pulumi-keycloak-kotlin/com.pulumi.keycloak.saml.kotlin/IdentityProvider

IdentityProvider

class IdentityProvider : KotlinCustomResource

Allows for creating and managing SAML Identity Providers within Keycloak. SAML (Security Assertion Markup Language) identity providers allows users to authenticate through a third-party system using the SAML protocol.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";
const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const realmSamlIdentityProvider = new keycloak.saml.IdentityProvider("realm_saml_identity_provider", {
    realm: realm.id,
    alias: "my-saml-idp",
    entityId: "https://domain.com/entity_id",
    singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
    singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
    backchannelSupported: true,
    postBindingResponse: true,
    postBindingLogout: true,
    postBindingAuthnRequest: true,
    storeToken: false,
    trustEmail: true,
    forceAuthn: true,
});

import pulumi
import pulumi_keycloak as keycloak
realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
realm_saml_identity_provider = keycloak.saml.IdentityProvider("realm_saml_identity_provider",
    realm=realm.id,
    alias="my-saml-idp",
    entity_id="https://domain.com/entity_id",
    single_sign_on_service_url="https://domain.com/adfs/ls/",
    single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0",
    backchannel_supported=True,
    post_binding_response=True,
    post_binding_logout=True,
    post_binding_authn_request=True,
    store_token=False,
    trust_email=True,
    force_authn=True)

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;
return await Deployment.RunAsync(() =>
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });
    var realmSamlIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_saml_identity_provider", new()
    {
        Realm = realm.Id,
        Alias = "my-saml-idp",
        EntityId = "https://domain.com/entity_id",
        SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
        SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
        BackchannelSupported = true,
        PostBindingResponse = true,
        PostBindingLogout = true,
        PostBindingAuthnRequest = true,
        StoreToken = false,
        TrustEmail = true,
        ForceAuthn = true,
    });
});

package main
import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/saml"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = saml.NewIdentityProvider(ctx, "realm_saml_identity_provider", &saml.IdentityProviderArgs{
			Realm:                   realm.ID(),
			Alias:                   pulumi.String("my-saml-idp"),
			EntityId:                pulumi.String("https://domain.com/entity_id"),
			SingleSignOnServiceUrl:  pulumi.String("https://domain.com/adfs/ls/"),
			SingleLogoutServiceUrl:  pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
			BackchannelSupported:    pulumi.Bool(true),
			PostBindingResponse:     pulumi.Bool(true),
			PostBindingLogout:       pulumi.Bool(true),
			PostBindingAuthnRequest: pulumi.Bool(true),
			StoreToken:              pulumi.Bool(false),
			TrustEmail:              pulumi.Bool(true),
			ForceAuthn:              pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.saml.IdentityProvider;
import com.pulumi.keycloak.saml.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());
        var realmSamlIdentityProvider = new IdentityProvider("realmSamlIdentityProvider", IdentityProviderArgs.builder()
            .realm(realm.id())
            .alias("my-saml-idp")
            .entityId("https://domain.com/entity_id")
            .singleSignOnServiceUrl("https://domain.com/adfs/ls/")
            .singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
            .backchannelSupported(true)
            .postBindingResponse(true)
            .postBindingLogout(true)
            .postBindingAuthnRequest(true)
            .storeToken(false)
            .trustEmail(true)
            .forceAuthn(true)
            .build());
    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  realmSamlIdentityProvider:
    type: keycloak:saml:IdentityProvider
    name: realm_saml_identity_provider
    properties:
      realm: ${realm.id}
      alias: my-saml-idp
      entityId: https://domain.com/entity_id
      singleSignOnServiceUrl: https://domain.com/adfs/ls/
      singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0
      backchannelSupported: true
      postBindingResponse: true
      postBindingLogout: true
      postBindingAuthnRequest: true
      storeToken: false
      trustEmail: true
      forceAuthn: true

Import

Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias. Example: bash

$ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp

Properties

addReadTokenRoleOnCreate

val addReadTokenRoleOnCreate: Output<Boolean>?

When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.

alias

val alias: Output<String>

The unique name of identity provider.

authenticateByDefault

val authenticateByDefault: Output<Boolean>?

Authenticate users by default. Defaults to false.

authnContextClassRefs

val authnContextClassRefs: Output<List<String>>?

Ordered list of requested AuthnContext ClassRefs.

authnContextComparisonType

val authnContextComparisonType: Output<String>?

Specifies the comparison method used to evaluate the requested context classes or statements.

authnContextDeclRefs

val authnContextDeclRefs: Output<List<String>>?

Ordered list of requested AuthnContext DeclRefs.

backchannelSupported

val backchannelSupported: Output<Boolean>?

Does the external IDP support backchannel logout?. Defaults to false.

displayName

val displayName: Output<String>?

The display name for the realm that is shown when logging in to the admin console.

enabled

val enabled: Output<Boolean>?

When false, users and clients will not be able to access this realm. Defaults to true.

entityId

val entityId: Output<String>

The Entity ID that will be used to uniquely identify this SAML Service Provider.

extraConfig

val extraConfig: Output<Map<String, String>>?

firstBrokerLoginFlowAlias

val firstBrokerLoginFlowAlias: Output<String>?

Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.

forceAuthn

val forceAuthn: Output<Boolean>?

Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.

guiOrder

val guiOrder: Output<String>?

A number defining the order of this identity provider in the GUI.

hideOnLoginPage

val hideOnLoginPage: Output<Boolean>?

If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.

val id: Output<String>

internalId

val internalId: Output<String>

Internal Identity Provider Id

linkOnly

val linkOnly: Output<Boolean>?

When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.

loginHint

val loginHint: Output<String>?

nameIdPolicyFormat

val nameIdPolicyFormat: Output<String>?

Specifies the URI reference corresponding to a name identifier format. Defaults to empty.

postBindingAuthnRequest

val postBindingAuthnRequest: Output<Boolean>?

Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.

postBindingLogout

val postBindingLogout: Output<Boolean>?

Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.

postBindingResponse

val postBindingResponse: Output<Boolean>?

Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.

postBrokerLoginFlowAlias

val postBrokerLoginFlowAlias: Output<String>?

Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.

principalAttribute

val principalAttribute: Output<String>?

The principal attribute.

principalType

val principalType: Output<String>?

The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.

providerId

val providerId: Output<String>?

The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.

pulumiChildResources

val pulumiChildResources: Set<KotlinResource>

pulumiResourceName

val pulumiResourceName: String

pulumiResourceType

val pulumiResourceType: String

realm

val realm: Output<String>

The name of the realm. This is unique across Keycloak.

signatureAlgorithm

val signatureAlgorithm: Output<String>?

Signing Algorithm. Defaults to empty.

signingCertificate

val signingCertificate: Output<String>?

Signing Certificate.

singleLogoutServiceUrl

val singleLogoutServiceUrl: Output<String>?

The Url that must be used to send logout requests.

singleSignOnServiceUrl

val singleSignOnServiceUrl: Output<String>

The Url that must be used to send authentication requests (SAML AuthnRequest).

storeToken

val storeToken: Output<Boolean>?

When true, tokens will be stored after authenticating users. Defaults to true.

syncMode

val syncMode: Output<String>?

The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.

trustEmail

val trustEmail: Output<Boolean>?

When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.

urn

val urn: Output<String>

validateSignature

val validateSignature: Output<Boolean>?

Enable/disable signature validation of SAML responses.

wantAssertionsEncrypted

val wantAssertionsEncrypted: Output<Boolean>?

Indicates whether this service provider expects an encrypted Assertion.

wantAssertionsSigned

val wantAssertionsSigned: Output<Boolean>?

Indicates whether this service provider expects a signed Assertion.

xmlSignKeyInfoKeyNameTransformer

val xmlSignKeyInfoKeyNameTransformer: Output<String>?

The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.