keycloak: Manage Keycloakkeycloak::config: Private class.keycloak::install: Private class.keycloak::service: Private class.keycloak::sssd: Private class.
keycloak::db::mariadb: Manage MySQL DBkeycloak::db::mysql: Manage MySQL DBkeycloak::db::postgres: Manage postgres DBkeycloak::resources: Define Keycloak resources
keycloak::client_scope::oidc: Manage Keycloak OpenID Connect client scope using built-in mapperskeycloak::client_scope::saml: Manage Keycloak SAML client scope using built-in mapperskeycloak::freeipa_ldap_mappers: setup FreeIPA LDAP mappers for Keycloakkeycloak::freeipa_user_provider: setup IPA as an LDAP user provider for Keycloakkeycloak::partial_import: Perform partialImport using CLIkeycloak::spi_deployment: Manage Keycloak SPI deploymentkeycloak::truststore::host: Add host to Keycloak truststore
keycloak_api: Type that configures API connection parameters for other keycloak types that use the Keycloak API.keycloak_client: Manage Keycloak clientskeycloak_client_protocol_mapper: Manage Keycloak protocol mapperskeycloak_client_scope: Manage Keycloak client scopeskeycloak_conn_validator: Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prekeycloak_flow: Manage a Keycloak flow Autorequires *keycloak_realmdefined forrealmparameter *keycloak_flowofflow_aliasif `top_level=falskeycloak_flow_execution: Manage a Keycloak flow Autorequires *keycloak_realmdefined forrealmparameter *keycloak_flowof value defined forflow_aliaskeycloak_identity_provider: Manage Keycloak identity providerskeycloak_ldap_mapper: Manage Keycloak LDAP attribute mapperskeycloak_ldap_user_provider: Manage Keycloak LDAP user providerskeycloak_protocol_mapper: Manage Keycloak client scope protocol mapperskeycloak_realm: Manage Keycloak realmskeycloak_required_action: Manage Keycloak required actionskeycloak_resource_validator: Verify that a specific Keycloak resource is availablekeycloak_role_mapping: Attach realm roles to users and groupskeycloak_sssd_user_provider: Manage Keycloak SSSD user providers
Manage Keycloak
include ::keycloakThe following parameters are available in the keycloak class:
manage_installversionpackage_urlinstall_dirjava_package_dependenciesjava_declare_methodjava_packagejava_homejava_alternative_pathjava_alternativeservice_nameservice_ensureservice_enablejava_optsstart_commandservice_extra_optsservice_environment_fileconf_dir_modeconf_dir_purgeconf_dir_purge_ignoreconfigsextra_configshostnamehttp_enabledhttp_hosthttp_porthttps_porthttp_relative_pathmanage_useruseruser_shellgroupuser_uidgroup_gidsystem_useradmin_useradmin_user_passwordmanage_dbmanage_db_serverdbdb_url_hostdb_url_portdb_urldb_url_databasedb_usernamedb_passworddb_charsetdb_collatedb_encodingfeaturesfeatures_disabledtruststoretruststore_hoststruststore_passwordproxyrealmsrealms_mergeoidc_client_scopesoidc_client_scopes_mergesaml_client_scopessaml_client_scopes_mergeidentity_providersidentity_providers_mergeclient_protocol_mappersclient_scopesclient_scopes_mergeprotocol_mappersprotocol_mappers_mergeclientsclients_mergeflowsflows_mergeflow_executionsflow_executions_mergerequired_actionsrequired_actions_mergeldap_mappersldap_mappers_mergeldap_user_providersldap_user_providers_mergewith_sssd_supportlibunix_dbus_java_sourceinstall_libunix_dbus_java_build_dependencieslibunix_dbus_java_build_dependencieslibunix_dbus_java_libdirjna_package_namemanage_sssd_configsssd_ifp_user_attributesrestart_sssdspi_deploymentspartial_importsproviders_purgecustom_config_contentcustom_config_sourcevalidator_test_url
Data type: Boolean
Install Keycloak from upstream Keycloak tarball. Set to false to manage installation of Keycloak outside this module and set $install_dir to match. Defaults to true.
Default value: true
Data type: String
Version of Keycloak to install and manage.
Default value: '22.0.0'
Data type: Optional[Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]]
URL of the Keycloak download. Default is based on version.
Default value: undef
Data type: Optional[Stdlib::Absolutepath]
The directory of where to install Keycloak.
Default is /opt/keycloak-${version}.
Default value: undef
Data type: Array[String[1]]
Packages to install before Java
Default value: []
Data type: Enum['include','class']
How to declare the Java class within this module
The include value only includes the java class
The class method defines the Java class and passes necessary parameters
For RedHat base systems this defaults to class, other OSes default to include
Default value: 'class'
Data type: String[1]
Java package name, only used when java_declare_method is class
Default value: 'java-17-openjdk-devel'
Data type: Stdlib::Absolutepath
Java home path. This value is used when java_declare_method is class
as well as to set JAVA_HOME environment variable for the Keycloak service.
Default value: '/usr/lib/jvm/java-17-openjdk'
Data type: Stdlib::Absolutepath
Java alternative path, only used when java_declare_method is class
Default value: '/usr/lib/jvm/java-17-openjdk/bin/java'
Data type: String[1]
Java alternative, only used when java_declare_method is class
Default value: '/usr/lib/jvm/java-17-openjdk/bin/java'
Data type: String
Keycloak service name.
Default is keycloak.
Default value: 'keycloak'
Data type: String
Keycloak service ensure property.
Default is running.
Default value: 'running'
Data type: Boolean
Keycloak service enable property.
Default is true.
Default value: true
Data type: Optional[Variant[String, Array]]
Sets additional options to Java virtual machine environment variable.
Default value: undef
Data type: Enum['start','start-dev']
The start command to use to run Keycloak
Default value: 'start'
Data type: Optional[String]
Additional options added to the end of the service command-line.
Default value: undef
Data type: Optional[Stdlib::Absolutepath]
Path to the file with environment variables for the systemd service
Default value: undef
Data type: Stdlib::Filemode
The mode for the configuration directory
Default value: '0755'
Data type: Boolean
Purge unmanaged files in configuration directory
Default value: true
Data type: Array
The files to ignore when unmanaged files are purged from the configuration directory
Default value: ['cache-ispn.xml', 'README.md', 'truststore.jks']
Data type: Keycloak::Configs
Define additional configs for keycloak.conf
Default value: {}
Data type: Hash[String, Variant[String[1],Boolean,Array]]
Additional configs for keycloak.conf
Default value: {}
Data type: Variant[Stdlib::Host, Enum['unset','UNSET']]
hostname to set in keycloak.conf
Set to unset or UNSET to not define this in keycloak.conf
Default value: $facts['networking']['fqdn']
Data type: Boolean
Whether to enable HTTP
Default value: true
Data type: Stdlib::IP::Address
HTTP host
Default value: '0.0.0.0'
Data type: Stdlib::Port
HTTP port
Default value: 8080
Data type: Stdlib::Port
HTTPS port
Default value: 8443
Data type: Pattern[/^\/.*/]
Set the path relative to '/' for serving resources. The path must start with a '/'.
Default value: '/'
Data type: Boolean
Defines if the module should manage the Linux user for Keycloak installation
Default value: true
Data type: String
Keycloak user name.
Default is keycloak.
Default value: 'keycloak'
Data type: Stdlib::Absolutepath
Keycloak user shell.
Default value: '/sbin/nologin'
Data type: String
Keycloak user group name.
Default is keycloak.
Default value: 'keycloak'
Data type: Optional[Integer]
Keycloak user UID.
Default is undef.
Default value: undef
Data type: Optional[Integer]
Keycloak user group GID.
Default is undef.
Default value: undef
Data type: Boolean
If keycloak user should be a system user with lower uid and gid.
Default is true
Default value: true
Data type: String
Keycloak administrative username.
Default is admin.
Default value: 'admin'
Data type: String
Keycloak administrative user password.
Default is changeme.
Default value: 'changeme'
Data type: Boolean
Boolean that determines if configured database will be managed.
Default value: true
Data type: Boolean
Include the DB server class for postgres, mariadb or mysql
Default value: true
Data type: Enum['dev-file', 'dev-mem', 'mariadb', 'mysql', 'oracle', 'postgres']
Database driver to use for Keycloak.
Default value: 'dev-file'
Data type: Optional[Stdlib::Host]
Database host.
Default value: undef
Data type: Optional[Stdlib::Port]
Database port.
Default value: undef
Data type: Optional[String[1]]
Database url.
Default value: undef
Data type: String[1]
Database name.
Default value: 'keycloak'
Data type: String[1]
Database user name.
Default value: 'keycloak'
Data type: String[1]
Database user password.
Default value: 'changeme'
Data type: String
MySQL and MariaDB database charset
Default value: 'utf8'
Data type: String
MySQL and MariaDB database collate
Default value: 'utf8_general_ci'
Data type: String
PostgreSQL database encoding
Default value: 'UTF8'
Data type: Optional[Array[String[1]]]
Keycloak features to enable
Default value: undef
Data type: Optional[Array[String[1]]]
Keycloak features to disable
Default value: undef
Data type: Boolean
Boolean that sets if truststore should be used.
Default is false.
Default value: false
Data type: Hash
Hash that is used to define keycloak::turststore::host resources.
Default is {}.
Default value: {}
Data type: String
Truststore password.
Default is keycloak.
Default value: 'keycloak'
Data type: Enum['edge','reencrypt','passthrough','none']
Type of proxy to use for Keycloak
Default value: 'none'
Data type: Hash
Hash that is used to define keycloak_realm resources.
Default is {}.
Default value: {}
Data type: Boolean
Boolean that sets if realms should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak::client_scope::oidc resources.
Default is {}.
Default value: {}
Data type: Boolean
Boolean that sets if oidc_client_scopes should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak::client_scope::saml resources.
Default is {}.
Default value: {}
Data type: Boolean
Boolean that sets if saml_client_scopes should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_identity_provider resources.
Default value: {}
Data type: Boolean
Boolean that sets if identity_providers should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_client_protocol_mapper resources.
Default value: {}
Data type: Hash
Hash that is used to define keycloak_client_scope resources.
Default value: {}
Data type: Boolean
Boolean that sets if client_scopes should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_protocol_mapper resources.
Default value: {}
Data type: Boolean
Boolean that sets if protocol_mappers should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_client resources.
Default value: {}
Data type: Boolean
Boolean that sets if clients should be merged from Hiera.
Default value: false
Data type: Hash
Hash taht is used to define keycloak_flow resources.
Default value: {}
Data type: Boolean
Boolean that sets if flows should be merged from Hiera.
Default value: false
Data type: Hash
Hash taht is used to define keycloak_flow resources.
Default value: {}
Data type: Boolean
Boolean that sets if flows should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_required_action resources.
Default value: {}
Data type: Boolean
Boolean that sets if required_actions should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_ldap_mapper resources.
Default value: {}
Data type: Boolean
Boolean that sets if ldap_mappers should be merged from Hiera.
Default value: false
Data type: Hash
Hash that is used to define keycloak_ldap_user_provider resources.
Default value: {}
Data type: Boolean
Boolean that sets if ldap_user_providers should be merged from Hiera.
Default value: false
Data type: Boolean
Boolean that determines if SSSD user provider support should be available
Default value: false
Data type: Variant[Stdlib::HTTPUrl, Stdlib::HTTPSUrl]
Source URL of libunix-dbus-java
Default value: 'https://github.com/keycloak/libunix-dbus-java/archive/libunix-dbus-java-0.8.0.tar.gz'
Data type: Boolean
Boolean that determines of libunix-dbus-java build dependencies are managed by this module
Default value: true
Data type: Array
Packages needed to build libunix-dbus-java
Default value: []
Data type: Stdlib::Absolutepath
Path to directory to install libunix-dbus-java libraries
Default value: '/usr/lib64'
Data type: String
Package name for jna
Default value: 'jna'
Data type: Boolean
Boolean that determines if SSSD ifp config for Keycloak is managed
Default value: true
Data type: Array
user_attributes to define for SSSD ifp service
Default value: []
Data type: Boolean
Boolean that determines if SSSD should be restarted
Default value: true
Data type: Hash
Hash used to define keycloak::spi_deployment resources
Default value: {}
Data type: Hash
Hash used to define keycloak::partial_import resources
Default value: {}
Data type: Boolean
Purge the providers directory of unmanaged SPIs
Default value: true
Data type: Optional[String]
Custom configuration content to be added to keycloak.conf
Default value: undef
Data type: Optional[Variant[String, Array]]
Custom configuration source file to be added to keycloak.conf
Default value: undef
Data type: String
The URL path for validator testing Only necessary to set if the URL path to Keycloak is modified
Default value: '/realms/master/.well-known/openid-configuration'
Private class.
Private class.
Private class.
Private class.
Manage Keycloak OpenID Connect client scope using built-in mappers
keycloak::client_scope::oidc { 'oidc-clients':
realm => 'test',
}The following parameters are available in the keycloak::client_scope::oidc defined type:
Data type: String
Realm of the client scope.
Data type: String
Name of the client scope resource
Default value: $name
Manage Keycloak SAML client scope using built-in mappers
keycloak::client_scope::saml { 'saml-clients':
realm => 'test',
}The following parameters are available in the keycloak::client_scope::saml defined type:
Data type: String
Realm of the client scope.
Data type: String
Name of the client scope resource
Default value: $name
setup FreeIPA LDAP mappers for Keycloak
keycloak::freeipa_ldap_mappers { 'ipa.example.org':
realm => 'EXAMPLE.ORG',
groups_dn => 'cn=groups,cn=accounts,dc=example,dc=org',
roles_dn => 'cn=groups,cn=accounts,dc=example,dc=org'
}The following parameters are available in the keycloak::freeipa_ldap_mappers defined type:
Data type: String
Keycloak realm
Data type: String
Groups DN
Data type: String
Roles DN
Data type: String
Used to identify the parent LDAP user provider, name used with keycloak::freeipa_user_provider
Default value: $title
setup IPA as an LDAP user provider for Keycloak
keycloak::freeipa_user_provider { 'ipa.example.org':
ensure => 'present',
realm => 'EXAMPLE.ORG',
bind_dn => 'uid=ldapproxy,cn=sysaccounts,cn=etc,dc=example,dc=org',
bind_credential => 'secret',
users_dn => 'cn=users,cn=accounts,dc=example,dc=org',
priority => 10,
}The following parameters are available in the keycloak::freeipa_user_provider defined type:
ensureidipa_hostrealmbind_dnbind_credentialusers_dnpriorityldapsfull_sync_periodchanged_sync_period
Data type: Enum['present', 'absent']
LDAP user provider status
Default value: 'present'
Data type: Optional[String]
ID to use for user provider
Default value: undef
Data type: Stdlib::Host
Hostname of the FreeIPA server (e.g. ipa.example.org)
Default value: $title
Data type: String
Keycloak realm
Data type: String
LDAP bind dn
Data type: String
LDAP bind password
Data type: String
The DN for user search
Data type: Integer
Priority for this user provider
Default value: 10
Data type: Boolean
Use LDAPS protocol instead of LDAP
Default value: false
Data type: Optional[Integer]
Synchronize all users this often (fullSyncPeriod)
Default value: undef
Data type: Optional[Integer]
Synchronize changed users this often (changedSyncPeriod)
Default value: undef
Perform partialImport using CLI
keycloak::partial_import { 'mysettings':
realm => 'test',
if_resource_exists => 'SKIP',
source => 'puppet:///modules/profile/keycloak/mysettings.json',
}The following parameters are available in the keycloak::partial_import defined type:
Data type: String[1]
The Keycloak Realm
Data type: Enum['FAIL','SKIP','OVERWRITE']
Behavior for when resources exist
Data type: Optional[Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]]
The import JSON source
Default value: undef
Data type: Optional[String[1]]
The import JSON content
Default value: undef
Data type: String[1]
The filename of the stored JSON
Default value: $name
Data type: Boolean
Determines whether to require the Keycloak_realm resource
Default value: true
Data type: Boolean
Determines whether to define the Keycloak_realm resource
Default value: false
}
keycloak::spi_deployment { 'duo-spi':
ensure => 'present',
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
}keycloak::spi_deployment { 'duo-spi':
deployed_name => 'keycloak-duo-spi-jar-with-dependencies.jar',
source => 'file:///path/to/source/keycloak-duo-spi-jar-with-dependencies.jar',
test_url => 'authentication/authenticator-providers',
test_key => 'id',
test_value => 'duo-mfa-authenticator',
test_realm => 'test',
before => Keycloak_flow_execution['duo-mfa-authenticator under form-browser-with-duo on test'],The following parameters are available in the keycloak::spi_deployment defined type:
Data type: Enum['present', 'absent']
State of the deployment
Default value: 'present'
Data type: String[1]
Name of the file to be deployed. Defaults to $name.
Default value: $name
Data type: Variant[Stdlib::Filesource, Stdlib::HTTPSUrl]
Source of the deployment, supports 'file://', 'puppet://', 'https://' or 'http://'
Data type: Optional[String]
URL to test for existance of resources created by this SPI
Default value: undef
Data type: Optional[String]
Key of resource when testing for resource created by this SPI
Default value: undef
Data type: Optional[String]
Value of the test_key when testing for resources created by this SPI
Default value: undef
Data type: Optional[String]
Realm to query when looking for resources created by this SPI
Default value: undef
Data type: Optional[Array]
Setup autorequires for validator dependent resources
Default value: undef
Add host to Keycloak truststore
keycloak::truststore::host { 'ldap1.example.com':
certificate => '/etc/openldap/certs/0a00000.0',
}The following parameters are available in the keycloak::truststore::host defined type:
Data type: String
Path to host certificate
Data type: Enum['latest', 'present', 'absent']
Host ensure value passed to java_ks resource.
Default value: 'latest'
Type that configures API connection parameters for other keycloak types that use the Keycloak API.
keycloak_api { 'keycloak'
install_dir => '/opt/keycloak',
server => 'http://localhost:8080',
realm => 'master',
user => 'admin',
password => 'changeme',
}The following parameters are available in the keycloak_api type.
Install location of Keycloak
Default value: /opt/keycloak
namevar
Keycloak API config
Password for authentication
Default value: changeme
Realm for authentication
Default value: master
Auth URL for Keycloak server
Default value: http://localhost:8080
Valid values: true, false
Boolean that determines if kcadm_wrapper.sh should be used
Default value: false
User for authentication
Default value: admin
Manage Keycloak clients
keycloak_client { 'www.example.com':
ensure => 'present',
realm => 'test',
redirect_uris => [
"https://www.example.com/oidc",
"https://www.example.com",
],
default_client_scopes => ['profile','email'],
secret => 'supersecret',
}The following properties are available in the keycloak_client type.
access.token.lifespan
adminUrl
Valid values: true, false
authorizationServicesEnabled
Default value: false
backchannel.logout.url
baseUrl
Valid values: true, false
bearerOnly
Default value: false
authenticationFlowBindingOverrides.browser (Use flow alias, not ID)
Default value: absent
clientAuthenticatorType
Default value: client-secret
defaultClientScopes
Default value: []
Valid values: true, false
enabled
Default value: true
authenticationFlowBindingOverrides.direct_grant (Use flow alias, not ID)
Default value: absent
Valid values: true, false
enabled
Default value: true
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Valid values: true, false
fullScopeAllowed
Default value: true
Valid values: true, false
implicitFlowEnabled
Default value: false
login_theme
Default value: absent
optionalClientScopes
Default value: []
Valid values: openid-connect, saml
protocol
Default value: openid-connect
Valid values: true, false
enabled
Default value: false
redirectUris
Default value: []
roles
Default value: []
rootUrl
saml_artifact_binding_url
saml_assertion_consumer_url_post
saml.assertion.signature
saml.encrypt
saml.encryption.certificate
saml_name_id_format
saml.signing.certificate
saml.signing.private.key
saml_single_logout_service_url_redirect
secret
Valid values: true, false
serviceAccountsEnabled
Default value: false
Valid values: true, false
standardFlowEnabled
Default value: true
webOrigins
Default value: []
The following parameters are available in the keycloak_client type.
clientId. Defaults to name.
Id. Defaults to client_id
namevar
The client name
The specific backend to use for this keycloak_client resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
realm
Manage Keycloak protocol mappers
keycloak_client_protocol_mapper { "email for test.example.com on test":
claim_name => 'email',
user_attribute => 'email',
}The following properties are available in the keycloak_client_protocol_mapper type.
Valid values: true, false
access.token.claim. Default to true for protocol openid-connect.
attribute.name Default to resource_name for type saml-user-property-mapper.
attribute.nameformat
claim.name
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
friendly.name. Default to resource_name for type saml-user-property-mapper.
Valid values: true, false
full.path. Default to false for type oidc-group-membership-mapper.
Valid values: true, false
id.token.claim. Default to true for protocol openid-connect.
included.client.audience Required for type of oidc-audience-mapper
json.type.label. Default to String for type oidc-usermodel-property-mapper and oidc-group-membership-mapper.
Valid values: true, false
multivalued
Valid values: openid-connect, saml
protocol
Default value: openid-connect
Valid values: true, false
single. Default to false for type saml-role-list-mapper.
user.attribute. Default to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper
Valid values: true, false
userinfo.token.claim. Default to true for protocol openid-connect except type of oidc-audience-mapper.
usermodel.clientRoleMapping.clientId for type oidc-usermodel-client-role-mapper
The following parameters are available in the keycloak_client_protocol_mapper type.
client
Id.
namevar
The protocol mapper name
The specific backend to use for this keycloak_client_protocol_mapper resource. You will seldom need to specify this
--- Puppet will usually discover the appropriate provider for your platform.
realm
The protocol mapper name. Defaults to name.
Valid values: oidc-usermodel-client-role-mapper, oidc-usermodel-property-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-user-property-mapper, saml-role-list-mapper
protocolMapper.
Default is oidc-usermodel-property-mapper for protocol openid-connect and
saml-user-property-mapper for protocol saml.
Manage Keycloak client scopes
keycloak_client_scope { 'email on test':
protocol => 'openid-connect',
}The following properties are available in the keycloak_client_scope type.
consent.screen.text
Valid values: true, false
display.on.consent.screen
Default value: true
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Valid values: openid-connect, saml
protocol
Default value: openid-connect
The following parameters are available in the keycloak_client_scope type.
Id. Defaults to resource_name.
namevar
The client scope name
The specific backend to use for this keycloak_client_scope resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
The client scope name. Defaults to name.
Verify that a connection can be successfully established between a node and the keycloak server. Its primary use is as a precondition to prevent configuration changes from being applied if the keycloak server cannot be reached, but it could potentially be used for other purposes such as monitoring.
The following properties are available in the keycloak_conn_validator type.
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the keycloak_conn_validator type.
The port that the keycloak server should be listening on.
Default value: 8080
The DNS name or IP address of the server where keycloak should be running.
Default value: localhost
namevar
An arbitrary name used as the identity of the resource.
The specific backend to use for this keycloak_conn_validator resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
URL relative path that is used by Keycloak
Default value: /
URL to use for testing if the Keycloak database is up
Default value: /realms/master/.well-known/openid-configuration
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
Default value: 30
Whether the connection will be attemped using https
Default value: false
Manage a Keycloak flow Autorequires
keycloak_realmdefined forrealmparameterkeycloak_flowofflow_aliasiftop_level=falsekeycloak_flowofflow_aliasif otherindexis lower and iftop_level=falsekeycloak_flow_executionifflow_aliasis the same and otherindexis lower and iftop_level=false
keycloak_flow { 'browser-with-duo':
ensure => 'present',
realm => 'test',
}keycloak_flow { 'form-browser-with-duo under browser-with-duo on test':
ensure => 'present',
index => 2,
requirement => 'ALTERNATIVE',
top_level => false,
}The following properties are available in the keycloak_flow type.
description
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
execution index, only applied to top_level=false, required for top_level=false
Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional
requirement, only applied to top_level=false and defaults to DISABLED
The following parameters are available in the keycloak_flow type.
Alias. Default to name.
flowAlias, required for top_level=false
Id. Default to $alias-$realm when top_level is true. Only applies to top_level=true
namevar
The flow name
The specific backend to use for this keycloak_flow resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Valid values: basic-flow, form-flow
providerId
Default value: basic-flow
realm
Valid values: true, false
topLevel
Default value: true
sub-flow execution provider, default to registration-page-form for top_level=false and does not apply to
top_level=true
Manage a Keycloak flow Autorequires
keycloak_realmdefined forrealmparameterkeycloak_flowof value defined forflow_aliaskeycloak_flowif they share sameflow_aliasvalue and the other resourceindexis lowerkeycloak_flow_executionifflow_aliasis the same and otherindexis lower
keycloak_flow_execution { 'auth-cookie under browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Cookie',
index => 0,
requirement => 'ALTERNATIVE',
}keycloak_flow_execution { 'auth-username-password-form under form-browser-with-duo on test':
ensure => 'present',
configurable => false,
display_name => 'Username Password Form',
index => 0,
requirement => 'REQUIRED',
}keycloak_flow_execution { 'duo-mfa-authenticator under form-browser-with-duo on test':
ensure => 'present',
configurable => true,
display_name => 'Duo MFA',
alias => 'Duo',
config => {
"duomfa.akey" => "foo-akey",
"duomfa.apihost" => "api-foo.duosecurity.com",
"duomfa.skey" => "secret",
"duomfa.ikey" => "foo-ikey",
"duomfa.groups" => "duo"
},
requirement => 'REQUIRED',
index => 1,
}The following properties are available in the keycloak_flow_execution type.
execution config
Valid values: true, false
configurable
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
execution index
Valid values: DISABLED, ALTERNATIVE, REQUIRED, CONDITIONAL, disabled, alternative, required, conditional
requirement
Default value: DISABLED
The following parameters are available in the keycloak_flow_execution type.
alias
read-only config ID
displayName
flowAlias
read-only Id
namevar
The flow execution name
The specific backend to use for this keycloak_flow_execution resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
provider
realm
Manage Keycloak identity providers
keycloak_identity_provider { 'cilogon on test':
ensure => 'present',
display_name => 'CILogon',
provider_id => 'oidc',
first_broker_login_flow_alias => 'browser',
client_id => 'cilogon:/client_id/foobar',
client_secret => 'supersecret',
user_info_url => 'https://cilogon.org/oauth2/userinfo',
token_url => 'https://cilogon.org/oauth2/token',
authorization_url => 'https://cilogon.org/authorize',
}The following properties are available in the keycloak_identity_provider type.
Valid values: true, false
addReadTokenRoleOnCreate
Default value: false
allowedClockSkew
Valid values: true, false
authenticateByDefault
Default value: false
authorizationUrl
Valid values: true, false
backchannelSupported
Default value: false
Valid values: client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt
clientAuthMethod
Default value: client_secret_post
clientId
clientSecret
default_scope
Valid values: true, false
disableUserInfo
Default value: false
displayName
Valid values: true, false
enabled
Default value: true
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
firstBrokerLoginFlowAlias
Default value: first broker login
forwardParameters
guiOrder
Valid values: true, false
hideOnLoginPage
Default value: false
issuer
jwksUrl
Valid values: true, false
linkOnly
Default value: false
Valid values: true, false
loginHint
Default value: false
logoutUrl
postBrokerLoginFlowAlias
Valid values: none, consent, login, select_account
prompt
Valid values: true, false
storeToken
Default value: false
Valid values: IMPORT, LEGACY, FORCE
syncMode
Default value: IMPORT
tokenUrl
Valid values: true, false
trustEmail
Default value: false
Valid values: true, false
uiLocales
Default value: false
Valid values: on, off
updateProfileFirstLoginMode
Default value: on
Valid values: true, false
useJwksUrl
Default value: true
userInfoUrl
Valid values: true, false
validateSignature
Default value: false
The following parameters are available in the keycloak_identity_provider type.
The identity provider name. Defaults to name.
internalId. Defaults to "alias-realm"
namevar
The identity provider name
The specific backend to use for this keycloak_identity_provider resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
Valid values: oidc, keycloak-oidc
providerId
Default value: oidc
realm
Manage Keycloak LDAP attribute mappers
keycloak_ldap_mapper { 'full name for LDAP-test on test:
ensure => 'present',
type => 'full-name-ldap-mapper',
ldap_attribute => 'gecos',
}The following properties are available in the keycloak_ldap_mapper type.
Valid values: true, false
always.read.value.from.ldap. Defaults to true if type is user-attribute-ldap-mapper.
client.id, only for type of role-ldap-mapper
Valid values: true, false
drop.non.existing.groups.during.sync, only for type of group-ldap-mapper
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
group.name.ldap.attribute, only for type of group-ldap-mapper
group.object.classes, only for type of group-ldap-mapper
groups.dn, only for type of group-ldap-mapper
groups.ldap.filter, only for type of group-ldap-mapper
Valid values: true, false
ignore.missing.groups, only for type of group-ldap-mapper
is.mandatory.in.ldap. Defaults to false unless type is full-name-ldap-mapper.
ldap.attribute
mapped.group.attributes, only for type of group-ldap-mapper
memberof.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper
Valid values: DN, UID
membership.attribute.type, only for type of group-ldap-mapper and role-ldap-mapper
membership.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper
membership.user.ldap.attribute, only for type of group-ldap-mapper and role-ldap-mapper
Valid values: READ_ONLY, LDAP_ONLY
mode, only for type of group-ldap-mapper and role-ldap-mapper
Valid values: true, false
preserve.group.inheritance, only for type of group-ldap-mapper
Valid values: true, false
read.only
role.name.ldap.attribute, only for type of role-ldap-mapper
role.object.classes, only for type of role-ldap-mapper
roles.dn, only for type of role-ldap-mapper
roles.ldap.filter, only for type of role-ldap-mapper
Valid values: true, false
use.realm.roles.mapping, only for type of role-ldap-mapper
user.model.attribute
Valid values: LOAD_GROUPS_BY_MEMBER_ATTRIBUTE, GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY, LOAD_ROLES_BY_MEMBER_ATTRIBUTE, GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE, LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY
user.roles.retrieve.strategy, only for type of group-ldap-mapper and role-ldap-mapper
Valid values: true, false
write.only. Defaults to false if type is full-name-ldap-mapper.
The following parameters are available in the keycloak_ldap_mapper type.
Id.
Name of parent keycloak_ldap_user_provider resource
namevar
The LDAP mapper name
parentId
The specific backend to use for this keycloak_ldap_mapper resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
The LDAP mapper name. Defaults to name
Valid values: user-attribute-ldap-mapper, full-name-ldap-mapper, group-ldap-mapper, role-ldap-mapper
providerId
Default value: user-attribute-ldap-mapper
Manage Keycloak LDAP user providers
keycloak_ldap_user_provider { 'LDAP on test':
ensure => 'present',
users_dn => 'ou=People,dc=example,dc=com',
connection_url => 'ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636',
import_enabled => false,
use_truststore_spi => 'never',
}The following properties are available in the keycloak_ldap_user_provider type.
Valid values: true, false
allowKerberosAuthentication
Valid values: none, simple
authType
Default value: none
batchSizeForSync
Default value: 1000
bindCredential
bindDn
Valid values: DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE
cachePolicy
Default value: DEFAULT
changedSyncPeriod
Default value: -1
connectionUrl
Valid values: %r{.*}, absent
customUserSearchFilter
Default value: absent
Valid values: READ_ONLY, WRITABLE, UNSYNCED
editMode
Default value: READ_ONLY
Valid values: true, false
enabled
Default value: true
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
fullSyncPeriod
Default value: -1
Valid values: true, false
importEnabled
Default value: true
kerberosRealm
keyTab
priority
Default value: 0
rdnLdapAttribute
Default value: uid
Valid values: one, one_level, subtree, 1, 2, 1, 2
searchScope
serverPrincipal
Valid values: true, false
syncRegistrations
Default value: false
Valid values: true, false
trustEmail
Default value: false
Valid values: true, false
useKerberosForPasswordAuthentication
Valid values: always, never
useTruststoreSpi
Default value: always
userObjectClasses
Default value: ['inetOrgPerson', 'organizationalPerson']
usernameLdapAttribute
Default value: uid
usersDn
uuidLdapAttribute
Default value: entryUUID
Valid values: ad, rhds, tivoli, eDirectory, other
vendor
Default value: other
The following parameters are available in the keycloak_ldap_user_provider type.
Id
namevar
The LDAP user provider name
The specific backend to use for this keycloak_ldap_user_provider resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
parentId
The LDAP user provider name. Defaults to name.
Manage Keycloak client scope protocol mappers
keycloak_protocol_mapper { "email for oidc-clients on test":
claim_name => 'email',
user_attribute => 'email',
}The following properties are available in the keycloak_protocol_mapper type.
Valid values: true, false
access.token.claim. Default to true for protocol openid-connect.
attribute.name Default to resource_name for type saml-user-property-mapper.
attribute.nameformat
claim.name
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
friendly.name. Default to resource_name for type saml-user-property-mapper.
Valid values: true, false
full.path. Default to false for type oidc-group-membership-mapper.
Valid values: true, false
id.token.claim. Default to true for protocol openid-connect.
included.client.audience Required for type of oidc-audience-mapper
json.type.label. Default to String for type oidc-usermodel-property-mapper and oidc-group-membership-mapper.
Valid values: openid-connect, saml
protocol
Default value: openid-connect
Valid values: true, false
single. Default to false for type saml-role-list-mapper.
user.attribute. Default to resource_name for type oidc-usermodel-property-mapper or saml-user-property-mapper
Valid values: true, false
userinfo.token.claim. Default to true for protocol openid-connect except type of oidc-audience-mapper.
The following parameters are available in the keycloak_protocol_mapper type.
client scope
Id.
namevar
The protocol mapper name
The specific backend to use for this keycloak_protocol_mapper resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
realm
The protocol mapper name. Defaults to name.
Valid values: oidc-usermodel-property-mapper, oidc-usermodel-attribute-mapper, oidc-full-name-mapper, oidc-group-membership-mapper, oidc-audience-mapper, saml-group-membership-mapper, saml-user-property-mapper, saml-user-attribute-mapper, saml-role-list-mapper
protocolMapper.
Default is oidc-usermodel-property-mapper for protocol openid-connect and
saml-user-property-mapper for protocol saml.
Manage Keycloak realms
keycloak_realm { 'test':
ensure => 'present',
remember_me => true,
login_with_email_allowed => false,
login_theme => 'my_theme',
}The following properties are available in the keycloak_realm type.
accessCodeLifespan
accessCodeLifespanLogin
accessCodeLifespanUserAction
accessTokenLifespan
accessTokenLifespanForImplicitFlow
accountTheme
Default value: keycloak
actionTokenGeneratedByAdminLifespan
actionTokenGeneratedByUserLifespan
Valid values: true, false
adminEventsDetailsEnabled
Default value: false
Valid values: true, false
adminEventsEnabled
Default value: false
adminTheme
Default value: keycloak
browserFlow
Default value: browser
Valid values: true, false
bruteForceProtected
clientAuthenticationFlow
Default value: clients
contentSecurityPolicy
Default value: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
custom properties to pass as realm configurations
Default Client Scopes
defaultLocale
directGrantFlow
Default value: direct grant
displayName
displayNameHtml
dockerAuthenticationFlow
Default value: docker auth
Valid values: true, false
duplicateEmailsAllowed
Default value: false
Valid values: true, false
editUsernameAllowed
Default value: false
emailTheme
Default value: keycloak
Valid values: true, false
enabled
Default value: true
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Valid values: true, false
eventsEnabled
Default value: false
eventsExpiration
eventsListeners
Default value: ['jboss-logging']
Valid values: true, false
internationalizationEnabled
Default value: false
loginTheme
Default value: keycloak
Valid values: true, false
loginWithEmailAllowed
Default value: true
offlineSessionIdleTimeout
offlineSessionMaxLifespan
Valid values: true, false
offlineSessionMaxLifespanEnabled
Default value: false
Optional Client Scopes
Valid values: true, false
registrationAllowed
Default value: false
registrationFlow
Default value: registration
Valid values: true, false
rememberMe
Default value: false
resetCredentialsFlow
Default value: reset credentials
Valid values: true, false
resetPasswordAllowed
Default value: false
roles
Default value: ['offline_access', 'uma_authorization']
Valid values: true, false
smtpServer auth
smtpServer envelope_from
smtpServer from
smtpServer fromDisplayName
smtpServer host
smtpServer password
smtpServer port
smtpServer replyto
smtpServer replyToDisplayName
Valid values: true, false
smtpServer ssl
Valid values: true, false
smtpServer starttls
smtpServer user
Valid values: none, all, external
sslRequired
Default value: external
ssoSessionIdleTimeout
ssoSessionIdleTimeoutRememberMe
ssoSessionMaxLifespan
ssoSessionMaxLifespanRememberMe
Supported Locales
Valid values: true, false
userManagedAccessAllowed
Default value: false
Valid values: true, false
verifyEmail
Default value: false
The following parameters are available in the keycloak_realm type.
Id. Default to name.
Valid values: true, false
Manage realm roles
Default value: true
namevar
The realm name
The specific backend to use for this keycloak_realm resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
Manage Keycloak required actions
keycloak_required_action { 'webauthn-register on master':
ensure => present,
alias => 'webauthn-register',
provider_id => 'webauthn-register',
display_name => 'Webauthn Register',
default => true,
enabled => true,
priority => 1,
config => {
'something' => 'true', # keep in mind that keycloak only supports strings for both keys and values
'smth else' => '1',
},
}
@example Minimal example to enable email verification without making it default
keycloak_required_action { 'VERIFY_EMAIL on master':
ensure => present,
}The following properties are available in the keycloak_required_action type.
Required action config
Valid values: true, false
If the required action is a default one. Default to false
Default value: false
Displayed name.
Valid values: true, false
If the required action is enabled. Default to true.
Default value: true
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
Required action priority
The following parameters are available in the keycloak_required_action type.
Alias.
namevar
The required action name
The specific backend to use for this keycloak_required_action resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
providerId of the required action. Default to alias
realm
Verify that a specific Keycloak resource is available
The following properties are available in the keycloak_resource_validator type.
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
The following parameters are available in the keycloak_resource_validator type.
Resources that should autorequire this validator, eg: Keycloak_flow_execution[foobar]
namevar
An arbitrary name used as the identity of the resource.
The specific backend to use for this keycloak_resource_validator resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
Realm to query
Key to lookup
URL to use for testing if the Keycloak database is up
Value to lookup
The max number of seconds that the validator should wait before giving up and deciding that keycloak is not running; defaults to 15 seconds.
Default value: 30
Attach realm roles to users and groups
keycloak_role_mapping { 'john-offline_access':
realm => 'test',
name => 'john',
realm_roles => ['offline_access'],
}The following properties are available in the keycloak_role_mapping type.
realm roles
Default value: []
The following parameters are available in the keycloak_role_mapping type.
Valid values: true, false
is this a group instead of a user
Default value: false
namevar
--uusername/--gname
The specific backend to use for this keycloak_role_mapping resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
realm
Manage Keycloak SSSD user providers
keycloak_sssd_user_provider { 'SSSD on test':
ensure => 'present',
}The following properties are available in the keycloak_sssd_user_provider type.
Valid values: DEFAULT, EVICT_DAILY, EVICT_WEEKLY, MAX_LIFESPAN, NO_CACHE
cachePolicy
Default value: DEFAULT
Valid values: true, false
enabled
Default value: true
Valid values: present, absent
The basic property that the resource should be in.
Default value: present
evictionDay
evictionHour
evictionMinute
maxLifespan
priority
Default value: 0
The following parameters are available in the keycloak_sssd_user_provider type.
Id. Defaults to "resource_name-realm"
namevar
The SSSD user provider name
The specific backend to use for this keycloak_sssd_user_provider resource. You will seldom need to specify this ---
Puppet will usually discover the appropriate provider for your platform.
parentId
The SSSD user provider name. Defaults to name.
https://www.keycloak.org/server/all-config
Alias of
Struct[{
Optional['cache'] => Enum['local', 'ispn'],
Optional['cache-config-file'] => String[1],
Optional['cache-stack'] => Enum['tcp','udp','kubernetes','ec2','azure','google'],
Optional['db'] => Enum['dev-file','dev-mem','mariadb','mysql','oracle','postgres'],
Optional['db-password'] => String[1],
Optional['db-pool-initial-size'] => Integer,
Optional['db-pool-max-size'] => Integer,
Optional['db-pool-min-size'] => Integer,
Optional['db-schema'] => String[1],
Optional['db-url'] => String[1],
Optional['db-url-database'] => String[1],
Optional['db-url-host'] => Stdlib::Host,
Optional['db-url-port'] => Stdlib::Port,
Optional['db-url-properties'] => String[1],
Optional['db-username'] => String[1],
Optional['transaction-xa-enabled'] => Boolean,
Optional['features'] => Array[String[1]],
Optional['features-disabled'] => Array[String[1]],
Optional['hostname'] => Stdlib::Host,
Optional['hostname-admin'] => Stdlib::Host,
Optional['hostname-admin-url'] => String[1],
Optional['hostname-path'] => String[1],
Optional['hostname-port'] => Stdlib::Port,
Optional['hostname-strict'] => Boolean,
Optional['hostname-strict-backchannel'] => Boolean,
Optional['hostname-strict-https'] => Boolean,
Optional['hostname-url'] => String[1],
Optional['http-enabled'] => Boolean,
Optional['http-host'] => Stdlib::Host,
Optional['http-port'] => Stdlib::Port,
Optional['http-relative-path'] => String[1],
Optional['https-certificate-file'] => Stdlib::Absolutepath,
Optional['https-certificate-key-file'] => Stdlib::Absolutepath,
Optional['https-cipher-suites'] => Array[String[1]],
Optional['https-client-auth'] => Enum['none','request','required'],
Optional['https-key-store-file'] => Stdlib::Absolutepath,
Optional['https-key-store-password'] => String[1],
Optional['https-key-store-type'] => String[1],
Optional['https-port'] => Stdlib::Port,
Optional['https-protocols'] => Array[String[1]],
Optional['https-trust-store-file'] => Stdlib::Absolutepath,
Optional['https-trust-store-password'] => String[1],
Optional['https-trust-store-type'] => String[1],
Optional['health-enabled'] => Boolean,
Optional['metrics-enabled'] => Boolean,
Optional['proxy'] => Enum['edge','reencrypt','passthrough','none'],
Optional['vault'] => Enum['file','hashicorp'],
Optional['vault-dir'] => Stdlib::Absolutepath,
Optional['log'] => Array[Enum['console','file','gelf']],
Optional['log-console-color'] => Boolean,
Optional['log-console-format'] => String[1],
Optional['log-console-output'] => Enum['default','json'],
Optional['log-file'] => Stdlib::Absolutepath,
Optional['log-file-format'] => String[1],
Optional['log-file-output'] => Enum['default','json'],
Optional['log-level'] => String[1],
Optional['log-gelf-facility'] => String[1],
Optional['log-gelf-host'] => Stdlib::Host,
Optional['log-gelf-include-location'] => Boolean,
Optional['log-gelf-include-message-parameters'] => Boolean,
Optional['log-gelf-include-stack-trace'] => Boolean,
Optional['log-gelf-level'] => String[1],
Optional['log-gelf-max-message-size'] => Integer,
Optional['log-gelf-port'] => Stdlib::Port,
Optional['log-gelf-timestamp-format'] => String[1],
Optional['log-level'] => String[1],
}]