Identity
Allows for creating and managing SAML Identity Providers within Keycloak. SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
realm: "my-realm",
enabled: true,
});
const realmSamlIdentityProvider = new keycloak.saml.IdentityProvider("realm_saml_identity_provider", {
realm: realm.id,
alias: "my-saml-idp",
entityId: "https://domain.com/entity_id",
singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
backchannelSupported: true,
postBindingResponse: true,
postBindingLogout: true,
postBindingAuthnRequest: true,
storeToken: false,
trustEmail: true,
forceAuthn: true,
});import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
realm="my-realm",
enabled=True)
realm_saml_identity_provider = keycloak.saml.IdentityProvider("realm_saml_identity_provider",
realm=realm.id,
alias="my-saml-idp",
entity_id="https://domain.com/entity_id",
single_sign_on_service_url="https://domain.com/adfs/ls/",
single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0",
backchannel_supported=True,
post_binding_response=True,
post_binding_logout=True,
post_binding_authn_request=True,
store_token=False,
trust_email=True,
force_authn=True)using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
var realm = new Keycloak.Realm("realm", new()
{
RealmName = "my-realm",
Enabled = true,
});
var realmSamlIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_saml_identity_provider", new()
{
Realm = realm.Id,
Alias = "my-saml-idp",
EntityId = "https://domain.com/entity_id",
SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
BackchannelSupported = true,
PostBindingResponse = true,
PostBindingLogout = true,
PostBindingAuthnRequest = true,
StoreToken = false,
TrustEmail = true,
ForceAuthn = true,
});
});package main
import (
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/saml"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
Realm: pulumi.String("my-realm"),
Enabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = saml.NewIdentityProvider(ctx, "realm_saml_identity_provider", &saml.IdentityProviderArgs{
Realm: realm.ID(),
Alias: pulumi.String("my-saml-idp"),
EntityId: pulumi.String("https://domain.com/entity_id"),
SingleSignOnServiceUrl: pulumi.String("https://domain.com/adfs/ls/"),
SingleLogoutServiceUrl: pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
BackchannelSupported: pulumi.Bool(true),
PostBindingResponse: pulumi.Bool(true),
PostBindingLogout: pulumi.Bool(true),
PostBindingAuthnRequest: pulumi.Bool(true),
StoreToken: pulumi.Bool(false),
TrustEmail: pulumi.Bool(true),
ForceAuthn: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.saml.IdentityProvider;
import com.pulumi.keycloak.saml.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var realm = new Realm("realm", RealmArgs.builder()
.realm("my-realm")
.enabled(true)
.build());
var realmSamlIdentityProvider = new IdentityProvider("realmSamlIdentityProvider", IdentityProviderArgs.builder()
.realm(realm.id())
.alias("my-saml-idp")
.entityId("https://domain.com/entity_id")
.singleSignOnServiceUrl("https://domain.com/adfs/ls/")
.singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
.backchannelSupported(true)
.postBindingResponse(true)
.postBindingLogout(true)
.postBindingAuthnRequest(true)
.storeToken(false)
.trustEmail(true)
.forceAuthn(true)
.build());
}
}resources:
realm:
type: keycloak:Realm
properties:
realm: my-realm
enabled: true
realmSamlIdentityProvider:
type: keycloak:saml:IdentityProvider
name: realm_saml_identity_provider
properties:
realm: ${realm.id}
alias: my-saml-idp
entityId: https://domain.com/entity_id
singleSignOnServiceUrl: https://domain.com/adfs/ls/
singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0
backchannelSupported: true
postBindingResponse: true
postBindingLogout: true
postBindingAuthnRequest: true
storeToken: false
trustEmail: true
forceAuthn: trueImport
Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias. Example: bash
$ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idpConstructors
Properties
When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
Authenticate users by default. Defaults to false.
Ordered list of requested AuthnContext ClassRefs.
Specifies the comparison method used to evaluate the requested context classes or statements.
Ordered list of requested AuthnContext DeclRefs.
Does the external IDP support backchannel logout?. Defaults to false.
The display name for the realm that is shown when logging in to the admin console.
Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
The principal attribute.
The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
Signing Algorithm. Defaults to empty.
Signing Certificate.
The Url that must be used to send logout requests.
The Url that must be used to send authentication requests (SAML AuthnRequest).
When true, tokens will be stored after authenticating users. Defaults to true.
When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
Enable/disable signature validation of SAML responses.
Indicates whether this service provider expects an encrypted Assertion.
Indicates whether this service provider expects a signed Assertion.
The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.