Client

class Client : KotlinCustomResource

Allows for creating and managing Keycloak clients that use the SAML protocol. Clients are entities that can use Keycloak for user authentication. Typically, clients are applications that redirect users to Keycloak for authentication in order to take advantage of Keycloak's user sessions for SSO.

Import

Clients can be imported using the format {{realm_id}}/{{client_keycloak_id}}, where client_keycloak_id is the unique ID that Keycloak assigns to the client upon creation. This value can be found in the URI when editing this client in the GUI, and is typically a GUID. Example:

$ pulumi import keycloak:saml/client:Client saml_client my-realm/dcbc4c73-e478-4928-ae2e-d5e420223352

Properties

Always list this client in the Account UI, even if the user does not have an active session.

SAML POST Binding URL for the client's assertion consumer service (login responses).

SAML Redirect Binding URL for the client's assertion consumer service (login responses).

Override realm authentication flow bindings

val baseUrl: Output<String>?

When specified, this URL will be used whenever Keycloak needs to link to this client.

The Canonicalization Method for XML signatures. Should be one of "EXCLUSIVE", "EXCLUSIVE_WITH_COMMENTS", "INCLUSIVE", or "INCLUSIVE_WITH_COMMENTS". Defaults to "EXCLUSIVE".

val clientId: Output<String>

The unique ID of this client, referenced in the URI during authentication and in issued tokens.

When true, Keycloak will expect that documents originating from a client will be signed using the certificate and/or key configured via signing_certificate and signing_private_key. Defaults to true.

When true, users have to consent to client access. Defaults to false.

val description: Output<String>?

The description of this client in the GUI.

val enabled: Output<Boolean>?

When false, this client will not be able to initiate a login or obtain access tokens. Defaults to true.

When true, the SAML assertions will be encrypted by Keycloak using the client's public key. Defaults to false.

If assertions for the client are encrypted, this certificate will be used for encryption.

(Computed) The sha1sum fingerprint of the encryption certificate. If the encryption certificate is not in correct base64 format, this will be left empty.

val extraConfig: Output<Map<String, String>>?

Ignore requested NameID subject format and use the one defined in name_id_format instead. Defaults to false.

When true, Keycloak will always respond to an authentication request via the SAML POST Binding. Defaults to true.

When true, this client will require a browser redirect in order to perform a logout. Defaults to true.

Allows all role mappings to be included in the access token.

val id: Output<String>

Relay state to send with the SAML request when performing IdP-initiated SSO.

URL fragment name used to reference the client when performing IdP-initiated SSO.

When true, an AuthnStatement will be included in the SAML response. Defaults to true.

val loginTheme: Output<String>?

The login theme of this client.

SAML POST Binding URL for the client's single logout service.

SAML Redirect Binding URL for the client's single logout service.

When specified, this URL will be used for all SAML requests.

val name: Output<String>

The display name of this client in the GUI.

val nameIdFormat: Output<String>

Sets the Name ID format for the subject.

val pulumiChildResources: Set<KotlinResource>
val realmId: Output<String>

The realm this client is attached to.

val rootUrl: Output<String>?

When specified, this value is prepended to all relative URLs.

val signAssertions: Output<Boolean>?

When true, the SAML assertions will be signed by Keycloak using the realm's private key, and embedded within the SAML XML Auth response. Defaults to false.

The signature algorithm used to sign documents. Should be one of "RSA_SHA1", "RSA_SHA256", "RSA_SHA256_MGF1", "RSA_SHA512", "RSA_SHA512_MGF1" or "DSA_SHA1".

val signatureKeyName: Output<String>?

The value of the KeyName element within the signed SAML document. Should be one of "NONE", "KEY_ID", or "CERT_SUBJECT". Defaults to "KEY_ID".

val signDocuments: Output<Boolean>?

When true, the SAML document will be signed by Keycloak using the realm's private key. Defaults to true.

If documents or assertions from the client are signed, this certificate will be used to verify the signature.

(Computed) The sha1sum fingerprint of the signing certificate. If the signing certificate is not in correct base64 format, this will be left empty.

If documents or assertions from the client are signed, this private key will be used to verify the signature.

(Computed) The sha1sum fingerprint of the signing private key. If the signing private key is not in correct base64 format, this will be left empty.

val urn: Output<String>

When specified, Keycloak will use this list to validate given Assertion Consumer URLs specified in the authentication request.
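
Added example (not part of the provider's documentation or code): a pre-deployment check that overlays a client's explicit settings on the signing and encryption defaults documented above and reports weak combinations. The key names clientSignatureRequired, encryptAssertions, signatureAlgorithm and validRedirectUris are assumed, since their declarations are not shown on this page; the sample clients are constructed.

```python
# Defaults as stated in the property descriptions on this page.
DOCUMENTED_DEFAULTS = {
    "clientSignatureRequired": True,   # assumed key name
    "signDocuments": True,
    "signAssertions": False,
    "encryptAssertions": False,        # assumed key name
}
SHA1_ALGORITHMS = {"RSA_SHA1", "DSA_SHA1"}


def effective(settings):
    """Overlay explicitly set values on the documented defaults."""
    merged = dict(DOCUMENTED_DEFAULTS)
    merged.update({k: v for k, v in settings.items() if v is not None})
    return merged


def audit_saml_client(settings):
    """Return a sorted list of finding codes for one client's settings."""
    cfg = effective(settings)
    findings = []
    # Neither the response document nor the assertion carries a signature.
    if not cfg["signDocuments"] and not cfg["signAssertions"]:
        findings.append("UNSIGNED_RESPONSE")
    # Keycloak will not expect documents from the client to be signed.
    if not cfg["clientSignatureRequired"]:
        findings.append("CLIENT_SIGNATURE_NOT_REQUIRED")
    # SHA-1 based signature algorithms are deprecated.
    if cfg.get("signatureAlgorithm") in SHA1_ALGORITHMS:
        findings.append("SHA1_SIGNATURE")
    # Wildcards widen the set of accepted Assertion Consumer URLs.
    if any("*" in uri for uri in cfg.get("validRedirectUris", [])):
        findings.append("WILDCARD_REDIRECT_URI")
    return sorted(findings)


# Constructed sample clients (hypothetical hosts).
WEAK_CLIENT = {
    "signDocuments": False,
    "clientSignatureRequired": False,
    "signatureAlgorithm": "RSA_SHA1",
    "validRedirectUris": ["https://app.example.test/*"],
}
HARDENED_CLIENT = {
    "signAssertions": True,
    "signatureAlgorithm": "RSA_SHA256",
    "validRedirectUris": ["https://app.example.test/saml/acs"],
}
```
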