REFERENCE.md
Reference

Table of Contents

Classes

Public Classes

Private Classes

  • keycloak::datasource::mysql: Manage MySQL datasource
  • keycloak::datasource::oracle: Manage Oracle datasource
  • keycloak::datasource::postgresql: Manage postgresql datasource
  • keycloak::resources: Define Keycloak resources

Defined types

Resource types

Classes

keycloak

Manage Keycloak

Examples

include ::keycloak

Parameters

The following parameters are available in the keycloak class.

manage_install

Data type: Boolean

Install Keycloak from upstream Keycloak tarball. Set to false to manage installation of Keycloak outside this module and set $install_dir to match. Defaults to true.

Default value: true

version

Data type: String

Version of Keycloak to install and manage.

Default value: '8.0.1'

package_url

Data type: Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]

URL of the Keycloak download. Default is based on version.

Default value: undef

install_dir

Data type: Optional[Stdlib::Absolutepath]

The directory of where to install Keycloak. Default is /opt/keycloak-${version}.

Default value: undef

service_name

Data type: String

Keycloak service name. Default is keycloak.

Default value: 'keycloak'

service_ensure

Data type: String

Keycloak service ensure property. Default is running.

Default value: 'running'

service_enable

Data type: Boolean

Keycloak service enable property. Default is true.

Default value: true

service_hasstatus

Data type: Boolean

Keycloak service hasstatus parameter. Default is true.

Default value: true

service_hasrestart

Data type: Boolean

Keycloak service hasrestart parameter. Default is true.

Default value: true

service_bind_address

Data type: Stdlib::IP::Address

Bind address for Keycloak service. Default is '0.0.0.0'.

Default value: '0.0.0.0'

java_opts

Data type: Optional[Variant[String, Array]]

Sets additional options to Java virtual machine environment variable.

Default value: undef

java_opts_append

Data type: Boolean

Determines if the existing $JAVA_OPTS should be appended to when setting the java_opts parameter.

Default value: true

service_extra_opts

Data type: Optional[String]

Additional options added to the end of the service command-line.

Default value: undef

manage_user

Data type: Boolean

Determines if the module should manage the Linux user for the Keycloak installation.

Default value: true

user

Data type: String

Keycloak user name. Default is keycloak.

Default value: 'keycloak'

user_shell

Data type: Stdlib::Absolutepath

Keycloak user shell.

Default value: '/sbin/nologin'

group

Data type: String

Keycloak user group name. Default is keycloak.

Default value: 'keycloak'

user_uid

Data type: Optional[Integer]

Keycloak user UID. Default is undef.

Default value: undef

group_gid

Data type: Optional[Integer]

Keycloak user group GID. Default is undef.

Default value: undef

admin_user

Data type: String

Keycloak administrative username. Default is admin.

Default value: 'admin'

admin_user_password

Data type: String

Keycloak administrative user password. Default is changeme.

Default value: 'changeme'

manage_datasource

Data type: Boolean

Boolean that determines if configured datasource will be managed. Default is true.

Default value: true

datasource_driver

Data type: Enum['h2', 'mysql', 'oracle', 'postgresql']

Datasource driver to use for Keycloak. Valid values are 'h2', 'mysql', 'oracle' and 'postgresql'. Default is 'h2'.

Default value: 'h2'

datasource_host

Data type: Optional[String]

Datasource host. Only used when datasource_driver is 'mysql', 'oracle' or 'postgresql'. Default is localhost for MySQL.

Default value: undef

datasource_port

Data type: Optional[Integer]

Datasource port. Only used when datasource_driver is 'mysql', 'oracle' or 'postgresql'. Default is 3306 for MySQL.

Default value: undef

datasource_url

Data type: Optional[String]

Datasource url. Default datasource URLs are defined in init class.

Default value: undef

datasource_dbname

Data type: String

Datasource database name. Default is keycloak.

Default value: 'keycloak'

datasource_username

Data type: String

Datasource user name. Default is sa.

Default value: 'sa'

datasource_password

Data type: String

Datasource user password. Default is sa.

Default value: 'sa'

datasource_package

Data type: Optional[String]

Package to add specified datasource support

Default value: undef

datasource_jar_source

Data type: Optional[String]

Source for the datasource JDBC driver; this can be a puppet:// URL or a local file on the node. Default depends on the value of datasource_driver. This parameter is required if datasource_driver is oracle.

Default value: undef

datasource_module_source

Data type: Optional[String]

Source for datasource module.xml. Default depends on datasource_driver.

Default value: undef

datasource_xa_class

Data type: Optional[String]

MySQL Connector/J JDBC driver xa-datasource class name

Default value: undef

proxy_https

Data type: Boolean

Boolean that sets if HTTPS proxy should be enabled. Set to true if proxying traffic through Apache. Default is false.

Default value: false

truststore

Data type: Boolean

Boolean that sets if truststore should be used. Default is false.

Default value: false

truststore_hosts

Data type: Hash

Hash that is used to define keycloak::truststore::host resources. Default is {}.

Default value: {}

truststore_password

Data type: String

Truststore password. Default is keycloak.

Default value: 'keycloak'

truststore_hostname_verification_policy

Data type: Enum['WILDCARD', 'STRICT', 'ANY']

Valid values are WILDCARD, STRICT, and ANY. Default is WILDCARD.

Default value: 'WILDCARD'

http_port

Data type: Integer

HTTP port used by Keycloak. Default is 8080.

Default value: 8080

theme_static_max_age

Data type: Integer

Max cache age in seconds of static content. Default is 2592000.

Default value: 2592000

theme_cache_themes

Data type: Boolean

Boolean that sets if themes should be cached. Default is true.

Default value: true

theme_cache_templates

Data type: Boolean

Boolean that sets if templates should be cached. Default is true.

Default value: true

realms

Data type: Hash

Hash that is used to define keycloak_realm resources. Default is {}.

Default value: {}

realms_merge

Data type: Boolean

Boolean that sets if realms should be merged from Hiera.

Default value: false

oidc_client_scopes

Data type: Hash

Hash that is used to define keycloak::client_scope::oidc resources. Default is {}.

Default value: {}

oidc_client_scopes_merge

Data type: Boolean

Boolean that sets if oidc_client_scopes should be merged from Hiera.

Default value: false

saml_client_scopes

Data type: Hash

Hash that is used to define keycloak::client_scope::saml resources. Default is {}.

Default value: {}

saml_client_scopes_merge

Data type: Boolean

Boolean that sets if saml_client_scopes should be merged from Hiera.

Default value: false

identity_providers

Data type: Hash

Hash that is used to define keycloak_identity_provider resources.

Default value: {}

identity_providers_merge

Data type: Boolean

Boolean that sets if identity_providers should be merged from Hiera.

Default value: false

client_scopes

Data type: Hash

Hash that is used to define keycloak_client_scope resources.

Default value: {}

client_scopes_merge

Data type: Boolean

Boolean that sets if client_scopes should be merged from Hiera.

Default value: false

protocol_mappers

Data type: Hash

Hash that is used to define keycloak_protocol_mapper resources.

Default value: {}

protocol_mappers_merge

Data type: Boolean

Boolean that sets if protocol_mappers should be merged from Hiera.

Default value: false

clients

Data type: Hash

Hash that is used to define keycloak_client resources.

Default value: {}

clients_merge

Data type: Boolean

Boolean that sets if clients should be merged from Hiera.

Default value: false

flows

Data type: Hash

Hash that is used to define keycloak_flow resources.

Default value: {}

flows_merge

Data type: Boolean

Boolean that sets if flows should be merged from Hiera.

Default value: false

flow_executions

Data type: Hash

Hash that is used to define keycloak_flow_execution resources.

Default value: {}

flow_executions_merge

Data type: Boolean

Boolean that sets if flow_executions should be merged from Hiera.

Default value: false

with_sssd_support

Data type: Boolean

Boolean that determines if SSSD user provider support should be available

Default value: false

libunix_dbus_java_source

Data type: Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]

Source URL of libunix-dbus-java

Default value: 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz'

install_libunix_dbus_java_build_dependencies

Data type: Boolean

Boolean that determines if libunix-dbus-java build dependencies are managed by this module.

Default value: true

libunix_dbus_java_build_dependencies

Data type: Array

Packages needed to build libunix-dbus-java

Default value: []

libunix_dbus_java_libdir

Data type: Stdlib::Absolutepath

Path to directory to install libunix-dbus-java libraries

Default value: '/usr/lib64'

jna_package_name

Data type: String

Package name for jna

Default value: 'jna'

manage_sssd_config

Data type: Boolean

Boolean that determines if SSSD ifp config for Keycloak is managed

Default value: true

sssd_ifp_user_attributes

Data type: Array

user_attributes to define for SSSD ifp service

Default value: []

restart_sssd

Data type: Boolean

Boolean that determines if SSSD should be restarted

Default value: true

service_environment_file

Data type: Optional[Stdlib::Absolutepath]

Path to the file with environment variables for the systemd service

Default value: undef

operating_mode

Data type: Enum['standalone', 'clustered']

Keycloak operating mode deployment

Default value: 'standalone'

enable_jdbc_ping

Data type: Boolean

Use JDBC_PING to discover the nodes and manage the replication of data. More info: http://jgroups.org/manual/#_jdbc_ping. Only applies when operating_mode is clustered. JDBC_PING uses port 7600 to ensure cluster members are discoverable by each other. This module does not manage firewall changes.

Default value: false

jboss_bind_public_address

Data type: Stdlib::IP::Address

JBoss bind public IP address

Default value: $facts['networking']['ip']

jboss_bind_private_address

Data type: Stdlib::IP::Address

JBoss bind private IP address

Default value: $facts['networking']['ip']

user_cache

Data type: Boolean

Boolean that determines if userCache is enabled

Default value: true

tech_preview_features

Data type: Array

List of technology preview features to enable.

Default value: []

auto_deploy_exploded

Data type: Boolean

Set if exploded deployments will be auto deployed.

Default value: false

auto_deploy_zipped

Data type: Boolean

Set if zipped deployments will be auto deployed

Default value: true

spi_deployments

Data type: Hash

Hash used to define keycloak::spi_deployment resources

Default value: {}

custom_config_content

Data type: Optional[String]

Custom configuration content to be added to config.cli

Default value: undef

custom_config_source

Data type: Optional[Variant[String, Array]]

Custom configuration source file to be added to config.cli

Default value: undef
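The parameters above ship with defaults that are convenient for a first install but unsafe for anything reachable: the admin console password is 'changeme', the datasource credentials are 'sa'/'sa', the embedded h2 database is used, and the service binds to 0.0.0.0. The declaration below is an added example, not from the module's own documentation; the hostnames and the *_PLACEHOLDER strings are assumptions for illustration and the real values belong in Hiera (preferably an encrypted backend), not in the manifest.

```puppet
# Added example: a keycloak class declaration that overrides the weak
# documented defaults. Every parameter used here is documented above.
class { 'keycloak':
  version              => '8.0.1',
  # The documented defaults are 'admin'/'changeme' for the admin console and
  # 'sa'/'sa' for the datasource; never leave either on a reachable server.
  admin_user           => 'admin',
  admin_user_password  => 'ADMIN_PASSWORD_PLACEHOLDER',
  # External PostgreSQL instead of the embedded h2 store (host is illustrative).
  datasource_driver    => 'postgresql',
  datasource_host      => 'db.example.com',
  datasource_port      => 5432,
  datasource_dbname    => 'keycloak',
  datasource_username  => 'keycloak',
  datasource_password  => 'DB_PASSWORD_PLACEHOLDER',
  # TLS is terminated on an Apache reverse proxy on the same host, so tell
  # Keycloak it is proxied and bind the plain-HTTP listener to loopback only.
  proxy_https          => true,
  service_bind_address => '127.0.0.1',
  http_port            => 8080,
  # Load the LDAP server certificate into a truststore so outbound LDAPS
  # connections are verified instead of accepting whatever is presented.
  truststore           => true,
  truststore_password  => 'TRUSTSTORE_PASSWORD_PLACEHOLDER',
  truststore_hosts     => {
    'ldap1.example.com' => {
      'certificate' => '/etc/openldap/certs/ldap1.example.com.pem',
    },
  },
}
```

Because the class parameters are looked up automatically from Hiera, the same result can be reached with `include ::keycloak` and the keys `keycloak::admin_user_password`, `keycloak::datasource_password` and so on set in encrypted Hiera data; the resource-style declaration is shown only to keep the example self-contained.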

keycloak::config

Private class.

keycloak::datasource::h2

Private class.

keycloak::install

Private class.

keycloak::service

Private class.

keycloak::sssd

Private class.

Defined types

keycloak::client_scope::oidc

Manage Keycloak OpenID Connect client scope using built-in mappers

Examples

keycloak::client_scope::oidc { 'oidc-clients':
  realm => 'test',
}

Parameters

The following parameters are available in the keycloak::client_scope::oidc defined type.

realm

Data type: String

Realm of the client scope.

resource_name

Data type: String

Name of the client scope resource

Default value: $name

keycloak::client_scope::saml

Manage Keycloak SAML client scope using built-in mappers

Examples

keycloak::client_scope::saml { 'saml-clients':
  realm => 'test',
}

Parameters

The following parameters are available in the keycloak::client_scope::saml defined type.

realm

Data type: String

Realm of the client scope.

resource_name

Data type: String

Name of the client scope resource

Default value: $name

keycloak::spi_deployment


Examples

Add Duo SPI
keycloak::spi_deployment { 'duo-spi':
  ensure        => 'present',
  deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
  source        => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
}
Add Duo SPI and check the API for the existence of its resources before going on to dependent resources
keycloak::spi_deployment { 'duo-spi':
  deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
  source        => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
  test_url      => 'authentication/authenticator-providers',
  test_key      => 'id',
  test_value    => 'duo-mfa-authenticator',
  test_realm    => 'test',
  before        => Keycloak_flow_execution['duo-mfa-authenticator under form-browser-with-duo on test'],
}

Parameters

The following parameters are available in the keycloak::spi_deployment defined type.

ensure

Data type: Enum['present', 'absent']

State of the deployment

Default value: 'present'

deployed_name

Data type: String[1]

Name of the file to be deployed. Defaults to $name.

Default value: $name

source

Data type: Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]

Source of the deployment, supports 'file://', 'puppet://', 'https://' or 'http://'

test_url

Data type: Optional[String]

URL to test for existence of resources created by this SPI

Default value: undef

test_key

Data type: Optional[String]

Key of resource when testing for resource created by this SPI

Default value: undef

test_value

Data type: Optional[String]

Value of the test_key when testing for resources created by this SPI

Default value: undef

test_realm

Data type: Optional[String]

Realm to query when looking for resources created by this SPI

Default value: undef

keycloak::truststore::host

Add host to Keycloak truststore

Examples

keycloak::truststore::host { 'ldap1.example.com':
  certificate => '/etc/openldap/certs/0a00000.0',
}

Parameters

The following parameters are available in the keycloak::truststore::host defined type.

certificate

Data type: String

Path to host certificate

ensure

Data type: Enum['latest', 'present', 'absent']

Host ensure value passed to java_ks resource.

Default value: 'latest'

Resource types

keycloak_api

Type that configures API connection parameters for other keycloak types that use the Keycloak API.

Examples

Define API access
keycloak_api { 'keycloak':
  install_dir  => '/opt/keycloak',
  server       => 'http://localhost:8080/auth',
  realm        => 'master',
  user         => 'admin',
  password     => 'changeme',
}

Parameters

The following parameters are available in the keycloak_api type.

name

namevar

Keycloak API config

install_dir

Install location of Keycloak

Default value: /opt/keycloak

server

Auth URL for Keycloak server

Default value: http://localhost:8080/auth

realm

Realm for authentication

Default value: master

user

User for authentication

Default value: admin

password

Password for authentication

Default value: changeme

use_wrapper

Valid values: true, false

Boolean that determines if kcadm_wrapper.sh should be used

Default value: false

keycloak_client

Manage Keycloak clients

Examples

Add a OpenID Connect client
keycloak_client { 'www.example.com':
  ensure                => 'present',
  realm                 => 'test',
  redirect_uris         => [
    "https://www.example.com/oidc",
    "https://www.example.com",
  ],
  default_client_scopes => ['profile','email'],
  secret                => 'supersecret',
}

Properties

The following properties are available in the keycloak_client type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

protocol

Valid values: openid-connect, saml

protocol

Default value: openid-connect

client_authenticator_type

clientAuthenticatorType

Default value: client-secret

default_client_scopes

defaultClientScopes

Default value: []

optional_client_scopes

optionalClientScopes

Default value: []

full_scope_allowed

Valid values: true, false

fullScopeAllowed

Default value: true

enabled

Valid values: true, false

enabled

Default value: true

standard_flow_enabled

Valid values: true, false

standardFlowEnabled

Default value: true

implicit_flow_enabled

Valid values: true, false

implicitFlowEnabled

Default value: false

direct_access_grants_enabled

Valid values: true, false

directAccessGrantsEnabled

Default value: true

service_accounts_enabled

Valid values: true, false

serviceAccountsEnabled

Default value: false

authorization_services_enabled

Valid values: true, false

authorizationServicesEnabled

Default value: false

public_client

Valid values: true, false

publicClient

Default value: false

root_url

rootUrl

redirect_uris

redirectUris

Default value: []

base_url

baseUrl

web_origins

webOrigins

Default value: []

login_theme

login_theme

Default value: absent

access_token_lifespan

access.token.lifespan

Parameters

The following parameters are available in the keycloak_client type.

name

namevar

The client name

client_id

clientId. Defaults to name.

id

Id. Defaults to client_id

realm

realm

secret

secret
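Several keycloak_client defaults favour ease of integration over least privilege: direct_access_grants_enabled is true (the client may collect user passwords and exchange them for tokens directly) and full_scope_allowed is true (every realm role lands in the token). The manifest below is an added example, not from the module's own documentation; it assumes the realm 'test' already exists and uses illustrative hostnames and a placeholder secret.

```puppet
# Added example: a confidential OpenID Connect client restricted to the
# authorization-code flow, with an explicit audience claim.
keycloak_client { 'www.example.com':
  ensure                       => 'present',
  realm                        => 'test',
  protocol                     => 'openid-connect',
  # Confidential client; keep the real secret in encrypted Hiera data.
  public_client                => false,
  client_authenticator_type    => 'client-secret',
  secret                       => 'CLIENT_SECRET_PLACEHOLDER',
  # Only the authorization-code flow. The implicit flow returns tokens in the
  # URL fragment, and direct access grants let the client handle passwords;
  # the type defaults the latter to true, so disable it explicitly.
  standard_flow_enabled        => true,
  implicit_flow_enabled        => false,
  direct_access_grants_enabled => false,
  service_accounts_enabled     => false,
  # Exact redirect URIs and CORS origins, no wildcard patterns.
  root_url                     => 'https://www.example.com',
  redirect_uris                => ['https://www.example.com/oidc/callback'],
  web_origins                  => ['https://www.example.com'],
  # Do not copy every realm role into the token; issue only the listed scopes.
  full_scope_allowed           => false,
  default_client_scopes        => ['profile', 'email'],
  optional_client_scopes       => [],
}

# Put the client's own id into the aud claim so a token issued for this
# client is rejected by any other resource server that checks its audience.
# The title follows the documented "<name> for <client> on <realm>" form.
keycloak_client_protocol_mapper { 'audience for www.example.com on test':
  ensure                   => 'present',
  type                     => 'oidc-audience-mapper',
  included_client_audience => 'www.example.com',
  access_token_claim       => true,
  id_token_claim           => false,
  require                  => Keycloak_client['www.example.com'],
}
```

The explicit `require` is a plain Puppet metaparameter; it is used here because the page does not state whether the mapper type autorequires its client.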

keycloak_client_protocol_mapper

Manage Keycloak protocol mappers

Examples

Add email protocol mapper to test.example.com client in realm test
keycloak_client_protocol_mapper { "email for test.example.com on test":
  claim_name     => 'email',
  user_attribute => 'email',
}

Properties

The following properties are available in the keycloak_client_protocol_mapper type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

protocol

Valid values: openid-connect, saml

protocol

Default value: openid-connect

user_attribute

user.attribute. Defaults to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper.

json_type_label

json.type.label. Defaults to String for type oidc-usermodel-property-mapper and oidc-group-membership-mapper.

full_path

Valid values: true, false

full.path. Defaults to false for type oidc-group-membership-mapper.

friendly_name

friendly.name. Defaults to resource_name for type saml-user-property-mapper.

attribute_name

attribute.name. Defaults to resource_name for type saml-user-property-mapper.

claim_name

claim.name

id_token_claim

Valid values: true, false

id.token.claim. Defaults to true for protocol openid-connect.

access_token_claim

Valid values: true, false

access.token.claim. Defaults to true for protocol openid-connect.

userinfo_token_claim

Valid values: true, false

userinfo.token.claim. Defaults to true for protocol openid-connect, except for type oidc-audience-mapper.

attribute_nameformat

attribute.nameformat

single

Valid values: true, false

single. Defaults to false for type saml-role-list-mapper.

script

Script, only valid for type saml-javascript-mapper.

Array values will be joined with newlines. Strings will be kept unchanged.

included_client_audience

included.client.audience. Required for type oidc-audience-mapper.

Parameters

The following parameters are available in the keycloak_client_protocol_mapper type.

name

namevar

The protocol mapper name

id

Id.

resource_name

The protocol mapper name. Defaults to name.

client

client

realm

realm

type

Valid values: oidc-usermodel-property-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-user-property-mapper, saml-role-list-mapper

protocolMapper.

Default is oidc-usermodel-property-mapper for protocol openid-connect and saml-user-property-mapper for protocol saml.

keycloak_client_scope

Manage Keycloak client scopes

Examples

Define a OpenID Connect client scope in the test realm
keycloak_client_scope { 'email on test':
  protocol => 'openid-connect',
}

Properties

The following properties are available in the keycloak_client_scope type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

protocol

Valid values: openid-connect, saml

protocol

Default value: openid-connect

consent_screen_text

consent.screen.text

display_on_consent_screen

Valid values: true, false

display.on.consent.screen

Default value: true

Parameters

The following parameters are available in the keycloak_client_scope type.

name

namevar

The client scope name

resource_name

The client scope name. Defaults to name.

id

Id. Defaults to resource_name.

realm

realm

keycloak_conn_validator

Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring.

Properties

The following properties are available in the keycloak_conn_validator type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the keycloak_conn_validator type.

name

namevar

An arbitrary name used as the identity of the resource.

keycloak_server

The DNS name or IP address of the server where keycloak should be running.

Default value: localhost

keycloak_port

The port that the keycloak server should be listening on.

Default value: 8080

use_ssl

Whether the connection will be attempted using https

Default value: false

test_url

URL to use for testing if the Keycloak database is up

Default value: /auth/admin/serverinfo

timeout

The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.

Default value: 30

keycloak_flow

Manage a Keycloak flow

Autorequires

  • keycloak_realm defined for realm parameter
  • keycloak_flow of flow_alias if top_level=false
  • keycloak_flow of flow_alias if other index is lower and if top_level=false
  • keycloak_flow_execution if flow_alias is the same and other index is lower and if top_level=false

Examples

Add custom flow
keycloak_flow { 'browser-with-duo':
  ensure => 'present',
  realm  => 'test',
}
Add a flow execution to existing browser-with-duo flow
keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
  ensure      => 'present',
  index       => 2,
  requirement => 'ALTERNATIVE',
  top_level   => false,
}

Properties

The following properties are available in the keycloak_flow type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

index

Execution index. Only applies to top_level=false and is required when top_level=false.

description

description

requirement

Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional

requirement; only applies to top_level=false and defaults to DISABLED

Parameters

The following parameters are available in the keycloak_flow type.

name

namevar

The flow name

id

Id. Defaults to $alias-$realm when top_level is true. Only applies to top_level=true.

alias

Alias. Defaults to name.

flow_alias

flowAlias; required for top_level=false

realm

realm

provider_id

Valid values: basic-flow, form-flow

providerId

Default value: basic-flow

type

Sub-flow execution provider; defaults to registration-page-form for top_level=false and does not apply to top_level=true.

top_level

Valid values: true, false

topLevel

Default value: true

keycloak_flow_execution

Manage a Keycloak flow execution

Autorequires

  • keycloak_realm defined for realm parameter
  • keycloak_flow of value defined for flow_alias
  • keycloak_flow if they share same flow_alias value and the other resource index is lower
  • keycloak_flow_execution if flow_alias is the same and other index is lower

Examples

Add an execution to a flow
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
  ensure       => 'present',
  configurable => false,
  display_name => 'Cookie',
  index        => 0,
  requirement  => 'ALTERNATIVE',
}
Add an execution to a execution flow that is one level deeper than top level
keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
  ensure       => 'present',
  configurable => false,
  display_name => 'Username Password Form',
  index        => 0,
  requirement  => 'REQUIRED',
}
Add an execution with a configuration
keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test':
  ensure       => 'present',
  configurable => true,
  display_name => 'Duo MFA',
  alias        => 'Duo',
  config       => {
    "duomfa.akey"    => "foo-akey",
    "duomfa.apihost" => "api-foo.duosecurity.com",
    "duomfa.skey"    => "secret",
    "duomfa.ikey"    => "foo-ikey",
    "duomfa.groups"  => "duo"
  },
  requirement  => 'REQUIRED',
  index        => 1,
}

Properties

The following properties are available in the keycloak_flow_execution type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

index

execution index

configurable

Valid values: true, false

configurable

requirement

Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional

requirement

Default value: DISABLED

config

execution config

Parameters

The following parameters are available in the keycloak_flow_execution type.

name

namevar

The flow execution name

id

read-only Id

provider_id

provider

flow_alias

flowAlias

realm

realm

display_name

displayName

alias

alias

config_id

read-only config ID
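The autorequire rules listed for keycloak_flow and keycloak_flow_execution mean that a flow can be declared in any order in the manifest and Puppet will still create the parent flow before its sub-flows and lower-index executions before higher ones. The manifest below is an added example, not from the module's own documentation: a browser flow in which a password alone never completes a login. It assumes the realm 'test' exists and that the server has the built-in authenticators auth-cookie, auth-username-password-form and auth-otp-form available (the first two appear in the examples above; auth-otp-form is the built-in OTP form authenticator).

```puppet
# Added example: browser flow with a mandatory second factor.
keycloak_flow { 'browser-with-otp':
  ensure => 'present',
  realm  => 'test',
}

# Index 0: an existing SSO session cookie satisfies the flow on its own.
keycloak_flow_execution { 'auth-cookie under browser-with-otp on test':
  ensure       => 'present',
  configurable => false,
  display_name => 'Cookie',
  index        => 0,
  requirement  => 'ALTERNATIVE',
}

# Index 1: otherwise fall through to an interactive sub-flow. Being a
# sub-flow, this keycloak_flow has top_level=false and needs an index; the
# autorequire rules order it after the index-0 execution in the same flow.
keycloak_flow { 'forms-with-otp under browser-with-otp on test':
  ensure      => 'present',
  index       => 1,
  requirement => 'ALTERNATIVE',
  top_level   => false,
}

# Both steps inside the sub-flow are REQUIRED, so the password form and the
# OTP form must each succeed; neither can be skipped as an alternative.
keycloak_flow_execution { 'auth-username-password-form under forms-with-otp on test':
  ensure       => 'present',
  configurable => false,
  display_name => 'Username Password Form',
  index        => 0,
  requirement  => 'REQUIRED',
}

keycloak_flow_execution { 'auth-otp-form under forms-with-otp on test':
  ensure       => 'present',
  configurable => false,
  display_name => 'OTP Form',
  index        => 1,
  requirement  => 'REQUIRED',
}
```

The title form "<provider> under <flow_alias> on <realm>" is the one the page's own examples use, so provider_id, flow_alias and realm are derived from the title and need not be set separately. Binding the new flow to the realm's browser flow is done on keycloak_realm, which this page does not document, so it is left out here.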

keycloak_identity_provider

Manage Keycloak identity providers

Examples

Add CILogon identity provider to test realm
keycloak_identity_provider { 'cilogon on test':
  ensure                         => 'present',
  display_name                   => 'CILogon',
  provider_id                    => 'oidc',
  first_broker_login_flow_alias  => 'browser',
  client_id                      => 'cilogon:/client_id/foobar',
  client_secret                  => 'supersecret',
  user_info_url                  => 'https://cilogon.org/oauth2/userinfo',
  token_url                      => 'https://cilogon.org/oauth2/token',
  authorization_url              => 'https://cilogon.org/authorize',
}

Properties

The following properties are available in the keycloak_identity_provider type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

display_name

displayName

enabled

Valid values: true, false

enabled

Default value: true

update_profile_first_login_mode

Valid values: on, off

updateProfileFirstLoginMode

Default value: on

trust_email

Valid values: true, false

trustEmail

Default value: false

store_token

Valid values: true, false

storeToken

Default value: false

add_read_token_role_on_create

Valid values: true, false

addReadTokenRoleOnCreate

Default value: false

authenticate_by_default

Valid values: true, false

authenticateByDefault

Default value: false

link_only

Valid values: true, false

linkOnly

Default value: false

first_broker_login_flow_alias

firstBrokerLoginFlowAlias

Default value: first broker login

post_broker_login_flow_alias

postBrokerLoginFlowAlias

hide_on_login_page

Valid values: true, false

hideOnLoginPage

Default value: false

user_info_url

userInfoUrl

validate_signature

Valid values: true, false

validateSignature

Default value: false

client_id

clientId

client_secret

clientSecret

client_auth_method

Valid values: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt

clientAuthMethod

Default value: client_secret_post

token_url

tokenUrl

ui_locales

Valid values: true, false

uiLocales

Default value: false

backchannel_supported

Valid values: true, false

backchannelSupported

Default value: false

use_jwks_url

Valid values: true, false

useJwksUrl

Default value: true

login_hint

Valid values: true, false

loginHint

Default value: false

authorization_url

authorizationUrl

disable_user_info

Valid values: true, false

disableUserInfo

Default value: false

logout_url

logoutUrl

issuer

issuer

default_scope

default_scope

prompt

Valid values: none, consent, login, select_account

prompt

allowed_clock_skew

allowedClockSkew

forward_parameters

forwardParameters

Parameters

The following parameters are available in the keycloak_identity_provider type.

name

namevar

The identity provider name

alias

The identity provider name. Defaults to name.

internal_id

internalId. Defaults to "alias-realm"

realm

realm

provider_id

Valid values: oidc

providerId

Default value: oidc

keycloak_ldap_mapper

Manage Keycloak LDAP attribute mappers

Examples

Add full name attribute mapping
keycloak_ldap_mapper { 'full name for LDAP-test on test':
  ensure         => 'present',
  type           => 'full-name-ldap-mapper',
  ldap_attribute => 'gecos',
}

Properties

The following properties are available in the keycloak_ldap_mapper type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

ldap_attribute

ldap.attribute

user_model_attribute

user.model.attribute

is_mandatory_in_ldap

is.mandatory.in.ldap. Defaults to false unless type is full-name-ldap-mapper.

always_read_value_from_ldap

Valid values: true, false

always.read.value.from.ldap. Defaults to true if type is user-attribute-ldap-mapper.

read_only

Valid values: true, false

read.only

write_only

Valid values: true, false

write.only. Defaults to false if type is full-name-ldap-mapper.

mode

Valid values: READ_ONLY, LDAP_ONLY

mode, only for type of group-ldap-mapper and role-ldap-mapper

membership_attribute_type

Valid values: DN, UID

membership.attribute.type, only for type of group-ldap-mapper and role-ldap-mapper

user_roles_retrieve_strategy

Valid values: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY, LOAD_ROLES_BY_MEMBER_ATTRIBUTE, GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY

user.roles.retrieve.strategy, only for type of group-ldap-mapper and role-ldap-mapper

group_name_ldap_attribute

group.name.ldap.attribute, only for type of group-ldap-mapper

ignore_missing_groups

Valid values: true, false

ignore.missing.groups, only for type of group-ldap-mapper

membership_user_ldap_attribute

membership.user.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper

membership_ldap_attribute

membership.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper

preserve_group_inheritance

Valid values: true, false

preserve.group.inheritance, only for type of group-ldap-mapper

groups_dn

groups.dn, only for type of group-ldap-mapper

mapped_group_attributes

mapped.group.attributes, only for type of group-ldap-mapper

groups_ldap_filter

groups.ldap.filter, only for type of group-ldap-mapper

memberof_ldap_attribute

memberof.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper

group_object_classes

group.object.classes, only for type of group-ldap-mapper

drop_non_existing_groups_during_sync

Valid values: true, false

drop.non.existing.groups.during.sync, only for type of group-ldap-mapper

roles_dn

roles.dn, only for type of role-ldap-mapper

role_name_ldap_attribute

role.name.ldap.attribute, only for type of role-ldap-mapper

role_object_classes

role.object.classes, only for type of role-ldap-mapper

roles_ldap_filter

roles.ldap.filter, only for type of role-ldap-mapper

use_realm_roles_mapping

Valid values: true, false

use.realm.roles.mapping, only for type of role-ldap-mapper

client_id

client.id, only for type of role-ldap-mapper

Parameters

The following parameters are available in the keycloak_ldap_mapper type.

name

namevar

The LDAP mapper name

id

Id.

resource_name

The LDAP mapper name. Defaults to name

type

Valid values: user-attribute-ldap-mapper, full-name-ldap-mapper, group-ldap-mapper, role-ldap-mapper

providerId

Default value: user-attribute-ldap-mapper

realm

realm

ldap

parentId

keycloak_ldap_user_provider

Manage Keycloak LDAP user providers

Examples

Add LDAP user provider to test realm
keycloak_ldap_user_provider { 'LDAP on test':
  ensure             => 'present',
  users_dn           => 'ou=People,dc=example,dc=com',
  connection_url     => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
  import_enabled     => false,
  use_truststore_spi => 'never',
}

Properties

The following properties are available in the keycloak_ldap_user_provider type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

enabled

Valid values: true, false

enabled

Default value: true

auth_type

Valid values: none, simple

authType

Default value: none

edit_mode

Valid values: READ_ONLY, WRITABLE, UNSYNCED

editMode

Default value: READ_ONLY

vendor

Valid values: ad, rhds, tivoli, eDirectory, other

vendor

Default value: other

use_truststore_spi

Valid values: always, ldapsOnly, never

useTruststoreSpi

Default value: ldapsOnly

users_dn

usersDn

connection_url

connectionUrl

priority

priority

Default value: 0

batch_size_for_sync

batchSizeForSync

Default value: 1000

username_ldap_attribute

usernameLdapAttribute

Default value: uid

rdn_ldap_attribute

rdnLdapAttribute

Default value: uid

uuid_ldap_attribute

uuidLdapAttribute

Default value: entryUUID

bind_dn

bindDn

bind_credential

bindCredential

import_enabled

Valid values: true, false

importEnabled

Default value: true

use_kerberos_for_password_authentication

Valid values: true, false

useKerberosForPasswordAuthentication

user_object_classes

userObjectClasses

Default value: ['inetOrgPerson', 'organizationalPerson']

search_scope

Valid values: one, one_level, subtree, 1, 2 (the numeric values are accepted as integers or as strings)

searchScope

custom_user_search_filter

Valid values: any string (matches %r{.*}), absent

customUserSearchFilter

Default value: absent

Parameters

The following parameters are available in the keycloak_ldap_user_provider type.

name

namevar

The LDAP user provider name

resource_name

The LDAP user provider name. Defaults to name.

id

Id. Defaults to "resource_name-realm"

realm

parentId
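The following manifest is an added example, not part of the module's reference or test suite. It combines the keycloak_ldap_user_provider properties above with the group-ldap-mapper properties of keycloak_ldap_mapper: a read-only LDAPS-backed provider whose server certificate is always checked against the truststore, with the bind password pulled from Hiera instead of written into the manifest, and a read-only group mapper attached to it. The realm, hostnames, DNs, filters and the Hiera key are constructed placeholders. The mapper title follows the module's "name for ldap on realm" form, where the ldap segment is the provider id, which defaults to "resource_name-realm" as documented above.

```puppet
# Added example (not from the module's own documentation).
# Realm, hosts, DNs and the Hiera key are constructed placeholders.
keycloak_ldap_user_provider { 'corp-ldap on production':
  ensure                                   => 'present',
  enabled                                  => true,
  edit_mode                                => 'READ_ONLY',  # Keycloak never writes back to the directory
  auth_type                                => 'simple',
  bind_dn                                  => 'cn=keycloak-svc,ou=Service Accounts,dc=corp,dc=example',
  bind_credential                          => lookup('keycloak::ldap_bind_password'),  # keep the secret out of the manifest
  connection_url                           => 'ldaps://ldap1.corp.example:636 ldaps://ldap2.corp.example:636',
  use_truststore_spi                       => 'always',     # validate the LDAP server certificate via the truststore SPI
  users_dn                                 => 'ou=People,dc=corp,dc=example',
  username_ldap_attribute                  => 'uid',
  rdn_ldap_attribute                       => 'uid',
  uuid_ldap_attribute                      => 'entryUUID',
  user_object_classes                      => ['inetOrgPerson', 'organizationalPerson'],
  search_scope                             => 'subtree',
  # Only members of one directory group may log in through this provider.
  custom_user_search_filter                => '(memberOf=cn=keycloak-users,ou=Groups,dc=corp,dc=example)',
  import_enabled                           => true,
  use_kerberos_for_password_authentication => false,
  batch_size_for_sync                      => 1000,
  priority                                 => 0,
}

# Group mapper on the provider above. The ldap segment of the title is the
# provider id, i.e. "<resource_name>-<realm>" => "corp-ldap-production".
keycloak_ldap_mapper { 'corp-groups for corp-ldap-production on production':
  ensure                               => 'present',
  type                                 => 'group-ldap-mapper',
  mode                                 => 'READ_ONLY',       # groups flow from LDAP into Keycloak only
  groups_dn                            => 'ou=Groups,dc=corp,dc=example',
  group_name_ldap_attribute            => 'cn',
  group_object_classes                 => 'groupOfNames',
  groups_ldap_filter                   => '(cn=kc-*)',       # import only groups intended for Keycloak
  membership_ldap_attribute            => 'member',
  membership_attribute_type            => 'DN',
  membership_user_ldap_attribute       => 'uid',
  memberof_ldap_attribute              => 'memberOf',
  user_roles_retrieve_strategy         => 'LOAD_GROUPS_BY_MEMBER_ATTRIBUTE',
  preserve_group_inheritance           => true,
  ignore_missing_groups                => true,
  drop_non_existing_groups_during_sync => false,
  require                              => Keycloak_ldap_user_provider['corp-ldap on production'],
}
```

Two choices carry the security weight here: use_truststore_spi => 'always' combined with ldaps:// URLs means a connection to a server presenting an untrusted certificate fails rather than silently proceeding, and edit_mode/mode set to READ_ONLY means a compromised Keycloak admin session cannot be used to alter directory entries or group membership.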

keycloak_protocol_mapper

Manage Keycloak client scope protocol mappers

Examples

Add email protocol mapper to oidc-client client scope in realm test
keycloak_protocol_mapper { "email for oidc-clients on test":
  claim_name     => 'email',
  user_attribute => 'email',
}

Properties

The following properties are available in the keycloak_protocol_mapper type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

protocol

Valid values: openid-connect, saml

protocol

Default value: openid-connect

user_attribute

user.attribute. Defaults to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper.

json_type_label

json.type.label. Defaults to String for types oidc-usermodel-property-mapper and oidc-group-membership-mapper.

full_path

Valid values: true, false

full.path. Defaults to false for type oidc-group-membership-mapper.

friendly_name

friendly.name. Defaults to resource_name for type saml-user-property-mapper.

attribute_name

attribute.name. Defaults to resource_name for type saml-user-property-mapper.

claim_name

claim.name

id_token_claim

Valid values: true, false

id.token.claim. Defaults to true for protocol openid-connect.

access_token_claim

Valid values: true, false

access.token.claim. Defaults to true for protocol openid-connect.

userinfo_token_claim

Valid values: true, false

userinfo.token.claim. Defaults to true for protocol openid-connect, except for type oidc-audience-mapper.

attribute_nameformat

attribute.nameformat

single

Valid values: true, false

single. Defaults to false for types saml-role-list-mapper and saml-javascript-mapper.

script

Script, only valid for type saml-javascript-mapper.

Array values will be joined with newlines. Strings will be kept unchanged.

included_client_audience

included.client.audience. Required for type oidc-audience-mapper.

Parameters

The following parameters are available in the keycloak_protocol_mapper type.

name

namevar

The protocol mapper name

id

Id.

resource_name

The protocol mapper name. Defaults to name.

client_scope

client scope

realm

realm

type

Valid values: oidc-usermodel-property-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-user-property-mapper, saml-role-list-mapper

protocolMapper.

Default is oidc-usermodel-property-mapper for protocol openid-connect and saml-user-property-mapper for protocol saml.
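The following manifest is an added example rather than the module's own documentation. It shows the two mapper types the properties above describe but the original example does not exercise: an oidc-audience-mapper, which pins the access token to one resource server, and an oidc-group-membership-mapper, which exposes group membership as a claim. The realm "production", the client scope "api-access" and the client id "orders-api" are constructed placeholders; the titles use the module's "name for client_scope on realm" form shown in the original example.

```puppet
# Added example (not from the module's own documentation).
# Realm, client scope and client id are constructed placeholders.

# Put "orders-api" in the access token's aud claim so that resource server
# can reject tokens that were issued for other clients.
keycloak_protocol_mapper { 'audience for api-access on production':
  ensure                   => 'present',
  protocol                 => 'openid-connect',
  type                     => 'oidc-audience-mapper',
  included_client_audience => 'orders-api',
  id_token_claim           => false,   # the audience is for the API, not the front end
  access_token_claim       => true,
}

# Expose group membership as a "groups" claim. full_path => false emits the
# group name only ("admins") rather than the tree path ("/corp/admins").
keycloak_protocol_mapper { 'groups for api-access on production':
  ensure               => 'present',
  protocol             => 'openid-connect',
  type                 => 'oidc-group-membership-mapper',
  claim_name           => 'groups',
  full_path            => false,
  id_token_claim       => false,        # keep the ID token minimal
  access_token_claim   => true,
  userinfo_token_claim => true,
}
```

Per the defaults listed above, userinfo_token_claim is not set on the audience mapper because it does not default to true for that type, and json_type_label is left at its String default for the group membership mapper.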

keycloak_realm

Manage Keycloak realms

Examples

Add a realm with a custom theme
keycloak_realm { 'test':
  ensure                   => 'present',
  remember_me              => true,
  login_with_email_allowed => false,
  login_theme              => 'my_theme',
}

Properties

The following properties are available in the keycloak_realm type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

display_name

displayName

display_name_html

displayNameHtml

login_theme

loginTheme

Default value: keycloak

account_theme

accountTheme

Default value: keycloak

admin_theme

adminTheme

Default value: keycloak

email_theme

emailTheme

Default value: keycloak

internationalization_enabled

Valid values: true, false

internationalizationEnabled

Default value: false

sso_session_idle_timeout

ssoSessionIdleTimeout

sso_session_max_lifespan

ssoSessionMaxLifespan

access_code_lifespan

accessCodeLifespan

access_code_lifespan_user_action

accessCodeLifespanUserAction

access_token_lifespan

accessTokenLifespan

access_token_lifespan_for_implicit_flow

accessTokenLifespanForImplicitFlow

enabled

Valid values: true, false

enabled

Default value: true

remember_me

Valid values: true, false

rememberMe

Default value: false

login_with_email_allowed

Valid values: true, false

loginWithEmailAllowed

Default value: true

browser_flow

browserFlow

Default value: browser

registration_flow

registrationFlow

Default value: registration

direct_grant_flow

directGrantFlow

Default value: direct grant

reset_credentials_flow

resetCredentialsFlow

Default value: reset credentials

client_authentication_flow

clientAuthenticationFlow

Default value: clients

docker_authentication_flow

dockerAuthenticationFlow

Default value: docker auth

default_client_scopes

Default Client Scopes

optional_client_scopes

Optional Client Scopes

supported_locales

Supported Locales

content_security_policy

contentSecurityPolicy

Default value: frame-src 'self'; frame-ancestors 'self'; object-src 'none';

events_enabled

Valid values: true, false

eventsEnabled

Default value: false

events_expiration

eventsExpiration

events_listeners

eventsListeners

Default value: ['jboss-logging']

admin_events_enabled

Valid values: true, false

adminEventsEnabled

Default value: false

admin_events_details_enabled

Valid values: true, false

adminEventsDetailsEnabled

Default value: false

smtp_server_user

smtpServer user

smtp_server_password

smtpServer password

smtp_server_host

smtpServer host

smtp_server_port

smtpServer port

smtp_server_auth

Valid values: true, false

smtpServer auth

smtp_server_starttls

Valid values: true, false

smtpServer starttls

smtp_server_ssl

Valid values: true, false

smtpServer ssl

smtp_server_from

smtpServer from

smtp_server_envelope_from

smtpServer envelope_from

smtp_server_from_display_name

smtpServer fromDisplayName

smtp_server_reply_to

smtpServer replyto

smtp_server_reply_to_display_name

smtpServer replyToDisplayName

Parameters

The following parameters are available in the keycloak_realm type.

name

namevar

The realm name

id

Id. Defaults to name.
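The following manifest is an added example, not part of the module's reference. It goes beyond the original theme example and uses the keycloak_realm properties above to declare a realm with bounded session and token lifetimes, the login and admin event log switched on with details recorded, the default Content-Security-Policy kept explicit, and SMTP over STARTTLS with the password taken from Hiera. The realm name, hosts, addresses, Hiera key and the chosen lifetimes are constructed placeholders; lifetimes are given in seconds.

```puppet
# Added example (not from the module's own documentation).
# Realm name, hosts, addresses, Hiera key and lifetimes are constructed placeholders.
keycloak_realm { 'production':
  ensure                                  => 'present',
  enabled                                 => true,
  display_name                            => 'Production SSO',
  login_with_email_allowed                => false,   # usernames only, no e-mail as login identifier
  remember_me                             => false,
  # Lifetimes in seconds: short access tokens, bounded SSO sessions.
  access_token_lifespan                   => 300,
  access_token_lifespan_for_implicit_flow => 900,
  access_code_lifespan                    => 60,
  access_code_lifespan_user_action        => 300,
  sso_session_idle_timeout                => 1800,
  sso_session_max_lifespan                => 36000,
  # Audit trail: login events kept 30 days, admin events with the changed representation.
  events_enabled                          => true,
  events_expiration                       => 2592000,
  events_listeners                        => ['jboss-logging'],
  admin_events_enabled                    => true,
  admin_events_details_enabled            => true,
  # Same policy as the documented default, written out so a drift is visible in Puppet reports.
  content_security_policy                 => "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
  # Outbound mail for verification and reset flows, authenticated and over STARTTLS.
  smtp_server_host                        => 'smtp.corp.example',
  smtp_server_port                        => 587,
  smtp_server_starttls                    => true,
  smtp_server_ssl                         => false,
  smtp_server_auth                        => true,
  smtp_server_user                        => 'keycloak',
  smtp_server_password                    => lookup('keycloak::smtp_password'),  # keep the secret out of the manifest
  smtp_server_from                        => 'sso@corp.example',
  smtp_server_from_display_name           => 'Production SSO',
  smtp_server_reply_to                    => 'helpdesk@corp.example',
}
```

With events_enabled and admin_events_enabled managed by Puppet, an operator who disables auditing through the admin console is reverted on the next run and the change shows up in the Puppet report; the lifetimes are a starting point to tune per deployment rather than recommended values.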

keycloak_resource_validator

Verify that a specific Keycloak resource is available

Properties

The following properties are available in the keycloak_resource_validator type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the keycloak_resource_validator type.

name

namevar

An arbitrary name used as the identity of the resource.

test_url

URL to use for testing if the Keycloak database is up

test_key

Key to lookup

test_value

Value to lookup

realm

Realm to query

timeout

The maximum number of seconds the validator waits before giving up and deciding that Keycloak is not running; defaults to 15 seconds.

Default value: 30

keycloak_sssd_user_provider

Manage Keycloak SSSD user providers

Examples

Add SSSD user provider to test realm
keycloak_sssd_user_provider { 'SSSD on test':
  ensure => 'present',
}

Properties

The following properties are available in the keycloak_sssd_user_provider type.

ensure

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

enabled

Valid values: true, false

enabled

Default value: true

priority

priority

Default value: 0

cache_policy

Valid values: DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE

cachePolicy

Default value: DEFAULT

eviction_day

evictionDay

eviction_hour

evictionHour

eviction_minute

evictionMinute

max_lifespan

maxLifespan

Parameters

The following parameters are available in the keycloak_sssd_user_provider type.

name

namevar

The SSSD user provider name

resource_name

The SSSD user provider name. Defaults to name.

id

Id. Defaults to "resource_name-realm"

realm

parentId