community.general.keycloak_identity_provider – Allows administration of Keycloak identity providers via Keycloak API
Note

This plugin is part of the community.general collection (version 3.8.1). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run: ansible-galaxy collection list. To install it, use: ansible-galaxy collection install community.general. To use it in a playbook, specify: community.general.keycloak_identity_provider.

New in version 3.6.0 of community.general
Synopsis
- This module allows you to add, remove or modify Keycloak identity providers via the Keycloak REST API. It requires access to the REST API via OpenID Connect; the user connecting and the client being used must have the requisite access rights. In a default Keycloak installation, admin-cli and an admin user would work, as would a separate client definition with the scope tailored to your needs and a user having the expected roles.
- The names of module options are snake_cased versions of the camelCase ones found in the Keycloak API and its documentation at https://www.keycloak.org/docs-api/15.0/rest-api/index.html.
Parameters
Parameter | Choices/Defaults | Comments
---|---|---
add_read_token_role_on_create (boolean) | | Enable/disable whether new users can read any stored tokens. This assigns the broker.read-token role. Aliases: addReadTokenRoleOnCreate
alias (string, required) | | The alias uniquely identifies an identity provider and is also used to build the redirect URI.
auth_client_id (string) | Default: "admin-cli" | OpenID Connect client_id to authenticate to the API with.
auth_client_secret (string) | | Client secret to use in conjunction with auth_client_id (if required).
auth_keycloak_url (string, required) | | URL to the Keycloak instance. Aliases: url
auth_password (string) | | Password to authenticate for API access with. Aliases: password
auth_realm (string) | | Keycloak realm name to authenticate to for API access.
auth_username (string) | | Username to authenticate for API access with. Aliases: username
authenticate_by_default (boolean) | | Specifies if this identity provider should be used by default for authentication even before displaying the login screen. Aliases: authenticateByDefault
config (dictionary) | | Dict specifying the configuration options for the provider; the contents differ depending on the value of providerId. Examples are given below for oidc and saml. It is easiest to obtain valid config values by dumping an already-existing identity provider configuration through check mode in the existing field.
config / authorizationUrl (string) | | The Authorization URL.
config / backchannelSupported (string) | | Does the external IdP support backchannel logout?
config / clientAuthMethod (string) | | The client authentication method.
config / clientId (string) | | The client or client identifier registered within the identity provider.
config / clientSecret (string) | | The client or client secret registered within the identity provider.
config / defaultScope (string) | | The scopes to be sent when asking for authorization.
config / entityId (string) | | The Entity ID that will be used to uniquely identify this SAML Service Provider.
config / gui_order (integer) | | Number defining the order of the provider in the GUI (for example, on the login page). Aliases: guiOrder
config / hide_on_login_page (boolean) | | If hidden, login with this provider is possible only if requested explicitly, for example using the kc_idp_hint parameter. Aliases: hideOnLoginPage
config / issuer (string) | | The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
config / jwksUrl (string) | | URL where identity provider keys in JWK format are stored. See the JWK specification for more details.
config / logoutUrl (string) | | End session endpoint to use to log the user out from the external IdP.
config / nameIDPolicyFormat (string) | | Specifies the URI reference corresponding to a name identifier format.
config / principalType (string) | | Way to identify and track external users from the assertion.
config / singleLogoutServiceUrl (string) | | The URL that must be used to send logout requests.
config / singleSignOnServiceUrl (string) | | The URL that must be used to send authentication requests (SAML AuthnRequest).
config / sync_mode (string) | | Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Aliases: syncMode
config / tokenUrl (string) | | The Token URL.
config / useJwksUrl (boolean) | | If the switch is on, identity provider public keys will be downloaded from the given JWKS URL.
config / userInfoUrl (string) | | The User Info URL.
config / validateSignature (boolean) | | Enable/disable signature validation of external IdP signatures.
display_name (string) | | Friendly name for the identity provider. Aliases: displayName
enabled (boolean) | | Enable/disable this identity provider.
first_broker_login_flow_alias (string) | | Alias of the authentication flow which is triggered after the first login with this identity provider. Aliases: firstBrokerLoginFlowAlias
link_only (boolean) | | If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider. Aliases: linkOnly
mappers (list / elements=dictionary) | | A list of dicts defining mappers associated with this identity provider.
mappers / config (dictionary) | | Dict specifying the configuration options for the mapper; the contents differ depending on the value of identityProviderMapper.
mappers / id (string) | | Unique ID of this mapper.
mappers / identityProviderAlias (string) | | Alias of the identity provider for this mapper.
mappers / identityProviderMapper (string) | | Type of mapper.
mappers / name (string) | | Name of the mapper.
post_broker_login_flow_alias (string) | | Alias of the authentication flow which is triggered after each login with this identity provider. Aliases: postBrokerLoginFlowAlias
provider_id (string) | | Protocol used by this provider (supported values are oidc or saml). Aliases: providerId
realm (string) | Default: "master" | The Keycloak realm under which this identity provider resides.
state (string) | present, absent | State of the identity provider. On present, the identity provider will be created if it does not yet exist, or updated with the parameters you provide. On absent, the identity provider will be removed if it exists.
store_token (boolean) | | Enable/disable whether tokens must be stored after authenticating users. Aliases: storeToken
token (string, added in 3.0.0 of community.general) | | Authentication token for the Keycloak API.
trust_email (boolean) | | If enabled, email provided by this provider is not verified even if verification is enabled for the realm. Aliases: trustEmail
validate_certs (boolean) | | Verify TLS certificates (do not disable this in production).
Examples
```yaml
- name: Create OIDC identity provider, authentication with credentials
  community.general.keycloak_identity_provider:
    state: present
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: admin
    auth_password: admin
    realm: myrealm
    alias: oidc-idp
    display_name: OpenID Connect IdP
    enabled: true
    provider_id: oidc
    config:
      issuer: https://idp.example.com
      authorizationUrl: https://idp.example.com/auth
      tokenUrl: https://idp.example.com/token
      userInfoUrl: https://idp.example.com/userinfo
      clientAuthMethod: client_secret_post
      clientId: my-client
      clientSecret: secret
      syncMode: FORCE
    mappers:
      - name: first_name
        identityProviderMapper: oidc-user-attribute-idp-mapper
        config:
          claim: first_name
          user.attribute: first_name
          syncMode: INHERIT
      - name: last_name
        identityProviderMapper: oidc-user-attribute-idp-mapper
        config:
          claim: last_name
          user.attribute: last_name
          syncMode: INHERIT

- name: Create SAML identity provider, authentication with credentials
  community.general.keycloak_identity_provider:
    state: present
    auth_keycloak_url: https://auth.example.com/auth
    auth_realm: master
    auth_username: admin
    auth_password: admin
    realm: myrealm
    alias: saml-idp
    display_name: SAML IdP
    enabled: true
    provider_id: saml
    config:
      entityId: https://auth.example.com/auth/realms/myrealm
      singleSignOnServiceUrl: https://idp.example.com/login
      wantAuthnRequestsSigned: true
      wantAssertionsSigned: true
    mappers:
      - name: roles
        identityProviderMapper: saml-user-attribute-idp-mapper
        config:
          user.attribute: roles
          attribute.friendly.name: User Roles
          attribute.name: roles
          syncMode: INHERIT
```
Return Values
Common return values are documented here; the following are the fields unique to this module:

Key | Returned | Description
---|---|---
end_state (dictionary) | always | Representation of the identity provider after module execution. Sample: {'addReadTokenRoleOnCreate': False, 'alias': 'my-idp', 'authenticateByDefault': False, 'config': {'authorizationUrl': 'https://idp.example.com/auth', 'clientAuthMethod': 'client_secret_post', 'clientId': 'my-client', 'clientSecret': '**********', 'issuer': 'https://idp.example.com', 'tokenUrl': 'https://idp.example.com/token', 'userInfoUrl': 'https://idp.example.com/userinfo'}, 'displayName': 'OpenID Connect IdP', 'enabled': True, 'firstBrokerLoginFlowAlias': 'first broker login', 'internalId': '4d28d7e3-1b80-45bb-8a30-5822bf55aa1c', 'linkOnly': False, 'providerId': 'oidc', 'storeToken': False, 'trustEmail': False}
existing (dictionary) | always | Representation of the existing identity provider. Sample: {'addReadTokenRoleOnCreate': False, 'alias': 'my-idp', 'authenticateByDefault': False, 'config': {'authorizationUrl': 'https://old.example.com/auth', 'clientAuthMethod': 'client_secret_post', 'clientId': 'my-client', 'clientSecret': '**********', 'issuer': 'https://old.example.com', 'syncMode': 'FORCE', 'tokenUrl': 'https://old.example.com/token', 'userInfoUrl': 'https://old.example.com/userinfo'}, 'displayName': 'OpenID Connect IdP', 'enabled': True, 'firstBrokerLoginFlowAlias': 'first broker login', 'internalId': '4d28d7e3-1b80-45bb-8a30-5822bf55aa1c', 'linkOnly': False, 'providerId': 'oidc', 'storeToken': False, 'trustEmail': False}
msg (string) | always | Message as to what action was taken. Sample: Identity provider my-idp has been created
proposed (dictionary) | always | Representation of proposed changes to the identity provider. Sample: {'config': {'authorizationUrl': 'https://idp.example.com/auth', 'clientAuthMethod': 'client_secret_post', 'clientId': 'my-client', 'clientSecret': 'secret', 'issuer': 'https://idp.example.com', 'tokenUrl': 'https://idp.example.com/token', 'userInfoUrl': 'https://idp.example.com/userinfo'}, 'displayName': 'OpenID Connect IdP', 'providerId': 'oidc'}
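The end_state and existing dictionaries above are the natural place to check an identity provider after a playbook run. The following added example (not code from the module or the collection) registers such a dictionary and flags settings that the option descriptions call out: signature validation off, useJwksUrl without a jwksUrl, a missing OIDC issuer, trustEmail, stored tokens readable by new users, and a clientSecret that reaches output unmasked (as in the proposed sample). The function name audit_idp and the masking marker are assumptions taken from the samples on this page.

```python
# Added example, not part of the module: audit the end_state (or existing)
# dictionary the module returns for settings the option docs describe as risky.
from typing import Any

MASKED_SECRET = "**********"  # how the page's end_state sample masks clientSecret


def _is_true(value: Any) -> bool:
    # Keycloak keeps config values as strings ("true"/"false"); accept both forms.
    return value is True or str(value).lower() == "true"


def audit_idp(idp: dict[str, Any]) -> list[str]:
    """Return human-readable findings for one identity provider representation."""
    findings: list[str] = []
    alias = idp.get("alias", "<no alias>")
    cfg = idp.get("config") or {}

    if not _is_true(cfg.get("validateSignature")):
        findings.append(f"{alias}: validateSignature is not enabled")
    elif _is_true(cfg.get("useJwksUrl")) and not cfg.get("jwksUrl"):
        findings.append(f"{alias}: useJwksUrl is on but no jwksUrl is set")

    if idp.get("providerId") == "oidc" and not cfg.get("issuer"):
        findings.append(f"{alias}: no issuer set, so the issuer is not validated")

    if _is_true(idp.get("trustEmail")):
        findings.append(f"{alias}: trustEmail bypasses realm email verification")

    if _is_true(idp.get("storeToken")) and _is_true(idp.get("addReadTokenRoleOnCreate")):
        findings.append(f"{alias}: stored tokens are readable by new users (broker.read-token)")

    secret = cfg.get("clientSecret")
    if secret and secret != MASKED_SECRET:
        findings.append(f"{alias}: clientSecret is present unmasked in module output")

    return findings


# The end_state sample from the Return Values section, reduced to the keys audited.
PAGE_SAMPLE_END_STATE: dict[str, Any] = {
    "addReadTokenRoleOnCreate": False, "alias": "my-idp", "providerId": "oidc",
    "storeToken": False, "trustEmail": False,
    "config": {"clientId": "my-client", "clientSecret": MASKED_SECRET,
               "issuer": "https://idp.example.com"},
}

if __name__ == "__main__":
    for finding in audit_idp(PAGE_SAMPLE_END_STATE):
        print(finding)
```

Run it against a registered result (for example result.end_state passed through a lookup or copied into a local script); the page's own sample yields a single finding, because its config never sets validateSignature.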
Authors
- Laurent Paumier (@laurpaum)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/keycloak_identity_provider_module.html