mrparkers · mrparkers · Sep 7, 2021 · Aug 26, 2021 · Aug 31, 2021 · Sep 7, 2021
diff --git a/keycloak/saml_client.go b/keycloak/saml_client.go
@@ -14,6 +14,7 @@ type SamlClientAttributes struct {
 	ForceNameIdFormat       *string `json:"saml_force_name_id_format"`
 	// attributes above are actually booleans, but the Keycloak API expects strings
 	SignatureAlgorithm              string  `json:"saml.signature.algorithm"`
+	SignatureKeyName                string  `json:"saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer"`
 	NameIdFormat                    string  `json:"saml_name_id_format"`
 	SigningCertificate              *string `json:"saml.signing.certificate,omitempty"`
 	SigningPrivateKey               *string `json:"saml.signing.private.key"`

diff --git a/provider/data_source_keycloak_saml_client.go b/provider/data_source_keycloak_saml_client.go
@@ -50,6 +50,10 @@ func dataSourceKeycloakSamlClient() *schema.Resource {
 				Type:     schema.TypeBool,
 				Computed: true,
 			},
+			"signature_key_name": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"force_post_binding": {
 				Type:     schema.TypeBool,
 				Computed: true,

diff --git a/provider/data_source_keycloak_saml_client_test.go b/provider/data_source_keycloak_saml_client_test.go
@@ -2,9 +2,10 @@ package provider
 
 import (
 	"fmt"
+	"testing"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
-	"testing"
 )
 
 func TestAccKeycloakDataSourceSamlClient_basic(t *testing.T) {
@@ -29,6 +30,7 @@ func TestAccKeycloakDataSourceSamlClient_basic(t *testing.T) {
 					resource.TestCheckResourceAttrPair(dataSourceName, "sign_assertions", resourceName, "sign_assertions"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "encrypt_assertions", resourceName, "encrypt_assertions"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "client_signature_required", resourceName, "client_signature_required"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "signature_key_name", resourceName, "signature_key_name"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "force_post_binding", resourceName, "force_post_binding"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "front_channel_logout", resourceName, "front_channel_logout"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "force_name_id_format", resourceName, "force_name_id_format"),

diff --git a/provider/resource_keycloak_saml_client.go b/provider/resource_keycloak_saml_client.go
@@ -13,6 +13,7 @@ import (
 var (
 	keycloakSamlClientNameIdFormats       = []string{"username", "email", "transient", "persistent"}
 	keycloakSamlClientSignatureAlgorithms = []string{"RSA_SHA1", "RSA_SHA256", "RSA_SHA512", "DSA_SHA1"}
+	keycloakSamlClientSignatureKeyName    = []string{"NONE", "KEY_ID", "CERT_SUBJECT"}
 )
 
 func resourceKeycloakSamlClient() *schema.Resource {
@@ -93,6 +94,12 @@ func resourceKeycloakSamlClient() *schema.Resource {
 				Optional:     true,
 				ValidateFunc: validation.StringInSlice(keycloakSamlClientSignatureAlgorithms, false),
 			},
+			"signature_key_name": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ValidateFunc: validation.StringInSlice(keycloakSamlClientSignatureKeyName, false),
+			},
 			"name_id_format": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -219,6 +226,7 @@ func mapToSamlClientFromData(data *schema.ResourceData) *keycloak.SamlClient {
 
 	samlAttributes := &keycloak.SamlClientAttributes{
 		SignatureAlgorithm:              data.Get("signature_algorithm").(string),
+		SignatureKeyName:                data.Get("signature_key_name").(string),
 		NameIdFormat:                    data.Get("name_id_format").(string),
 		IDPInitiatedSSOURLName:          data.Get("idp_initiated_sso_url_name").(string),
 		IDPInitiatedSSORelayState:       data.Get("idp_initiated_sso_relay_state").(string),
@@ -403,6 +411,7 @@ func mapToDataFromSamlClient(data *schema.ResourceData, client *keycloak.SamlCli
 	data.Set("base_url", client.BaseUrl)
 	data.Set("master_saml_processing_url", client.MasterSamlProcessingUrl)
 	data.Set("signature_algorithm", client.Attributes.SignatureAlgorithm)
+	data.Set("signature_key_name", client.Attributes.SignatureKeyName)
 	data.Set("name_id_format", client.Attributes.NameIdFormat)
 	data.Set("idp_initiated_sso_url_name", client.Attributes.IDPInitiatedSSOURLName)
 	data.Set("idp_initiated_sso_relay_state", client.Attributes.IDPInitiatedSSORelayState)

diff --git a/provider/resource_keycloak_saml_client_test.go b/provider/resource_keycloak_saml_client_test.go
@@ -113,6 +113,7 @@ func TestAccKeycloakSamlClient_keycloakDefaults(t *testing.T) {
 					testAccCheckKeycloakSamlClientHasDefaultBooleanAttributes("keycloak_saml_client.saml_client"),
 					TestCheckResourceAttrNot("keycloak_saml_client.saml_client", "signing_certificate", ""),
 					TestCheckResourceAttrNot("keycloak_saml_client.saml_client", "signing_private_key", ""),
+					TestCheckResourceAttrNot("keycloak_saml_client.saml_client", "signature_key_name", "KEY_ID"),
 				),
 			},
 		},
@@ -161,6 +162,7 @@ func TestAccKeycloakSamlClient_updateInPlace(t *testing.T) {
 			ForcePostBinding:                randomBoolAsStringPointer(),
 			ForceNameIdFormat:               randomBoolAsStringPointer(),
 			SignatureAlgorithm:              randomStringInSlice(keycloakSamlClientSignatureAlgorithms),
+			SignatureKeyName:                randomStringInSlice(keycloakSamlClientSignatureKeyName),
 			NameIdFormat:                    randomStringInSlice(keycloakSamlClientNameIdFormats),
 			EncryptionCertificate:           &encryptionCertificateBefore,
 			SigningCertificate:              &signingCertificateBefore,
@@ -200,6 +202,7 @@ func TestAccKeycloakSamlClient_updateInPlace(t *testing.T) {
 			ForcePostBinding:                randomBoolAsStringPointer(),
 			ForceNameIdFormat:               randomBoolAsStringPointer(),
 			SignatureAlgorithm:              randomStringInSlice(keycloakSamlClientSignatureAlgorithms),
+			SignatureKeyName:                randomStringInSlice(keycloakSamlClientSignatureKeyName),
 			NameIdFormat:                    randomStringInSlice(keycloakSamlClientNameIdFormats),
 			EncryptionCertificate:           &encryptionCertificateAfter,
 			SigningCertificate:              &signingCertificateAfter,
@@ -613,6 +616,7 @@ resource "keycloak_saml_client" "saml_client" {
 
 	front_channel_logout       = %t
 	signature_algorithm        = "%s"
+	signature_key_name         = "%s"
 	name_id_format             = "%s"
 	root_url                   = "%s"
 	valid_redirect_uris        = %s
@@ -645,6 +649,7 @@ resource "keycloak_saml_client" "saml_client" {
 		*client.Attributes.ForceNameIdFormat,
 		client.FrontChannelLogout,
 		client.Attributes.SignatureAlgorithm,
+		client.Attributes.SignatureKeyName,
 		client.Attributes.NameIdFormat,
 		client.RootUrl,
 		arrayOfStringsForTerraformResource(client.ValidRedirectUris),