v1alpha1

package


Overview

+kubebuilder:object:generate=true +groupName=saml.keycloak.crossplane.io +versionName=v1alpha1


Constants

const (
	// CRDGroup is the API group of every kind in this package.
	CRDGroup   = "saml.keycloak.crossplane.io"
	// CRDVersion is the API version of every kind in this package.
	CRDVersion = "v1alpha1"
)

Package type metadata.

Variables

var (
	// CRDGroupVersion is the API Group Version used to register the objects
	// (CRDGroup/CRDVersion, i.e. saml.keycloak.crossplane.io/v1alpha1).
	CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	// for CRDGroupVersion.
	SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	// It is SchemeBuilder.AddToScheme, exposed for callers that only need the
	// function value.
	AddToScheme = SchemeBuilder.AddToScheme
)
var (
	// Identifiers of the IdentityProvider kind. The underscore names are the
	// generated form and are part of the exported API, so they are kept as is.
	IdentityProvider_Kind             = "IdentityProvider"
	// Kind.Group form, e.g. "IdentityProvider.saml.keycloak.crossplane.io".
	IdentityProvider_GroupKind        = schema.GroupKind{Group: CRDGroup, Kind: IdentityProvider_Kind}.String()
	// Kind qualified by group/version, e.g. "IdentityProvider.saml.keycloak.crossplane.io/v1alpha1".
	IdentityProvider_KindAPIVersion   = IdentityProvider_Kind + "." + CRDGroupVersion.String()
	// The GroupVersionKind of this type.
	IdentityProvider_GroupVersionKind = CRDGroupVersion.WithKind(IdentityProvider_Kind)
)

Repository type metadata.

Functions

This section is empty.

Types

type IdentityProvider

type IdentityProvider struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// The three CEL rules below make alias, entityId and singleSignOnServiceUrl
	// required (in forProvider, or in initProvider when present) whenever the
	// management policies include '*', 'Create' or 'Update', i.e. whenever the
	// provider may create or update the external identity provider.
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.alias) || (has(self.initProvider) && has(self.initProvider.alias))",message="spec.forProvider.alias is a required parameter"
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.entityId) || (has(self.initProvider) && has(self.initProvider.entityId))",message="spec.forProvider.entityId is a required parameter"
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.singleSignOnServiceUrl) || (has(self.initProvider) && has(self.initProvider.singleSignOnServiceUrl))",message="spec.forProvider.singleSignOnServiceUrl is a required parameter"
	// Spec is the desired state (required in the serialized object).
	Spec   IdentityProviderSpec   `json:"spec"`
	// Status is the observed state, including the conditions read and written
	// by GetCondition/SetConditions.
	Status IdentityProviderStatus `json:"status,omitempty"`
}

IdentityProvider is the Schema for the IdentityProviders API. +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,keycloak}

func (*IdentityProvider) DeepCopy

func (in *IdentityProvider) DeepCopy() *IdentityProvider

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProvider.

func (*IdentityProvider) DeepCopyInto

func (in *IdentityProvider) DeepCopyInto(out *IdentityProvider)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*IdentityProvider) DeepCopyObject

func (in *IdentityProvider) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*IdentityProvider) GetCondition

func (mg *IdentityProvider) GetCondition(ct xpv1.ConditionType) xpv1.Condition

GetCondition of this IdentityProvider.

func (*IdentityProvider) GetConnectionDetailsMapping

func (tr *IdentityProvider) GetConnectionDetailsMapping() map[string]string

GetConnectionDetailsMapping for this IdentityProvider

func (*IdentityProvider) GetDeletionPolicy

func (mg *IdentityProvider) GetDeletionPolicy() xpv1.DeletionPolicy

GetDeletionPolicy of this IdentityProvider.

func (*IdentityProvider) GetID

func (tr *IdentityProvider) GetID() string

GetID returns the ID of the underlying Terraform resource of this IdentityProvider.

func (*IdentityProvider) GetInitParameters

func (tr *IdentityProvider) GetInitParameters() (map[string]any, error)

GetInitParameters of this IdentityProvider

func (*IdentityProvider) GetManagementPolicies

func (mg *IdentityProvider) GetManagementPolicies() xpv1.ManagementPolicies

GetManagementPolicies of this IdentityProvider.

func (*IdentityProvider) GetMergedParameters

func (tr *IdentityProvider) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error)

GetMergedParameters of this IdentityProvider.

func (*IdentityProvider) GetObservation

func (tr *IdentityProvider) GetObservation() (map[string]any, error)

GetObservation of this IdentityProvider

func (*IdentityProvider) GetParameters

func (tr *IdentityProvider) GetParameters() (map[string]any, error)

GetParameters of this IdentityProvider

func (*IdentityProvider) GetProviderConfigReference

func (mg *IdentityProvider) GetProviderConfigReference() *xpv1.Reference

GetProviderConfigReference of this IdentityProvider.

func (*IdentityProvider) GetPublishConnectionDetailsTo

func (mg *IdentityProvider) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo

GetPublishConnectionDetailsTo of this IdentityProvider.

func (*IdentityProvider) GetTerraformResourceType

func (mg *IdentityProvider) GetTerraformResourceType() string

GetTerraformResourceType returns Terraform resource type for this IdentityProvider

func (*IdentityProvider) GetTerraformSchemaVersion

func (tr *IdentityProvider) GetTerraformSchemaVersion() int

GetTerraformSchemaVersion returns the associated Terraform schema version

func (*IdentityProvider) GetWriteConnectionSecretToReference

func (mg *IdentityProvider) GetWriteConnectionSecretToReference() *xpv1.SecretReference

GetWriteConnectionSecretToReference of this IdentityProvider.

func (*IdentityProvider) Hub

func (tr *IdentityProvider) Hub()

Hub marks this type as a conversion hub.

func (*IdentityProvider) LateInitialize

func (tr *IdentityProvider) LateInitialize(attrs []byte) (bool, error)

LateInitialize this IdentityProvider using its observed tfState. Returns true if there are any spec changes for the resource.

func (*IdentityProvider) ResolveReferences

func (mg *IdentityProvider) ResolveReferences(ctx context.Context, c client.Reader) error

ResolveReferences of this IdentityProvider.

func (*IdentityProvider) SetConditions

func (mg *IdentityProvider) SetConditions(c ...xpv1.Condition)

SetConditions of this IdentityProvider.

func (*IdentityProvider) SetDeletionPolicy

func (mg *IdentityProvider) SetDeletionPolicy(r xpv1.DeletionPolicy)

SetDeletionPolicy of this IdentityProvider.

func (*IdentityProvider) SetManagementPolicies

func (mg *IdentityProvider) SetManagementPolicies(r xpv1.ManagementPolicies)

SetManagementPolicies of this IdentityProvider.

func (*IdentityProvider) SetObservation

func (tr *IdentityProvider) SetObservation(obs map[string]any) error

SetObservation for this IdentityProvider

func (*IdentityProvider) SetParameters

func (tr *IdentityProvider) SetParameters(params map[string]any) error

SetParameters for this IdentityProvider

func (*IdentityProvider) SetProviderConfigReference

func (mg *IdentityProvider) SetProviderConfigReference(r *xpv1.Reference)

SetProviderConfigReference of this IdentityProvider.

func (*IdentityProvider) SetPublishConnectionDetailsTo

func (mg *IdentityProvider) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo)

SetPublishConnectionDetailsTo of this IdentityProvider.

func (*IdentityProvider) SetWriteConnectionSecretToReference

func (mg *IdentityProvider) SetWriteConnectionSecretToReference(r *xpv1.SecretReference)

SetWriteConnectionSecretToReference of this IdentityProvider.

type IdentityProviderInitParameters

// IdentityProviderInitParameters holds the optional initial settings of a SAML
// IdentityProvider (referenced as spec.initProvider by the validation rules on
// IdentityProvider). Every field is a pointer with omitempty, so an unset field
// is simply not sent.
type IdentityProviderInitParameters struct {

	// When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
	// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
	// NOTE(review): this grants every newly created brokered user read access
	// to the IdP tokens retained by StoreToken; leave false unless intended.
	AddReadTokenRoleOnCreate *bool `json:"addReadTokenRoleOnCreate,omitempty" tf:"add_read_token_role_on_create,omitempty"`

	// The unique name of identity provider.
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`

	// Authenticate users by default. Defaults to false.
	// Enable/disable authenticate users by default.
	AuthenticateByDefault *bool `json:"authenticateByDefault,omitempty" tf:"authenticate_by_default,omitempty"`

	// Ordered list of requested AuthnContext ClassRefs.
	// AuthnContext ClassRefs
	AuthnContextClassRefs []*string `json:"authnContextClassRefs,omitempty" tf:"authn_context_class_refs,omitempty"`

	// Specifies the comparison method used to evaluate the requested context classes or statements.
	// AuthnContext Comparison
	AuthnContextComparisonType *string `json:"authnContextComparisonType,omitempty" tf:"authn_context_comparison_type,omitempty"`

	// Ordered list of requested AuthnContext DeclRefs.
	// AuthnContext DeclRefs
	AuthnContextDeclRefs []*string `json:"authnContextDeclRefs,omitempty" tf:"authn_context_decl_refs,omitempty"`

	// Whether the external IdP supports backchannel logout. Defaults to false.
	// Does the external IDP support backchannel logout?
	BackchannelSupported *bool `json:"backchannelSupported,omitempty" tf:"backchannel_supported,omitempty"`

	// The friendly display name of this identity provider.
	// Friendly name for Identity Providers.
	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`

	// When false, this identity provider is disabled. Defaults to true.
	// Enable/disable this identity provider.
	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`

	// The Entity ID that will be used to uniquely identify this SAML Service Provider.
	EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"`

	// A map of key/value pairs to add extra configuration to this identity provider. Use this attribute at your own risk, as custom attributes may conflict with top-level configuration attributes in future provider updates.
	// NOTE(review): entries here are untyped and can collide with the typed
	// fields of this struct, so review changes to this map as carefully as
	// changes to the security-relevant typed fields.
	// +mapType=granular
	ExtraConfig map[string]*string `json:"extraConfig,omitempty" tf:"extra_config,omitempty"`

	// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
	FirstBrokerLoginFlowAlias *string `json:"firstBrokerLoginFlowAlias,omitempty" tf:"first_broker_login_flow_alias,omitempty"`

	// Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
	// Require Force Authn.
	ForceAuthn *bool `json:"forceAuthn,omitempty" tf:"force_authn,omitempty"`

	// A number defining the order of this identity provider in the GUI.
	// GUI Order
	GuiOrder *string `json:"guiOrder,omitempty" tf:"gui_order,omitempty"`

	// If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
	// Hide On Login Page.
	HideOnLoginPage *bool `json:"hideOnLoginPage,omitempty" tf:"hide_on_login_page,omitempty"`

	// When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
	// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
	LinkOnly *bool `json:"linkOnly,omitempty" tf:"link_only,omitempty"`

	// Login Hint.
	LoginHint *string `json:"loginHint,omitempty" tf:"login_hint,omitempty"`

	// Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
	// Name ID Policy Format.
	NameIDPolicyFormat *string `json:"nameIdPolicyFormat,omitempty" tf:"name_id_policy_format,omitempty"`

	// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
	// Post Binding Authn Request.
	PostBindingAuthnRequest *bool `json:"postBindingAuthnRequest,omitempty" tf:"post_binding_authn_request,omitempty"`

	// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
	// Post Binding Logout.
	PostBindingLogout *bool `json:"postBindingLogout,omitempty" tf:"post_binding_logout,omitempty"`

	// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
	// Post Binding Response.
	PostBindingResponse *bool `json:"postBindingResponse,omitempty" tf:"post_binding_response,omitempty"`

	// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
	PostBrokerLoginFlowAlias *string `json:"postBrokerLoginFlowAlias,omitempty" tf:"post_broker_login_flow_alias,omitempty"`

	// The principal attribute.
	// Principal Attribute
	PrincipalAttribute *string `json:"principalAttribute,omitempty" tf:"principal_attribute,omitempty"`

	// The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
	// Principal Type
	PrincipalType *string `json:"principalType,omitempty" tf:"principal_type,omitempty"`

	// The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
	// provider id, is always saml, unless you have a custom implementation
	ProviderID *string `json:"providerId,omitempty" tf:"provider_id,omitempty"`

	// The name of the realm. This is unique across Keycloak.
	// Realm Name
	// +crossplane:generate:reference:type=github.com/stakater/provider-keycloak/apis/realm/v1alpha1.Realm
	Realm *string `json:"realm,omitempty" tf:"realm,omitempty"`

	// Reference to a Realm (realm API group) used to populate Realm.
	// +kubebuilder:validation:Optional
	RealmRef *v1.Reference `json:"realmRef,omitempty" tf:"-"`

	// Selector for a Realm (realm API group) used to populate Realm.
	// +kubebuilder:validation:Optional
	RealmSelector *v1.Selector `json:"realmSelector,omitempty" tf:"-"`

	// Signing Algorithm. Defaults to empty.
	// Signing Algorithm.
	SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm,omitempty"`

	// Signing Certificate.
	// NOTE(review): presumably the IdP certificate that ValidateSignature
	// checks responses against — confirm against the provider implementation.
	SigningCertificate *string `json:"signingCertificate,omitempty" tf:"signing_certificate,omitempty"`

	// The Url that must be used to send logout requests.
	// Logout URL.
	SingleLogoutServiceURL *string `json:"singleLogoutServiceUrl,omitempty" tf:"single_logout_service_url,omitempty"`

	// The Url that must be used to send authentication requests (SAML AuthnRequest).
	// SSO URL.
	SingleSignOnServiceURL *string `json:"singleSignOnServiceUrl,omitempty" tf:"single_sign_on_service_url,omitempty"`

	// When true, tokens will be stored after authenticating users. Defaults to true.
	// Enable/disable if tokens must be stored after authenticating users.
	// NOTE(review): stored tokens are readable by users holding the
	// broker.read-token role (see AddReadTokenRoleOnCreate).
	StoreToken *bool `json:"storeToken,omitempty" tf:"store_token,omitempty"`

	// The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
	// Sync Mode
	SyncMode *string `json:"syncMode,omitempty" tf:"sync_mode,omitempty"`

	// When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
	// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
	// NOTE(review): this bypasses the realm's own email verification, so the
	// external IdP becomes the sole authority for email ownership.
	TrustEmail *bool `json:"trustEmail,omitempty" tf:"trust_email,omitempty"`

	// Enable/disable signature validation of SAML responses.
	// NOTE(review): when false, SAML responses are accepted without signature
	// validation; keep true (together with SigningCertificate) so the origin
	// of responses can be checked.
	ValidateSignature *bool `json:"validateSignature,omitempty" tf:"validate_signature,omitempty"`

	// Indicates whether this service provider expects an encrypted Assertion.
	// Want Assertions Encrypted.
	WantAssertionsEncrypted *bool `json:"wantAssertionsEncrypted,omitempty" tf:"want_assertions_encrypted,omitempty"`

	// Indicates whether this service provider expects a signed Assertion.
	// Want Assertions Signed.
	// NOTE(review): this is the assertion-level expectation; ValidateSignature
	// covers the response. Which one is enforced for a given IdP is not
	// determined here — confirm.
	WantAssertionsSigned *bool `json:"wantAssertionsSigned,omitempty" tf:"want_assertions_signed,omitempty"`

	// The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
	// Sign Key Transformer.
	XMLSignKeyInfoKeyNameTransformer *string `json:"xmlSignKeyInfoKeyNameTransformer,omitempty" tf:"xml_sign_key_info_key_name_transformer,omitempty"`
}

func (*IdentityProviderInitParameters) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderInitParameters.

func (*IdentityProviderInitParameters) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IdentityProviderList

type IdentityProviderList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	// Items are the IdentityProvider objects in this list (always serialized,
	// even when empty; see also GetItems).
	Items           []IdentityProvider `json:"items"`
}

IdentityProviderList contains a list of IdentityProviders.

func (*IdentityProviderList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderList.

func (*IdentityProviderList) DeepCopyInto

func (in *IdentityProviderList) DeepCopyInto(out *IdentityProviderList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*IdentityProviderList) DeepCopyObject

func (in *IdentityProviderList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*IdentityProviderList) GetItems

func (l *IdentityProviderList) GetItems() []resource.Managed

GetItems of this IdentityProviderList.

type IdentityProviderObservation

// IdentityProviderObservation is the observed state of a SAML IdentityProvider.
// It mirrors the parameter fields and adds ID and InternalID, which exist only
// on the observed side.
type IdentityProviderObservation struct {

	// When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
	// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
	// NOTE(review): observed true means every new brokered user can read the
	// IdP tokens retained by StoreToken.
	AddReadTokenRoleOnCreate *bool `json:"addReadTokenRoleOnCreate,omitempty" tf:"add_read_token_role_on_create,omitempty"`

	// The unique name of identity provider.
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`

	// Authenticate users by default. Defaults to false.
	// Enable/disable authenticate users by default.
	AuthenticateByDefault *bool `json:"authenticateByDefault,omitempty" tf:"authenticate_by_default,omitempty"`

	// Ordered list of requested AuthnContext ClassRefs.
	// AuthnContext ClassRefs
	AuthnContextClassRefs []*string `json:"authnContextClassRefs,omitempty" tf:"authn_context_class_refs,omitempty"`

	// Specifies the comparison method used to evaluate the requested context classes or statements.
	// AuthnContext Comparison
	AuthnContextComparisonType *string `json:"authnContextComparisonType,omitempty" tf:"authn_context_comparison_type,omitempty"`

	// Ordered list of requested AuthnContext DeclRefs.
	// AuthnContext DeclRefs
	AuthnContextDeclRefs []*string `json:"authnContextDeclRefs,omitempty" tf:"authn_context_decl_refs,omitempty"`

	// Whether the external IdP supports backchannel logout. Defaults to false.
	// Does the external IDP support backchannel logout?
	BackchannelSupported *bool `json:"backchannelSupported,omitempty" tf:"backchannel_supported,omitempty"`

	// The friendly display name of this identity provider.
	// Friendly name for Identity Providers.
	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`

	// When false, this identity provider is disabled. Defaults to true.
	// Enable/disable this identity provider.
	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`

	// The Entity ID that will be used to uniquely identify this SAML Service Provider.
	EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"`

	// A map of key/value pairs to add extra configuration to this identity provider. Use this attribute at your own risk, as custom attributes may conflict with top-level configuration attributes in future provider updates.
	// NOTE(review): untyped entries that can collide with the typed fields of
	// this struct; unexpected keys observed here are worth surfacing.
	// +mapType=granular
	ExtraConfig map[string]*string `json:"extraConfig,omitempty" tf:"extra_config,omitempty"`

	// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
	FirstBrokerLoginFlowAlias *string `json:"firstBrokerLoginFlowAlias,omitempty" tf:"first_broker_login_flow_alias,omitempty"`

	// Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
	// Require Force Authn.
	ForceAuthn *bool `json:"forceAuthn,omitempty" tf:"force_authn,omitempty"`

	// A number defining the order of this identity provider in the GUI.
	// GUI Order
	GuiOrder *string `json:"guiOrder,omitempty" tf:"gui_order,omitempty"`

	// If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
	// Hide On Login Page.
	HideOnLoginPage *bool `json:"hideOnLoginPage,omitempty" tf:"hide_on_login_page,omitempty"`

	// Identifier of the observed resource; presumably the Terraform resource
	// ID returned by GetID — confirm against the provider implementation.
	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// Internal Identity Provider Id
	InternalID *string `json:"internalId,omitempty" tf:"internal_id,omitempty"`

	// When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
	// If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider.
	LinkOnly *bool `json:"linkOnly,omitempty" tf:"link_only,omitempty"`

	// Login Hint.
	LoginHint *string `json:"loginHint,omitempty" tf:"login_hint,omitempty"`

	// Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
	// Name ID Policy Format.
	NameIDPolicyFormat *string `json:"nameIdPolicyFormat,omitempty" tf:"name_id_policy_format,omitempty"`

	// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
	// Post Binding Authn Request.
	PostBindingAuthnRequest *bool `json:"postBindingAuthnRequest,omitempty" tf:"post_binding_authn_request,omitempty"`

	// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
	// Post Binding Logout.
	PostBindingLogout *bool `json:"postBindingLogout,omitempty" tf:"post_binding_logout,omitempty"`

	// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
	// Post Binding Response.
	PostBindingResponse *bool `json:"postBindingResponse,omitempty" tf:"post_binding_response,omitempty"`

	// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
	PostBrokerLoginFlowAlias *string `json:"postBrokerLoginFlowAlias,omitempty" tf:"post_broker_login_flow_alias,omitempty"`

	// The principal attribute.
	// Principal Attribute
	PrincipalAttribute *string `json:"principalAttribute,omitempty" tf:"principal_attribute,omitempty"`

	// The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
	// Principal Type
	PrincipalType *string `json:"principalType,omitempty" tf:"principal_type,omitempty"`

	// The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
	// provider id, is always saml, unless you have a custom implementation
	ProviderID *string `json:"providerId,omitempty" tf:"provider_id,omitempty"`

	// The name of the realm. This is unique across Keycloak.
	// Realm Name
	Realm *string `json:"realm,omitempty" tf:"realm,omitempty"`

	// Signing Algorithm. Defaults to empty.
	// Signing Algorithm.
	SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm,omitempty"`

	// Signing Certificate.
	// NOTE(review): presumably the IdP certificate that ValidateSignature
	// checks responses against — confirm against the provider implementation.
	SigningCertificate *string `json:"signingCertificate,omitempty" tf:"signing_certificate,omitempty"`

	// The Url that must be used to send logout requests.
	// Logout URL.
	SingleLogoutServiceURL *string `json:"singleLogoutServiceUrl,omitempty" tf:"single_logout_service_url,omitempty"`

	// The Url that must be used to send authentication requests (SAML AuthnRequest).
	// SSO URL.
	SingleSignOnServiceURL *string `json:"singleSignOnServiceUrl,omitempty" tf:"single_sign_on_service_url,omitempty"`

	// When true, tokens will be stored after authenticating users. Defaults to true.
	// Enable/disable if tokens must be stored after authenticating users.
	// NOTE(review): stored tokens are readable by users holding the
	// broker.read-token role (see AddReadTokenRoleOnCreate).
	StoreToken *bool `json:"storeToken,omitempty" tf:"store_token,omitempty"`

	// The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
	// Sync Mode
	SyncMode *string `json:"syncMode,omitempty" tf:"sync_mode,omitempty"`

	// When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
	// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
	// NOTE(review): observed true means the realm's own email verification is
	// bypassed for users of this provider.
	TrustEmail *bool `json:"trustEmail,omitempty" tf:"trust_email,omitempty"`

	// Enable/disable signature validation of SAML responses.
	// NOTE(review): observed false means SAML responses are currently accepted
	// without signature validation — a value worth alerting on if it differs
	// from the desired state.
	ValidateSignature *bool `json:"validateSignature,omitempty" tf:"validate_signature,omitempty"`

	// Indicates whether this service provider expects an encrypted Assertion.
	// Want Assertions Encrypted.
	WantAssertionsEncrypted *bool `json:"wantAssertionsEncrypted,omitempty" tf:"want_assertions_encrypted,omitempty"`

	// Indicates whether this service provider expects a signed Assertion.
	// Want Assertions Signed.
	WantAssertionsSigned *bool `json:"wantAssertionsSigned,omitempty" tf:"want_assertions_signed,omitempty"`

	// The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
	// Sign Key Transformer.
	XMLSignKeyInfoKeyNameTransformer *string `json:"xmlSignKeyInfoKeyNameTransformer,omitempty" tf:"xml_sign_key_info_key_name_transformer,omitempty"`
}

func (*IdentityProviderObservation) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderObservation.

func (*IdentityProviderObservation) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IdentityProviderParameters

// IdentityProviderParameters is the desired state (spec.forProvider) of a
// Keycloak SAML identity provider. Each field carries two comment lines kept
// from the generator: the Terraform provider description, then the Keycloak
// admin-console help text. Reviewer notes flag the fields whose defaults or
// values weaken the trust placed in the external IdP.
type IdentityProviderParameters struct {

	// When true, new users will be able to read stored tokens. This will automatically assign the broker.read-token role. Defaults to false.
	// Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
	// NOTE(review): only meaningful together with storeToken; the role lets the
	// end user read the IdP token Keycloak stored for them, so keep it false
	// unless an application genuinely needs that token.
	// +kubebuilder:validation:Optional
	AddReadTokenRoleOnCreate *bool `json:"addReadTokenRoleOnCreate,omitempty" tf:"add_read_token_role_on_create,omitempty"`

	// The unique name of identity provider.
	// The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
	// NOTE(review): because the alias is part of the redirect URI, changing it
	// after creation presumably invalidates the SP endpoint registered at the
	// IdP — treat it as immutable in practice.
	// +kubebuilder:validation:Optional
	Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`

	// Authenticate users by default. Defaults to false.
	// Enable/disable authenticate users by default.
	// +kubebuilder:validation:Optional
	AuthenticateByDefault *bool `json:"authenticateByDefault,omitempty" tf:"authenticate_by_default,omitempty"`

	// Ordered list of requested AuthnContext ClassRefs.
	// AuthnContext ClassRefs
	// +kubebuilder:validation:Optional
	AuthnContextClassRefs []*string `json:"authnContextClassRefs,omitempty" tf:"authn_context_class_refs,omitempty"`

	// Specifies the comparison method used to evaluate the requested context classes or statements.
	// AuthnContext Comparison
	// +kubebuilder:validation:Optional
	AuthnContextComparisonType *string `json:"authnContextComparisonType,omitempty" tf:"authn_context_comparison_type,omitempty"`

	// Ordered list of requested AuthnContext DeclRefs.
	// AuthnContext DeclRefs
	// +kubebuilder:validation:Optional
	AuthnContextDeclRefs []*string `json:"authnContextDeclRefs,omitempty" tf:"authn_context_decl_refs,omitempty"`

	// Does the external IDP support backchannel logout? Defaults to false.
	// Does the external IDP support backchannel logout?
	// +kubebuilder:validation:Optional
	BackchannelSupported *bool `json:"backchannelSupported,omitempty" tf:"backchannel_supported,omitempty"`

	// The display name for this identity provider, shown to users on the login page.
	// Friendly name for Identity Providers.
	// +kubebuilder:validation:Optional
	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`

	// When false, this identity provider is disabled and cannot be used to log in. Defaults to true.
	// Enable/disable this identity provider.
	// +kubebuilder:validation:Optional
	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`

	// The Entity ID that will be used to uniquely identify this SAML Service Provider.
	// The Entity ID that will be used to uniquely identify this SAML Service Provider.
	// +kubebuilder:validation:Optional
	EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"`

	// A map of key/value pairs to add extra configuration to this identity provider. Use this attribute at your own risk, as custom attributes may conflict with top-level configuration attributes in future provider updates.
	// NOTE(review): values are plain strings in the CR spec, not secret
	// references, so anyone who can read the resource sees them — do not place
	// credentials here. Keys that shadow a typed field above presumably make
	// the effective setting depend on provider merge order; prefer the typed field.
	// +kubebuilder:validation:Optional
	// +mapType=granular
	ExtraConfig map[string]*string `json:"extraConfig,omitempty" tf:"extra_config,omitempty"`

	// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account. Defaults to first broker login.
	// Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that there is not yet existing Keycloak account linked with the authenticated identity provider account.
	// NOTE(review): this flow decides how a brokered identity is linked to an
	// existing local account; review it together with trustEmail before
	// enabling automatic linking.
	// +kubebuilder:validation:Optional
	FirstBrokerLoginFlowAlias *string `json:"firstBrokerLoginFlowAlias,omitempty" tf:"first_broker_login_flow_alias,omitempty"`

	// Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
	// Require Force Authn.
	// +kubebuilder:validation:Optional
	ForceAuthn *bool `json:"forceAuthn,omitempty" tf:"force_authn,omitempty"`

	// A number defining the order of this identity provider in the GUI.
	// GUI Order
	// NOTE(review): typed as a string, not an integer; the value is passed
	// through as-is, so the CRD will not reject non-numeric input here.
	// +kubebuilder:validation:Optional
	GuiOrder *string `json:"guiOrder,omitempty" tf:"gui_order,omitempty"`

	// If hidden, then login with this provider is possible only if requested explicitly, e.g. using the 'kc_idp_hint' parameter.
	// Hide On Login Page.
	// +kubebuilder:validation:Optional
	HideOnLoginPage *bool `json:"hideOnLoginPage,omitempty" tf:"hide_on_login_page,omitempty"`

	// When true, users cannot login using this provider, but their existing accounts will be linked when possible. Defaults to false.
	// If true, users cannot log in through this provider.  They can only link to this provider.  This is useful if you don't want to allow login from the provider, but want to integrate with a provider
	// +kubebuilder:validation:Optional
	LinkOnly *bool `json:"linkOnly,omitempty" tf:"link_only,omitempty"`

	// Login Hint.
	// +kubebuilder:validation:Optional
	LoginHint *string `json:"loginHint,omitempty" tf:"login_hint,omitempty"`

	// Specifies the URI reference corresponding to a name identifier format. Defaults to empty.
	// Name ID Policy Format.
	// +kubebuilder:validation:Optional
	NameIDPolicyFormat *string `json:"nameIdPolicyFormat,omitempty" tf:"name_id_policy_format,omitempty"`

	// Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
	// Post Binding Authn Request.
	// +kubebuilder:validation:Optional
	PostBindingAuthnRequest *bool `json:"postBindingAuthnRequest,omitempty" tf:"post_binding_authn_request,omitempty"`

	// Indicates whether logout requests are sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
	// Post Binding Logout.
	// +kubebuilder:validation:Optional
	PostBindingLogout *bool `json:"postBindingLogout,omitempty" tf:"post_binding_logout,omitempty"`

	// Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
	// Post Binding Response.
	// +kubebuilder:validation:Optional
	PostBindingResponse *bool `json:"postBindingResponse,omitempty" tf:"post_binding_response,omitempty"`

	// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. Defaults to empty.
	// Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you don't want any additional authenticators to be triggered after login with this identity provider. Also note, that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.
	// +kubebuilder:validation:Optional
	PostBrokerLoginFlowAlias *string `json:"postBrokerLoginFlowAlias,omitempty" tf:"post_broker_login_flow_alias,omitempty"`

	// The principal attribute.
	// Principal Attribute
	// NOTE(review): presumably only consulted when principalType is ATTRIBUTE
	// or FRIENDLY_ATTRIBUTE — confirm against the Keycloak SAML broker docs.
	// +kubebuilder:validation:Optional
	PrincipalAttribute *string `json:"principalAttribute,omitempty" tf:"principal_attribute,omitempty"`

	// The principal type. Can be one of SUBJECT, ATTRIBUTE or FRIENDLY_ATTRIBUTE.
	// Principal Type
	// +kubebuilder:validation:Optional
	PrincipalType *string `json:"principalType,omitempty" tf:"principal_type,omitempty"`

	// The ID of the identity provider to use. Defaults to saml, which should be used unless you have extended Keycloak and provided your own implementation.
	// provider id, is always saml, unless you have a custom implementation
	// +kubebuilder:validation:Optional
	ProviderID *string `json:"providerId,omitempty" tf:"provider_id,omitempty"`

	// The name of the realm. This is unique across Keycloak.
	// Realm Name
	// Set directly, or leave empty and let realmRef/realmSelector resolve it.
	// +crossplane:generate:reference:type=github.com/stakater/provider-keycloak/apis/realm/v1alpha1.Realm
	// +kubebuilder:validation:Optional
	Realm *string `json:"realm,omitempty" tf:"realm,omitempty"`

	// Reference to a Realm in realm to populate realm.
	// +kubebuilder:validation:Optional
	RealmRef *v1.Reference `json:"realmRef,omitempty" tf:"-"`

	// Selector for a Realm in realm to populate realm.
	// +kubebuilder:validation:Optional
	RealmSelector *v1.Selector `json:"realmSelector,omitempty" tf:"-"`

	// Signing Algorithm. Defaults to empty.
	// Signing Algorithm.
	// NOTE(review): no allowed-value list is enforced here; pick an algorithm
	// the IdP accepts and avoid SHA-1 variants where the IdP supports better.
	// +kubebuilder:validation:Optional
	SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm,omitempty"`

	// Signing Certificate.
	// Signing Certificate.
	// NOTE(review): presumably the IdP's X.509 certificate used to verify
	// incoming signatures; validateSignature is only effective when this is
	// set to the correct certificate. Rotate it when the IdP rotates keys.
	// +kubebuilder:validation:Optional
	SigningCertificate *string `json:"signingCertificate,omitempty" tf:"signing_certificate,omitempty"`

	// The Url that must be used to send logout requests.
	// Logout URL.
	// +kubebuilder:validation:Optional
	SingleLogoutServiceURL *string `json:"singleLogoutServiceUrl,omitempty" tf:"single_logout_service_url,omitempty"`

	// The Url that must be used to send authentication requests (SAML AuthnRequest).
	// SSO URL.
	// NOTE(review): users are redirected here to authenticate; the CRD does
	// not validate the scheme, so make sure it is an https endpoint of the
	// intended IdP.
	// +kubebuilder:validation:Optional
	SingleSignOnServiceURL *string `json:"singleSignOnServiceUrl,omitempty" tf:"single_sign_on_service_url,omitempty"`

	// When true, tokens will be stored after authenticating users. Defaults to true.
	// Enable/disable if tokens must be stored after authenticating users.
	// NOTE(review): stored IdP tokens persist in Keycloak's database; set to
	// false unless something consumes them (see addReadTokenRoleOnCreate).
	// +kubebuilder:validation:Optional
	StoreToken *bool `json:"storeToken,omitempty" tf:"store_token,omitempty"`

	// The default sync mode to use for all mappers attached to this identity provider. Can be one of IMPORT, FORCE, or LEGACY.
	// Sync Mode
	// +kubebuilder:validation:Optional
	SyncMode *string `json:"syncMode,omitempty" tf:"sync_mode,omitempty"`

	// When true, email addresses for users in this provider will automatically be verified regardless of the realm's email verification policy. Defaults to false.
	// If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
	// NOTE(review): enable only when the IdP is trusted to assert verified
	// addresses; otherwise an IdP account with an arbitrary email may be
	// linked to the local account owning that address during first broker login.
	// +kubebuilder:validation:Optional
	TrustEmail *bool `json:"trustEmail,omitempty" tf:"trust_email,omitempty"`

	// Enable/disable signature validation of SAML responses.
	// Enable/disable signature validation of SAML responses.
	// NOTE(review): when false, responses from this IdP are accepted without
	// checking the IdP signature, so a forged response would be trusted. Keep
	// it true and set signingCertificate for anything beyond local testing.
	// +kubebuilder:validation:Optional
	ValidateSignature *bool `json:"validateSignature,omitempty" tf:"validate_signature,omitempty"`

	// Indicates whether this service provider expects an encrypted Assertion.
	// Want Assertions Encrypted.
	// +kubebuilder:validation:Optional
	WantAssertionsEncrypted *bool `json:"wantAssertionsEncrypted,omitempty" tf:"want_assertions_encrypted,omitempty"`

	// Indicates whether this service provider expects a signed Assertion.
	// Want Assertions Signed.
	// NOTE(review): distinct from validateSignature — this concerns the
	// Assertion element itself; presumably both should be on to require
	// signatures at both levels. Confirm against the IdP's signing behaviour.
	// +kubebuilder:validation:Optional
	WantAssertionsSigned *bool `json:"wantAssertionsSigned,omitempty" tf:"want_assertions_signed,omitempty"`

	// The SAML signature key name. Can be one of NONE, KEY_ID, or CERT_SUBJECT.
	// Sign Key Transformer.
	// +kubebuilder:validation:Optional
	XMLSignKeyInfoKeyNameTransformer *string `json:"xmlSignKeyInfoKeyNameTransformer,omitempty" tf:"xml_sign_key_info_key_name_transformer,omitempty"`
}

func (*IdentityProviderParameters) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderParameters.

func (*IdentityProviderParameters) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IdentityProviderSpec

// IdentityProviderSpec defines the desired state of IdentityProvider.
// ForProvider is the authoritative configuration; InitProvider supplies
// create-time-only values that are not reconciled afterwards.
type IdentityProviderSpec struct {
	v1.ResourceSpec `json:",inline"`
	// ForProvider holds the Keycloak SAML identity provider settings that are
	// reconciled on every sync.
	ForProvider     IdentityProviderParameters `json:"forProvider"`
	// THIS IS A BETA FIELD. It will be honored
	// unless the Management Policies feature flag is disabled.
	// InitProvider holds the same fields as ForProvider, with the exception
	// of Identifier and other resource reference fields. The fields that are
	// in InitProvider are merged into ForProvider when the resource is created.
	// The same fields are also added to the terraform ignore_changes hook, to
	// avoid updating them after creation. This is useful for fields that are
	// required on creation, but we do not desire to update them after creation,
	// for example because of an external controller is managing them, like an
	// autoscaler.
	// NOTE(review): because drift in these fields is ignored after creation,
	// a security-relevant setting (e.g. validateSignature) placed only in
	// InitProvider will not be re-enforced if changed out of band.
	InitProvider IdentityProviderInitParameters `json:"initProvider,omitempty"`
}

IdentityProviderSpec defines the desired state of IdentityProvider

func (*IdentityProviderSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderSpec.

func (*IdentityProviderSpec) DeepCopyInto

func (in *IdentityProviderSpec) DeepCopyInto(out *IdentityProviderSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IdentityProviderStatus

// IdentityProviderStatus defines the observed state of IdentityProvider.
// AtProvider mirrors what the controller last read back from Keycloak.
type IdentityProviderStatus struct {
	v1.ResourceStatus `json:",inline"`
	// AtProvider is the last observed configuration of the identity provider.
	AtProvider        IdentityProviderObservation `json:"atProvider,omitempty"`
}

IdentityProviderStatus defines the observed state of IdentityProvider.

func (*IdentityProviderStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderStatus.

func (*IdentityProviderStatus) DeepCopyInto

func (in *IdentityProviderStatus) DeepCopyInto(out *IdentityProviderStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
