Keycloak v6.4.0, Apr 16 25

Keycloak v6.4.0 published on Wednesday, Apr 16, 2025 by Pulumi

keycloak.saml.IdentityProvider

Explore with Pulumi AI

Keycloak v6.4.0 published on Wednesday, Apr 16, 2025 by Pulumi

Example Usage

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as keycloak from "@pulumi/keycloak";

const realm = new keycloak.Realm("realm", {
    realm: "my-realm",
    enabled: true,
});
const realmSamlIdentityProvider = new keycloak.saml.IdentityProvider("realm_saml_identity_provider", {
    realm: realm.id,
    alias: "my-saml-idp",
    entityId: "https://domain.com/entity_id",
    singleSignOnServiceUrl: "https://domain.com/adfs/ls/",
    singleLogoutServiceUrl: "https://domain.com/adfs/ls/?wa=wsignout1.0",
    backchannelSupported: true,
    postBindingResponse: true,
    postBindingLogout: true,
    postBindingAuthnRequest: true,
    storeToken: false,
    trustEmail: true,
    forceAuthn: true,
});

import pulumi
import pulumi_keycloak as keycloak

realm = keycloak.Realm("realm",
    realm="my-realm",
    enabled=True)
realm_saml_identity_provider = keycloak.saml.IdentityProvider("realm_saml_identity_provider",
    realm=realm.id,
    alias="my-saml-idp",
    entity_id="https://domain.com/entity_id",
    single_sign_on_service_url="https://domain.com/adfs/ls/",
    single_logout_service_url="https://domain.com/adfs/ls/?wa=wsignout1.0",
    backchannel_supported=True,
    post_binding_response=True,
    post_binding_logout=True,
    post_binding_authn_request=True,
    store_token=False,
    trust_email=True,
    force_authn=True)

package main

import (
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak"
	"github.com/pulumi/pulumi-keycloak/sdk/v6/go/keycloak/saml"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		realm, err := keycloak.NewRealm(ctx, "realm", &keycloak.RealmArgs{
			Realm:   pulumi.String("my-realm"),
			Enabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = saml.NewIdentityProvider(ctx, "realm_saml_identity_provider", &saml.IdentityProviderArgs{
			Realm:                   realm.ID(),
			Alias:                   pulumi.String("my-saml-idp"),
			EntityId:                pulumi.String("https://domain.com/entity_id"),
			SingleSignOnServiceUrl:  pulumi.String("https://domain.com/adfs/ls/"),
			SingleLogoutServiceUrl:  pulumi.String("https://domain.com/adfs/ls/?wa=wsignout1.0"),
			BackchannelSupported:    pulumi.Bool(true),
			PostBindingResponse:     pulumi.Bool(true),
			PostBindingLogout:       pulumi.Bool(true),
			PostBindingAuthnRequest: pulumi.Bool(true),
			StoreToken:              pulumi.Bool(false),
			TrustEmail:              pulumi.Bool(true),
			ForceAuthn:              pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Keycloak = Pulumi.Keycloak;

return await Deployment.RunAsync(() => 
{
    var realm = new Keycloak.Realm("realm", new()
    {
        RealmName = "my-realm",
        Enabled = true,
    });

    var realmSamlIdentityProvider = new Keycloak.Saml.IdentityProvider("realm_saml_identity_provider", new()
    {
        Realm = realm.Id,
        Alias = "my-saml-idp",
        EntityId = "https://domain.com/entity_id",
        SingleSignOnServiceUrl = "https://domain.com/adfs/ls/",
        SingleLogoutServiceUrl = "https://domain.com/adfs/ls/?wa=wsignout1.0",
        BackchannelSupported = true,
        PostBindingResponse = true,
        PostBindingLogout = true,
        PostBindingAuthnRequest = true,
        StoreToken = false,
        TrustEmail = true,
        ForceAuthn = true,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.keycloak.Realm;
import com.pulumi.keycloak.RealmArgs;
import com.pulumi.keycloak.saml.IdentityProvider;
import com.pulumi.keycloak.saml.IdentityProviderArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var realm = new Realm("realm", RealmArgs.builder()
            .realm("my-realm")
            .enabled(true)
            .build());

        var realmSamlIdentityProvider = new IdentityProvider("realmSamlIdentityProvider", IdentityProviderArgs.builder()
            .realm(realm.id())
            .alias("my-saml-idp")
            .entityId("https://domain.com/entity_id")
            .singleSignOnServiceUrl("https://domain.com/adfs/ls/")
            .singleLogoutServiceUrl("https://domain.com/adfs/ls/?wa=wsignout1.0")
            .backchannelSupported(true)
            .postBindingResponse(true)
            .postBindingLogout(true)
            .postBindingAuthnRequest(true)
            .storeToken(false)
            .trustEmail(true)
            .forceAuthn(true)
            .build());

    }
}

resources:
  realm:
    type: keycloak:Realm
    properties:
      realm: my-realm
      enabled: true
  realmSamlIdentityProvider:
    type: keycloak:saml:IdentityProvider
    name: realm_saml_identity_provider
    properties:
      realm: ${realm.id}
      alias: my-saml-idp
      entityId: https://domain.com/entity_id
      singleSignOnServiceUrl: https://domain.com/adfs/ls/
      singleLogoutServiceUrl: https://domain.com/adfs/ls/?wa=wsignout1.0
      backchannelSupported: true
      postBindingResponse: true
      postBindingLogout: true
      postBindingAuthnRequest: true
      storeToken: false
      trustEmail: true
      forceAuthn: true

Create IdentityProvider Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new IdentityProvider(name: string, args: IdentityProviderArgs, opts?: CustomResourceOptions);

@overload
def IdentityProvider(resource_name: str,
                     args: IdentityProviderArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def IdentityProvider(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     entity_id: Optional[str] = None,
                     alias: Optional[str] = None,
                     single_sign_on_service_url: Optional[str] = None,
                     realm: Optional[str] = None,
                     post_binding_authn_request: Optional[bool] = None,
                     post_broker_login_flow_alias: Optional[str] = None,
                     backchannel_supported: Optional[bool] = None,
                     display_name: Optional[str] = None,
                     enabled: Optional[bool] = None,
                     authn_context_comparison_type: Optional[str] = None,
                     extra_config: Optional[Mapping[str, str]] = None,
                     first_broker_login_flow_alias: Optional[str] = None,
                     force_authn: Optional[bool] = None,
                     gui_order: Optional[str] = None,
                     hide_on_login_page: Optional[bool] = None,
                     link_only: Optional[bool] = None,
                     login_hint: Optional[str] = None,
                     name_id_policy_format: Optional[str] = None,
                     add_read_token_role_on_create: Optional[bool] = None,
                     post_binding_logout: Optional[bool] = None,
                     post_binding_response: Optional[bool] = None,
                     authn_context_decl_refs: Optional[Sequence[str]] = None,
                     principal_attribute: Optional[str] = None,
                     principal_type: Optional[str] = None,
                     provider_id: Optional[str] = None,
                     authn_context_class_refs: Optional[Sequence[str]] = None,
                     signature_algorithm: Optional[str] = None,
                     signing_certificate: Optional[str] = None,
                     single_logout_service_url: Optional[str] = None,
                     authenticate_by_default: Optional[bool] = None,
                     store_token: Optional[bool] = None,
                     sync_mode: Optional[str] = None,
                     trust_email: Optional[bool] = None,
                     validate_signature: Optional[bool] = None,
                     want_assertions_encrypted: Optional[bool] = None,
                     want_assertions_signed: Optional[bool] = None,
                     xml_sign_key_info_key_name_transformer: Optional[str] = None)

func NewIdentityProvider(ctx *Context, name string, args IdentityProviderArgs, opts ...ResourceOption) (*IdentityProvider, error)

public IdentityProvider(string name, IdentityProviderArgs args, CustomResourceOptions? opts = null)

public IdentityProvider(String name, IdentityProviderArgs args)
public IdentityProvider(String name, IdentityProviderArgs args, CustomResourceOptions options)

type: keycloak:saml:IdentityProvider
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args IdentityProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args IdentityProviderArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args IdentityProviderArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args IdentityProviderArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args IdentityProviderArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var keycloakIdentityProviderResource = new Keycloak.Saml.IdentityProvider("keycloakIdentityProviderResource", new()
{
    EntityId = "string",
    Alias = "string",
    SingleSignOnServiceUrl = "string",
    Realm = "string",
    PostBindingAuthnRequest = false,
    PostBrokerLoginFlowAlias = "string",
    BackchannelSupported = false,
    DisplayName = "string",
    Enabled = false,
    AuthnContextComparisonType = "string",
    ExtraConfig = 
    {
        { "string", "string" },
    },
    FirstBrokerLoginFlowAlias = "string",
    ForceAuthn = false,
    GuiOrder = "string",
    HideOnLoginPage = false,
    LinkOnly = false,
    LoginHint = "string",
    NameIdPolicyFormat = "string",
    AddReadTokenRoleOnCreate = false,
    PostBindingLogout = false,
    PostBindingResponse = false,
    AuthnContextDeclRefs = new[]
    {
        "string",
    },
    PrincipalAttribute = "string",
    PrincipalType = "string",
    ProviderId = "string",
    AuthnContextClassRefs = new[]
    {
        "string",
    },
    SignatureAlgorithm = "string",
    SigningCertificate = "string",
    SingleLogoutServiceUrl = "string",
    AuthenticateByDefault = false,
    StoreToken = false,
    SyncMode = "string",
    TrustEmail = false,
    ValidateSignature = false,
    WantAssertionsEncrypted = false,
    WantAssertionsSigned = false,
    XmlSignKeyInfoKeyNameTransformer = "string",
});

example, err := saml.NewIdentityProvider(ctx, "keycloakIdentityProviderResource", &saml.IdentityProviderArgs{
	EntityId:                   pulumi.String("string"),
	Alias:                      pulumi.String("string"),
	SingleSignOnServiceUrl:     pulumi.String("string"),
	Realm:                      pulumi.String("string"),
	PostBindingAuthnRequest:    pulumi.Bool(false),
	PostBrokerLoginFlowAlias:   pulumi.String("string"),
	BackchannelSupported:       pulumi.Bool(false),
	DisplayName:                pulumi.String("string"),
	Enabled:                    pulumi.Bool(false),
	AuthnContextComparisonType: pulumi.String("string"),
	ExtraConfig: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	FirstBrokerLoginFlowAlias: pulumi.String("string"),
	ForceAuthn:                pulumi.Bool(false),
	GuiOrder:                  pulumi.String("string"),
	HideOnLoginPage:           pulumi.Bool(false),
	LinkOnly:                  pulumi.Bool(false),
	LoginHint:                 pulumi.String("string"),
	NameIdPolicyFormat:        pulumi.String("string"),
	AddReadTokenRoleOnCreate:  pulumi.Bool(false),
	PostBindingLogout:         pulumi.Bool(false),
	PostBindingResponse:       pulumi.Bool(false),
	AuthnContextDeclRefs: pulumi.StringArray{
		pulumi.String("string"),
	},
	PrincipalAttribute: pulumi.String("string"),
	PrincipalType:      pulumi.String("string"),
	ProviderId:         pulumi.String("string"),
	AuthnContextClassRefs: pulumi.StringArray{
		pulumi.String("string"),
	},
	SignatureAlgorithm:               pulumi.String("string"),
	SigningCertificate:               pulumi.String("string"),
	SingleLogoutServiceUrl:           pulumi.String("string"),
	AuthenticateByDefault:            pulumi.Bool(false),
	StoreToken:                       pulumi.Bool(false),
	SyncMode:                         pulumi.String("string"),
	TrustEmail:                       pulumi.Bool(false),
	ValidateSignature:                pulumi.Bool(false),
	WantAssertionsEncrypted:          pulumi.Bool(false),
	WantAssertionsSigned:             pulumi.Bool(false),
	XmlSignKeyInfoKeyNameTransformer: pulumi.String("string"),
})

var keycloakIdentityProviderResource = new IdentityProvider("keycloakIdentityProviderResource", IdentityProviderArgs.builder()
    .entityId("string")
    .alias("string")
    .singleSignOnServiceUrl("string")
    .realm("string")
    .postBindingAuthnRequest(false)
    .postBrokerLoginFlowAlias("string")
    .backchannelSupported(false)
    .displayName("string")
    .enabled(false)
    .authnContextComparisonType("string")
    .extraConfig(Map.of("string", "string"))
    .firstBrokerLoginFlowAlias("string")
    .forceAuthn(false)
    .guiOrder("string")
    .hideOnLoginPage(false)
    .linkOnly(false)
    .loginHint("string")
    .nameIdPolicyFormat("string")
    .addReadTokenRoleOnCreate(false)
    .postBindingLogout(false)
    .postBindingResponse(false)
    .authnContextDeclRefs("string")
    .principalAttribute("string")
    .principalType("string")
    .providerId("string")
    .authnContextClassRefs("string")
    .signatureAlgorithm("string")
    .signingCertificate("string")
    .singleLogoutServiceUrl("string")
    .authenticateByDefault(false)
    .storeToken(false)
    .syncMode("string")
    .trustEmail(false)
    .validateSignature(false)
    .wantAssertionsEncrypted(false)
    .wantAssertionsSigned(false)
    .xmlSignKeyInfoKeyNameTransformer("string")
    .build());

keycloak_identity_provider_resource = keycloak.saml.IdentityProvider("keycloakIdentityProviderResource",
    entity_id="string",
    alias="string",
    single_sign_on_service_url="string",
    realm="string",
    post_binding_authn_request=False,
    post_broker_login_flow_alias="string",
    backchannel_supported=False,
    display_name="string",
    enabled=False,
    authn_context_comparison_type="string",
    extra_config={
        "string": "string",
    },
    first_broker_login_flow_alias="string",
    force_authn=False,
    gui_order="string",
    hide_on_login_page=False,
    link_only=False,
    login_hint="string",
    name_id_policy_format="string",
    add_read_token_role_on_create=False,
    post_binding_logout=False,
    post_binding_response=False,
    authn_context_decl_refs=["string"],
    principal_attribute="string",
    principal_type="string",
    provider_id="string",
    authn_context_class_refs=["string"],
    signature_algorithm="string",
    signing_certificate="string",
    single_logout_service_url="string",
    authenticate_by_default=False,
    store_token=False,
    sync_mode="string",
    trust_email=False,
    validate_signature=False,
    want_assertions_encrypted=False,
    want_assertions_signed=False,
    xml_sign_key_info_key_name_transformer="string")

const keycloakIdentityProviderResource = new keycloak.saml.IdentityProvider("keycloakIdentityProviderResource", {
    entityId: "string",
    alias: "string",
    singleSignOnServiceUrl: "string",
    realm: "string",
    postBindingAuthnRequest: false,
    postBrokerLoginFlowAlias: "string",
    backchannelSupported: false,
    displayName: "string",
    enabled: false,
    authnContextComparisonType: "string",
    extraConfig: {
        string: "string",
    },
    firstBrokerLoginFlowAlias: "string",
    forceAuthn: false,
    guiOrder: "string",
    hideOnLoginPage: false,
    linkOnly: false,
    loginHint: "string",
    nameIdPolicyFormat: "string",
    addReadTokenRoleOnCreate: false,
    postBindingLogout: false,
    postBindingResponse: false,
    authnContextDeclRefs: ["string"],
    principalAttribute: "string",
    principalType: "string",
    providerId: "string",
    authnContextClassRefs: ["string"],
    signatureAlgorithm: "string",
    signingCertificate: "string",
    singleLogoutServiceUrl: "string",
    authenticateByDefault: false,
    storeToken: false,
    syncMode: "string",
    trustEmail: false,
    validateSignature: false,
    wantAssertionsEncrypted: false,
    wantAssertionsSigned: false,
    xmlSignKeyInfoKeyNameTransformer: "string",
});

type: keycloak:saml:IdentityProvider
properties:
    addReadTokenRoleOnCreate: false
    alias: string
    authenticateByDefault: false
    authnContextClassRefs:
        - string
    authnContextComparisonType: string
    authnContextDeclRefs:
        - string
    backchannelSupported: false
    displayName: string
    enabled: false
    entityId: string
    extraConfig:
        string: string
    firstBrokerLoginFlowAlias: string
    forceAuthn: false
    guiOrder: string
    hideOnLoginPage: false
    linkOnly: false
    loginHint: string
    nameIdPolicyFormat: string
    postBindingAuthnRequest: false
    postBindingLogout: false
    postBindingResponse: false
    postBrokerLoginFlowAlias: string
    principalAttribute: string
    principalType: string
    providerId: string
    realm: string
    signatureAlgorithm: string
    signingCertificate: string
    singleLogoutServiceUrl: string
    singleSignOnServiceUrl: string
    storeToken: false
    syncMode: string
    trustEmail: false
    validateSignature: false
    wantAssertionsEncrypted: false
    wantAssertionsSigned: false
    xmlSignKeyInfoKeyNameTransformer: string

IdentityProvider Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The IdentityProvider resource accepts the following input properties:

Alias string: The unique name of identity provider.
EntityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
Realm string: The name of the realm. This is unique across Keycloak.
SingleSignOnServiceUrl string: The Url that must be used to send authentication requests (SAML AuthnRequest).
AddReadTokenRoleOnCreate bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
AuthenticateByDefault bool: Authenticate users by default. Defaults to false.
AuthnContextClassRefs List<string>: Ordered list of requested AuthnContext ClassRefs.
AuthnContextComparisonType string: Specifies the comparison method used to evaluate the requested context classes or statements.
AuthnContextDeclRefs List<string>: Ordered list of requested AuthnContext DeclRefs.
BackchannelSupported bool: Does the external IDP support backchannel logout?. Defaults to false.
DisplayName string: The display name for the realm that is shown when logging in to the admin console.
Enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
ExtraConfig Dictionary<string, string>
FirstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
ForceAuthn bool: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
GuiOrder string: A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
LinkOnly bool: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
LoginHint string: Login Hint.
NameIdPolicyFormat string: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
PostBindingAuthnRequest bool: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBindingLogout bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBindingResponse bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
PrincipalAttribute string: The principal attribute.
PrincipalType string: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
ProviderId string: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
SignatureAlgorithm string: Signing Algorithm. Defaults to empty.
SigningCertificate string: Signing Certificate.
SingleLogoutServiceUrl string: The Url that must be used to send logout requests.
StoreToken bool: When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
TrustEmail bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
ValidateSignature bool: Enable/disable signature validation of SAML responses.
WantAssertionsEncrypted bool: Indicates whether this service provider expects an encrypted Assertion.
WantAssertionsSigned bool: Indicates whether this service provider expects a signed Assertion.
XmlSignKeyInfoKeyNameTransformer string: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

Alias string: The unique name of identity provider.
EntityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
Realm string: The name of the realm. This is unique across Keycloak.
SingleSignOnServiceUrl string: The Url that must be used to send authentication requests (SAML AuthnRequest).
AddReadTokenRoleOnCreate bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
AuthenticateByDefault bool: Authenticate users by default. Defaults to false.
AuthnContextClassRefs []string: Ordered list of requested AuthnContext ClassRefs.
AuthnContextComparisonType string: Specifies the comparison method used to evaluate the requested context classes or statements.
AuthnContextDeclRefs []string: Ordered list of requested AuthnContext DeclRefs.
BackchannelSupported bool: Does the external IDP support backchannel logout?. Defaults to false.
DisplayName string: The display name for the realm that is shown when logging in to the admin console.
Enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
ExtraConfig map[string]string
FirstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
ForceAuthn bool: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
GuiOrder string: A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
LinkOnly bool: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
LoginHint string: Login Hint.
NameIdPolicyFormat string: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
PostBindingAuthnRequest bool: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBindingLogout bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBindingResponse bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
PrincipalAttribute string: The principal attribute.
PrincipalType string: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
ProviderId string: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
SignatureAlgorithm string: Signing Algorithm. Defaults to empty.
SigningCertificate string: Signing Certificate.
SingleLogoutServiceUrl string: The Url that must be used to send logout requests.
StoreToken bool: When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
TrustEmail bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
ValidateSignature bool: Enable/disable signature validation of SAML responses.
WantAssertionsEncrypted bool: Indicates whether this service provider expects an encrypted Assertion.
WantAssertionsSigned bool: Indicates whether this service provider expects a signed Assertion.
XmlSignKeyInfoKeyNameTransformer string: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

alias String: The unique name of identity provider.
entityId String: The Entity ID that will be used to uniquely identify this SAML Service Provider.
realm String: The name of the realm. This is unique across Keycloak.
singleSignOnServiceUrl String: The Url that must be used to send authentication requests (SAML AuthnRequest).
addReadTokenRoleOnCreate Boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticateByDefault Boolean: Authenticate users by default. Defaults to false.
authnContextClassRefs List<String>: Ordered list of requested AuthnContext ClassRefs.
authnContextComparisonType String: Specifies the comparison method used to evaluate the requested context classes or statements.
authnContextDeclRefs List<String>: Ordered list of requested AuthnContext DeclRefs.
backchannelSupported Boolean: Does the external IDP support backchannel logout?. Defaults to false.
displayName String: The display name for the realm that is shown when logging in to the admin console.
enabled Boolean: When false, users and clients will not be able to access this realm. Defaults to true.
extraConfig Map<String,String>
firstBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
forceAuthn Boolean: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
guiOrder String: A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
linkOnly Boolean: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint String: Login Hint.
nameIdPolicyFormat String: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
postBindingAuthnRequest Boolean: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingLogout Boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingResponse Boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
principalAttribute String: The principal attribute.
principalType String: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
providerId String: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
signatureAlgorithm String: Signing Algorithm. Defaults to empty.
signingCertificate String: Signing Certificate.
singleLogoutServiceUrl String: The Url that must be used to send logout requests.
storeToken Boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trustEmail Boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
validateSignature Boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted Boolean: Indicates whether this service provider expects an encrypted Assertion.
wantAssertionsSigned Boolean: Indicates whether this service provider expects a signed Assertion.
xmlSignKeyInfoKeyNameTransformer String: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

alias string: The unique name of identity provider.
entityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
realm string: The name of the realm. This is unique across Keycloak.
singleSignOnServiceUrl string: The Url that must be used to send authentication requests (SAML AuthnRequest).
addReadTokenRoleOnCreate boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticateByDefault boolean: Authenticate users by default. Defaults to false.
authnContextClassRefs string[]: Ordered list of requested AuthnContext ClassRefs.
authnContextComparisonType string: Specifies the comparison method used to evaluate the requested context classes or statements.
authnContextDeclRefs string[]: Ordered list of requested AuthnContext DeclRefs.
backchannelSupported boolean: Does the external IDP support backchannel logout?. Defaults to false.
displayName string: The display name for the realm that is shown when logging in to the admin console.
enabled boolean: When false, users and clients will not be able to access this realm. Defaults to true.
extraConfig {[key: string]: string}
firstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
forceAuthn boolean: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
guiOrder string: A number defining the order of this identity provider in the GUI.
hideOnLoginPage boolean: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
linkOnly boolean: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint string: Login Hint.
nameIdPolicyFormat string: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
postBindingAuthnRequest boolean: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingLogout boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingResponse boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
principalAttribute string: The principal attribute.
principalType string: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
providerId string: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
signatureAlgorithm string: Signing Algorithm. Defaults to empty.
signingCertificate string: Signing Certificate.
singleLogoutServiceUrl string: The Url that must be used to send logout requests.
storeToken boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trustEmail boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
validateSignature boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted boolean: Indicates whether this service provider expects an encrypted Assertion.
wantAssertionsSigned boolean: Indicates whether this service provider expects a signed Assertion.
xmlSignKeyInfoKeyNameTransformer string: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

alias str: The unique name of identity provider.
entity_id str: The Entity ID that will be used to uniquely identify this SAML Service Provider.
realm str: The name of the realm. This is unique across Keycloak.
single_sign_on_service_url str: The Url that must be used to send authentication requests (SAML AuthnRequest).
add_read_token_role_on_create bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticate_by_default bool: Authenticate users by default. Defaults to false.
authn_context_class_refs Sequence[str]: Ordered list of requested AuthnContext ClassRefs.
authn_context_comparison_type str: Specifies the comparison method used to evaluate the requested context classes or statements.
authn_context_decl_refs Sequence[str]: Ordered list of requested AuthnContext DeclRefs.
backchannel_supported bool: Does the external IDP support backchannel logout?. Defaults to false.
display_name str: The display name for the realm that is shown when logging in to the admin console.
enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
extra_config Mapping[str, str]
first_broker_login_flow_alias str: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
force_authn bool: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
gui_order str: A number defining the order of this identity provider in the GUI.
hide_on_login_page bool: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
link_only bool: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
login_hint str: Login Hint.
name_id_policy_format str: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
post_binding_authn_request bool: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
post_binding_logout bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
post_binding_response bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
post_broker_login_flow_alias str: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
principal_attribute str: The principal attribute.
principal_type str: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
provider_id str: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
signature_algorithm str: Signing Algorithm. Defaults to empty.
signing_certificate str: Signing Certificate.
single_logout_service_url str: The Url that must be used to send logout requests.
store_token bool: When true, tokens will be stored after authenticating users. Defaults to true.
sync_mode str: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trust_email bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
validate_signature bool: Enable/disable signature validation of SAML responses.
want_assertions_encrypted bool: Indicates whether this service provider expects an encrypted Assertion.
want_assertions_signed bool: Indicates whether this service provider expects a signed Assertion.
xml_sign_key_info_key_name_transformer str: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

alias String: The unique name of identity provider.
entityId String: The Entity ID that will be used to uniquely identify this SAML Service Provider.
realm String: The name of the realm. This is unique across Keycloak.
singleSignOnServiceUrl String: The Url that must be used to send authentication requests (SAML AuthnRequest).
addReadTokenRoleOnCreate Boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
authenticateByDefault Boolean: Authenticate users by default. Defaults to false.
authnContextClassRefs List<String>: Ordered list of requested AuthnContext ClassRefs.
authnContextComparisonType String: Specifies the comparison method used to evaluate the requested context classes or statements.
authnContextDeclRefs List<String>: Ordered list of requested AuthnContext DeclRefs.
backchannelSupported Boolean: Does the external IDP support backchannel logout?. Defaults to false.
displayName String: The display name for the realm that is shown when logging in to the admin console.
enabled Boolean: When false, users and clients will not be able to access this realm. Defaults to true.
extraConfig Map<String>
firstBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
forceAuthn Boolean: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
guiOrder String: A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
linkOnly Boolean: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint String: Login Hint.
nameIdPolicyFormat String: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
postBindingAuthnRequest Boolean: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingLogout Boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingResponse Boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
principalAttribute String: The principal attribute.
principalType String: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
providerId String: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
signatureAlgorithm String: Signing Algorithm. Defaults to empty.
signingCertificate String: Signing Certificate.
singleLogoutServiceUrl String: The Url that must be used to send logout requests.
storeToken Boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trustEmail Boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
validateSignature Boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted Boolean: Indicates whether this service provider expects an encrypted Assertion.
wantAssertionsSigned Boolean: Indicates whether this service provider expects a signed Assertion.
xmlSignKeyInfoKeyNameTransformer String: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

Outputs

All input properties are implicitly available as output properties. Additionally, the IdentityProvider resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
InternalId string: Internal Identity Provider Id

Id string: The provider-assigned unique ID for this managed resource.
InternalId string: Internal Identity Provider Id

id String: The provider-assigned unique ID for this managed resource.
internalId String: Internal Identity Provider Id

id string: The provider-assigned unique ID for this managed resource.
internalId string: Internal Identity Provider Id

id str: The provider-assigned unique ID for this managed resource.
internal_id str: Internal Identity Provider Id

id String: The provider-assigned unique ID for this managed resource.
internalId String: Internal Identity Provider Id

Look up Existing IdentityProvider Resource

Get an existing IdentityProvider resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: IdentityProviderState, opts?: CustomResourceOptions): IdentityProvider

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        add_read_token_role_on_create: Optional[bool] = None,
        alias: Optional[str] = None,
        authenticate_by_default: Optional[bool] = None,
        authn_context_class_refs: Optional[Sequence[str]] = None,
        authn_context_comparison_type: Optional[str] = None,
        authn_context_decl_refs: Optional[Sequence[str]] = None,
        backchannel_supported: Optional[bool] = None,
        display_name: Optional[str] = None,
        enabled: Optional[bool] = None,
        entity_id: Optional[str] = None,
        extra_config: Optional[Mapping[str, str]] = None,
        first_broker_login_flow_alias: Optional[str] = None,
        force_authn: Optional[bool] = None,
        gui_order: Optional[str] = None,
        hide_on_login_page: Optional[bool] = None,
        internal_id: Optional[str] = None,
        link_only: Optional[bool] = None,
        login_hint: Optional[str] = None,
        name_id_policy_format: Optional[str] = None,
        post_binding_authn_request: Optional[bool] = None,
        post_binding_logout: Optional[bool] = None,
        post_binding_response: Optional[bool] = None,
        post_broker_login_flow_alias: Optional[str] = None,
        principal_attribute: Optional[str] = None,
        principal_type: Optional[str] = None,
        provider_id: Optional[str] = None,
        realm: Optional[str] = None,
        signature_algorithm: Optional[str] = None,
        signing_certificate: Optional[str] = None,
        single_logout_service_url: Optional[str] = None,
        single_sign_on_service_url: Optional[str] = None,
        store_token: Optional[bool] = None,
        sync_mode: Optional[str] = None,
        trust_email: Optional[bool] = None,
        validate_signature: Optional[bool] = None,
        want_assertions_encrypted: Optional[bool] = None,
        want_assertions_signed: Optional[bool] = None,
        xml_sign_key_info_key_name_transformer: Optional[str] = None) -> IdentityProvider

func GetIdentityProvider(ctx *Context, name string, id IDInput, state *IdentityProviderState, opts ...ResourceOption) (*IdentityProvider, error)

public static IdentityProvider Get(string name, Input<string> id, IdentityProviderState? state, CustomResourceOptions? opts = null)

public static IdentityProvider get(String name, Output<String> id, IdentityProviderState state, CustomResourceOptions options)

resources:  _:    type: keycloak:saml:IdentityProvider    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AddReadTokenRoleOnCreate bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
Alias string: The unique name of identity provider.
AuthenticateByDefault bool: Authenticate users by default. Defaults to false.
AuthnContextClassRefs List<string>: Ordered list of requested AuthnContext ClassRefs.
AuthnContextComparisonType string: Specifies the comparison method used to evaluate the requested context classes or statements.
AuthnContextDeclRefs List<string>: Ordered list of requested AuthnContext DeclRefs.
BackchannelSupported bool: Does the external IDP support backchannel logout?. Defaults to false.
DisplayName string: The display name for the realm that is shown when logging in to the admin console.
Enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
EntityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
ExtraConfig Dictionary<string, string>
FirstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
ForceAuthn bool: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
GuiOrder string: A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
InternalId string: Internal Identity Provider Id
LinkOnly bool: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
LoginHint string: Login Hint.
NameIdPolicyFormat string: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
PostBindingAuthnRequest bool: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBindingLogout bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBindingResponse bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
PrincipalAttribute string: The principal attribute.
PrincipalType string: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
ProviderId string: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
Realm string: The name of the realm. This is unique across Keycloak.
SignatureAlgorithm string: Signing Algorithm. Defaults to empty.
SigningCertificate string: Signing Certificate.
SingleLogoutServiceUrl string: The Url that must be used to send logout requests.
SingleSignOnServiceUrl string: The Url that must be used to send authentication requests (SAML AuthnRequest).
StoreToken bool: When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
TrustEmail bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
ValidateSignature bool: Enable/disable signature validation of SAML responses.
WantAssertionsEncrypted bool: Indicates whether this service provider expects an encrypted Assertion.
WantAssertionsSigned bool: Indicates whether this service provider expects a signed Assertion.
XmlSignKeyInfoKeyNameTransformer string: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

AddReadTokenRoleOnCreate bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
Alias string: The unique name of identity provider.
AuthenticateByDefault bool: Authenticate users by default. Defaults to false.
AuthnContextClassRefs []string: Ordered list of requested AuthnContext ClassRefs.
AuthnContextComparisonType string: Specifies the comparison method used to evaluate the requested context classes or statements.
AuthnContextDeclRefs []string: Ordered list of requested AuthnContext DeclRefs.
BackchannelSupported bool: Does the external IDP support backchannel logout?. Defaults to false.
DisplayName string: The display name for the realm that is shown when logging in to the admin console.
Enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
EntityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
ExtraConfig map[string]string
FirstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
ForceAuthn bool: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
GuiOrder string: A number defining the order of this identity provider in the GUI.
HideOnLoginPage bool: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
InternalId string: Internal Identity Provider Id
LinkOnly bool: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
LoginHint string: Login Hint.
NameIdPolicyFormat string: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
PostBindingAuthnRequest bool: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBindingLogout bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBindingResponse bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
PostBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
PrincipalAttribute string: The principal attribute.
PrincipalType string: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
ProviderId string: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
Realm string: The name of the realm. This is unique across Keycloak.
SignatureAlgorithm string: Signing Algorithm. Defaults to empty.
SigningCertificate string: Signing Certificate.
SingleLogoutServiceUrl string: The Url that must be used to send logout requests.
SingleSignOnServiceUrl string: The Url that must be used to send authentication requests (SAML AuthnRequest).
StoreToken bool: When true, tokens will be stored after authenticating users. Defaults to true.
SyncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
TrustEmail bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
ValidateSignature bool: Enable/disable signature validation of SAML responses.
WantAssertionsEncrypted bool: Indicates whether this service provider expects an encrypted Assertion.
WantAssertionsSigned bool: Indicates whether this service provider expects a signed Assertion.
XmlSignKeyInfoKeyNameTransformer string: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

addReadTokenRoleOnCreate Boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias String: The unique name of identity provider.
authenticateByDefault Boolean: Authenticate users by default. Defaults to false.
authnContextClassRefs List<String>: Ordered list of requested AuthnContext ClassRefs.
authnContextComparisonType String: Specifies the comparison method used to evaluate the requested context classes or statements.
authnContextDeclRefs List<String>: Ordered list of requested AuthnContext DeclRefs.
backchannelSupported Boolean: Does the external IDP support backchannel logout?. Defaults to false.
displayName String: The display name for the realm that is shown when logging in to the admin console.
enabled Boolean: When false, users and clients will not be able to access this realm. Defaults to true.
entityId String: The Entity ID that will be used to uniquely identify this SAML Service Provider.
extraConfig Map<String,String>
firstBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
forceAuthn Boolean: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
guiOrder String: A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
internalId String: Internal Identity Provider Id
linkOnly Boolean: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint String: Login Hint.
nameIdPolicyFormat String: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
postBindingAuthnRequest Boolean: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingLogout Boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingResponse Boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
principalAttribute String: The principal attribute.
principalType String: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
providerId String: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
realm String: The name of the realm. This is unique across Keycloak.
signatureAlgorithm String: Signing Algorithm. Defaults to empty.
signingCertificate String: Signing Certificate.
singleLogoutServiceUrl String: The Url that must be used to send logout requests.
singleSignOnServiceUrl String: The Url that must be used to send authentication requests (SAML AuthnRequest).
storeToken Boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trustEmail Boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
validateSignature Boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted Boolean: Indicates whether this service provider expects an encrypted Assertion.
wantAssertionsSigned Boolean: Indicates whether this service provider expects a signed Assertion.
xmlSignKeyInfoKeyNameTransformer String: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

addReadTokenRoleOnCreate boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias string: The unique name of identity provider.
authenticateByDefault boolean: Authenticate users by default. Defaults to false.
authnContextClassRefs string[]: Ordered list of requested AuthnContext ClassRefs.
authnContextComparisonType string: Specifies the comparison method used to evaluate the requested context classes or statements.
authnContextDeclRefs string[]: Ordered list of requested AuthnContext DeclRefs.
backchannelSupported boolean: Does the external IDP support backchannel logout?. Defaults to false.
displayName string: The display name for the realm that is shown when logging in to the admin console.
enabled boolean: When false, users and clients will not be able to access this realm. Defaults to true.
entityId string: The Entity ID that will be used to uniquely identify this SAML Service Provider.
extraConfig {[key: string]: string}
firstBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
forceAuthn boolean: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
guiOrder string: A number defining the order of this identity provider in the GUI.
hideOnLoginPage boolean: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
internalId string: Internal Identity Provider Id
linkOnly boolean: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint string: Login Hint.
nameIdPolicyFormat string: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
postBindingAuthnRequest boolean: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingLogout boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingResponse boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBrokerLoginFlowAlias string: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
principalAttribute string: The principal attribute.
principalType string: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
providerId string: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
realm string: The name of the realm. This is unique across Keycloak.
signatureAlgorithm string: Signing Algorithm. Defaults to empty.
signingCertificate string: Signing Certificate.
singleLogoutServiceUrl string: The Url that must be used to send logout requests.
singleSignOnServiceUrl string: The Url that must be used to send authentication requests (SAML AuthnRequest).
storeToken boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode string: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trustEmail boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
validateSignature boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted boolean: Indicates whether this service provider expects an encrypted Assertion.
wantAssertionsSigned boolean: Indicates whether this service provider expects a signed Assertion.
xmlSignKeyInfoKeyNameTransformer string: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

add_read_token_role_on_create bool: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias str: The unique name of identity provider.
authenticate_by_default bool: Authenticate users by default. Defaults to false.
authn_context_class_refs Sequence[str]: Ordered list of requested AuthnContext ClassRefs.
authn_context_comparison_type str: Specifies the comparison method used to evaluate the requested context classes or statements.
authn_context_decl_refs Sequence[str]: Ordered list of requested AuthnContext DeclRefs.
backchannel_supported bool: Does the external IDP support backchannel logout?. Defaults to false.
display_name str: The display name for the realm that is shown when logging in to the admin console.
enabled bool: When false, users and clients will not be able to access this realm. Defaults to true.
entity_id str: The Entity ID that will be used to uniquely identify this SAML Service Provider.
extra_config Mapping[str, str]
first_broker_login_flow_alias str: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
force_authn bool: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
gui_order str: A number defining the order of this identity provider in the GUI.
hide_on_login_page bool: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
internal_id str: Internal Identity Provider Id
link_only bool: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
login_hint str: Login Hint.
name_id_policy_format str: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
post_binding_authn_request bool: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
post_binding_logout bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
post_binding_response bool: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
post_broker_login_flow_alias str: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
principal_attribute str: The principal attribute.
principal_type str: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
provider_id str: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
realm str: The name of the realm. This is unique across Keycloak.
signature_algorithm str: Signing Algorithm. Defaults to empty.
signing_certificate str: Signing Certificate.
single_logout_service_url str: The Url that must be used to send logout requests.
single_sign_on_service_url str: The Url that must be used to send authentication requests (SAML AuthnRequest).
store_token bool: When true, tokens will be stored after authenticating users. Defaults to true.
sync_mode str: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trust_email bool: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
validate_signature bool: Enable/disable signature validation of SAML responses.
want_assertions_encrypted bool: Indicates whether this service provider expects an encrypted Assertion.
want_assertions_signed bool: Indicates whether this service provider expects a signed Assertion.
xml_sign_key_info_key_name_transformer str: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

addReadTokenRoleOnCreate Boolean: When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
alias String: The unique name of identity provider.
authenticateByDefault Boolean: Authenticate users by default. Defaults to false.
authnContextClassRefs List<String>: Ordered list of requested AuthnContext ClassRefs.
authnContextComparisonType String: Specifies the comparison method used to evaluate the requested context classes or statements.
authnContextDeclRefs List<String>: Ordered list of requested AuthnContext DeclRefs.
backchannelSupported Boolean: Does the external IDP support backchannel logout?. Defaults to false.
displayName String: The display name for the realm that is shown when logging in to the admin console.
enabled Boolean: When false, users and clients will not be able to access this realm. Defaults to true.
entityId String: The Entity ID that will be used to uniquely identify this SAML Service Provider.
extraConfig Map<String>
firstBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
forceAuthn Boolean: Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
guiOrder String: A number defining the order of this identity provider in the GUI.
hideOnLoginPage Boolean: If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
internalId String: Internal Identity Provider Id
linkOnly Boolean: When true, users cannot log in using this provider, but their existing accounts will be linked when possible. Defaults to false.
loginHint String: Login Hint.
nameIdPolicyFormat String: Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
postBindingAuthnRequest Boolean: Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingLogout Boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBindingResponse Boolean: Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
postBrokerLoginFlowAlias String: Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
principalAttribute String: The principal attribute.
principalType String: The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
providerId String: The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
realm String: The name of the realm. This is unique across Keycloak.
signatureAlgorithm String: Signing Algorithm. Defaults to empty.
signingCertificate String: Signing Certificate.
singleLogoutServiceUrl String: The Url that must be used to send logout requests.
singleSignOnServiceUrl String: The Url that must be used to send authentication requests (SAML AuthnRequest).
storeToken Boolean: When true, tokens will be stored after authenticating users. Defaults to true.
syncMode String: The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
trustEmail Boolean: When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
validateSignature Boolean: Enable/disable signature validation of SAML responses.
wantAssertionsEncrypted Boolean: Indicates whether this service provider expects an encrypted Assertion.
wantAssertionsSigned Boolean: Indicates whether this service provider expects a signed Assertion.
xmlSignKeyInfoKeyNameTransformer String: The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.

Import

Identity providers can be imported using the format {{realm_id}}/{{idp_alias}}, where idp_alias is the identity provider alias.

Example:

bash

$ pulumi import keycloak:saml/identityProvider:IdentityProvider realm_saml_identity_provider my-realm/my-saml-idp

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Keycloak pulumi/pulumi-keycloak
License: Apache-2.0
Notes: This Pulumi package is based on the keycloak Terraform Provider.

Keycloak v6.4.0 published on Wednesday, Apr 16, 2025 by Pulumi

pulumi/pulumi-keycloak

keycloak.saml.IdentityProvider

On this page

On this page

Example Usage

Create IdentityProvider Resource

Constructor syntax

Parameters

Constructor example

IdentityProvider Resource Properties

Inputs

Outputs

Look up Existing IdentityProvider Resource

Import

Package Details

On this page

On this page