ansible-collections/middleware_automation.keycloak
1
0
Fork 0
mirror of https://github.com/ansible-middleware/keycloak.git synced 2025-07-28 07:31:30 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Update docs for main

Browse source 
Signed-off-by: ansible-middleware-core <ansible-middleware-core@redhat.com>
This commit is contained in:
ansible-middleware-core 2024-10-14 13:14:59 +00:00
commit 20c47f83b7
64 changed files with 5300 additions and 1100 deletions
Download patch file Download diff file Expand all files Collapse all files

5
main/_sources/CHANGELOG.rst.txt
View file

@ -9,11 +9,6 @@ This changelog describes changes after version 0.2.6.
v2.4.3-devel
============
Release Summary
---------------
Internal release, documentation or test changes only.
v2.4.2
======

16
main/_sources/README.md.txt
View file

@ -3,7 +3,7 @@
<!--start build_status -->
[![Build Status](https://github.com/ansible-middleware/keycloak/workflows/CI/badge.svg?branch=main)](https://github.com/ansible-middleware/keycloak/actions/workflows/ci.yml)
> **_NOTE:_ If you are Red Hat customer, install `redhat.sso` (for Red Hat Single Sign-On) or `redhat.rhbk` (for Red Hat Build of Keycloak) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
> **_NOTE:_ If you are Red Hat customer, install `redhat.rhbk` (for Red Hat Build of Keycloak) or `redhat.sso` (for Red Hat Single Sign-On) from [Automation Hub](https://console.redhat.com/ansible/ansible-dashboard) as the certified version of this collection.**
<!--end build_status -->
<!--start description -->
@ -49,9 +49,10 @@ A requirement file is provided to install:
<!--start roles_paths -->
### Included roles
* [`keycloak`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md): role for installing the service (keycloak <= 19.0).
* [`keycloak_realm`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_realm/README.md): role for configuring a realm, user federation(s), clients and users, in an installed service.
* [`keycloak_quarkus`](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak_quarkus/README.md): role for installing the quarkus variant of keycloak (>= 17.0.0).
* `keycloak_quarkus`: role for installing keycloak (>= 19.0.0, quarkus based).
* `keycloak_realm`: role for configuring a realm, user federation(s), clients and users, in an installed service.
* `keycloak`: role for installing legacy keycloak (<= 19.0, wildfly based).
<!--end roles_paths -->
## Usage
@ -59,9 +60,9 @@ A requirement file is provided to install:
### Install Playbook
<!--start rhbk_playbook -->
* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults).
* [`playbooks/keycloak_quarkus.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak_quarkus.yml) installs keycloak >= 17 based on the defined variables (using most defaults).
* [`playbooks/keycloak.yml`](https://github.com/ansible-middleware/keycloak/blob/main/playbooks/keycloak.yml) installs keycloak legacy based on the defined variables (using most defaults).
Both playbooks include the `keycloak` role, with different settings, as described in the following sections.
For full service configuration details, refer to the [keycloak role README](https://github.com/ansible-middleware/keycloak/blob/main/roles/keycloak/README.md).
@ -92,7 +93,7 @@ Execute the following command from the source root directory
```
ansible-playbook -i <ansible_hosts> -e @rhn-creds.yml playbooks/keycloak.yml -e keycloak_admin_password=<changeme>
```
```
- `keycloak_admin_password` Password for the administration console user account.
- `ansible_hosts` is the inventory, below is an example inventory for deploying to localhost
@ -143,4 +144,3 @@ Apache License v2.0 or later
<!--start license -->
See [LICENSE](LICENSE) to view the full text.
<!--end license -->

34
main/_sources/developing.md.txt
View file

@ -1,3 +1,37 @@
## Developing
### Build and install locally
Clone the repository, checkout the tag you want to build, or pick the main branch for the development version; then:
ansible-galaxy collection build .
ansible-galaxy collection install middleware_automation-keycloak-*.tar.gz
### Development environment
Make sure your development machine has avilable:
* python 3.11+
* virtualenv
* docker (or podman)
In order to run setup the development environment and run the molecule tests locally, after cloning the repository:
```
# create new virtualenv using python 3
virtualenv $PATH_TO_DEV_VIRTUALENV
# activate the virtual env
source $PATH_TO_DEV_VIRTUALENV/bin/activate
# install ansible and tools onto the virtualenv
pip install yamllint 'molecule>=6.0' 'molecule-plugins[docker]' 'ansible-core>=2.15' ansible-lint
# install collection dependencies
ansible-galaxy collection install -r requirements.yml
# install python dependencies
pip install -r requirements.txt molecule/requirements.txt
# execute the tests (replace --all with -s subdirectory to run a single test)
molecule test --all
```
## Contributor's Guidelines

16
main/_sources/index.rst.txt
View file

@ -10,31 +10,25 @@ Welcome to Keycloak Collection documentation
README
plugins/index
roles/index
Changelog <CHANGELOG>
.. toctree::
:maxdepth: 2
:caption: Developer documentation
testing
developing
releasing
.. toctree::
:maxdepth: 2
:caption: General
Changelog <CHANGELOG>
Developing <developing>
Testing <testing>
Releasing <releasing>
.. toctree::
:maxdepth: 2
:caption: Middleware collections
Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
Keycloak / Red Hat Single Sign-On <https://ansible-middleware.github.io/keycloak/main/>
Infinispan / Red Hat Data Grid <https://ansible-middleware.github.io/infinispan/main/>
Wildfly / Red Hat JBoss EAP <https://ansible-middleware.github.io/wildfly/main/>
Tomcat / Red Hat JWS <https://ansible-middleware.github.io/jws/main/>
ActiveMQ / Red Hat AMQ Broker <https://ansible-middleware.github.io/amq/main/>
Kafka / Red Hat AMQ Streams <https://ansible-middleware.github.io/amq_streams/main/>
Ansible Middleware utilities <https://ansible-middleware.github.io/common/main/>
Red Hat CSP Download <https://ansible-middleware.github.io/redhat-csp-download/main/>
JCliff <https://ansible-middleware.github.io/ansible_collections_jcliff/main/>

1
main/_sources/plugins/index.rst.txt
View file

@ -6,6 +6,7 @@ Plugin Index
:maxdepth: 0
keycloak_client
keycloak_realm
keycloak_role
keycloak_user_federation

214
main/_sources/plugins/keycloak_client.rst.txt
View file

@ -6,7 +6,7 @@
:trim:
.. meta::
:antsibull-docs: 2.14.0
:antsibull-docs: 2.15.0
.. Anchors
@ -162,7 +162,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>For OpenID-Connect clients, JWA algorithm which the client needs to use when sending OIDC request object. One of <code class='docutils literal notranslate'>any</code>, <code class='docutils literal notranslate'>none</code>, <code class='docutils literal notranslate'>RS256</code>.</p>
<p>For OpenID-Connect clients, JWA algorithm which the client needs to use when sending OIDC request object. One of <code class="ansible-value literal notranslate">any</code>, <code class="ansible-value literal notranslate">none</code>, <code class="ansible-value literal notranslate">RS256</code>.</p>
</div></td>
</tr>
<tr class="row-even">
@ -266,7 +266,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Signature algorithm used to sign SAML documents. One of <code class='docutils literal notranslate'>RSA_SHA256</code>, <code class='docutils literal notranslate'>RSA_SHA1</code>, <code class='docutils literal notranslate'>RSA_SHA512</code>, or <code class='docutils literal notranslate'>DSA_SHA1</code>.</p>
<p>Signature algorithm used to sign SAML documents. One of <code class="ansible-value literal notranslate">RSA_SHA256</code>, <code class="ansible-value literal notranslate">RSA_SHA1</code>, <code class="ansible-value literal notranslate">RSA_SHA512</code>, or <code class="ansible-value literal notranslate">DSA_SHA1</code>.</p>
</div></td>
</tr>
<tr class="row-even">
@ -344,7 +344,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>For SAML clients, the NameID format to use (one of <code class='docutils literal notranslate'>username</code>, <code class='docutils literal notranslate'>email</code>, <code class='docutils literal notranslate'>transient</code>, or <code class='docutils literal notranslate'>persistent</code>)</p>
<p>For SAML clients, the NameID format to use (one of <code class="ansible-value literal notranslate">username</code>, <code class="ansible-value literal notranslate">email</code>, <code class="ansible-value literal notranslate">transient</code>, or <code class="ansible-value literal notranslate">persistent</code>)</p>
</div></td>
</tr>
<tr class="row-even">
@ -357,7 +357,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>SAML signature canonicalization method. This is one of four values, namely <code class='docutils literal notranslate'>http://www.w3.org/2001/10/xml-exc-c14n#</code> for EXCLUSIVE, <code class='docutils literal notranslate'>http://www.w3.org/2001/10/xml-exc-c14n#WithComments</code> for EXCLUSIVE_WITH_COMMENTS, <code class='docutils literal notranslate'>http://www.w3.org/TR/2001/REC-xml-c14n-20010315</code> for INCLUSIVE, and <code class='docutils literal notranslate'>http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments</code> for INCLUSIVE_WITH_COMMENTS.</p>
<p>SAML signature canonicalization method. This is one of four values, namely <code class="ansible-value literal notranslate">http://www.w3.org/2001/10/xml-exc-c14n#</code> for EXCLUSIVE, <code class="ansible-value literal notranslate">http://www.w3.org/2001/10/xml-exc-c14n#WithComments</code> for EXCLUSIVE_WITH_COMMENTS, <code class="ansible-value literal notranslate">http://www.w3.org/TR/2001/REC-xml-c14n-20010315</code> for INCLUSIVE, and <code class="ansible-value literal notranslate">http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments</code> for INCLUSIVE_WITH_COMMENTS.</p>
</div></td>
</tr>
<tr class="row-odd">
@ -409,7 +409,41 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of <code class='docutils literal notranslate'>RS256</code> or <code class='docutils literal notranslate'>unsigned</code>.</p>
<p>For OpenID-Connect clients, JWA algorithm for signed UserInfo-endpoint responses. One of <code class="ansible-value literal notranslate">RS256</code> or <code class="ansible-value literal notranslate">unsigned</code>.</p>
</div></td>
</tr>
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-attributes/x509.allow.regex.pattern.comparison"></div>
<p class="ansible-option-title"><strong>x509.allow.regex.pattern.comparison</strong></p>
<a class="ansibleOptionLink" href="#parameter-attributes/x509.allow.regex.pattern.comparison" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">boolean</span>
</p>
<p><em class="ansible-option-versionadded">added in middleware_automation.keycloak 9.5.0</em></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>For OpenID-Connect clients, boolean specifying whether to allow <code class='docutils literal notranslate'>x509.subjectdn</code> as regular expression.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">false</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">true</code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-attributes/x509.subjectdn"></div>
<p class="ansible-option-title"><strong>x509.subjectdn</strong></p>
<a class="ansibleOptionLink" href="#parameter-attributes/x509.subjectdn" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
</p>
<p><em class="ansible-option-versionadded">added in middleware_automation.keycloak 9.5.0</em></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>For OpenID-Connect clients, subject which will be used to authenticate the client.</p>
</div></td>
</tr>
@ -515,6 +549,78 @@ Parameters
<p>Override realm authentication flow bindings.</p>
</div></td>
</tr>
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-authentication_flow_binding_overrides/browser"></div>
<div class="ansibleOptionAnchor" id="parameter-authenticationFlowBindingOverrides/browser"></div>
<p class="ansible-option-title"><strong>browser</strong></p>
<a class="ansibleOptionLink" href="#parameter-authentication_flow_binding_overrides/browser" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Flow ID of the browser authentication flow.</p>
<p><code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-authentication_flow_binding_overrides/browser"><span class="std std-ref"><span class="pre">authentication_flow_binding_overrides.browser</span></span></a></strong></code> and <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-authentication_flow_binding_overrides/browser_name"><span class="std std-ref"><span class="pre">authentication_flow_binding_overrides.browser_name</span></span></a></strong></code> are mutually exclusive.</p>
</div></td>
</tr>
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-authentication_flow_binding_overrides/browser_name"></div>
<div class="ansibleOptionAnchor" id="parameter-authenticationFlowBindingOverrides/browser_name"></div>
<div class="ansibleOptionAnchor" id="parameter-authentication_flow_binding_overrides/browserName"></div>
<div class="ansibleOptionAnchor" id="parameter-authenticationFlowBindingOverrides/browserName"></div>
<p class="ansible-option-title"><strong>browser_name</strong></p>
<a class="ansibleOptionLink" href="#parameter-authentication_flow_binding_overrides/browser_name" title="Permalink to this option"></a>
<p class="ansible-option-type-line"><span class="ansible-option-aliases">aliases: browserName</span></p>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
</p>
<p><em class="ansible-option-versionadded">added in middleware_automation.keycloak 9.1.0</em></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Flow name of the browser authentication flow.</p>
<p><code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-authentication_flow_binding_overrides/browser"><span class="std std-ref"><span class="pre">authentication_flow_binding_overrides.browser</span></span></a></strong></code> and <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-authentication_flow_binding_overrides/browser_name"><span class="std std-ref"><span class="pre">authentication_flow_binding_overrides.browser_name</span></span></a></strong></code> are mutually exclusive.</p>
</div></td>
</tr>
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-authentication_flow_binding_overrides/direct_grant"></div>
<div class="ansibleOptionAnchor" id="parameter-authenticationFlowBindingOverrides/direct_grant"></div>
<div class="ansibleOptionAnchor" id="parameter-authentication_flow_binding_overrides/directGrant"></div>
<div class="ansibleOptionAnchor" id="parameter-authenticationFlowBindingOverrides/directGrant"></div>
<p class="ansible-option-title"><strong>direct_grant</strong></p>
<a class="ansibleOptionLink" href="#parameter-authentication_flow_binding_overrides/direct_grant" title="Permalink to this option"></a>
<p class="ansible-option-type-line"><span class="ansible-option-aliases">aliases: directGrant</span></p>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Flow ID of the direct grant authentication flow.</p>
<p><code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-authentication_flow_binding_overrides/direct_grant"><span class="std std-ref"><span class="pre">authentication_flow_binding_overrides.direct_grant</span></span></a></strong></code> and <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-authentication_flow_binding_overrides/direct_grant_name"><span class="std std-ref"><span class="pre">authentication_flow_binding_overrides.direct_grant_name</span></span></a></strong></code> are mutually exclusive.</p>
</div></td>
</tr>
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-authentication_flow_binding_overrides/direct_grant_name"></div>
<div class="ansibleOptionAnchor" id="parameter-authenticationFlowBindingOverrides/direct_grant_name"></div>
<div class="ansibleOptionAnchor" id="parameter-authentication_flow_binding_overrides/directGrantName"></div>
<div class="ansibleOptionAnchor" id="parameter-authenticationFlowBindingOverrides/directGrantName"></div>
<p class="ansible-option-title"><strong>direct_grant_name</strong></p>
<a class="ansibleOptionLink" href="#parameter-authentication_flow_binding_overrides/direct_grant_name" title="Permalink to this option"></a>
<p class="ansible-option-type-line"><span class="ansible-option-aliases">aliases: directGrantName</span></p>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
</p>
<p><em class="ansible-option-versionadded">added in middleware_automation.keycloak 9.1.0</em></p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Flow name of the direct grant authentication flow.</p>
<p><code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-authentication_flow_binding_overrides/direct_grant"><span class="std std-ref"><span class="pre">authentication_flow_binding_overrides.direct_grant</span></span></a></strong></code> and <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-authentication_flow_binding_overrides/direct_grant_name"><span class="std std-ref"><span class="pre">authentication_flow_binding_overrides.direct_grant_name</span></span></a></strong></code> are mutually exclusive.</p>
</div></td>
</tr>
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-authorization_services_enabled"></div>
@ -599,11 +705,13 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>How do clients authenticate with the auth server? Either <code class='docutils literal notranslate'>client-secret</code> or <code class='docutils literal notranslate'>client-jwt</code> can be chosen. When using <code class='docutils literal notranslate'>client-secret</code>, the module parameter <em>secret</em> can set it, while for <code class='docutils literal notranslate'>client-jwt</code>, you can use the keys <code class='docutils literal notranslate'>use.jwks.url</code>, <code class='docutils literal notranslate'>jwks.url</code>, and <code class='docutils literal notranslate'>jwt.credential.certificate</code> in the <em>attributes</em> module parameter to configure its behavior. This is &#x27;clientAuthenticatorType&#x27; in the Keycloak REST API.</p>
<p>How do clients authenticate with the auth server? Either <code class="ansible-value literal notranslate">client-secret</code>, <code class="ansible-value literal notranslate">client-jwt</code>, or <code class="ansible-value literal notranslate">client-x509</code> can be chosen. When using <code class="ansible-value literal notranslate">client-secret</code>, the module parameter <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-secret"><span class="std std-ref"><span class="pre">secret</span></span></a></strong></code> can set it, for <code class="ansible-value literal notranslate">client-jwt</code>, you can use the keys <code class='docutils literal notranslate'>use.jwks.url</code>, <code class='docutils literal notranslate'>jwks.url</code>, and <code class='docutils literal notranslate'>jwt.credential.certificate</code> in the <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-attributes"><span class="std std-ref"><span class="pre">attributes</span></span></a></strong></code> module parameter to configure its behavior. For <code class="ansible-value literal notranslate">client-x509</code> you can use the keys <code class='docutils literal notranslate'>x509.allow.regex.pattern.comparison</code> and <code class='docutils literal notranslate'>x509.subjectdn</code> in the <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-attributes"><span class="std std-ref"><span class="pre">attributes</span></span></a></strong></code> module parameter to configure which certificate(s) to accept.</p>
<p>This is &#x27;clientAuthenticatorType&#x27; in the Keycloak REST API.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;client-secret&#34;</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;client-jwt&#34;</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;client-x509&#34;</code></p></li>
</ul>
</div></td>
@ -620,7 +728,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Client id of client to be worked on. This is usually an alphanumeric name chosen by you. Either this or <em>id</em> is required. If you specify both, <em>id</em> takes precedence. This is &#x27;clientId&#x27; in the Keycloak REST API.</p>
<p>Client id of client to be worked on. This is usually an alphanumeric name chosen by you. Either this or <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-id"><span class="std std-ref"><span class="pre">id</span></span></a></strong></code> is required. If you specify both, <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-id"><span class="std std-ref"><span class="pre">id</span></span></a></strong></code> takes precedence. This is &#x27;clientId&#x27; in the Keycloak REST API.</p>
</div></td>
</tr>
<tr class="row-even">
@ -827,7 +935,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Id of client to be worked on. This is usually an UUID. Either this or <em>client_id</em> is required. If you specify both, this takes precedence.</p>
<p>Id of client to be worked on. This is usually an UUID. Either this or <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-client_id"><span class="std std-ref"><span class="pre">client_id</span></span></a></strong></code> is required. If you specify both, this takes precedence.</p>
</div></td>
</tr>
<tr class="row-even">
@ -861,7 +969,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Name of the client (this is not the same as <em>client_id</em>).</p>
<p>Name of the client (this is not the same as <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-client_id"><span class="std std-ref"><span class="pre">client_id</span></span></a></strong></code>).</p>
</div></td>
</tr>
<tr class="row-even">
@ -921,11 +1029,14 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Type of client (either <code class='docutils literal notranslate'>openid-connect</code> or <code class='docutils literal notranslate'>saml</code>.</p>
<p>Type of client.</p>
<p>At creation only, default value will be <code class="ansible-value literal notranslate">openid-connect</code> if <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-protocol"><span class="std std-ref"><span class="pre">protocol</span></span></a></strong></code> is omitted.</p>
<p>The <code class="ansible-value literal notranslate">docker-v2</code> value was added in community.general 8.6.0.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;openid-connect&#34;</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;saml&#34;</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;docker-v2&#34;</code></p></li>
</ul>
</div></td>
@ -957,7 +1068,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of <em>protocolMapper</em> and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the <em>existing</em> field.</p>
<p>Dict specifying the configuration options for the protocol mapper; the contents differ depending on the value of <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-protocol_mappers/protocolMapper"><span class="std std-ref"><span class="pre">protocol_mappers[].protocolMapper</span></span></a></strong></code> and are not documented other than by the source of the mappers and its parent class(es). An example is given below. It is easiest to obtain valid config values by dumping an already-existing protocol mapper configuration through check-mode in the <code class="ansible-return-value literal notranslate"><a class="reference internal" href="#return-existing"><span class="std std-ref"><span class="pre">existing</span></span></a></code> field.</p>
</div></td>
</tr>
<tr class="row-even">
@ -1033,11 +1144,12 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>This is either <code class='docutils literal notranslate'>openid-connect</code> or <code class='docutils literal notranslate'>saml</code>, this specifies for which protocol this protocol mapper. is active.</p>
<p>This specifies for which protocol this protocol mapper is active.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;openid-connect&#34;</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;saml&#34;</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;docker-v2&#34;</code></p></li>
</ul>
</div></td>
@ -1053,29 +1165,29 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least</p>
<p><code class='docutils literal notranslate'>docker-v2-allow-all-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-address-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-full-name-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-group-membership-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-hardcoded-claim-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-hardcoded-role-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-role-name-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-script-based-protocol-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-sha256-pairwise-sub-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-usermodel-attribute-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-usermodel-client-role-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-usermodel-property-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-usermodel-realm-role-mapper</code></p>
<p><code class='docutils literal notranslate'>oidc-usersessionmodel-note-mapper</code></p>
<p><code class='docutils literal notranslate'>saml-group-membership-mapper</code></p>
<p><code class='docutils literal notranslate'>saml-hardcode-attribute-mapper</code></p>
<p><code class='docutils literal notranslate'>saml-hardcode-role-mapper</code></p>
<p><code class='docutils literal notranslate'>saml-role-list-mapper</code></p>
<p><code class='docutils literal notranslate'>saml-role-name-mapper</code></p>
<p><code class='docutils literal notranslate'>saml-user-attribute-mapper</code></p>
<p><code class='docutils literal notranslate'>saml-user-property-mapper</code></p>
<p><code class='docutils literal notranslate'>saml-user-session-note-mapper</code></p>
<p>The Keycloak-internal name of the type of this protocol-mapper. While an exhaustive list is impossible to provide since this may be extended through SPIs by the user of Keycloak, by default Keycloak as of 3.4 ships with at least:</p>
<p><code class="ansible-value literal notranslate">docker-v2-allow-all-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-address-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-full-name-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-group-membership-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-hardcoded-claim-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-hardcoded-role-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-role-name-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-script-based-protocol-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-sha256-pairwise-sub-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-usermodel-attribute-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-usermodel-client-role-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-usermodel-property-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-usermodel-realm-role-mapper</code></p>
<p><code class="ansible-value literal notranslate">oidc-usersessionmodel-note-mapper</code></p>
<p><code class="ansible-value literal notranslate">saml-group-membership-mapper</code></p>
<p><code class="ansible-value literal notranslate">saml-hardcode-attribute-mapper</code></p>
<p><code class="ansible-value literal notranslate">saml-hardcode-role-mapper</code></p>
<p><code class="ansible-value literal notranslate">saml-role-list-mapper</code></p>
<p><code class="ansible-value literal notranslate">saml-role-name-mapper</code></p>
<p><code class="ansible-value literal notranslate">saml-user-attribute-mapper</code></p>
<p><code class="ansible-value literal notranslate">saml-user-property-mapper</code></p>
<p><code class="ansible-value literal notranslate">saml-user-session-note-mapper</code></p>
<p>An exhaustive list of available mappers on your installation can be obtained on the admin console by going to Server Info -&gt; Providers and looking under &#x27;protocol-mapper&#x27;.</p>
</div></td>
</tr>
@ -1186,7 +1298,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>When using <em>client_authenticator_type</em> <code class='docutils literal notranslate'>client-secret</code> (the default), you can specify a secret here (otherwise one will be generated if it does not exit). If changing this secret, the module will not register a change currently (but the changed secret will be saved).</p>
<p>When using <code class="ansible-option-value literal notranslate"><a class="reference internal" href="#parameter-client_authenticator_type"><span class="std std-ref"><span class="pre">client_authenticator_type=client-secret</span></span></a></code> (the default), you can specify a secret here (otherwise one will be generated if it does not exit). If changing this secret, the module will not register a change currently (but the changed secret will be saved).</p>
</div></td>
</tr>
<tr class="row-odd">
@ -1242,8 +1354,8 @@ Parameters
</div></td>
<td><div class="ansible-option-cell">
<p>State of the client</p>
<p>On <code class='docutils literal notranslate'>present</code>, the client will be created (or updated if it exists already).</p>
<p>On <code class='docutils literal notranslate'>absent</code>, the client will be removed if it exists</p>
<p>On <code class="ansible-value literal notranslate">present</code>, the client will be created (or updated if it exists already).</p>
<p>On <code class="ansible-value literal notranslate">absent</code>, the client will be removed if it exists</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-default-bold"><strong>&#34;present&#34;</strong></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
@ -1299,7 +1411,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Whether or not to use configuration from the <em>client_template</em>. This is &#x27;useTemplateConfig&#x27; in the Keycloak REST API.</p>
<p>Whether or not to use configuration from the <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-client_template"><span class="std std-ref"><span class="pre">client_template</span></span></a></strong></code>. This is &#x27;useTemplateConfig&#x27; in the Keycloak REST API.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">false</code></p></li>
@ -1320,7 +1432,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Whether or not to use mapper configuration from the <em>client_template</em>. This is &#x27;useTemplateMappers&#x27; in the Keycloak REST API.</p>
<p>Whether or not to use mapper configuration from the <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-client_template"><span class="std std-ref"><span class="pre">client_template</span></span></a></strong></code>. This is &#x27;useTemplateMappers&#x27; in the Keycloak REST API.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">false</code></p></li>
@ -1341,7 +1453,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Whether or not to use scope configuration from the <em>client_template</em>. This is &#x27;useTemplateScope&#x27; in the Keycloak REST API.</p>
<p>Whether or not to use scope configuration from the <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-client_template"><span class="std std-ref"><span class="pre">client_template</span></span></a></strong></code>. This is &#x27;useTemplateScope&#x27; in the Keycloak REST API.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">false</code></p></li>
@ -1540,6 +1652,22 @@ Examples
delegate_to: localhost
- name: Create or update a Keycloak client (minimal example), with x509 authentication
middleware_automation.keycloak.keycloak_client:
auth_client_id: admin-cli
auth_keycloak_url: https://auth.example.com/auth
auth_realm: master
auth_username: USERNAME
auth_password: PASSWORD
realm: master
state: present
client_id: test
client_authenticator_type: client-x509
attributes:
x509.subjectdn: "CN=client"
x509.allow.regex.pattern.comparison: false
- name: Create or update a Keycloak client (with all the bells and whistles)
middleware_automation.keycloak.keycloak_client:
auth_client_id: admin-cli
@ -1590,7 +1718,7 @@ Examples
- test01
- test02
authentication_flow_binding_overrides:
browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb
browser: 4c90336b-bf1d-4b87-916d-3677ba4e5fbb
protocol_mappers:
- config:
access.token.claim: true

1751
main/_sources/plugins/keycloak_realm.rst.txt Normal file
View file

File diff suppressed because it is too large Load diff

123
main/_sources/plugins/keycloak_role.rst.txt
View file

@ -6,7 +6,7 @@
:trim:
.. meta::
:antsibull-docs: 2.14.0
:antsibull-docs: 2.15.0
.. Anchors
@ -194,6 +194,93 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-composite"></div>
<p class="ansible-option-title"><strong>composite</strong></p>
<a class="ansibleOptionLink" href="#parameter-composite" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">boolean</span>
</p>
<p><em class="ansible-option-versionadded">added in middleware_automation.keycloak 7.1.0</em></p>
</div></td>
<td><div class="ansible-option-cell">
<p>If <code class="ansible-value literal notranslate">true</code>, the role is a composition of other realm and/or client role.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-default-bold"><strong>false</strong></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">true</code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-composites"></div>
<p class="ansible-option-title"><strong>composites</strong></p>
<a class="ansibleOptionLink" href="#parameter-composites" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">list</span>
/ <span class="ansible-option-elements">elements=dictionary</span>
</p>
<p><em class="ansible-option-versionadded">added in middleware_automation.keycloak 7.1.0</em></p>
</div></td>
<td><div class="ansible-option-cell">
<p>List of roles to include to the composite realm role.</p>
<p>If the composite role is a client role, the <code class='docutils literal notranslate'>clientId</code> (not ID of the client) must be specified.</p>
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">[]</code></p>
</div></td>
</tr>
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-composites/client_id"></div>
<div class="ansibleOptionAnchor" id="parameter-composites/clientId"></div>
<p class="ansible-option-title"><strong>client_id</strong></p>
<a class="ansibleOptionLink" href="#parameter-composites/client_id" title="Permalink to this option"></a>
<p class="ansible-option-type-line"><span class="ansible-option-aliases">aliases: clientId</span></p>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Client ID if the role is a client role. Do not include this option for a REALM role.</p>
<p>Use the client ID you can see in the Keycloak console, not the technical ID of the client.</p>
</div></td>
</tr>
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-composites/name"></div>
<p class="ansible-option-title"><strong>name</strong></p>
<a class="ansibleOptionLink" href="#parameter-composites/name" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
/ <span class="ansible-option-required">required</span>
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Name of the role. This can be the name of a REALM role or a client role.</p>
</div></td>
</tr>
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-composites/state"></div>
<p class="ansible-option-title"><strong>state</strong></p>
<a class="ansibleOptionLink" href="#parameter-composites/state" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Create the composite if present, remove it if absent.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-default-bold"><strong>&#34;present&#34;</strong></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;absent&#34;</code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-connection_timeout"></div>
<p class="ansible-option-title"><strong>connection_timeout</strong></p>
@ -208,7 +295,7 @@ Parameters
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">10</code></p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-description"></div>
<p class="ansible-option-title"><strong>description</strong></p>
@ -221,7 +308,7 @@ Parameters
<p>The role description.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-http_agent"></div>
<p class="ansible-option-title"><strong>http_agent</strong></p>
@ -236,7 +323,7 @@ Parameters
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">&#34;Ansible&#34;</code></p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-name"></div>
<p class="ansible-option-title"><strong>name</strong></p>
@ -251,7 +338,7 @@ Parameters
<p>This parameter is required.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-realm"></div>
<p class="ansible-option-title"><strong>realm</strong></p>
@ -265,7 +352,7 @@ Parameters
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">&#34;master&#34;</code></p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-state"></div>
<p class="ansible-option-title"><strong>state</strong></p>
@ -276,8 +363,8 @@ Parameters
</div></td>
<td><div class="ansible-option-cell">
<p>State of the role.</p>
<p>On <code class='docutils literal notranslate'>present</code>, the role will be created if it does not yet exist, or updated with the parameters you provide.</p>
<p>On <code class='docutils literal notranslate'>absent</code>, the role will be removed if it exists.</p>
<p>On <code class="ansible-value literal notranslate">present</code>, the role will be created if it does not yet exist, or updated with the parameters you provide.</p>
<p>On <code class="ansible-value literal notranslate">absent</code>, the role will be removed if it exists.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-default-bold"><strong>&#34;present&#34;</strong></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
@ -286,7 +373,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-token"></div>
<p class="ansible-option-title"><strong>token</strong></p>
@ -300,7 +387,7 @@ Parameters
<p>Authentication token for Keycloak API.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-validate_certs"></div>
<p class="ansible-option-title"><strong>validate_certs</strong></p>
@ -495,14 +582,14 @@ Examples
auth_password: PASSWORD
name: my-new-role
attributes:
attrib1: value1
attrib2: value2
attrib3:
- with
- numerous
- individual
- list
- items
attrib1: value1
attrib2: value2
attrib3:
- with
- numerous
- individual
- list
- items
delegate_to: localhost

254
main/_sources/plugins/keycloak_user_federation.rst.txt
View file

@ -6,7 +6,7 @@
:trim:
.. meta::
:antsibull-docs: 2.14.0
:antsibull-docs: 2.15.0
.. Anchors
@ -165,6 +165,27 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-bind_credential_update_mode"></div>
<p class="ansible-option-title"><strong>bind_credential_update_mode</strong></p>
<a class="ansibleOptionLink" href="#parameter-bind_credential_update_mode" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>The value of the config parameter <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-config/bindCredential"><span class="std std-ref"><span class="pre">config.bindCredential</span></span></a></strong></code> is redacted in the Keycloak responses. Comparing the redacted value with the desired value always evaluates to not equal. This means the before and desired states are never equal if the parameter is set.</p>
<p>Set to <code class="ansible-value literal notranslate">always</code> to include <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-config/bindCredential"><span class="std std-ref"><span class="pre">config.bindCredential</span></span></a></strong></code> in the comparison of before and desired state. Because of the redacted value returned by Keycloak the module will always detect a change and make an update if a <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-config/bindCredential"><span class="std std-ref"><span class="pre">config.bindCredential</span></span></a></strong></code> value is set.</p>
<p>Set to <code class="ansible-value literal notranslate">only_indirect</code> to exclude <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-config/bindCredential"><span class="std std-ref"><span class="pre">config.bindCredential</span></span></a></strong></code> when comparing the before state with the desired state. The value of <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-config/bindCredential"><span class="std std-ref"><span class="pre">config.bindCredential</span></span></a></strong></code> will only be updated if there are other changes to the user federation that require an update.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-default-bold"><strong>&#34;always&#34;</strong></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;only_indirect&#34;</code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config"></div>
<p class="ansible-option-title"><strong>config</strong></p>
@ -174,11 +195,11 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Dict specifying the configuration options for the provider; the contents differ depending on the value of <em>provider_id</em>. Examples are given below for <code class='docutils literal notranslate'>ldap</code>, <code class='docutils literal notranslate'>kerberos</code> and <code class='docutils literal notranslate'>sssd</code>. It is easiest to obtain valid config values by dumping an already-existing user federation configuration through check-mode in the <em>existing</em> field.</p>
<p>The value <code class='docutils literal notranslate'>sssd</code> has been supported since middleware_automation.keycloak 1.0.0.</p>
<p>Dict specifying the configuration options for the provider; the contents differ depending on the value of <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-provider_id"><span class="std std-ref"><span class="pre">provider_id</span></span></a></strong></code>. Examples are given below for <code class="ansible-value literal notranslate">ldap</code>, <code class="ansible-value literal notranslate">kerberos</code> and <code class="ansible-value literal notranslate">sssd</code>. It is easiest to obtain valid config values by dumping an already-existing user federation configuration through check-mode in the <code class="ansible-return-value literal notranslate"><a class="reference internal" href="#return-existing"><span class="std std-ref"><span class="pre">existing</span></span></a></code> field.</p>
<p>The value <code class="ansible-value literal notranslate">sssd</code> has been supported since middleware_automation.keycloak 2.0.0.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/allowKerberosAuthentication"></div>
<p class="ansible-option-title"><strong>allowKerberosAuthentication</strong></p>
@ -197,7 +218,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/allowPasswordAuthentication"></div>
<p class="ansible-option-title"><strong>allowPasswordAuthentication</strong></p>
@ -216,7 +237,7 @@ Parameters
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/authType"></div>
<p class="ansible-option-title"><strong>authType</strong></p>
@ -235,7 +256,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/batchSizeForSync"></div>
<p class="ansible-option-title"><strong>batchSizeForSync</strong></p>
@ -249,7 +270,7 @@ Parameters
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">1000</code></p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/bindCredential"></div>
<p class="ansible-option-title"><strong>bindCredential</strong></p>
@ -262,7 +283,7 @@ Parameters
<p>Password of LDAP admin.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/bindDn"></div>
<p class="ansible-option-title"><strong>bindDn</strong></p>
@ -275,7 +296,7 @@ Parameters
<p>DN of LDAP user which will be used by Keycloak to access LDAP server.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/cachePolicy"></div>
<p class="ansible-option-title"><strong>cachePolicy</strong></p>
@ -297,7 +318,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/changedSyncPeriod"></div>
<p class="ansible-option-title"><strong>changedSyncPeriod</strong></p>
@ -311,7 +332,7 @@ Parameters
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">-1</code></p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/connectionPooling"></div>
<p class="ansible-option-title"><strong>connectionPooling</strong></p>
@ -330,7 +351,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/connectionPoolingAuthentication"></div>
<p class="ansible-option-title"><strong>connectionPoolingAuthentication</strong></p>
@ -350,7 +371,7 @@ Parameters
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/connectionPoolingDebug"></div>
<p class="ansible-option-title"><strong>connectionPoolingDebug</strong></p>
@ -360,10 +381,10 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>A string that indicates the level of debug output to produce. Example valid values are <code class='docutils literal notranslate'>fine</code> (trace connection creation and removal) and <code class='docutils literal notranslate'>all</code> (all debugging information).</p>
<p>A string that indicates the level of debug output to produce. Example valid values are <code class="ansible-value literal notranslate">fine</code> (trace connection creation and removal) and <code class="ansible-value literal notranslate">all</code> (all debugging information).</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/connectionPoolingInitSize"></div>
<p class="ansible-option-title"><strong>connectionPoolingInitSize</strong></p>
@ -376,7 +397,7 @@ Parameters
<p>The number of connections per connection identity to create when initially creating a connection for the identity.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/connectionPoolingMaxSize"></div>
<p class="ansible-option-title"><strong>connectionPoolingMaxSize</strong></p>
@ -389,7 +410,7 @@ Parameters
<p>The maximum number of connections per connection identity that can be maintained concurrently.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/connectionPoolingPrefSize"></div>
<p class="ansible-option-title"><strong>connectionPoolingPrefSize</strong></p>
@ -402,7 +423,7 @@ Parameters
<p>The preferred number of connections per connection identity that should be maintained concurrently.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/connectionPoolingProtocol"></div>
<p class="ansible-option-title"><strong>connectionPoolingProtocol</strong></p>
@ -412,10 +433,10 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>A list of space-separated protocol types of connections that may be pooled. Valid types are <code class='docutils literal notranslate'>plain</code> and <code class='docutils literal notranslate'>ssl</code>.</p>
<p>A list of space-separated protocol types of connections that may be pooled. Valid types are <code class="ansible-value literal notranslate">plain</code> and <code class="ansible-value literal notranslate">ssl</code>.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/connectionPoolingTimeout"></div>
<p class="ansible-option-title"><strong>connectionPoolingTimeout</strong></p>
@ -428,7 +449,7 @@ Parameters
<p>The number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/connectionTimeout"></div>
<p class="ansible-option-title"><strong>connectionTimeout</strong></p>
@ -441,7 +462,7 @@ Parameters
<p>LDAP Connection Timeout in milliseconds.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/connectionUrl"></div>
<p class="ansible-option-title"><strong>connectionUrl</strong></p>
@ -454,7 +475,7 @@ Parameters
<p>Connection URL to your LDAP server.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/customUserSearchFilter"></div>
<p class="ansible-option-title"><strong>customUserSearchFilter</strong></p>
@ -467,7 +488,7 @@ Parameters
<p>Additional LDAP Filter for filtering searched users. Leave this empty if you don&#x27;t need additional filter.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/debug"></div>
<p class="ansible-option-title"><strong>debug</strong></p>
@ -486,7 +507,7 @@ Parameters
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/editMode"></div>
<p class="ansible-option-title"><strong>editMode</strong></p>
@ -496,7 +517,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p><code class='docutils literal notranslate'>READ_ONLY</code> is a read-only LDAP store. <code class='docutils literal notranslate'>WRITABLE</code> means data will be synced back to LDAP on demand. <code class='docutils literal notranslate'>UNSYNCED</code> means user data will be imported, but not synced back to LDAP.</p>
<p><code class="ansible-value literal notranslate">READ_ONLY</code> is a read-only LDAP store. <code class="ansible-value literal notranslate">WRITABLE</code> means data will be synced back to LDAP on demand. <code class="ansible-value literal notranslate">UNSYNCED</code> means user data will be imported, but not synced back to LDAP.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;READ_ONLY&#34;</code></p></li>
@ -506,7 +527,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/enabled"></div>
<p class="ansible-option-title"><strong>enabled</strong></p>
@ -525,7 +546,7 @@ Parameters
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/evictionDay"></div>
<p class="ansible-option-title"><strong>evictionDay</strong></p>
@ -538,7 +559,7 @@ Parameters
<p>Day of the week the entry will become invalid on.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/evictionHour"></div>
<p class="ansible-option-title"><strong>evictionHour</strong></p>
@ -551,7 +572,7 @@ Parameters
<p>Hour of day the entry will become invalid on.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/evictionMinute"></div>
<p class="ansible-option-title"><strong>evictionMinute</strong></p>
@ -564,7 +585,7 @@ Parameters
<p>Minute of day the entry will become invalid on.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/fullSyncPeriod"></div>
<p class="ansible-option-title"><strong>fullSyncPeriod</strong></p>
@ -578,7 +599,7 @@ Parameters
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">-1</code></p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/importEnabled"></div>
<p class="ansible-option-title"><strong>importEnabled</strong></p>
@ -588,7 +609,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>If <code class='docutils literal notranslate'>true</code>, LDAP users will be imported into Keycloak DB and synced by the configured sync policies.</p>
<p>If <code class="ansible-value literal notranslate">true</code>, LDAP users will be imported into Keycloak DB and synced by the configured sync policies.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">false</code></p></li>
@ -597,7 +618,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/kerberosRealm"></div>
<p class="ansible-option-title"><strong>kerberosRealm</strong></p>
@ -610,7 +631,7 @@ Parameters
<p>Name of kerberos realm.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/keyTab"></div>
<p class="ansible-option-title"><strong>keyTab</strong></p>
@ -620,7 +641,20 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Location of Kerberos KeyTab file containing the credentials of server principal. For example <code class='docutils literal notranslate'>/etc/krb5.keytab</code>.</p>
<p>Location of Kerberos KeyTab file containing the credentials of server principal. For example <code class="ansible-value literal notranslate">/etc/krb5.keytab</code>.</p>
</div></td>
</tr>
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/krbPrincipalAttribute"></div>
<p class="ansible-option-title"><strong>krbPrincipalAttribute</strong></p>
<a class="ansibleOptionLink" href="#parameter-config/krbPrincipalAttribute" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Name of the LDAP attribute, which refers to Kerberos principal. This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak. When this is empty, the LDAP user will be looked based on LDAP username corresponding to the first part of his Kerberos principal. For instance, for principal <code class='docutils literal notranslate'>john@KEYCLOAK.ORG</code>, it will assume that LDAP username is <code class="ansible-value literal notranslate">john</code>.</p>
</div></td>
</tr>
<tr class="row-even">
@ -679,7 +713,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it&#x27;s the same as Username LDAP attribute, however it is not required. For example for Active directory, it is common to use <code class='docutils literal notranslate'>cn</code> as RDN attribute when username attribute might be <code class='docutils literal notranslate'>sAMAccountName</code>.</p>
<p>Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it&#x27;s the same as Username LDAP attribute, however it is not required. For example for Active directory, it is common to use <code class="ansible-value literal notranslate">cn</code> as RDN attribute when username attribute might be <code class="ansible-value literal notranslate">sAMAccountName</code>.</p>
</div></td>
</tr>
<tr class="row-even">
@ -696,6 +730,25 @@ Parameters
</div></td>
</tr>
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/referral"></div>
<p class="ansible-option-title"><strong>referral</strong></p>
<a class="ansibleOptionLink" href="#parameter-config/referral" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">string</span>
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Specifies if LDAP referrals should be followed or ignored. Please note that enabling referrals can slow down authentication as it allows the LDAP server to decide which other LDAP servers to use. This could potentially include untrusted servers.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;ignore&#34;</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;follow&#34;</code></p></li>
</ul>
</div></td>
</tr>
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/searchScope"></div>
<p class="ansible-option-title"><strong>searchScope</strong></p>
@ -714,7 +767,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/serverPrincipal"></div>
<p class="ansible-option-title"><strong>serverPrincipal</strong></p>
@ -724,10 +777,10 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Full name of server principal for HTTP service including server and domain name. For example <code class='docutils literal notranslate'>HTTP/host.foo.org@FOO.ORG</code>. Use <code class='docutils literal notranslate'>*</code> to accept any service principal in the KeyTab file.</p>
<p>Full name of server principal for HTTP service including server and domain name. For example <code class="ansible-value literal notranslate">HTTP/host.foo.org@FOO.ORG</code>. Use <code class="ansible-value literal notranslate">*</code> to accept any service principal in the KeyTab file.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/startTls"></div>
<p class="ansible-option-title"><strong>startTls</strong></p>
@ -746,7 +799,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/syncRegistrations"></div>
<p class="ansible-option-title"><strong>syncRegistrations</strong></p>
@ -765,7 +818,7 @@ Parameters
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/trustEmail"></div>
<p class="ansible-option-title"><strong>trustEmail</strong></p>
@ -784,7 +837,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/updateProfileFirstLogin"></div>
<p class="ansible-option-title"><strong>updateProfileFirstLogin</strong></p>
@ -803,7 +856,7 @@ Parameters
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/useKerberosForPasswordAuthentication"></div>
<p class="ansible-option-title"><strong>useKerberosForPasswordAuthentication</strong></p>
@ -822,7 +875,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/usePasswordModifyExtendedOp"></div>
<p class="ansible-option-title"><strong>usePasswordModifyExtendedOp</strong></p>
@ -841,7 +894,7 @@ Parameters
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/usernameLDAPAttribute"></div>
<p class="ansible-option-title"><strong>usernameLDAPAttribute</strong></p>
@ -851,10 +904,10 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be <code class='docutils literal notranslate'>uid</code>. For Active directory it can be <code class='docutils literal notranslate'>sAMAccountName</code> or <code class='docutils literal notranslate'>cn</code>. The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak.</p>
<p>Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be <code class="ansible-value literal notranslate">uid</code>. For Active directory it can be <code class="ansible-value literal notranslate">sAMAccountName</code> or <code class="ansible-value literal notranslate">cn</code>. The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/userObjectClasses"></div>
<p class="ansible-option-title"><strong>userObjectClasses</strong></p>
@ -864,10 +917,10 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>All values of LDAP objectClass attribute for users in LDAP divided by comma. For example <code class='docutils literal notranslate'>inetOrgPerson, organizationalPerson</code>. Newly created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records are found just if they contain all those object classes.</p>
<p>All values of LDAP objectClass attribute for users in LDAP divided by comma. For example <code class="ansible-value literal notranslate">inetOrgPerson, organizationalPerson</code>. Newly created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records are found just if they contain all those object classes.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/usersDn"></div>
<p class="ansible-option-title"><strong>usersDn</strong></p>
@ -880,7 +933,7 @@ Parameters
<p>Full DN of LDAP tree where your users are. This DN is the parent of LDAP users.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/useTruststoreSpi"></div>
<p class="ansible-option-title"><strong>useTruststoreSpi</strong></p>
@ -890,7 +943,7 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Specifies whether LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml. <code class='docutils literal notranslate'>Always</code> means that it will always use it. <code class='docutils literal notranslate'>Never</code> means that it will not use it. <code class='docutils literal notranslate'>Only for ldaps</code> means that it will use if your connection URL use ldaps. Note even if standalone.xml/domain.xml is not configured, the default Java cacerts or certificate specified by <code class='docutils literal notranslate'>javax.net.ssl.trustStore</code> property will be used.</p>
<p>Specifies whether LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml. <code class="ansible-value literal notranslate">always</code> means that it will always use it. <code class="ansible-value literal notranslate">never</code> means that it will not use it. <code class="ansible-value literal notranslate">ldapsOnly</code> means that it will use if your connection URL use ldaps. Note even if standalone.xml/domain.xml is not configured, the default Java cacerts or certificate specified by <code class='docutils literal notranslate'>javax.net.ssl.trustStore</code> property will be used.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;always&#34;</code></p></li>
@ -900,7 +953,7 @@ Parameters
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/uuidLDAPAttribute"></div>
<p class="ansible-option-title"><strong>uuidLDAPAttribute</strong></p>
@ -910,10 +963,10 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is <code class='docutils literal notranslate'>entryUUID</code>; however some are different. For example for Active directory it should be <code class='docutils literal notranslate'>objectGUID</code>. If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree.</p>
<p>Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is <code class="ansible-value literal notranslate">entryUUID</code>; however some are different. For example for Active directory it should be <code class="ansible-value literal notranslate">objectGUID</code>. If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/validatePasswordPolicy"></div>
<p class="ansible-option-title"><strong>validatePasswordPolicy</strong></p>
@ -932,7 +985,7 @@ Parameters
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-config/vendor"></div>
<p class="ansible-option-title"><strong>vendor</strong></p>
@ -943,11 +996,11 @@ Parameters
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>LDAP vendor (provider).</p>
<p>Use short name. For instance, write <code class='docutils literal notranslate'>rhds</code> for "Red Hat Directory Server".</p>
<p>Use short name. For instance, write <code class="ansible-value literal notranslate">rhds</code> for "Red Hat Directory Server".</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-connection_timeout"></div>
<p class="ansible-option-title"><strong>connection_timeout</strong></p>
@ -962,7 +1015,7 @@ Parameters
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">10</code></p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-http_agent"></div>
<p class="ansible-option-title"><strong>http_agent</strong></p>
@ -977,7 +1030,7 @@ Parameters
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">&#34;Ansible&#34;</code></p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-id"></div>
<p class="ansible-option-title"><strong>id</strong></p>
@ -987,10 +1040,10 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>The unique ID for this user federation. If left empty, the user federation will be searched by its <em>name</em>.</p>
<p>The unique ID for this user federation. If left empty, the user federation will be searched by its <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-name"><span class="std std-ref"><span class="pre">name</span></span></a></strong></code>.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-mappers"></div>
<p class="ansible-option-title"><strong>mappers</strong></p>
@ -1004,7 +1057,7 @@ Parameters
<p>A list of dicts defining mappers associated with this Identity Provider.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-mappers/config"></div>
<p class="ansible-option-title"><strong>config</strong></p>
@ -1017,7 +1070,7 @@ Parameters
<p>Dict specifying the configuration options for the mapper; the contents differ depending on the value of <em>identityProviderMapper</em>.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-mappers/id"></div>
<p class="ansible-option-title"><strong>id</strong></p>
@ -1030,7 +1083,7 @@ Parameters
<p>Unique ID of this mapper.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-mappers/name"></div>
<p class="ansible-option-title"><strong>name</strong></p>
@ -1043,7 +1096,7 @@ Parameters
<p>Name of the mapper. If no ID is given, the mapper will be searched by name.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-mappers/parentId"></div>
<p class="ansible-option-title"><strong>parentId</strong></p>
@ -1056,7 +1109,7 @@ Parameters
<p>Unique ID for the parent of this mapper. ID of the user federation will automatically be used if left blank.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-mappers/providerId"></div>
<p class="ansible-option-title"><strong>providerId</strong></p>
@ -1066,10 +1119,10 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell">
<p>The mapper type for this mapper (for instance <code class='docutils literal notranslate'>user-attribute-ldap-mapper</code>).</p>
<p>The mapper type for this mapper (for instance <code class="ansible-value literal notranslate">user-attribute-ldap-mapper</code>).</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-mappers/providerType"></div>
<p class="ansible-option-title"><strong>providerType</strong></p>
@ -1084,7 +1137,7 @@ Parameters
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-name"></div>
<p class="ansible-option-title"><strong>name</strong></p>
@ -1097,7 +1150,7 @@ Parameters
<p>Display name of provider when linked in admin console.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-parent_id"></div>
<div class="ansibleOptionAnchor" id="parameter-parentId"></div>
@ -1112,7 +1165,7 @@ Parameters
<p>Unique ID for the parent of this user federation. Realm ID will be automatically used if left blank.</p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-provider_id"></div>
<div class="ansibleOptionAnchor" id="parameter-providerId"></div>
@ -1124,17 +1177,10 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Provider for this user federation.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;ldap&#34;</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;kerberos&#34;</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">&#34;sssd&#34;</code></p></li>
</ul>
<p>Provider for this user federation. Built-in providers are <code class="ansible-value literal notranslate">ldap</code>, <code class="ansible-value literal notranslate">kerberos</code>, and <code class="ansible-value literal notranslate">sssd</code>. Custom user storage providers can also be used.</p>
</div></td>
</tr>
<tr class="row-odd">
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-provider_type"></div>
<div class="ansibleOptionAnchor" id="parameter-providerType"></div>
@ -1146,11 +1192,11 @@ Parameters
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Component type for user federation (only supported value is <code class='docutils literal notranslate'>org.keycloak.storage.UserStorageProvider</code>).</p>
<p>Component type for user federation (only supported value is <code class="ansible-value literal notranslate">org.keycloak.storage.UserStorageProvider</code>).</p>
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">&#34;org.keycloak.storage.UserStorageProvider&#34;</code></p>
</div></td>
</tr>
<tr class="row-even">
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-realm"></div>
<p class="ansible-option-title"><strong>realm</strong></p>
@ -1164,6 +1210,26 @@ Parameters
<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-value literal notranslate ansible-option-default">&#34;master&#34;</code></p>
</div></td>
</tr>
<tr class="row-even">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-remove_unspecified_mappers"></div>
<p class="ansible-option-title"><strong>remove_unspecified_mappers</strong></p>
<a class="ansibleOptionLink" href="#parameter-remove_unspecified_mappers" title="Permalink to this option"></a>
<p class="ansible-option-type-line">
<span class="ansible-option-type">boolean</span>
</p>
</div></td>
<td><div class="ansible-option-cell">
<p>Remove mappers that are not specified in the configuration for this federation.</p>
<p>Set to <code class="ansible-value literal notranslate">false</code> to keep mappers that are not listed in <code class="ansible-option literal notranslate"><strong><a class="reference internal" href="#parameter-mappers"><span class="std std-ref"><span class="pre">mappers</span></span></a></strong></code>.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-choices-entry">false</code></p></li>
<li><p><code class="ansible-value literal notranslate ansible-option-default-bold"><strong>true</strong></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
</ul>
</div></td>
</tr>
<tr class="row-odd">
<td><div class="ansible-option-cell">
<div class="ansibleOptionAnchor" id="parameter-state"></div>
@ -1175,8 +1241,8 @@ Parameters
</div></td>
<td><div class="ansible-option-cell">
<p>State of the user federation.</p>
<p>On <code class='docutils literal notranslate'>present</code>, the user federation will be created if it does not yet exist, or updated with the parameters you provide.</p>
<p>On <code class='docutils literal notranslate'>absent</code>, the user federation will be removed if it exists.</p>
<p>On <code class="ansible-value literal notranslate">present</code>, the user federation will be created if it does not yet exist, or updated with the parameters you provide.</p>
<p>On <code class="ansible-value literal notranslate">absent</code>, the user federation will be removed if it exists.</p>
<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
<ul class="simple">
<li><p><code class="ansible-value literal notranslate ansible-option-default-bold"><strong>&#34;present&#34;</strong></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
@ -1398,14 +1464,14 @@ Examples
provider_id: kerberos
provider_type: org.keycloak.storage.UserStorageProvider
config:
priority: 0
enabled: true
cachePolicy: DEFAULT
kerberosRealm: EXAMPLE.COM
serverPrincipal: HTTP/host.example.com@EXAMPLE.COM
keyTab: keytab
allowPasswordAuthentication: false
updateProfileFirstLogin: false
priority: 0
enabled: true
cachePolicy: DEFAULT
kerberosRealm: EXAMPLE.COM
serverPrincipal: HTTP/host.example.com@EXAMPLE.COM
keyTab: keytab
allowPasswordAuthentication: false
updateProfileFirstLogin: false
- name: Create sssd user federation
middleware_automation.keycloak.keycloak_user_federation:

2
main/_sources/roles/keycloak_realm.md.txt
View file

@ -19,7 +19,7 @@ Role Defaults
|`keycloak_management_http_port`| Management port | `9990` |
|`keycloak_auth_client`| Authentication client for configuration REST calls | `admin-cli` |
|`keycloak_client_public`| Configure a public realm client | `True` |
|`keycloak_client_web_origins`| Web origins for realm client | `+` |
|`keycloak_client_web_origins`| Web origins for realm client | `/*` |
|`keycloak_url`| URL for configuration rest calls | `http://{{ keycloak_host }}:{{ keycloak_http_port }}` |
|`keycloak_management_url`| URL for management console rest calls | `http://{{ keycloak_host }}:{{ keycloak_management_http_port }}` |

29
main/_sources/testing.md.txt
View file

@ -4,24 +4,7 @@
The collection is tested with a [molecule](https://github.com/ansible-community/molecule) setup covering the included roles and verifying correct installation and idempotency.
In order to run the molecule tests locally with python 3.9 available, after cloning the repository:
```
pip install yamllint 'molecule[docker]~=3.5.2' ansible-core flake8 ansible-lint voluptuous
molecule test --all
```
## Integration testing
Demo repositories which depend on the collection, and aggregate functionality with other middleware_automation collections, are automatically rebuilt
at every collection release to ensure non-breaking changes and consistent behaviour.
The repository are:
- [Flange demo](https://github.com/ansible-middleware/flange-demo)
A deployment of Wildfly cluster integrated with keycloak and infinispan.
- [CrossDC keycloak demo](https://github.com/ansible-middleware/cross-dc-rhsso-demo)
A clustered multi-regional installation of keycloak with infinispan remote caches.
The test scenarios are available on the source code repository each on his own subdirectory under [molecule/](https://github.com/ansible-middleware/keycloak/molecule).
## Test playbooks
@ -29,15 +12,7 @@ The repository are:
Sample playbooks are provided in the `playbooks/` directory; to run the playbooks locally (requires a rhel system with python 3.9+, ansible, and systemd) the steps are as follows:
```
# setup environment
pip install ansible-core
# clone the repository
git clone https://github.com/ansible-middleware/keycloak
cd keycloak
# install collection dependencies
ansible-galaxy collection install -r requirements.yml
# install collection python deps
pip install -r requirements.txt
# setup environment as in developing
# create inventory for localhost
cat << EOF > inventory
[keycloak]