keycloak
: Manage Keycloakkeycloak::config
: Private class.keycloak::install
: Private class.keycloak::service
: Private class.keycloak::sssd
: Private class.
keycloak::db::mariadb
: Manage MySQL DBkeycloak::db::mysql
: Manage MySQL DBkeycloak::db::postgres
: Manage postgres DBkeycloak::resources
: Define Keycloak resources
keycloak::client_scope::oidc
: Manage Keycloak OpenID Connect client scope using built-in mapperskeycloak::client_scope::saml
: Manage Keycloak SAML client scope using built-in mapperskeycloak::freeipa_ldap_mappers
: setup FreeIPA LDAP mappers for Keycloakkeycloak::freeipa_user_provider
: setup IPA as an LDAP user provider for Keycloakkeycloak::partial_import
: Perform partialImport using CLIkeycloak::spi_deployment
: Manage Keycloak SPI deploymentkeycloak::truststore::host
: Add host to Keycloak truststore
keycloak_api
: Type that configures API connection parameters for other keycloak types that use the Keycloak API.keycloak_client
: Manage Keycloak clientskeycloak_client_protocol_mapper
: Manage Keycloak protocol mapperskeycloak_client_scope
: Manage Keycloak client scopeskeycloak_conn_validator
: Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prekeycloak_flow
: Manage a Keycloak flow Autorequires *keycloak_realm
defined forrealm
parameter *keycloak_flow
offlow_alias
if `top_level=falskeycloak_flow_execution
: Manage a Keycloak flow Autorequires *keycloak_realm
defined forrealm
parameter *keycloak_flow
of value defined forflow_alias
keycloak_identity_provider
: Manage Keycloak identity providerskeycloak_ldap_mapper
: Manage Keycloak LDAP attribute mapperskeycloak_ldap_user_provider
: Manage Keycloak LDAP user providerskeycloak_protocol_mapper
: Manage Keycloak client scope protocol mapperskeycloak_realm
: Manage Keycloak realmskeycloak_required_action
: Manage Keycloak required actionskeycloak_resource_validator
: Verify that a specific Keycloak resource is availablekeycloak_role_mapping
: Attach realm roles to users and groupskeycloak_sssd_user_provider
: Manage Keycloak SSSD user providers
Manage Keycloak
include ::keycloak
The following parameters are available in the keycloak
class:
manage_install
version
package_url
install_dir
java_package_dependencies
java_declare_method
java_package
java_home
java_alternative_path
java_alternative
service_name
service_ensure
service_enable
java_opts
start_command
service_extra_opts
service_environment_file
conf_dir_mode
conf_dir_purge
conf_dir_purge_ignore
configs
extra_configs
hostname
http_enabled
http_host
http_port
https_port
http_relative_path
manage_user
user
user_shell
group
user_uid
group_gid
system_user
admin_user
admin_user_password
manage_db
manage_db_server
db
db_url_host
db_url_port
db_url
db_url_database
db_username
db_password
db_charset
db_collate
db_encoding
features
features_disabled
truststore
truststore_hosts
truststore_password
proxy
realms
realms_merge
oidc_client_scopes
oidc_client_scopes_merge
saml_client_scopes
saml_client_scopes_merge
identity_providers
identity_providers_merge
client_protocol_mappers
client_scopes
client_scopes_merge
protocol_mappers
protocol_mappers_merge
clients
clients_merge
flows
flows_merge
flow_executions
flow_executions_merge
required_actions
required_actions_merge
ldap_mappers
ldap_mappers_merge
ldap_user_providers
ldap_user_providers_merge
with_sssd_support
libunix_dbus_java_source
install_libunix_dbus_java_build_dependencies
libunix_dbus_java_build_dependencies
libunix_dbus_java_libdir
jna_package_name
manage_sssd_config
sssd_ifp_user_attributes
restart_sssd
spi_deployments
partial_imports
providers_purge
custom_config_content
custom_config_source
validator_test_url
Data type: Boolean
Install Keycloak from upstream Keycloak tarball. Set to false to manage installation of Keycloak outside this module and set $install_dir to match. Defaults to true.
Default value: true
Data type: String
Version of Keycloak to install and manage.
Default value: '22.0.0'
Data type: Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]
URL of the Keycloak download. Default is based on version.
Default value: undef
Data type: Optional[Stdlib::Absolutepath]
The directory of where to install Keycloak.
Default is /opt/keycloak-${version}
.
Default value: undef
Data type: Array[String[1]]
Packages to install before Java
Default value: []
Data type: Enum['include','class']
How to declare the Java class within this module
The include
value only includes the java class
The class
method defines the Java class and passes necessary parameters
For RedHat base systems this defaults to class
, other OSes default to include
Default value: 'class'
Data type: String[1]
Java package name, only used when java_declare_method
is class
Default value: 'java-17-openjdk-devel'
Data type: Stdlib::Absolutepath
Java home path. This value is used when java_declare_method
is class
as well as to set JAVA_HOME environment variable for the Keycloak service.
Default value: '/usr/lib/jvm/java-17-openjdk'
Data type: Stdlib::Absolutepath
Java alternative path, only used when java_declare_method
is class
Default value: '/usr/lib/jvm/java-17-openjdk/bin/java'
Data type: String[1]
Java alternative, only used when java_declare_method
is class
Default value: '/usr/lib/jvm/java-17-openjdk/bin/java'
Data type: String
Keycloak service name.
Default is keycloak
.
Default value: 'keycloak'
Data type: String
Keycloak service ensure property.
Default is running
.
Default value: 'running'
Data type: Boolean
Keycloak service enable property.
Default is true
.
Default value: true
Data type: Optional[Variant[String, Array]]
Sets additional options to Java virtual machine environment variable.
Default value: undef
Data type: Enum['start','start-dev']
The start command to use to run Keycloak
Default value: 'start'
Data type: Optional[String]
Additional options added to the end of the service command-line.
Default value: undef
Data type: Optional[Stdlib::Absolutepath]
Path to the file with environment variables for the systemd service
Default value: undef
Data type: Stdlib::Filemode
The mode for the configuration directory
Default value: '0755'
Data type: Boolean
Purge unmanaged files in configuration directory
Default value: true
Data type: Array
The files to ignore when unmanaged files are purged from the configuration directory
Default value: ['cache-ispn.xml', 'README.md', 'truststore.jks']
Data type: Keycloak::Configs
Define additional configs for keycloak.conf
Default value: {}
Data type: Hash[String, Variant[String[1],Boolean,Array]]
Additional configs for keycloak.conf
Default value: {}
Data type: Variant[Stdlib::Host, Enum['unset','UNSET']]
hostname to set in keycloak.conf
Set to unset
or UNSET
to not define this in keycloak.conf
Default value: $facts['networking']['fqdn']
Data type: Boolean
Whether to enable HTTP
Default value: true
Data type: Stdlib::IP::Address
HTTP host
Default value: '0.0.0.0'
Data type: Stdlib::Port
HTTP port
Default value: 8080
Data type: Stdlib::Port
HTTPS port
Default value: 8443
Data type: Pattern[/^\/.*/]
Set the path relative to '/' for serving resources. The path must start with a '/'.
Default value: '/'
Data type: Boolean
Defines if the module should manage the Linux user for Keycloak installation
Default value: true
Data type: String
Keycloak user name.
Default is keycloak
.
Default value: 'keycloak'
Data type: Stdlib::Absolutepath
Keycloak user shell.
Default value: '/sbin/nologin'
Data type: String
Keycloak user group name.
Default is keycloak
.
Default value: 'keycloak'
Data type: Optional[Integer]
Keycloak user UID.
Default is undef
.
Default value: undef
Data type: Optional[Integer]
Keycloak user group GID.
Default is undef
.
Default value: undef
Data type: Boolean
If keycloak user should be a system user with lower uid and gid.
Default is true
Default value: true
Data type: String
Keycloak administrative username.
Default is admin
.
Default value: 'admin'
Data type: String
Keycloak administrative user password.
Default is changeme
.
Default value: 'changeme'
Data type: Boolean
Boolean that determines if configured database will be managed.
Default value: true
Data type: Boolean
Include the DB server class for postgres, mariadb or mysql
Default value: true
Data type: Enum['dev-file', 'dev-mem', 'mariadb', 'mysql', 'oracle', 'postgres']
Database driver to use for Keycloak.
Default value: 'dev-file'
Data type: Optional[Stdlib::Host]
Database host.
Default value: undef
Data type: Optional[Stdlib::Port]
Database port.
Default value: undef
Data type: Optional[String[1]]
Database url.
Default value: undef
Data type: String[1]
Database name.
Default value: 'keycloak'
Data type: String[1]
Database user name.
Default value: 'keycloak'
Data type: String[1]
Database user password.
Default value: 'changeme'
Data type: String
MySQL and MariaDB database charset
Default value: 'utf8'
Data type: String
MySQL and MariaDB database collate
Default value: 'utf8_general_ci'
Data type: String
PostgreSQL database encoding
Default value: 'UTF8'
Data type: Optional[Array[String[1]]]
Keycloak features to enable
Default value: undef
Data type: Optional[Array[String[1]]]
Keycloak features to disable
Default value: undef
Data type: Boolean
Boolean that sets if truststore should be used.
Default is false
.
Default value: false
Data type: Hash
Hash that is used to define keycloak::turststore::host
resources.
Default is {}
.
Default value: {}
Data type: String
Truststore password.
Default is keycloak
.
Default value: 'keycloak'
Data type: Enum['edge','reencrypt','passthrough','none']
Type of proxy to use for Keycloak
Default value: 'none'
Data type: Hash
Hash that is used to define keycloak_realm resources.
Default is {}
.
Default value: {}
Data type: Boolean
Boolean that sets if realms
should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak::client_scope::oidc resources.
Default is {}
.
Default value: {}
Data type: Boolean
Boolean that sets if oidc_client_scopes
should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak::client_scope::saml resources.
Default is {}
.
Default value: {}
Data type: Boolean
Boolean that sets if saml_client_scopes
should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_identity_provider resources.
Default value: {}
Data type: Boolean
Boolean that sets if identity_providers
should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_client_protocol_mapper resources.
Default value: {}
Data type: Hash
Hash that is used to define keycloak_client_scope resources.
Default value: {}
Data type: Boolean
Boolean that sets if client_scopes
should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_protocol_mapper resources.
Default value: {}
Data type: Boolean
Boolean that sets if protocol_mappers
should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_client resources.
Default value: {}
Data type: Boolean
Boolean that sets if clients
should be merged from Hiera.
Default value: false
Data type: Hash
Hash taht is used to define keycloak_flow resources.
Default value: {}
Data type: Boolean
Boolean that sets if flows
should be merged from Hiera.
Default value: false
Data type: Hash
Hash taht is used to define keycloak_flow resources.
Default value: {}
Data type: Boolean
Boolean that sets if flows
should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_required_action resources.
Default value: {}
Data type: Boolean
Boolean that sets if required_actions
should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_ldap_mapper resources.
Default value: {}
Data type: Boolean
Boolean that sets if ldap_mappers
should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_ldap_user_provider resources.
Default value: {}
Data type: Boolean
Boolean that sets if ldap_user_providers
should be merged from Hiera.
Default value: false
Data type: Boolean
Boolean that determines if SSSD user provider support should be available
Default value: false
Data type: Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]
Source URL of libunix-dbus-java
Default value: 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz'
Data type: Boolean
Boolean that determines of libunix-dbus-java build dependencies are managed by this module
Default value: true
Data type: Array
Packages needed to build libunix-dbus-java
Default value: []
Data type: Stdlib::Absolutepath
Path to directory to install libunix-dbus-java libraries
Default value: '/usr/lib64'
Data type: String
Package name for jna
Default value: 'jna'
Data type: Boolean
Boolean that determines if SSSD ifp config for Keycloak is managed
Default value: true
Data type: Array
user_attributes to define for SSSD ifp service
Default value: []
Data type: Boolean
Boolean that determines if SSSD should be restarted
Default value: true
Data type: Hash
Hash used to define keycloak::spi_deployment resources
Default value: {}
Data type: Hash
Hash used to define keycloak::partial_import resources
Default value: {}
Data type: Boolean
Purge the providers directory of unmanaged SPIs
Default value: true
Data type: Optional[String]
Custom configuration content to be added to keycloak.conf
Default value: undef
Data type: Optional[Variant[String, Array]]
Custom configuration source file to be added to keycloak.conf
Default value: undef
Data type: String
The URL path for validator testing Only necessary to set if the URL path to Keycloak is modified
Default value: '/realms/master/.well-known/openid-configuration'
Private class.
Private class.
Private class.
Private class.
Manage Keycloak OpenID Connect client scope using built-in mappers
keycloak::client_scope::oidc { 'oidc-clients':
realm => 'test',
}
The following parameters are available in the keycloak::client_scope::oidc
defined type:
Data type: String
Realm of the client scope.
Data type: String
Name of the client scope resource
Default value: $name
Manage Keycloak SAML client scope using built-in mappers
keycloak::client_scope::saml { 'saml-clients':
realm => 'test',
}
The following parameters are available in the keycloak::client_scope::saml
defined type:
Data type: String
Realm of the client scope.
Data type: String
Name of the client scope resource
Default value: $name
setup FreeIPA LDAP mappers for Keycloak
keycloak::freeipa_ldap_mappers { 'ipa.example.org':
realm => 'EXAMPLE.ORG',
groups_dn => 'cn=groups,cn=accounts,dc=example,dc=org',
roles_dn => 'cn=groups,cn=accounts,dc=example,dc=org'
}
The following parameters are available in the keycloak::freeipa_ldap_mappers
defined type:
Data type: String
Keycloak realm
Data type: String
Groups DN
Data type: String
Roles DN
Data type: String
Used to identify the parent LDAP user provider, name used with keycloak::freeipa_user_provider
Default value: $title
setup IPA as an LDAP user provider for Keycloak
keycloak::freeipa_user_provider { 'ipa.example.org':
ensure => 'present',
realm => 'EXAMPLE.ORG',
bind_dn => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org',
bind_credential => 'secret',
users_dn => 'cn=users,cn=accounts,dc=example,dc=org',
priority => 10,
}
The following parameters are available in the keycloak::freeipa_user_provider
defined type:
ensure
id
ipa_host
realm
bind_dn
bind_credential
users_dn
priority
ldaps
full_sync_period
changed_sync_period
Data type: Enum['present', 'absent']
LDAP user provider status
Default value: 'present'
Data type: Optional[String]
ID to use for user provider
Default value: undef
Data type: Stdlib::Host
Hostname of the FreeIPA server (e.g. ipa.example.org)
Default value: $title
Data type: String
Keycloak realm
Data type: String
LDAP bind dn
Data type: String
LDAP bind password
Data type: String
The DN for user search
Data type: Integer
Priority for this user provider
Default value: 10
Data type: Boolean
Use LDAPS protocol instead of LDAP
Default value: false
Data type: Optional[Integer]
Synchronize all users this often (fullSyncPeriod)
Default value: undef
Data type: Optional[Integer]
Synchronize changed users this often (changedSyncPeriod)
Default value: undef
Perform partialImport using CLI
keycloak::partial_import { 'mysettings':
realm => 'test',
if_resource_exists => 'SKIP',
source => 'puppet:///modules/profile/keycloak/mysettings.json',
}
The following parameters are available in the keycloak::partial_import
defined type:
Data type: String[1]
The Keycloak Realm
Data type: Enum['FAIL','SKIP','OVERWRITE']
Behavior for when resources exist
Data type: Optional[Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]]
The import JSON source
Default value: undef
Data type: Optional[String[1]]
The import JSON content
Default value: undef
Data type: String[1]
The filename of the stored JSON
Default value: $name
Data type: Boolean
Determines whether to require the Keycloak_realm resource
Default value: true
Data type: Boolean
Determines whether to define the Keycloak_realm resource
Default value: false
}
keycloak::spi_deployment { 'duo-spi':
ensure => 'present',
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
}
keycloak::spi_deployment { 'duo-spi':
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
test_url => 'authentication/authenticator-providers',
test_key => 'id',
test_value => 'duo-mfa-authenticator',
test_realm => 'test',
before => Keycloak_flow_execution['duo-mfa-authenticator under form-browser-with-duo on test'],
The following parameters are available in the keycloak::spi_deployment
defined type:
Data type: Enum['present', 'absent']
State of the deployment
Default value: 'present'
Data type: String[1]
Name of the file to be deployed. Defaults to $name
.
Default value: $name
Data type: Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]
Source of the deployment, supports 'file://', 'puppet://', 'https://' or 'http://'
Data type: Optional[String]
URL to test for existance of resources created by this SPI
Default value: undef
Data type: Optional[String]
Key of resource when testing for resource created by this SPI
Default value: undef
Data type: Optional[String]
Value of the test_key
when testing for resources created by this SPI
Default value: undef
Data type: Optional[String]
Realm to query when looking for resources created by this SPI
Default value: undef
Data type: Optional[Array]
Setup autorequires for validator dependent resources
Default value: undef
Add host to Keycloak truststore
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}
The following parameters are available in the keycloak::truststore::host
defined type:
Data type: String
Path to host certificate
Data type: Enum['latest', 'present', 'absent']
Host ensure value passed to java_ks
resource.
Default value: 'latest'
Type that configures API connection parameters for other keycloak types that use the Keycloak API.
keycloak_api { 'keycloak'
install_dir => '/opt/keycloak',
server => 'http://localhost:8080',
realm => 'master',
user => 'admin',
password => 'changeme',
}
The following parameters are available in the keycloak_api
type.
Install location of Keycloak
Default value: /opt/keycloak
namevar
Keycloak API config
Password for authentication
Default value: changeme
Realm for authentication
Default value: master
Auth URL for Keycloak server
Default value: http://localhost:8080
Valid values: true
, false
Boolean that determines if kcadm_wrapper.sh should be used
Default value: false
User for authentication
Default value: admin
Manage Keycloak clients
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
default_client_scopes => ['profile','email'],
secret => 'supersecret',
}
The following properties are available in the keycloak_client
type.
access.token.lifespan
adminUrl
Valid values: true
, false
authorizationServicesEnabled
Default value: false
backchannel.logout.url
baseUrl
Valid values: true
, false
bearerOnly
Default value: false
authenticationFlowBindingOverrides.browser (Use flow alias, not ID)
Default value: absent
clientAuthenticatorType
Default value: client-secret
defaultClientScopes
Default value: []
Valid values: true
, false
enabled
Default value: true
authenticationFlowBindingOverrides.direct_grant (Use flow alias, not ID)
Default value: absent
Valid values: true
, false
enabled
Default value: true
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
Valid values: true
, false
fullScopeAllowed
Default value: true
Valid values: true
, false
implicitFlowEnabled
Default value: false
login_theme
Default value: absent
optionalClientScopes
Default value: []
Valid values: openid-connect
, saml
protocol
Default value: openid-connect
Valid values: true
, false
enabled
Default value: false
redirectUris
Default value: []
roles
Default value: []
rootUrl
saml_artifact_binding_url
saml_assertion_consumer_url_post
saml.assertion.signature
saml.encrypt
saml.encryption.certificate
saml_name_id_format
saml.signing.certificate
saml.signing.private.key
saml_single_logout_service_url_redirect
secret
Valid values: true
, false
serviceAccountsEnabled
Default value: false
Valid values: true
, false
standardFlowEnabled
Default value: true
webOrigins
Default value: []
The following parameters are available in the keycloak_client
type.
clientId. Defaults to name
.
Id. Defaults to client_id
namevar
The client name
The specific backend to use for this keycloak_client
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
realm
Manage Keycloak protocol mappers
keycloak_client_protocol_mapper { "email for test.example.com on test":
claim_name => 'email',
user_attribute => 'email',
}
The following properties are available in the keycloak_client_protocol_mapper
type.
Valid values: true
, false
access.token.claim. Default to true
for protocol
openid-connect
.
attribute.name Default to resource_name
for type
saml-user-property-mapper
.
attribute.nameformat
claim.name
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
friendly.name. Default to resource_name
for type
saml-user-property-mapper
.
Valid values: true
, false
full.path. Default to false
for type
oidc-group-membership-mapper
.
Valid values: true
, false
id.token.claim. Default to true
for protocol
openid-connect
.
included.client.audience Required for type
of oidc-audience-mapper
json.type.label. Default to String
for type
oidc-usermodel-property-mapper
and oidc-group-membership-mapper
.
Valid values: true
, false
multivalued
Valid values: openid-connect
, saml
protocol
Default value: openid-connect
Valid values: true
, false
single. Default to false
for type
saml-role-list-mapper
.
user.attribute. Default to resource_name
for type
oidc-usermodel-property-mapper
or saml-user-property-mapper
Valid values: true
, false
userinfo.token.claim. Default to true
for protocol
openid-connect
except type
of oidc-audience-mapper
.
usermodel.clientRoleMapping.clientId for type
oidc-usermodel-client-role-mapper
The following parameters are available in the keycloak_client_protocol_mapper
type.
client
Id.
namevar
The protocol mapper name
The specific backend to use for this keycloak_client_protocol_mapper
resource. You will seldom need to specify this
--- Puppet will usually discover the appropriate provider for your platform.
realm
The protocol mapper name. Defaults to name
.
Valid values: oidc-usermodel-client-role-mapper
, oidc-usermodel-property-mapper
, oidc-full-name-mapper
, oidc-group-membership-mapper
, oidc-audience-mapper
, saml-user-property-mapper
, saml-role-list-mapper
protocolMapper.
Default is oidc-usermodel-property-mapper
for protocol
openid-connect
and
saml-user-property-mapper
for protocol
saml
.
Manage Keycloak client scopes
keycloak_client_scope { 'email on test':
protocol => 'openid-connect',
}
The following properties are available in the keycloak_client_scope
type.
consent.screen.text
Valid values: true
, false
display.on.consent.screen
Default value: true
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
Valid values: openid-connect
, saml
protocol
Default value: openid-connect
The following parameters are available in the keycloak_client_scope
type.
Id. Defaults to resource_name
.
namevar
The client scope name
The specific backend to use for this keycloak_client_scope
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
The client scope name. Defaults to name
.
Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring.
The following properties are available in the keycloak_conn_validator
type.
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the keycloak_conn_validator
type.
The port that the keycloak server should be listening on.
Default value: 8080
The DNS name or IP address of the server where keycloak should be running.
Default value: localhost
namevar
An arbitrary name used as the identity of the resource.
The specific backend to use for this keycloak_conn_validator
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
URL relative path that is used by Keycloak
Default value: /
URL to use for testing if the Keycloak database is up
Default value: /realms/master/.well-known/openid-configuration
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
Default value: 30
Whether the connection will be attemped using https
Default value: false
Manage a Keycloak flow Autorequires
keycloak_realm
defined forrealm
parameterkeycloak_flow
offlow_alias
iftop_level=false
keycloak_flow
offlow_alias
if otherindex
is lower and iftop_level=false
keycloak_flow_execution
ifflow_alias
is the same and otherindex
is lower and iftop_level=false
keycloak_flow { 'browser-with-duo':
ensure => 'present',
realm => 'test',
}
keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
ensure => 'present',
index => 2,
requirement => 'ALTERNATIVE',
top_level => false,
}
The following properties are available in the keycloak_flow
type.
description
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
execution index, only applied to top_level=false, required for top_level=false
Valid values: DISABLED
, ALTERNATIVE
, REQUIRED
, CONDITIONAL
, disabled
, alternative
, required
, conditional
requirement, only applied to top_level=false and defaults to DISABLED
The following parameters are available in the keycloak_flow
type.
Alias. Default to name
.
flowAlias, required for top_level=false
Id. Default to $alias-$realm
when top_level is true. Only applies to top_level=true
namevar
The flow name
The specific backend to use for this keycloak_flow
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Valid values: basic-flow
, form-flow
providerId
Default value: basic-flow
realm
Valid values: true
, false
topLevel
Default value: true
sub-flow execution provider, default to registration-page-form
for top_level=false and does not apply to
top_level=true
Manage a Keycloak flow Autorequires
keycloak_realm
defined forrealm
parameterkeycloak_flow
of value defined forflow_alias
keycloak_flow
if they share sameflow_alias
value and the other resourceindex
is lowerkeycloak_flow_execution
ifflow_alias
is the same and otherindex
is lower
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Cookie',
index => 0,
requirement => 'ALTERNATIVE',
}
keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Username Password Form',
index => 0,
requirement => 'REQUIRED',
}
keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test':
ensure => 'present',
configurable => true,
display_name => 'Duo MFA',
alias => 'Duo',
config => {
"duomfa.akey" => "foo-akey",
"duomfa.apihost" => "api-foo.duosecurity.com",
"duomfa.skey" => "secret",
"duomfa.ikey" => "foo-ikey",
"duomfa.groups" => "duo"
},
requirement => 'REQUIRED',
index => 1,
}
The following properties are available in the keycloak_flow_execution
type.
execution config
Valid values: true
, false
configurable
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
execution index
Valid values: DISABLED
, ALTERNATIVE
, REQUIRED
, CONDITIONAL
, disabled
, alternative
, required
, conditional
requirement
Default value: DISABLED
The following parameters are available in the keycloak_flow_execution
type.
alias
read-only config ID
displayName
flowAlias
read-only Id
namevar
The flow execution name
The specific backend to use for this keycloak_flow_execution
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
provider
realm
Manage Keycloak identity providers
keycloak_identity_provider { 'cilogon on test':
ensure => 'present',
display_name => 'CILogon',
provider_id => 'oidc',
first_broker_login_flow_alias => 'browser',
client_id => 'cilogon:/client_id/foobar',
client_secret => 'supersecret',
user_info_url => 'https://cilogon.org/oauth2/userinfo',
token_url => 'https://cilogon.org/oauth2/token',
authorization_url => 'https://cilogon.org/authorize',
}
The following properties are available in the keycloak_identity_provider
type.
Valid values: true
, false
addReadTokenRoleOnCreate
Default value: false
allowedClockSkew
Valid values: true
, false
authenticateByDefault
Default value: false
authorizationUrl
Valid values: true
, false
backchannelSupported
Default value: false
Valid values: client_secret_post
, client_secret_basic
, client_secret_jwt
, private_key_jwt
clientAuthMethod
Default value: client_secret_post
clientId
clientSecret
default_scope
Valid values: true
, false
disableUserInfo
Default value: false
displayName
Valid values: true
, false
enabled
Default value: true
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
firstBrokerLoginFlowAlias
Default value: first broker login
forwardParameters
guiOrder
Valid values: true
, false
hideOnLoginPage
Default value: false
issuer
jwksUrl
Valid values: true
, false
linkOnly
Default value: false
Valid values: true
, false
loginHint
Default value: false
logoutUrl
postBrokerLoginFlowAlias
Valid values: none
, consent
, login
, select_account
prompt
Valid values: true
, false
storeToken
Default value: false
Valid values: IMPORT
, LEGACY
, FORCE
syncMode
Default value: IMPORT
tokenUrl
Valid values: true
, false
trustEmail
Default value: false
Valid values: true
, false
uiLocales
Default value: false
Valid values: on
, off
updateProfileFirstLoginMode
Default value: on
Valid values: true
, false
useJwksUrl
Default value: true
userInfoUrl
Valid values: true
, false
validateSignature
Default value: false
The following parameters are available in the keycloak_identity_provider
type.
The identity provider name. Defaults to name
.
internalId. Defaults to "alias
-realm
"
namevar
The identity provider name
The specific backend to use for this keycloak_identity_provider
resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
Valid values: oidc
, keycloak-oidc
providerId
Default value: oidc
realm
Manage Keycloak LDAP attribute mappers
keycloak_ldap_mapper { 'full name for LDAP-test on test:
ensure => 'present',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}
The following properties are available in the keycloak_ldap_mapper
type.
Valid values: true
, false
always.read.value.from.ldap. Defaults to true
if type
is user-attribute-ldap-mapper
.
client.id, only for type
of role-ldap-mapper
Valid values: true
, false
drop.non.existing.groups.during.sync, only for type
of group-ldap-mapper
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
group.name.ldap.attribute, only for type
of group-ldap-mapper
group.object.classes, only for type
of group-ldap-mapper
groups.dn, only for type
of group-ldap-mapper
groups.ldap.filter, only for type
of group-ldap-mapper
Valid values: true
, false
ignore.missing.groups, only for type
of group-ldap-mapper
is.mandatory.in.ldap. Defaults to false
unless type
is full-name-ldap-mapper
.
ldap.attribute
mapped.group.attributes, only for type
of group-ldap-mapper
memberof.ldap.attribute, only for type
of group-ldap-mapper
and role-ldap-mapper
Valid values: DN
, UID
membership.attribute.type, only for type
of group-ldap-mapper
and role-ldap-mapper
membership.ldap.attribute, only for type
of group-ldap-mapper
and role-ldap-mapper
membership.user.ldap.attribute, only for type
of group-ldap-mapper
and role-ldap-mapper
Valid values: READ_ONLY
, LDAP_ONLY
mode, only for type
of group-ldap-mapper
and role-ldap-mapper
Valid values: true
, false
preserve.group.inheritance, only for type
of group-ldap-mapper
Valid values: true
, false
read.only
role.name.ldap.attribute, only for type
of role-ldap-mapper
role.object.classes, only for type
of role-ldap-mapper
roles.dn, only for type
of role-ldap-mapper
roles.ldap.filter, only for type
of role-ldap-mapper
Valid values: true
, false
use.realm.roles.mapping, only for type
of role-ldap-mapper
user.model.attribute
Valid values: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE
, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE
, LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY
, LOAD_ROLES_BY_MEMBER_ATTRIBUTE
, GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE
, LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY
user.roles.retrieve.strategy, only for type
of group-ldap-mapper
and role-ldap-mapper
Valid values: true
, false
write.only. Defaults to false
if type
is full-name-ldap-mapper
.
The following parameters are available in the keycloak_ldap_mapper
type.
Id.
Name of parent keycloak_ldap_user_provider
resource
namevar
The LDAP mapper name
parentId
The specific backend to use for this keycloak_ldap_mapper
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
The LDAP mapper name. Defaults to name
Valid values: user-attribute-ldap-mapper
, full-name-ldap-mapper
, group-ldap-mapper
, role-ldap-mapper
providerId
Default value: user-attribute-ldap-mapper
Manage Keycloak LDAP user providers
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}
The following properties are available in the keycloak_ldap_user_provider
type.
Valid values: true
, false
allowKerberosAuthentication
Valid values: none
, simple
authType
Default value: none
batchSizeForSync
Default value: 1000
bindCredential
bindDn
Valid values: DEFAULT
, EVICT_DAILY
, EVICT_WEEKLY
, MAX_LIFESPAN
, NO_CACHE
cachePolicy
Default value: DEFAULT
changedSyncPeriod
Default value: -1
connectionUrl
Valid values: %r{.*}
, absent
customUserSearchFilter
Default value: absent
Valid values: READ_ONLY
, WRITABLE
, UNSYNCED
editMode
Default value: READ_ONLY
Valid values: true
, false
enabled
Default value: true
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
fullSyncPeriod
Default value: -1
Valid values: true
, false
importEnabled
Default value: true
kerberosRealm
keyTab
priority
Default value: 0
rdnLdapAttribute
Default value: uid
Valid values: one
, one_level
, subtree
, 1
, 2
, 1
, 2
searchScope
serverPrincipal
Valid values: true
, false
syncRegistrations
Default value: false
Valid values: true
, false
trustEmail
Default value: false
Valid values: true
, false
useKerberosForPasswordAuthentication
Valid values: always
, never
useTruststoreSpi
Default value: always
userObjectClasses
Default value: ['inetOrgPerson', 'organizationalPerson']
usernameLdapAttribute
Default value: uid
usersDn
uuidLdapAttribute
Default value: entryUUID
Valid values: ad
, rhds
, tivoli
, eDirectory
, other
vendor
Default value: other
The following parameters are available in the keycloak_ldap_user_provider
type.
Id
namevar
The LDAP user provider name
The specific backend to use for this keycloak_ldap_user_provider
resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
parentId
The LDAP user provider name. Defaults to name
.
Manage Keycloak client scope protocol mappers
keycloak_protocol_mapper { "email for oidc-clients on test":
claim_name => 'email',
user_attribute => 'email',
}
The following properties are available in the keycloak_protocol_mapper
type.
Valid values: true
, false
access.token.claim. Default to true
for protocol
openid-connect
.
attribute.name Default to resource_name
for type
saml-user-property-mapper
.
attribute.nameformat
claim.name
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
friendly.name. Default to resource_name
for type
saml-user-property-mapper
.
Valid values: true
, false
full.path. Default to false
for type
oidc-group-membership-mapper
.
Valid values: true
, false
id.token.claim. Default to true
for protocol
openid-connect
.
included.client.audience Required for type
of oidc-audience-mapper
json.type.label. Default to String
for type
oidc-usermodel-property-mapper
and oidc-group-membership-mapper
.
Valid values: openid-connect
, saml
protocol
Default value: openid-connect
Valid values: true
, false
single. Default to false
for type
saml-role-list-mapper
.
user.attribute. Default to resource_name
for type
oidc-usermodel-property-mapper
or saml-user-property-mapper
Valid values: true
, false
userinfo.token.claim. Default to true
for protocol
openid-connect
except type
of oidc-audience-mapper
.
The following parameters are available in the keycloak_protocol_mapper
type.
client scope
Id.
namevar
The protocol mapper name
The specific backend to use for this keycloak_protocol_mapper
resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
realm
The protocol mapper name. Defaults to name
.
Valid values: oidc-usermodel-property-mapper
, oidc-usermodel-attribute-mapper
, oidc-full-name-mapper
, oidc-group-membership-mapper
, oidc-audience-mapper
, saml-group-membership-mapper
, saml-user-property-mapper
, saml-user-attribute-mapper
, saml-role-list-mapper
protocolMapper.
Default is oidc-usermodel-property-mapper
for protocol
openid-connect
and
saml-user-property-mapper
for protocol
saml
.
Manage Keycloak realms
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}
The following properties are available in the keycloak_realm
type.
accessCodeLifespan
accessCodeLifespanLogin
accessCodeLifespanUserAction
accessTokenLifespan
accessTokenLifespanForImplicitFlow
accountTheme
Default value: keycloak
actionTokenGeneratedByAdminLifespan
actionTokenGeneratedByUserLifespan
Valid values: true
, false
adminEventsDetailsEnabled
Default value: false
Valid values: true
, false
adminEventsEnabled
Default value: false
adminTheme
Default value: keycloak
browserFlow
Default value: browser
Valid values: true
, false
bruteForceProtected
clientAuthenticationFlow
Default value: clients
contentSecurityPolicy
Default value: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
custom properties to pass as realm configurations
Default Client Scopes
defaultLocale
directGrantFlow
Default value: direct grant
displayName
displayNameHtml
dockerAuthenticationFlow
Default value: docker auth
Valid values: true
, false
duplicateEmailsAllowed
Default value: false
Valid values: true
, false
editUsernameAllowed
Default value: false
emailTheme
Default value: keycloak
Valid values: true
, false
enabled
Default value: true
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
Valid values: true
, false
eventsEnabled
Default value: false
eventsExpiration
eventsListeners
Default value: ['jboss-logging']
Valid values: true
, false
internationalizationEnabled
Default value: false
loginTheme
Default value: keycloak
Valid values: true
, false
loginWithEmailAllowed
Default value: true
offlineSessionIdleTimeout
offlineSessionMaxLifespan
Valid values: true
, false
offlineSessionMaxLifespanEnabled
Default value: false
Optional Client Scopes
Valid values: true
, false
registrationAllowed
Default value: false
registrationFlow
Default value: registration
Valid values: true
, false
rememberMe
Default value: false
resetCredentialsFlow
Default value: reset credentials
Valid values: true
, false
resetPasswordAllowed
Default value: false
roles
Default value: ['offline_access', 'uma_authorization']
Valid values: true
, false
smtpServer auth
smtpServer envelope_from
smtpServer from
smtpServer fromDisplayName
smtpServer host
smtpServer password
smtpServer port
smtpServer replyto
smtpServer replyToDisplayName
Valid values: true
, false
smtpServer ssl
Valid values: true
, false
smtpServer starttls
smtpServer user
Valid values: none
, all
, external
sslRequired
Default value: external
ssoSessionIdleTimeout
ssoSessionIdleTimeoutRememberMe
ssoSessionMaxLifespan
ssoSessionMaxLifespanRememberMe
Supported Locales
Valid values: true
, false
userManagedAccessAllowed
Default value: false
Valid values: true
, false
verifyEmail
Default value: false
The following parameters are available in the keycloak_realm
type.
Id. Default to name
.
Valid values: true
, false
Manage realm roles
Default value: true
namevar
The realm name
The specific backend to use for this keycloak_realm
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Manage Keycloak required actions
keycloak_required_action { 'webauthn-register on master':
ensure => present,
alias => 'webauthn-register',
provider_id => 'webauthn-register',
display_name => 'Webauthn Register',
default => true,
enabled => true,
priority => 1,
config => {
'something' => 'true', # keep in mind that keycloak only supports strings for both keys and values
'smth else' => '1',
},
}
@example Minimal example to enable email verification without making it default
keycloak_required_action { 'VERIFY_EMAIL on master':
ensure => present,
}
The following properties are available in the keycloak_required_action
type.
Required action config
Valid values: true
, false
If the required action is a default one. Default to false
Default value: false
Displayed name.
Valid values: true
, false
If the required action is enabled. Default to true.
Default value: true
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
Required action priority
The following parameters are available in the keycloak_required_action
type.
Alias.
namevar
The required action name
The specific backend to use for this keycloak_required_action
resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
providerId of the required action. Default to alias
realm
Verify that a specific Keycloak resource is available
The following properties are available in the keycloak_resource_validator
type.
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the keycloak_resource_validator
type.
Resources that should autorequire this validator, eg: Keycloak_flow_execution[foobar]
namevar
An arbitrary name used as the identity of the resource.
The specific backend to use for this keycloak_resource_validator
resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
Realm to query
Key to lookup
URL to use for testing if the Keycloak database is up
Value to lookup
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
Default value: 30
Attach realm roles to users and groups
keycloak_role_mapping { 'john-offline_access':
realm => 'test',
name => 'john',
realm_roles => ['offline_access'],
}
The following properties are available in the keycloak_role_mapping
type.
realm roles
Default value: []
The following parameters are available in the keycloak_role_mapping
type.
Valid values: true
, false
is this a group instead of a user
Default value: false
namevar
--uusername/--gname
The specific backend to use for this keycloak_role_mapping
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
Manage Keycloak SSSD user providers
keycloak_sssd_user_provider { 'SSSD on test':
ensure => 'present',
}
The following properties are available in the keycloak_sssd_user_provider
type.
Valid values: DEFAULT
, EVICT_DAILY
, EVICT_WEEKLY
, MAX_LIFESPAN
, NO_CACHE
cachePolicy
Default value: DEFAULT
Valid values: true
, false
enabled
Default value: true
Valid values: present
, absent
The basic property that the resource should be in.
Default value: present
evictionDay
evictionHour
evictionMinute
maxLifespan
priority
Default value: 0
The following parameters are available in the keycloak_sssd_user_provider
type.
Id. Defaults to "resource_name
-realm
"
namevar
The SSSD user provider name
The specific backend to use for this keycloak_sssd_user_provider
resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
parentId
The SSSD user provider name. Defaults to name
.
https://www.keycloak.org/server/all-config
Alias of
Struct[{
Optional['cache'] => Enum['local', 'ispn'],
Optional['cache-config-file'] => String[1],
Optional['cache-stack'] => Enum['tcp','udp','kubernetes','ec2','azure','google'],
Optional['db'] => Enum['dev-file','dev-mem','mariadb','mysql','oracle','postgres'],
Optional['db-password'] => String[1],
Optional['db-pool-initial-size'] => Integer,
Optional['db-pool-max-size'] => Integer,
Optional['db-pool-min-size'] => Integer,
Optional['db-schema'] => String[1],
Optional['db-url'] => String[1],
Optional['db-url-database'] => String[1],
Optional['db-url-host'] => Stdlib::Host,
Optional['db-url-port'] => Stdlib::Port,
Optional['db-url-properties'] => String[1],
Optional['db-username'] => String[1],
Optional['transaction-xa-enabled'] => Boolean,
Optional['features'] => Array[String[1]],
Optional['features-disabled'] => Array[String[1]],
Optional['hostname'] => Stdlib::Host,
Optional['hostname-admin'] => Stdlib::Host,
Optional['hostname-admin-url'] => String[1],
Optional['hostname-path'] => String[1],
Optional['hostname-port'] => Stdlib::Port,
Optional['hostname-strict'] => Boolean,
Optional['hostname-strict-backchannel'] => Boolean,
Optional['hostname-strict-https'] => Boolean,
Optional['hostname-url'] => String[1],
Optional['http-enabled'] => Boolean,
Optional['http-host'] => Stdlib::Host,
Optional['http-port'] => Stdlib::Port,
Optional['http-relative-path'] => String[1],
Optional['https-certificate-file'] => Stdlib::Absolutepath,
Optional['https-certificate-key-file'] => Stdlib::Absolutepath,
Optional['https-cipher-suites'] => Array[String[1]],
Optional['https-client-auth'] => Enum['none','request','required'],
Optional['https-key-store-file'] => Stdlib::Absolutepath,
Optional['https-key-store-password'] => String[1],
Optional['https-key-store-type'] => String[1],
Optional['https-port'] => Stdlib::Port,
Optional['https-protocols'] => Array[String[1]],
Optional['https-trust-store-file'] => Stdlib::Absolutepath,
Optional['https-trust-store-password'] => String[1],
Optional['https-trust-store-type'] => String[1],
Optional['health-enabled'] => Boolean,
Optional['metrics-enabled'] => Boolean,
Optional['proxy'] => Enum['edge','reencrypt','passthrough','none'],
Optional['vault'] => Enum['file','hashicorp'],
Optional['vault-dir'] => Stdlib::Absolutepath,
Optional['log'] => Array[Enum['console','file','gelf']],
Optional['log-console-color'] => Boolean,
Optional['log-console-format'] => String[1],
Optional['log-console-output'] => Enum['default','json'],
Optional['log-file'] => Stdlib::Absolutepath,
Optional['log-file-format'] => String[1],
Optional['log-file-output'] => Enum['default','json'],
Optional['log-level'] => String[1],
Optional['log-gelf-facility'] => String[1],
Optional['log-gelf-host'] => Stdlib::Host,
Optional['log-gelf-include-location'] => Boolean,
Optional['log-gelf-include-message-parameters'] => Boolean,
Optional['log-gelf-include-stack-trace'] => Boolean,
Optional['log-gelf-level'] => String[1],
Optional['log-gelf-max-message-size'] => Integer,
Optional['log-gelf-port'] => Stdlib::Port,
Optional['log-gelf-timestamp-format'] => String[1],
Optional['log-level'] => String[1],
}]