChildResources

val pulumiChildResources: Set<KotlinResource>

pulumiResourceName