Allow configuring SAML Signuture Key Name

keycloak/saml_client.go

@@ -14,6 +14,7 @@ type SamlClientAttributes struct {
 	ForceNameIdFormat       *string `json:"saml_force_name_id_format"`
 	// attributes above are actually booleans, but the Keycloak API expects strings
 	SignatureAlgorithm              string  `json:"saml.signature.algorithm"`
+	SignatureKeyName                string  `json:"saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer"`
 	NameIdFormat                    string  `json:"saml_name_id_format"`
 	SigningCertificate              *string `json:"saml.signing.certificate,omitempty"`
 	SigningPrivateKey               *string `json:"saml.signing.private.key"`

provider/resource_keycloak_saml_client.go

@@ -13,6 +13,7 @@ import (
 var (
 	keycloakSamlClientNameIdFormats       = []string{"username", "email", "transient", "persistent"}
 	keycloakSamlClientSignatureAlgorithms = []string{"RSA_SHA1", "RSA_SHA256", "RSA_SHA512", "DSA_SHA1"}
+	keycloakSamlClientSignatureKeyName    = []string{"NONE", "KEY_ID", "CERT_SUBJECT"}
 )
 
 func resourceKeycloakSamlClient() *schema.Resource {
@@ -93,6 +94,12 @@ func resourceKeycloakSamlClient() *schema.Resource {
 				Optional:     true,
 				ValidateFunc: validation.StringInSlice(keycloakSamlClientSignatureAlgorithms, false),
 			},
+			"signature_key_name": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ValidateFunc: validation.StringInSlice(keycloakSamlClientSignatureKeyName, false),
+			},
 			"name_id_format": {
 				Type:         schema.TypeString,
 				Optional:     true,

provider/resource_keycloak_saml_client_test.go

@@ -161,6 +161,7 @@ func TestAccKeycloakSamlClient_updateInPlace(t *testing.T) {
 			ForcePostBinding:                randomBoolAsStringPointer(),
 			ForceNameIdFormat:               randomBoolAsStringPointer(),
 			SignatureAlgorithm:              randomStringInSlice(keycloakSamlClientSignatureAlgorithms),
+			SignatureKeyName:                randomStringInSlice(keycloakSamlClientSignatureKeyName),
 			NameIdFormat:                    randomStringInSlice(keycloakSamlClientNameIdFormats),
 			EncryptionCertificate:           &encryptionCertificateBefore,
 			SigningCertificate:              &signingCertificateBefore,
@@ -200,6 +201,7 @@ func TestAccKeycloakSamlClient_updateInPlace(t *testing.T) {
 			ForcePostBinding:                randomBoolAsStringPointer(),
 			ForceNameIdFormat:               randomBoolAsStringPointer(),
 			SignatureAlgorithm:              randomStringInSlice(keycloakSamlClientSignatureAlgorithms),
+			SignatureKeyName:                randomStringInSlice(keycloakSamlClientSignatureKeyName),
 			NameIdFormat:                    randomStringInSlice(keycloakSamlClientNameIdFormats),
 			EncryptionCertificate:           &encryptionCertificateAfter,
 			SigningCertificate:              &signingCertificateAfter,
@@ -613,6 +615,7 @@ resource "keycloak_saml_client" "saml_client" {
 
 	front_channel_logout       = %t
 	signature_algorithm        = "%s"
+	signature_key_name         = "%s"
 	name_id_format             = "%s"
 	root_url                   = "%s"
 	valid_redirect_uris        = %s
@@ -645,6 +648,7 @@ resource "keycloak_saml_client" "saml_client" {
 		*client.Attributes.ForceNameIdFormat,
 		client.FrontChannelLogout,
 		client.Attributes.SignatureAlgorithm,
+		client.Attributes.SignatureKeyName,
 		client.Attributes.NameIdFormat,
 		client.RootUrl,
 		arrayOfStringsForTerraformResource(client.ValidRedirectUris),