consoleTitle=Keycloak Admin Console
# Common messages
enabled=Enabled
hidden=Hidden
link-only-column=Link only
name=Name
displayName=Display name
displayNameHtml=HTML Display name
save=Save
cancel=Cancel
next=Next
onText=ON
offText=OFF
client=Client
clients=Clients
clear=Clear
selectOne=Select One...
true=True
false=False
endpoints=Endpoints
# Realm settings
realm-detail.enabled.tooltip=Users and clients can only access a realm if it's enabled
realm-detail.protocol-endpoints.tooltip=Shows the configuration of the protocol endpoints
realm-detail.protocol-endpoints.oidc=OpenID Endpoint Configuration
realm-detail.protocol-endpoints.saml=SAML 2.0 Identity Provider Metadata
realm-detail.userManagedAccess.tooltip=If enabled, users are allowed to manage their resources and permissions using the Account Management Console.
userManagedAccess=User-Managed Access
registrationAllowed=User registration
registrationAllowed.tooltip=Enable/disable the registration page. A link for registration will show on login page too.
registrationEmailAsUsername=Email as username
registrationEmailAsUsername.tooltip=If enabled then username field is hidden from registration form and email is used as username for new user.
editUsernameAllowed=Edit username
editUsernameAllowed.tooltip=If enabled, the username field is editable, readonly otherwise.
resetPasswordAllowed=Forgot password
resetPasswordAllowed.tooltip=Show a link on login page for user to click on when they have forgotten their credentials.
rememberMe=Remember Me
rememberMe.tooltip=Show checkbox on login page to allow user to remain logged in between browser restarts until session expires.
loginWithEmailAllowed=Login with email
loginWithEmailAllowed.tooltip=Allow users to log in with their email address.
duplicateEmailsAllowed=Duplicate emails
duplicateEmailsAllowed.tooltip=Allow multiple users to have the same email address. Changing this setting will also clear the user's cache. It is recommended to manually update email constraints of existing users in the database after switching off support for duplicate email addresses.
verifyEmail=Verify email
verifyEmail.tooltip=Require users to verify their email address after initial login or after address changes are submitted.
sslRequired=Require SSL
sslRequired.option.all=all requests
sslRequired.option.external=external requests
sslRequired.option.none=none
sslRequired.tooltip=Is HTTPS required? 'None' means HTTPS is not required for any client IP address. 'External requests' means localhost and private IP addresses can access without HTTPS. 'All requests' means HTTPS is required for all IP addresses.
publicKeys=Public keys
publicKey=Public key
privateKey=Private key
gen-new-keys=Generate new keys
certificate=Certificate
host=Host
smtp-host=SMTP Host
port=Port
smtp-port=SMTP Port (defaults to 25)
smtp-password.tooltip=SMTP password. This field is able to obtain its value from vault, use ${vault.ID} format.
from=From
fromDisplayName=From Display Name
fromDisplayName.tooltip=A user-friendly name for the 'From' address (optional).
replyTo=Reply To
replyToDisplayName=Reply To Display Name
replyToDisplayName.tooltip=A user-friendly name for the 'Reply-To' address (optional).
envelopeFrom=Envelope From
envelopeFrom.tooltip=An email address used for bounces (optional).
sender-email-addr=Sender Email Address
sender-email-addr-display=Display Name for Sender Email Address
reply-to-email-addr=Reply To Email Address
reply-to-email-addr-display=Display Name for Reply To Email Address
sender-envelope-email-addr=Sender Envelope Email Address
enable-ssl=Enable SSL
enable-start-tls=Enable StartTLS
enable-auth=Enable Authentication
username=Username
login-username=Login Username
password=Password
login-password=Login Password
login-theme=Login Theme
login-theme.tooltip=Select theme for login, OTP, grant, registration, and forgot password pages.
account-theme=Account Theme
account-theme.tooltip=Select theme for user account management pages.
admin-console-theme=Admin Console Theme
select-theme-admin-console=Select theme for admin console.
email-theme=Email Theme
select-theme-email=Select theme for emails that are sent by the server.
i18n-enabled=Internationalization Enabled
supported-locales=Supported Locales
supported-locales.placeholder=Type a locale and enter
default-locale=Default Locale
realm-cache-clear=Realm Cache
realm-cache-clear.tooltip=Clears all entries from the realm cache (this will clear entries for all realms)
user-cache-clear=User Cache
user-cache-clear.tooltip=Clears all entries from the user cache (this will clear entries for all realms)
keys-cache-clear=Keys Cache
keys-cache-clear.tooltip=Clears all entries from the cache of external public keys. These are keys of external clients or identity providers. (this will clear entries for all realms)
default-signature-algorithm=Default Signature Algorithm
default-signature-algorithm.tooltip=Default algorithm used to sign tokens for the realm
revoke-refresh-token=Revoke Refresh Token
revoke-refresh-token.tooltip=If enabled a refresh token can only be used up to 'Refresh Token Max Reuse' and is revoked when a different token is used. Otherwise refresh tokens are not revoked when used and can be used multiple times.
refresh-token-max-reuse=Refresh Token Max Reuse
refresh-token-max-reuse.tooltip=Maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate.
sso-session-idle=SSO Session Idle
seconds=Seconds
minutes=Minutes
hours=Hours
days=Days
sso-session-max=SSO Session Max
sso-session-idle.tooltip=Time a session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired.
sso-session-max.tooltip=Max time before a session is expired. Tokens and browser sessions are invalidated when a session is expired.
sso-session-idle-remember-me=SSO Session Idle Remember Me
sso-session-idle-remember-me.tooltip=Time a remember me session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Idle value.
sso-session-max-remember-me=SSO Session Max Remember Me
sso-session-max-remember-me.tooltip=Max time before a session is expired when the user has set the remember me option. Tokens and browser sessions are invalidated when a session is expired. If not set, it uses the standard SSO Session Max value.
offline-session-idle=Offline Session Idle
offline-session-idle.tooltip=Time an offline session is allowed to be idle before it expires. You need to use offline token to refresh at least once within this period; otherwise offline session will expire.
realm-detail.hostname=Hostname
realm-detail.hostname.tooltip=Set the hostname for the realm. Use in combination with the fixed hostname provider to override the server hostname for a specific realm.
realm-detail.frontendUrl=Frontend URL
realm-detail.frontendUrl.tooltip=Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.
## KEYCLOAK-7688 Offline Session Max for Offline Token
offline-session-max-limited=Offline Session Max Limited
offline-session-max-limited.tooltip=Enable Offline Session Max.
offline-session-max=Offline Session Max
offline-session-max.tooltip=Max time before an offline session is expired regardless of activity.
client-session-idle=Client Session Idle
client-session-idle.tooltip=Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
client-session-max=Client Session Max
client-session-max.tooltip=Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
access-token-lifespan=Access Token Lifespan
access-token-lifespan.tooltip=Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.
access-token-lifespan-for-implicit-flow=Access Token Lifespan For Implicit Flow
access-token-lifespan-for-implicit-flow.tooltip=Max time before an access token issued during OpenID Connect Implicit Flow is expired. This value is recommended to be shorter than SSO timeout. There is no possibility to refresh token during implicit flow, that's why there is a separate timeout different to 'Access Token Lifespan'.
action-token-generated-by-admin-lifespan=Default Admin-Initiated Action Lifespan
action-token-generated-by-admin-lifespan.tooltip=Maximum time before an action permit sent to a user by administrator is expired. This value is recommended to be long to allow administrators to send e-mails for users that are currently offline. The default timeout can be overridden immediately before issuing the token.
action-token-generated-by-user-lifespan=User-Initiated Action Lifespan
action-token-generated-by-user-lifespan.tooltip=Maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired. This value is recommended to be short because it is expected that the user would react to self-created action quickly.
saml-assertion-lifespan=Assertion Lifespan
saml-assertion-lifespan.tooltip=Lifespan set in the SAML assertion conditions. After that time the assertion will be invalid. The "SessionNotOnOrAfter" attribute is not modified and continues to use the "SSO Session Max" time defined at realm level.
action-token-generated-by-user.execute-actions=Execute Actions
action-token-generated-by-user.idp-verify-account-via-email=IdP Account E-mail Verification
action-token-generated-by-user.reset-credentials=Forgot Password
action-token-generated-by-user.verify-email=E-mail Verification
action-token-generated-by-user.tooltip=Override default settings of maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired for specific action. This value is recommended to be short because it is expected that the user would react to self-created action quickly.
action-token-generated-by-user.reset=Reset
action-token-generated-by-user.operation=Override User-Initiated Action Lifespan
client-login-timeout=Client login timeout
client-login-timeout.tooltip=Max time a client has to finish the access token protocol. This should normally be 1 minute.
login-timeout=Login timeout
login-timeout.tooltip=Max time a user has to complete a login. This is recommended to be relatively long, such as 30 minutes or more.
login-action-timeout=Login action timeout
login-action-timeout.tooltip=Max time a user has to complete login related actions like update password or configure totp. This is recommended to be relatively long, such as 5 minutes or more.
headers=Headers
brute-force-detection=Brute Force Detection
x-frame-options=X-Frame-Options
x-frame-options-tooltip=Default value prevents pages from being included by non-origin iframes (click label for more information)
content-sec-policy=Content-Security-Policy
content-sec-policy-tooltip=Default value prevents pages from being included by non-origin iframes (click label for more information)
content-sec-policy-report-only=Content-Security-Policy-Report-Only
content-sec-policy-report-only-tooltip=For testing Content Security Policies
content-type-options=X-Content-Type-Options
content-type-options-tooltip=Default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type (click label for more information)
robots-tag=X-Robots-Tag
robots-tag-tooltip=Prevent pages from appearing in search engines (click label for more information)
x-xss-protection=X-XSS-Protection
x-xss-protection-tooltip=This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behavior, the browser will prevent rendering of the page when an XSS attack is detected (click label for more information)
strict-transport-security=HTTP Strict Transport Security (HSTS)
strict-transport-security-tooltip=The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser sees this header, it will only visit the site over HTTPS for the time specified (1 year) at max-age, including the subdomains.
permanent-lockout=Permanent Lockout
permanent-lockout.tooltip=Lock the user permanently when the user exceeds the maximum login failures.
max-login-failures=Max Login Failures
max-login-failures.tooltip=How many failures before wait is triggered.
wait-increment=Wait Increment
wait-increment.tooltip=When failure threshold has been met, how much time should the user be locked out?
quick-login-check-millis=Quick Login Check Milli Seconds
quick-login-check-millis.tooltip=If a failure happens concurrently too quickly, lock out the user.
min-quick-login-wait=Minimum Quick Login Wait
min-quick-login-wait.tooltip=How long to wait after a quick login failure.
max-wait=Max Wait
max-wait.tooltip=Max time a user will be locked out.
failure-reset-time=Failure Reset Time
failure-reset-time.tooltip=When will failure count be reset?
realm-tab-login=Login
realm-tab-keys=Keys
realm-tab-email=Email
realm-tab-themes=Themes
realm-tab-cache=Cache
realm-tab-tokens=Tokens
realm-tab-client-registration=Client Registration
realm-tab-security-defenses=Security Defenses
realm-tab-general=General
add-realm=Add realm
#Session settings
realm-sessions=Realm Sessions
revocation=Revocation
logout-all=Logout all
active-sessions=Active Sessions
offline-sessions=Offline Sessions
sessions=Sessions
not-before=Not Before
not-before.tooltip=Revoke any tokens issued before this date.
set-to-now=Set to now
push=Push
push.tooltip=For every client that has an admin URL, notify them of the new revocation policy.
#Protocol Mapper
usermodel.prop.label=Property
usermodel.prop.tooltip=Name of the property method in the UserModel interface. For example, a value of 'email' would reference the UserModel.getEmail() method.
usermodel.attr.label=User Attribute
usermodel.attr.tooltip=Name of stored user attribute which is the name of an attribute within the UserModel.attribute map.
userSession.modelNote.label=User Session Note
userSession.modelNote.tooltip=Name of stored user session note within the UserSessionModel.note map.
multivalued.label=Multivalued
multivalued.tooltip=Indicates if attribute supports multiple values. If true, the list of all values of this attribute will be set as claim. If false, just first value will be set as claim
aggregate.attrs.label=Aggregate attribute values
aggregate.attrs.tooltip=Indicates if attribute values should be aggregated with the group attributes. If using OpenID Connect mapper the multivalued option needs to be enabled too in order to get all the values. Duplicated values are discarded and the order of values is not guaranteed with this option.
selectRole.label=Select Role
selectRole.tooltip=Enter role in the textbox to the left, or click this button to browse and select the role you want.
tokenClaimName.label=Token Claim Name
tokenClaimName.tooltip=Name of the claim to insert into the token. This can be a fully qualified name like 'address.street'. In this case, a nested json object will be created. To prevent nesting and use dot literally, escape the dot with backslash (\\.).
jsonType.label=Claim JSON Type
jsonType.tooltip=JSON type that should be used to populate the json claim in the token. long, int, boolean, String and JSON are valid values.
includeInIdToken.label=Add to ID token
includeInIdToken.tooltip=Should the claim be added to the ID token?
includeInAccessToken.label=Add to access token
includeInAccessToken.tooltip=Should the claim be added to the access token?
includeInUserInfo.label=Add to userinfo
includeInUserInfo.tooltip=Should the claim be added to the userinfo?
usermodel.clientRoleMapping.clientId.label=Client ID
usermodel.clientRoleMapping.clientId.tooltip=Client ID for role mappings. Just client roles of this client will be added to the token. If this is unset, client roles of all clients will be added to the token.
usermodel.clientRoleMapping.rolePrefix.label=Client Role prefix
usermodel.clientRoleMapping.rolePrefix.tooltip=A prefix for each client role (optional).
usermodel.clientRoleMapping.tokenClaimName.tooltip=Name of the claim to insert into the token. This can be a fully qualified name like 'address.street'. In this case, a nested json object will be created. To prevent nesting and use dot literally, escape the dot with backslash (\\.). The special token ${client_id} can be used and this will be replaced by the actual client ID. Example usage is 'resource_access.${client_id}.roles'. This is useful especially when you are adding roles from all the clients (Hence 'Client ID' switch is unset) and you want client roles of each client stored separately.
usermodel.realmRoleMapping.rolePrefix.label=Realm Role prefix
usermodel.realmRoleMapping.rolePrefix.tooltip=A prefix for each Realm Role (optional).
sectorIdentifierUri.label=Sector Identifier URI
sectorIdentifierUri.tooltip=Providers that use pairwise sub values and support Dynamic Client Registration SHOULD use the sector_identifier_uri parameter. It provides a way for a group of websites under common administrative control to have consistent pairwise sub values independent of the individual domain names. It also provides a way for Clients to change redirect_uri domains without having to reregister all their users.
pairwiseSubAlgorithmSalt.label=Salt
pairwiseSubAlgorithmSalt.tooltip=Salt used when calculating the pairwise subject identifier. If left blank, a salt will be generated.
addressClaim.street.label=User Attribute Name for Street
addressClaim.street.tooltip=Name of User Attribute, which will be used to map to 'street_address' subclaim inside 'address' token claim. Defaults to 'street'.
addressClaim.locality.label=User Attribute Name for Locality
addressClaim.locality.tooltip=Name of User Attribute, which will be used to map to 'locality' subclaim inside 'address' token claim. Defaults to 'locality'.
addressClaim.region.label=User Attribute Name for Region
addressClaim.region.tooltip=Name of User Attribute, which will be used to map to 'region' subclaim inside 'address' token claim. Defaults to 'region'.
addressClaim.postal_code.label=User Attribute Name for Postal Code
addressClaim.postal_code.tooltip=Name of User Attribute, which will be used to map to 'postal_code' subclaim inside 'address' token claim. Defaults to 'postal_code'.
addressClaim.country.label=User Attribute Name for Country
addressClaim.country.tooltip=Name of User Attribute, which will be used to map to 'country' subclaim inside 'address' token claim. Defaults to 'country'.
addressClaim.formatted.label=User Attribute Name for Formatted Address
addressClaim.formatted.tooltip=Name of User Attribute, which will be used to map to 'formatted' subclaim inside 'address' token claim. Defaults to 'formatted'.
included.client.audience.label=Included Client Audience
included.client.audience.tooltip=The Client ID of the specified audience client will be included in audience (aud) field of the token. If there are existing audiences in the token, the specified value is just added to them. It won't override existing audiences.
included.custom.audience.label=Included Custom Audience
included.custom.audience.tooltip=This is used just if 'Included Client Audience' is not filled. The specified value will be included in audience (aud) field of the token. If there are existing audiences in the token, the specified value is just added to them. It won't override existing audiences.
# client details
clients.tooltip=Clients are trusted browser apps and web services in a realm. These clients can request a login. You can also define client specific roles.
search.placeholder=Search...
search.loading=Searching...
create=Create
import=Import
client-id=Client ID
base-url=Base URL
actions=Actions
not-defined=Not defined
edit=Edit
delete=Delete
no-results=No results
no-clients-available=No clients available
add-client=Add Client
select-file=Select file
view-details=View details
clear-import=Clear import
client-id.tooltip=Specifies ID referenced in URI and tokens. For example 'my-client'. For SAML this is also the expected issuer value from authn requests
client.name.tooltip=Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example\: ${my_client}
client.enabled.tooltip=Disabled clients cannot initiate a login or obtain access tokens.
alwaysDisplayInConsole=Always Display in Console
alwaysDisplayInConsole.tooltip=Always list this client in the Account Console, even if the user does not have an active session.
consent-required=Consent Required
consent-required.tooltip=If enabled, users have to consent to client access.
client.display-on-consent-screen=Display Client On Consent Screen
client.display-on-consent-screen.tooltip=Applicable just if Consent Required is on. If this switch is off, consent screen will contain just the consents corresponding to configured client scopes. If on, there will be also one item on consent screen about this client itself
client.consent-screen-text=Client Consent Screen Text
client.consent-screen-text.tooltip=Applicable just if 'Display Client On Consent Screen' is on for this client. Contains the text, which will be on consent screen about permissions specific just for this client
client-protocol=Client Protocol
client-protocol.tooltip='OpenID connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server. 'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information.
access-type=Access Type
access-type.tooltip='Confidential' clients require a secret to initiate login protocol. 'Public' clients do not require a secret. 'Bearer-only' clients are web services that never initiate a login.
standard-flow-enabled=Standard Flow Enabled
standard-flow-enabled.tooltip=This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client.
implicit-flow-enabled=Implicit Flow Enabled
implicit-flow-enabled.tooltip=This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client.
direct-access-grants-enabled=Direct Access Grants Enabled
direct-access-grants-enabled.tooltip=This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. In terms of OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client.
service-accounts-enabled=Service Accounts Enabled
service-accounts-enabled.tooltip=Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.
include-authnstatement=Include AuthnStatement
include-authnstatement.tooltip=Should a statement specifying the method and timestamp be included in login responses?
include-onetimeuse-condition=Include OneTimeUse Condition
include-onetimeuse-condition.tooltip=Should a OneTimeUse Condition be included in login responses?
sign-documents=Sign Documents
sign-documents.tooltip=Should SAML documents be signed by the realm?
sign-documents-redirect-enable-key-info-ext=Optimize REDIRECT signing key lookup
sign-documents-redirect-enable-key-info-ext.tooltip=When signing SAML documents in REDIRECT binding for SP that is secured by Keycloak adapter, should the ID of the signing key be included in SAML protocol message in <Extensions> element? This optimizes validation of the signature as the validating party uses a single key instead of trying every known key for validation.
sign-assertions=Sign Assertions
sign-assertions.tooltip=Should assertions inside SAML documents be signed? This setting is not needed if document is already being signed.
signature-algorithm=Signature Algorithm
signature-algorithm.tooltip=The signature algorithm to use to sign documents.
canonicalization-method=Canonicalization Method
canonicalization-method.tooltip=Canonicalization Method for XML signatures.
encrypt-assertions=Encrypt Assertions
encrypt-assertions.tooltip=Should SAML assertions be encrypted with client's public key using AES?
client-signature-required=Client Signature Required
client-signature-required.tooltip=Will the client sign their saml requests and responses? And should they be validated?
force-post-binding=Force POST Binding
force-post-binding.tooltip=Always use POST binding for responses.
front-channel-logout=Front Channel Logout
front-channel-logout.tooltip=When true, logout requires a browser redirect to client. When false, server performs a background invocation for logout.
force-name-id-format=Force Name ID Format
force-name-id-format.tooltip=Ignore requested NameID subject format and use admin console configured one.
name-id-format=Name ID Format
name-id-format.tooltip=The name ID format to use for the subject.
root-url=Root URL
root-url.tooltip=Root URL appended to relative URLs
valid-redirect-uris=Valid Redirect URIs
valid-redirect-uris.tooltip=Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.
base-url.tooltip=Default URL to use when the auth server needs to redirect or link back to the client.
admin-url=Admin URL
admin-url.tooltip=URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client.
master-saml-processing-url=Master SAML Processing URL
master-saml-processing-url.tooltip=If configured, this URL will be used for every binding to both the SP's Assertion Consumer and Single Logout Services. This can be individually overridden for each binding and service in the Fine Grain SAML Endpoint Configuration.
idp-sso-url-ref=IDP Initiated SSO URL Name
idp-sso-url-ref.tooltip=URL fragment name to reference client when you want to do IDP Initiated SSO. Leaving this empty will disable IDP Initiated SSO. The URL you will reference from your browser will be: {server-root}/realms/{realm}/protocol/saml/clients/{client-url-name}
idp-sso-url-ref.urlhint=Target IDP initiated SSO URL:
idp-sso-relay-state=IDP Initiated SSO Relay State
idp-sso-relay-state.tooltip=Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
web-origins=Web Origins
web-origins.tooltip=Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'.
fine-oidc-endpoint-conf=Fine Grain OpenID Connect Configuration
fine-oidc-endpoint-conf.tooltip=Expand this section to configure advanced settings of this client related to OpenID Connect protocol
access-token-signed-response-alg=Access Token Signature Algorithm
access-token-signed-response-alg.tooltip=JWA algorithm used for signing access tokens.
id-token-signed-response-alg=ID Token Signature Algorithm
id-token-signed-response-alg.tooltip=JWA algorithm used for signing ID tokens.
id-token-encrypted-response-alg=ID Token Encryption Key Management Algorithm
id-token-encrypted-response-alg.tooltip=JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.
id-token-encrypted-response-enc=ID Token Encryption Content Encryption Algorithm
id-token-encrypted-response-enc.tooltip=JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.
user-info-signed-response-alg=User Info Signed Response Algorithm
user-info-signed-response-alg.tooltip=JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.
request-object-signature-alg=Request Object Signature Algorithm
request-object-signature-alg.tooltip=JWA algorithm that the client needs to use when sending an OIDC request object specified by the 'request' or 'request_uri' parameters. If set to 'any', the request object can be signed by any algorithm (including 'none').
request-object-required=Request Object Required
request-object-required.tooltip=Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to "not required", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to "request", the request object must be provided by value. If set to "request_uri", the request object must be provided by reference. If set to "request or request_uri", either method can be used.
fine-saml-endpoint-conf=Fine Grain SAML Endpoint Configuration
fine-saml-endpoint-conf.tooltip=Expand this section to configure exact URLs for Assertion Consumer and Single Logout Service.
assertion-consumer-post-binding-url=Assertion Consumer Service POST Binding URL
assertion-consumer-post-binding-url.tooltip=SAML POST Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.
assertion-consumer-redirect-binding-url=Assertion Consumer Service Redirect Binding URL
assertion-consumer-redirect-binding-url.tooltip=SAML Redirect Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.
logout-service-post-binding-url=Logout Service POST Binding URL
logout-service-post-binding-url.tooltip=SAML POST Binding URL for the client's single logout service. You can leave this blank if you are using a different binding
logout-service-redir-binding-url=Logout Service Redirect Binding URL
logout-service-redir-binding-url.tooltip=SAML Redirect Binding URL for the client's single logout service. You can leave this blank if you are using a different binding.
saml-signature-keyName-transformer=SAML Signature Key Name
saml-signature-keyName-transformer.tooltip=Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counterparty, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works.
oidc-compatibility-modes=OpenID Connect Compatibility Modes
oidc-compatibility-modes.tooltip=Expand this section to configure settings for backwards compatibility with older OpenID Connect / OAuth2 adapters. It is useful especially if your client uses older version of Keycloak / RH-SSO adapter.
exclude-session-state-from-auth-response=Exclude Session State From Authentication Response
exclude-session-state-from-auth-response.tooltip=If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. It is useful if your client uses older OIDC / OAuth2 adapter, which does not support 'session_state' parameter.
# client import
import-client=Import Client
format-option=Format Option
select-format=Select a Format
import-file=Import File
# client tabs
settings=Settings
credentials=Credentials
saml-keys=SAML Keys
roles=Roles
mappers=Mappers
mappers.tooltip=Protocol mappers perform transformation on tokens and documents. They can do things like map user data into protocol claims, or just transform any requests going between the client and auth server.
scope=Scope
scope.tooltip=Scope mappings allow you to restrict which user role mappings are included within the access token requested by the client.
sessions.tooltip=View active sessions for this client. Allows you to see which users are active and when they logged in.
offline-access=Offline Access
offline-access.tooltip=View offline sessions for this client. Allows you to see which users retrieve offline token and when they retrieve it. To revoke all tokens for the client, go to the Revocation tab and set Not Before to Now.
clustering=Clustering
installation=Installation
installation.tooltip=Helper utility for generating various client adapter configuration formats which you can download or cut and paste to configure your clients.
service-account-roles=Service Account Roles
service-account-roles.tooltip=Allows you to authenticate role mappings for the service account dedicated to this client.
# client credentials
client-authenticator=Client Authenticator
client-authenticator.tooltip=Client Authenticator used for authentication of this client against Keycloak server
certificate.tooltip=Client certificate used to validate JWTs issued by the client and signed by the client private key from your keystore.
publicKey.tooltip=Public key used to validate JWTs issued by the client and signed by the client private key.
no-client-certificate-configured=No client certificate configured
gen-new-keys-and-cert=Generate new keys and certificate
import-certificate=Import Certificate
gen-client-private-key=Generate Client Private Key
generate-private-key=Generate Private Key
kid=Kid
kid.tooltip=KID (Key ID) of the client public key from imported JWKS.
use-jwks-url=Use JWKS URL
use-jwks-url.tooltip=If the switch is on, client public keys will be downloaded from the given JWKS URL. This allows great flexibility because new keys will always be re-downloaded when the client generates a new keypair. If the switch is off, the public key (or certificate) from the Keycloak DB is used, so when the client keypair changes, you always need to import the new key (or certificate) to the Keycloak DB as well.
jwks-url=JWKS URL
jwks-url.tooltip=URL where client keys in JWK format are stored. See the JWK specification for more details. If you use the Keycloak client adapter with the "jwt" credential, you can use the URL of your app with the '/k_jwks' suffix. For example 'http://www.myhost.com/myapp/k_jwks'.
archive-format=Archive Format
archive-format.tooltip=Java keystore or PKCS12 archive format.
key-alias=Key Alias
key-alias.tooltip=Archive alias for your private key and certificate.
key-password=Key Password
key-password.tooltip=Password to access the private key in the archive
store-password=Store Password
store-password.tooltip=Password to access the archive itself
generate-and-download=Generate and Download
client-certificate-import=Client Certificate Import
import-client-certificate=Import Client Certificate
jwt-import.key-alias.tooltip=Archive alias for your certificate.
secret=Secret
regenerate-secret=Regenerate Secret
registrationAccessToken=Registration access token
registrationAccessToken.regenerate=Regenerate registration access token
registrationAccessToken.tooltip=The registration access token provides access for clients to the client registration service.
add-role=Add Role
role-name=Role Name
composite=Composite
description=Description
no-client-roles-available=No client roles available
composite-roles=Composite Roles
composite-roles.tooltip=When this role is (un)assigned to a user any role associated with it will be (un)assigned implicitly.
realm-roles=Realm Roles
available-roles=Available Roles
add-selected=Add selected
associated-roles=Associated Roles
composite.associated-realm-roles.tooltip=Realm level roles associated with this composite role.
composite.available-realm-roles.tooltip=Realm level roles that you can associate to this composite role.
remove-selected=Remove selected
client-roles=Client Roles
select-client-to-view-roles=Select client to view roles for client
available-roles.tooltip=Roles from this client that you can associate to this composite role.
client.associated-roles.tooltip=Client roles associated with this composite role.
add-builtin=Add Builtin
category=Category
type=Type
priority-order=Priority Order
no-mappers-available=No mappers available
add-builtin-protocol-mappers=Add Builtin Protocol Mappers
add-builtin-protocol-mapper=Add Builtin Protocol Mapper
scope-mappings=Scope Mappings
full-scope-allowed=Full Scope Allowed
full-scope-allowed.tooltip=Allows you to disable all restrictions.
scope.available-roles.tooltip=Realm level roles that can be assigned to scope.
assigned-roles=Assigned Roles
assigned-roles.tooltip=Realm level roles assigned to scope.
effective-roles=Effective Roles
realm.effective-roles.tooltip=Assigned realm level roles that may have been inherited from a composite role.
select-client-roles.tooltip=Select client to view roles for client
assign.available-roles.tooltip=Client roles available to be assigned.
client.assigned-roles.tooltip=Assigned client roles.
client.effective-roles.tooltip=Assigned client roles that may have been inherited from a composite role.
basic-configuration=Basic configuration
node-reregistration-timeout=Node Re-registration Timeout
node-reregistration-timeout.tooltip=Interval specifying the maximum time for registered client cluster nodes to re-register. If a cluster node does not send a re-registration request to Keycloak within this time, it will be unregistered from Keycloak.
registered-cluster-nodes=Registered cluster nodes
register-node-manually=Register node manually
test-cluster-availability=Test cluster availability
last-registration=Last registration
node-host=Node host
no-registered-cluster-nodes=No registered cluster nodes available
cluster-nodes=Cluster Nodes
add-node=Add Node
active-sessions.tooltip=Total number of active user sessions for this client.
show-sessions=Show Sessions
show-sessions.tooltip=Warning, this is a potentially expensive operation depending on the number of active sessions.
user=User
from-ip=From IP
session-start=Session Start
first-page=First Page
previous-page=Previous Page
next-page=Next Page
client-revoke.not-before.tooltip=Revoke any tokens issued before this date for this client.
client-revoke.push.tooltip=If the admin URL is configured for this client, push this policy to that client.
select-a-format=Select a Format
download=Download
offline-tokens=Offline Tokens
offline-tokens.tooltip=Total number of offline tokens for this client.
show-offline-tokens=Show Offline Tokens
show-offline-tokens.tooltip=Warning, this is a potentially expensive operation depending on the number of offline tokens.
token-issued=Token Issued
last-access=Last Access
last-refresh=Last Refresh
key-export=Key Export
key-import=Key Import
export-saml-key=Export SAML Key
import-saml-key=Import SAML Key
realm-certificate-alias=Realm Certificate Alias
realm-certificate-alias.tooltip=Realm certificate is stored in archive too. This is the alias to it.
signing-key=Signing Key
saml-signing-key=SAML Signing Key.
private-key=Private Key
generate-new-keys=Generate new keys
export=Export
encryption-key=Encryption Key
saml-encryption-key.tooltip=SAML Encryption Key.
service-accounts=Service Accounts
service-account.available-roles.tooltip=Realm level roles that can be assigned to service account.
service-account.assigned-roles.tooltip=Realm level roles assigned to service account.
service-account-is-not-enabled-for=Service account is not enabled for {{client}}
create-protocol-mappers=Create Protocol Mappers
create-protocol-mapper=Create Protocol Mapper
protocol=Protocol
protocol.tooltip=Protocol...
id=ID
mapper.name.tooltip=Name of the mapper.
mapper.consent-required.tooltip=When granting temporary access, must the user consent to providing this data to the client?
consent-text=Consent Text
consent-text.tooltip=Text to display on consent page.
mapper-type=Mapper Type
mapper-type.tooltip=Type of the mapper
user-label=User Label
data=Data
show-data=Show data...
position=Position
# realm identity providers
identity-providers=Identity Providers
table-of-identity-providers=Table of identity providers
add-provider.placeholder=Add provider...
provider=Provider
gui-order=GUI order
first-broker-login-flow=First Login Flow
post-broker-login-flow=Post Login Flow
sync-mode=Sync Mode
sync-mode.tooltip=Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider.
sync-mode.inherit=inherit
sync-mode.legacy=legacy
sync-mode.import=import
sync-mode.force=force
sync-mode-override=Sync Mode Override
sync-mode-override.tooltip=Overrides the default sync mode of the IDP for this mapper. Values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider, and 'inherit' to use the sync mode defined in the identity provider for this mapper.
redirect-uri=Redirect URI
redirect-uri.tooltip=The redirect uri to use when configuring the identity provider.
alias=Alias
display-name=Display Name
identity-provider.alias.tooltip=The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
identity-provider.display-name.tooltip=Friendly name for Identity Providers.
identity-provider.enabled.tooltip=Enable/disable this identity provider.
authenticate-by-default=Authenticate by Default
identity-provider.authenticate-by-default.tooltip=Indicates if this provider should be tried by default for authentication even before displaying login screen.
store-tokens=Store Tokens
identity-provider.store-tokens.tooltip=Enable/disable if tokens must be stored after authenticating users.
stored-tokens-readable=Stored Tokens Readable
identity-provider.stored-tokens-readable.tooltip=Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
disableUserInfo=Disable User Info
identity-provider.disableUserInfo.tooltip=Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service.
userIp=Use userIp Param
identity-provider.google-userIp.tooltip=Set the 'userIp' query parameter when invoking Google's User Info service. This will use the user's IP address. Useful if Google is throttling access to the User Info service.
offlineAccess=Request refresh token
identity-provider.google-offlineAccess.tooltip=Set the 'access_type' query parameter to 'offline' when redirecting to the Google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve a Google token to access Google APIs when the user is not at the browser.
hostedDomain=Hosted Domain
identity-provider.google-hostedDomain.tooltip=Set 'hd' query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When '*' is entered, any hosted account can be used.
sandbox=Target Sandbox
identity-provider.paypal-sandbox.tooltip=Target PayPal's sandbox environment
update-profile-on-first-login=Update Profile on First Login
on=On
on-missing-info=On missing info
off=Off
update-profile-on-first-login.tooltip=Define conditions under which a user has to update their profile during first-time login.
trust-email=Trust Email
trust-email.tooltip=If enabled, email provided by this provider is not verified even if verification is enabled for the realm.
link-only=Account Linking Only
link-only.tooltip=If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider
hide-on-login-page=Hide on Login Page
hide-on-login-page.tooltip=If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter.
gui-order.tooltip=Number defining order of the provider in GUI (for example, on Login page).
first-broker-login-flow.tooltip=Alias of the authentication flow that is triggered after first login with this identity provider. The term 'First Login' means that no Keycloak account is currently linked to the authenticated identity provider account.
post-broker-login-flow.tooltip=Alias of the authentication flow that is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you do not need any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that the user is already set in ClientSession, as the identity provider has already set it.
openid-connect-config=OpenID Connect Config
openid-connect-config.tooltip=OIDC SP and external IDP configuration.
authorization-url=Authorization URL
authorization-url.tooltip=The Authorization Url.
token-url=Token URL
token-url.tooltip=The Token URL.
loginHint=Pass login_hint
loginHint.tooltip=Pass login_hint to identity provider.
uiLocales=Pass current locale
uiLocales.tooltip=Pass the current locale to the identity provider as a ui_locales parameter.
logout-url=Logout URL
identity-provider.logout-url.tooltip=End session endpoint to use to logout user from external IDP.
backchannel-logout=Backchannel Logout
backchannel-logout.tooltip=Does the external IDP support backchannel logout?
user-info-url=User Info URL
user-info-url.tooltip=The User Info Url. This is optional.
client-auth=Client Authentication
client-auth.tooltip=The client authentication method (cfr. https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). In case of JWT signed with private key, the realm private key is used.
client-auth.client_secret_post=Client secret sent as post
client-auth.client_secret_basic=Client secret sent as basic auth
client-auth.client_secret_jwt=Client secret as jwt
client-auth.private_key_jwt=JWT signed with private key
identity-provider.client-id.tooltip=The client or client identifier registered within the identity provider.
client-secret=Client Secret
show-secret=Show secret
hide-secret=Hide secret
client-secret.tooltip=The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use ${vault.ID} format.
issuer=Issuer
issuer.tooltip=The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
default-scopes=Default Scopes
identity-provider.default-scopes.tooltip=The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to 'openid'.
prompt=Prompt
unspecified.option=unspecified
none.option=none
consent.option=consent
login.option=login
select-account.option=select_account
prompt.tooltip=Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
accepts-prompt-none-forward-from-client=Accepts prompt=none forward from client
accepts-prompt-none-forward-from-client.tooltip=This is just used together with Identity Provider Authenticator or when kc_idp_hint points to this identity provider. In case that client sends a request with prompt=none and user is not yet authenticated, the error will not be directly returned to client, but the request with prompt=none will be forwarded to this identity provider.
validate-signatures=Validate Signatures
identity-provider.validate-signatures.tooltip=Enable/disable signature validation of external IDP signatures.
identity-provider.use-jwks-url.tooltip=If the switch is on, identity provider public keys will be downloaded from the given JWKS URL. This allows great flexibility because new keys will always be re-downloaded when the identity provider generates a new keypair. If the switch is off, the public key (or certificate) from the Keycloak DB is used, so when the identity provider keypair changes, you always need to import the new key to the Keycloak DB as well.
identity-provider.jwks-url.tooltip=URL where identity provider keys in JWK format are stored. See the JWK specification for more details. If you use an external Keycloak identity provider, you can use a URL like 'http://broker-keycloak:8180/auth/realms/test/protocol/openid-connect/certs', assuming your brokered Keycloak is running on 'http://broker-keycloak:8180' and its realm is 'test'.
validating-public-key=Validating Public Key
identity-provider.validating-public-key.tooltip=The public key in PEM format that must be used to verify external IDP signatures.
validating-public-key-id=Validating Public Key Id
identity-provider.validating-public-key-id.tooltip=Explicit ID of the validating public key given above. Leave blank if the key above should always be used, regardless of the key ID specified by the external IDP; set it if the key should only be used for verification when the key ID from the external IDP matches.
allowed-clock-skew=Allowed clock skew
identity-provider.allowed-clock-skew.tooltip=Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero.
forwarded-query-parameters=Forwarded Query Parameters
identity-provider.forwarded-query-parameters.tooltip=Non OpenID Connect/OAuth standard query parameters to be forwarded to external IDP from the initial application request to Authorization Endpoint. Multiple parameters can be entered, separated by comma (,).
import-external-idp-config=Import External IDP Config
import-external-idp-config.tooltip=Allows you to load external IDP metadata from a config file or to download it from a URL.
import-from-url=Import from URL
identity-provider.import-from-url.tooltip=Import metadata from a remote IDP discovery descriptor.
import-from-file=Import from file
identity-provider.import-from-file.tooltip=Import metadata from a downloaded IDP discovery descriptor.
saml-config=SAML Config
identity-provider.saml-config.tooltip=SAML SP and external IDP configuration.
single-signon-service-url=Single Sign-On Service URL
saml.single-signon-service-url.tooltip=The Url that must be used to send authentication requests (SAML AuthnRequest).
single-logout-service-url=Single Logout Service URL
saml.single-logout-service-url.tooltip=The Url that must be used to send logout requests.
nameid-policy-format=NameID Policy Format
nameid-policy-format.tooltip=Specifies the URI reference corresponding to a name identifier format. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
saml.principal-type=Principal Type
saml.principal-type.tooltip=Way to identify and track external users from the assertion. Default is using Subject NameID, alternatively you can set up identifying attribute.
saml.principal-attribute=Principal Attribute
saml.principal-attribute.tooltip=Name or Friendly Name of the attribute used to identify external users.
http-post-binding-response=HTTP-POST Binding Response
http-post-binding-response.tooltip=Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
http-post-binding-for-authn-request=HTTP-POST Binding for AuthnRequest
http-post-binding-for-authn-request.tooltip=Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
http-post-binding-logout=HTTP-POST Binding Logout
http-post-binding-logout.tooltip=Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
want-authn-requests-signed=Want AuthnRequests Signed
want-authn-requests-signed.tooltip=Indicates whether the identity provider expects a signed AuthnRequest.
want-assertions-signed=Want Assertions Signed
want-assertions-signed.tooltip=Indicates whether this service provider expects a signed Assertion.
want-assertions-encrypted=Want Assertions Encrypted
want-assertions-encrypted.tooltip=Indicates whether this service provider expects an encrypted Assertion.
force-authentication=Force Authentication
identity-provider.force-authentication.tooltip=Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
validate-signature=Validate Signature
saml.validate-signature.tooltip=Enable/disable signature validation of SAML responses.
validating-x509-certificate=Validating X509 Certificates
validating-x509-certificate.tooltip=The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,).
saml.import-from-url.tooltip=Import metadata from a remote IDP SAML entity descriptor.
social.client-id.tooltip=The client identifier registered with the identity provider.
social.client-secret.tooltip=The client secret registered with the identity provider. This field is able to obtain its value from vault, use ${vault.ID} format.
social.default-scopes.tooltip=The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value.
key=Key
stackoverflow.key.tooltip=The Key obtained from Stack Overflow client registration.
openshift.base-url=Base Url
openshift.base-url.tooltip=Base Url to OpenShift Online API
openshift4.base-url=Base Url
openshift4.base-url.tooltip=Base Url to OpenShift Online API
gitlab-application-id=Application Id
gitlab-application-secret=Application Secret
gitlab.application-id.tooltip=Application Id for the application you created in your GitLab Applications account menu
gitlab.application-secret.tooltip=Secret for the application that you created in your GitLab Applications account menu
gitlab.default-scopes.tooltip=Scopes to ask for on login. Will always ask for openid. Additionally adds api if you do not specify anything.
bitbucket-consumer-key=Consumer Key
bitbucket-consumer-secret=Consumer Secret
bitbucket.key.tooltip=Bitbucket OAuth Consumer Key
bitbucket.secret.tooltip=Bitbucket OAuth Consumer Secret
bitbucket.default-scopes.tooltip=Scopes to ask for on login. If you do not specify anything, scope defaults to 'email'.
# User federation
sync-ldap-roles-to-keycloak=Sync LDAP Roles To Keycloak
sync-keycloak-roles-to-ldap=Sync Keycloak Roles To LDAP
sync-ldap-groups-to-keycloak=Sync LDAP Groups To Keycloak
sync-keycloak-groups-to-ldap=Sync Keycloak Groups To LDAP
realms=Realms
realm=Realm
identity-provider-mappers=Identity Provider Mappers
create-identity-provider-mapper=Create Identity Provider Mapper
add-identity-provider-mapper=Add Identity Provider Mapper
client.description.tooltip=Specifies description of the client. For example 'My Client for TimeSheets'. Supports keys for localized values as well. For example\: ${my_client_description}
expires=Expires
expiration=Expiration
expiration.tooltip=Specifies how long the token should be valid
count=Count
count.tooltip=Specifies how many clients can be created using the token
remainingCount=Remaining Count
created=Created
back=Back
initial-access-tokens=Initial Access Tokens
add-initial-access-tokens=Add Initial Access Token
initial-access-token=Initial Access Token
initial-access.copyPaste.tooltip=Copy/paste the initial access token before navigating away from this page as it is not possible to retrieve later
continue=Continue
initial-access-token.confirm.title=Copy Initial Access Token
initial-access-token.confirm.text=Please copy and paste the initial access token before confirming as it cannot be retrieved later
no-initial-access-available=No Initial Access Tokens available
client-reg-policies=Client Registration Policies
client-reg-policy.name.tooltip=Display Name of the policy
anonymous-policies=Anonymous Access Policies
anonymous-policies.tooltip=These policies are used when the Client Registration Service is invoked by an unauthenticated request. This means that the request contains neither an Initial Access Token nor a Bearer Token.
auth-policies=Authenticated Access Policies
auth-policies.tooltip=These policies are used when the Client Registration Service is invoked by an authenticated request. This means that the request contains an Initial Access Token or a Bearer Token.
policy-name=Policy Name
no-client-reg-policies-configured=No Client Registration Policies
trusted-hosts.label=Trusted Hosts
trusted-hosts.tooltip=List of hosts that are trusted and allowed to invoke the Client Registration Service and/or be used as values of Client URIs. You can use hostnames or IP addresses. If you use a star at the beginning (for example '*.example.com'), then the whole domain example.com will be trusted.
host-sending-registration-request-must-match.label=Host Sending Client Registration Request Must Match
host-sending-registration-request-must-match.tooltip=If on, a request to the Client Registration Service is allowed only if it was sent from a trusted host or domain.
client-uris-must-match.label=Client URIs Must Match
client-uris-must-match.tooltip=If on, Client URIs (Redirect URIs and others) are allowed only if they match a trusted host or domain.
allowed-protocol-mappers.label=Allowed Protocol Mappers
allowed-protocol-mappers.tooltip=Whitelist of allowed protocol mapper providers. If a client registration request contains protocol mappers that are not whitelisted, the request will be rejected.
consent-required-for-all-mappers.label=Consent Required For Mappers
consent-required-for-all-mappers.tooltip=If on, all newly registered protocol mappers will automatically have the consentRequired switch on. This means that the user will need to approve the consent screen. NOTE: The consent screen is shown only if the client has the consentRequired switch on, so it is usually good to use this switch together with the consent-required policy.
allowed-client-scopes.label=Allowed Client Scopes
allowed-client-scopes.tooltip=Whitelist of the client scopes that can be used on a newly registered client. An attempt to register a client with a client scope that is not whitelisted will be rejected. By default, the whitelist is either empty or contains just realm default client scopes (based on the 'Allow Default Scopes' configuration property)
allow-default-scopes.label=Allow Default Scopes
allow-default-scopes.tooltip=If on, newly registered clients will be allowed to have client scopes mentioned in realm default client scopes or realm optional client scopes
max-clients.label=Max Clients Per Realm
max-clients.tooltip=Registering a new client is not allowed if the count of existing clients in the realm is the same as or bigger than the configured limit.
client-scopes=Client Scopes
client-scopes.tooltip=Client scopes allow you to define a common set of protocol mappers and roles, which are shared between multiple clients
groups=Groups
group.add-selected.tooltip=Realm roles that can be assigned to the group.
group.assigned-roles.tooltip=Realm roles mapped to the group
group.effective-roles.tooltip=All realm role mappings. Some roles here might be inherited from a mapped composite role.
group.available-roles.tooltip=Assignable roles from this client.
group.assigned-roles-client.tooltip=Role mappings for this client.
group.effective-roles-client.tooltip=Role mappings for this client. Some roles here might be inherited from a mapped composite role.
default-roles=Default Roles
no-realm-roles-available=No realm roles available
users=Users
user.add-selected.tooltip=Realm roles that can be assigned to the user.
user.assigned-roles.tooltip=Realm roles mapped to the user
user.effective-roles.tooltip=All realm role mappings. Some roles here might be inherited from a mapped composite role.
user.available-roles.tooltip=Assignable roles from this client.
user.assigned-roles-client.tooltip=Role mappings for this client.
user.effective-roles-client.tooltip=Role mappings for this client. Some roles here might be inherited from a mapped composite role.
default.available-roles.tooltip=Realm level roles that can be assigned.
realm-default-roles=Realm Default Roles
realm-default-roles.tooltip=Realm level roles assigned to new users.
default.available-roles-client.tooltip=Roles from this client that are assignable as a default.
client-default-roles=Client Default Roles
client-default-roles.tooltip=Roles from this client assigned as a default role.
composite.available-roles.tooltip=Realm level roles that you can associate to this composite role.
composite.associated-roles.tooltip=Realm level roles associated with this composite role.
composite.available-roles-client.tooltip=Roles from this client that you can associate to this composite role.
composite.associated-roles-client.tooltip=Client roles associated with this composite role.
partial-import=Partial Import
partial-import.tooltip=Partial import allows you to import users, clients, and other resources from a previously exported json file.
file=File
exported-json-file=Exported json file
import-from-realm=Import from realm
import-users=Import users
import-groups=Import groups
import-clients=Import clients
import-identity-providers=Import identity providers
import-realm-roles=Import realm roles
import-client-roles=Import client roles
if-resource-exists=If a resource exists
fail=Fail
skip=Skip
overwrite=Overwrite
if-resource-exists.tooltip=Specify what should be done if you try to import a resource that already exists.
partial-export=Partial Export
partial-export.tooltip=Partial export allows you to export realm configuration, and other associated resources into a json file.
export-groups-and-roles=Export groups and roles
export-clients=Export clients
action=Action
role-selector=Role Selector
realm-roles.tooltip=Realm roles that can be selected.
select-a-role=Select a role
select-realm-role=Select realm role
client-roles.tooltip=Client roles that can be selected.
select-client-role=Select client role
client-saml-endpoint=Client SAML Endpoint
add-client-scope=Add client scope
default-client-scopes=Default Client Scopes
default-client-scopes.tooltip=Client Scopes, which will be added automatically to each created client
default-client-scopes.default=Default Client Scopes
default-client-scopes.default.tooltip=Allows you to define client scopes, which will be added as default scopes to each created client
default-client-scopes.default.available=Available Client Scopes
default-client-scopes.default.available.tooltip=Client scopes, which are not yet assigned as realm default scopes or realm optional scopes
default-client-scopes.default.assigned=Assigned Default Client Scopes
default-client-scopes.default.assigned.tooltip=Client scopes, which will be added as default scopes to each created client
default-client-scopes.optional=Optional Client Scopes
default-client-scopes.optional.tooltip=Allows you to define client scopes, which will be added as optional scopes to each created client
default-client-scopes.optional.available=Available Client Scopes
default-client-scopes.optional.available.tooltip=Client scopes, which are not yet assigned as realm default scopes or realm optional scopes
default-client-scopes.optional.assigned=Assigned Optional Client Scopes
default-client-scopes.optional.assigned.tooltip=Client scopes, which will be added as optional scopes to each created client
client-scopes.setup=Setup
client-scopes.setup.tooltip=Allows you to set up client scopes linked to this client
client-scopes.default=Default Client Scopes
client-scopes.default.tooltip=Default client scopes are always applied when issuing tokens for this client. Their protocol mappers and role scope mappings are always applied, regardless of the value of the scope parameter used in the OIDC Authorization request
client-scopes.default.available=Available Client Scopes
client-scopes.default.available.tooltip=Client scopes, which are not yet assigned as default scopes or optional scopes
client-scopes.default.assigned=Assigned Default Client Scopes
client-scopes.default.assigned.tooltip=Client scopes, which will be used as default scopes when generating tokens for this client
client-scopes.optional=Optional Client Scopes
client-scopes.optional.tooltip=Optional client scopes are applied when issuing tokens for this client, but only when they are requested by the scope parameter in the OIDC Authorization request
client-scopes.optional.available=Available Client Scopes
client-scopes.optional.available.tooltip=Client scopes, which are not yet assigned as default scopes or optional scopes
client-scopes.optional.assigned=Assigned Optional Client Scopes
client-scopes.optional.assigned.tooltip=Client scopes, which may be used as optional scopes when generating tokens for this client
client-scopes.evaluate=Evaluate
client-scopes.evaluate.tooltip=Allows you to see all protocol mappers and role scope mappings that will be used in the tokens issued to this client. Also allows you to generate an example access token based on the provided scope parameter
scope-parameter=Scope Parameter
scope-parameter.tooltip=You can copy/paste this value of the scope parameter and use it in the initial OpenID Connect Authentication Request sent from this client adapter. Default client scopes and selected optional client scopes will be used when generating the token issued for this client
client-scopes.evaluate.scopes=Client Scopes
client-scopes.evaluate.scopes.tooltip=Allows you to select optional client scopes, which may be used when generating the token issued for this client
client-scopes.evaluate.scopes.available=Available Optional Client Scopes
client-scopes.evaluate.scopes.available.tooltip=This contains Optional Client Scopes, which can be optionally used when issuing access token for this client
client-scopes.evaluate.scopes.assigned=Selected Optional Client Scopes
client-scopes.evaluate.scopes.assigned.tooltip=Selected Optional Client Scopes, which will be used when issuing access token for this client. You can see above what value of OAuth Scope Parameter needs to be used when you want to have these optional client scopes applied when the initial OpenID Connect Authentication request will be sent from your client adapter
client-scopes.evaluate.scopes.effective=Effective Client Scopes
client-scopes.evaluate.scopes.effective.tooltip=Contains all default client scopes and selected optional scopes. All protocol mappers and role scope mappings of all those client scopes will be used when generating access token issued for your client
client-scopes.evaluate.user.tooltip=Optionally select the user for whom the example access token will be generated. If you do not select a user, the example access token will not be generated during evaluation
send-evaluation-request=Evaluate
send-evaluation-request.tooltip=Click this to see all protocol mappers and role scope mappings that will be used when issuing an access token for this client. It will also generate an example access token if a user was selected
evaluated-protocol-mappers=Effective Protocol Mappers
evaluated-protocol-mappers.tooltip=Shows all effective protocol mappers that will be used when issuing a token for this client. Also contains protocol mappers of selected optional client scopes. For each protocol mapper, you can see which client scope it is inherited from
evaluated-roles=Effective Role Scope Mappings
evaluated-roles.tooltip=Shows all effective role scope mappings that will be used when issuing a token for this client. Also contains role scope mappings of selected optional client scopes
parent-client-scope=Parent Client Scope
client-scopes.evaluate.not-granted-roles=Not Granted Roles
client-scopes.evaluate.not-granted-roles.tooltip=Client does not have scope mappings for these roles. Those roles will not be in the access token issued to this client even if the authenticated user is a member of them
client-scopes.evaluate.granted-realm-effective-roles=Granted Effective Realm Roles
client-scopes.evaluate.granted-realm-effective-roles.tooltip=Client has scope mappings for these roles. Those roles will be in the access token issued to this client if the authenticated user is a member of them
client-scopes.evaluate.granted-client-effective-roles=Granted Effective Client Roles
generated-access-token=Generated Access Token
generated-access-token.tooltip=See the example token, which will be generated and sent to the client when the selected user is authenticated. You can see the claims and roles that the token will contain based on the effective protocol mappers and role scope mappings, and also based on the claims/roles assigned to the user
manage=Manage
authentication=Authentication
user-federation=User Federation
user-storage=User Storage
events=Events
realm-settings=Realm Settings
configure=Configure
select-realm=Select realm
add=Add
client-storage=Client Storage
no-client-storage-providers-configured=No client storage providers configured
client-stores.tooltip=Keycloak can retrieve clients and their details from external stores.
client-scope.name.tooltip=Name of the client scope. Must be unique in the realm. The name should not contain space characters, as it is used as the value of the scope parameter
client-scope.description.tooltip=Description of the client scope
client-scope.protocol.tooltip=Which SSO protocol configuration is being supplied by this client scope
client-scope.display-on-consent-screen=Display On Consent Screen
client-scope.display-on-consent-screen.tooltip=If on, and this client scope is added to some client with consent required, the text specified by 'Consent Screen Text' will be displayed on consent screen. If off, this client scope will not be displayed on the consent screen
client-scope.consent-screen-text=Consent Screen Text
client-scope.consent-screen-text.tooltip=Text that will be shown on the consent screen when this client scope is added to some client with consent required. Defaults to name of client scope if it is not filled
client-scope.gui-order=GUI order
client-scope.gui-order.tooltip=Specify order of the provider in GUI (such as in Consent page) as integer
client-scope.include-in-token-scope=Include In Token Scope
client-scope.include-in-token-scope.tooltip=If on, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. If off, this client scope will be omitted from the token and from the Token Introspection Endpoint response.
add-user-federation-provider=Add user federation provider
add-user-storage-provider=Add user storage provider
required-settings=Required Settings
provider-id=Provider ID
console-display-name=Console Display Name
console-display-name.tooltip=Display name of provider when linked in admin console.
priority=Priority
priority.tooltip=Priority of provider when doing a user lookup. Lowest first.
user-storage.enabled.tooltip=If provider is disabled, it will not be considered for queries and imported users will be disabled and read-only until the provider is enabled again.
sync-settings=Sync Settings
periodic-full-sync=Periodic Full Sync
periodic-full-sync.tooltip=Whether periodic full synchronization of provider users to Keycloak should be enabled
full-sync-period=Full Sync Period
full-sync-period.tooltip=Period for full synchronization in seconds
periodic-changed-users-sync=Periodic Changed Users Sync
periodic-changed-users-sync.tooltip=Whether periodic synchronization of changed or newly created provider users to Keycloak should be enabled
changed-users-sync-period=Changed Users Sync Period
changed-users-sync-period.tooltip=Period for synchronization of changed or newly created provider users in seconds
synchronize-changed-users=Synchronize changed users
synchronize-all-users=Synchronize all users
remove-imported-users=Remove imported
unlink-users=Unlink users
kerberos-realm=Kerberos Realm
kerberos-realm.tooltip=Name of kerberos realm. For example FOO.ORG
server-principal=Server Principal
server-principal.tooltip=Full name of server principal for HTTP service including server and domain name. For example HTTP/host.foo.org@FOO.ORG
keytab=KeyTab
keytab.tooltip=Location of Kerberos KeyTab file containing the credentials of server principal. For example /etc/krb5.keytab
debug=Debug
debug.tooltip=Enable/disable debug logging to standard output for Krb5LoginModule.
allow-password-authentication=Allow Password Authentication
allow-password-authentication.tooltip=Enable/disable possibility of username/password authentication against Kerberos database
edit-mode=Edit Mode
edit-mode.tooltip=READ_ONLY means that password updates are not allowed and user always authenticates with Kerberos password. UNSYNCED means that the user can change the password in the Keycloak database and this one will be used instead of the Kerberos password
ldap.edit-mode.tooltip=READ_ONLY is a read-only LDAP store. WRITABLE means data will be synced back to LDAP on demand. UNSYNCED means user data will be imported, but not synced back to LDAP.
update-profile-first-login=Update Profile First Login
update-profile-first-login.tooltip=Update profile on first login
sync-registrations=Sync Registrations
ldap.sync-registrations.tooltip=Should newly created users be created within the LDAP store? Priority affects which provider is chosen to sync the new user.
import-enabled=Import Users
ldap.import-enabled.tooltip=If true, LDAP users will be imported into Keycloak DB and synced by the configured sync policies.
vendor=Vendor
ldap.vendor.tooltip=LDAP vendor (provider)
username-ldap-attribute=Username LDAP attribute
ldap-attribute-name-for-username=LDAP attribute name for username
username-ldap-attribute.tooltip=Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be 'uid'. For Active directory it can be 'sAMAccountName' or 'cn'. The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak.
rdn-ldap-attribute=RDN LDAP attribute
ldap-attribute-name-for-user-rdn=LDAP attribute name for user RDN
rdn-ldap-attribute.tooltip=Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as Username LDAP attribute, however it is not required. For example for Active directory, it is common to use 'cn' as RDN attribute when username attribute might be 'sAMAccountName'.
uuid-ldap-attribute=UUID LDAP attribute
ldap-attribute-name-for-uuid=LDAP attribute name for UUID
uuid-ldap-attribute.tooltip=Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is 'entryUUID'; however some are different. For example for Active directory it should be 'objectGUID'. If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN'.
user-object-classes=User Object Classes
ldap-user-object-classes.placeholder=LDAP User Object Classes (div. by comma)
ldap-connection-url=LDAP connection URL
ldap-users-dn=LDAP Users DN
ldap-bind-dn=LDAP Bind DN
ldap-bind-credentials=LDAP Bind Credentials
ldap-filter=LDAP Filter
ldap.user-object-classes.tooltip=All values of the LDAP objectClass attribute for users in LDAP, divided by comma. For example: 'inetOrgPerson, organizationalPerson'. Newly created Keycloak users will be written to LDAP with all those object classes, and existing LDAP user records are found only if they contain all those object classes.
connection-url=Connection URL
ldap.connection-url.tooltip=Connection URL to your LDAP server
test-connection=Test connection
users-dn=Users DN
ldap.users-dn.tooltip=Full DN of LDAP tree where your users are. This DN is the parent of LDAP users. It could be for example 'ou=users,dc=example,dc=com' assuming that your typical user will have DN like 'uid=john,ou=users,dc=example,dc=com'
authentication-type=Bind Type
ldap.authentication-type.tooltip=Type of the Authentication method used during LDAP Bind operation. It is used in most of the requests sent to the LDAP server. Currently only 'none' (anonymous LDAP authentication) or 'simple' (Bind credential + Bind password authentication) mechanisms are available
bind-dn=Bind DN
ldap.bind-dn.tooltip=DN of LDAP admin, which will be used by Keycloak to access LDAP server
bind-credential=Bind Credential
ldap.bind-credential.tooltip=Password of LDAP admin. This field can obtain its value from a vault; use the ${vault.ID} format.
test-authentication=Test authentication
custom-user-ldap-filter=Custom User LDAP Filter
ldap.custom-user-ldap-filter.tooltip=Additional LDAP Filter for filtering searched users. Leave this empty if you don't need additional filter. Make sure that it starts with '(' and ends with ')'
search-scope=Search Scope
ldap.search-scope.tooltip=For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree. See LDAP documentation for more details
use-truststore-spi=Use Truststore SPI
ldap.use-truststore-spi.tooltip=Specifies whether the LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml. 'Always' means that it will always use it. 'Never' means that it will not use it. 'Only for ldaps' means that it will use it if your connection URL uses ldaps. Note that even if standalone.xml/domain.xml is not configured, the default Java cacerts or the certificate specified by the 'javax.net.ssl.trustStore' property will be used.
validate-password-policy=Validate Password Policy
connection-pooling=Connection Pooling
connection-pooling-settings=Connection Pooling Settings
connection-pooling-authentication=Connection Pooling Authentication
connection-pooling-authentication-default=none simple
connection-pooling-debug=Connection Pool Debug Level
connection-pooling-debug-default=off
connection-pooling-initsize=Connection Pool Initial Size
connection-pooling-initsize-default=1
connection-pooling-maxsize=Connection Pool Maximum Size
connection-pooling-maxsize-default=1000
connection-pooling-prefsize=Connection Pool Preferred Size
connection-pooling-prefsize-default=5
connection-pooling-protocol=Connection Pool Protocol
connection-pooling-protocol-default=plain
connection-pooling-timeout=Connection Pool Timeout
connection-pooling-timeout-default=300000
ldap-connection-timeout=Connection Timeout
ldap.connection-timeout.tooltip=LDAP Connection Timeout in milliseconds
ldap-read-timeout=Read Timeout
ldap.read-timeout.tooltip=LDAP Read Timeout in milliseconds. This timeout applies for LDAP read operations
ldap.validate-password-policy.tooltip=Determines if Keycloak should validate the password with the realm password policy before updating it
ldap.connection-pooling.tooltip=Determines if Keycloak should use connection pooling for accessing LDAP server
ldap.connection-pooling.authentication.tooltip=A list of space-separated authentication types of connections that may be pooled. Valid types are "none", "simple", and "DIGEST-MD5".
ldap.connection-pooling.debug.tooltip=A string that indicates the level of debug output to produce. Valid values are "fine" (trace connection creation and removal) and "all" (all debugging information).
ldap.connection-pooling.initsize.tooltip=The string representation of an integer that represents the number of connections per connection identity to create when initially creating a connection for the identity.
ldap.connection-pooling.maxsize.tooltip=The string representation of an integer that represents the maximum number of connections per connection identity that can be maintained concurrently.
ldap.connection-pooling.prefsize.tooltip=The string representation of an integer that represents the preferred number of connections per connection identity that should be maintained concurrently.
ldap.connection-pooling.protocol.tooltip=A list of space-separated protocol types of connections that may be pooled. Valid types are "plain" and "ssl".
ldap.connection-pooling.timeout.tooltip=The string representation of an integer that represents the number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool.
ldap.pagination.tooltip=Whether the LDAP server supports pagination.
ldap.startTls.tooltip=Encrypts the connection to LDAP using STARTTLS, which will disable connection pooling.
kerberos-integration=Kerberos Integration
allow-kerberos-authentication=Allow Kerberos authentication
ldap.allow-kerberos-authentication.tooltip=Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from this LDAP server
use-kerberos-for-password-authentication=Use Kerberos For Password Authentication
ldap.use-kerberos-for-password-authentication.tooltip=Use the Kerberos login module to authenticate username/password against the Kerberos server instead of authenticating against the LDAP server with the Directory Service API
batch-size=Batch Size
ldap.batch-size.tooltip=Count of LDAP users to be imported from LDAP to Keycloak within a single transaction.
ldap.periodic-full-sync.tooltip=Whether periodic full synchronization of LDAP users to Keycloak should be enabled
ldap.periodic-changed-users-sync.tooltip=Whether periodic synchronization of changed or newly created LDAP users to Keycloak should be enabled
ldap.changed-users-sync-period.tooltip=Period for synchronization of changed or newly created LDAP users in seconds
user-federation-mappers=User Federation Mappers
create-user-federation-mapper=Create user federation mapper
add-user-federation-mapper=Add user federation mapper
provider-name=Provider Name
no-user-federation-providers-configured=No user federation providers configured
no-user-storage-providers-configured=No user storage providers configured
add-identity-provider=Add identity provider
add-identity-provider-link=Add identity provider link
identity-provider=Identity Provider
identity-provider-user-id=Identity Provider User ID
identity-provider-user-id.tooltip=Unique ID of the user on the Identity Provider side
identity-provider-username=Identity Provider Username
identity-provider-username.tooltip=Username on the Identity Provider side
pagination=Pagination
browser-flow=Browser Flow
browser-flow.tooltip=Select the flow you want to use for browser authentication.
registration-flow=Registration Flow
registration-flow.tooltip=Select the flow you want to use for registration.
direct-grant-flow=Direct Grant Flow
direct-grant-flow.tooltip=Select the flow you want to use for direct grant authentication.
reset-credentials=Reset Credentials
reset-credentials.tooltip=Select the flow you want to use when the user has forgotten their credentials.
client-authentication=Client Authentication
client-authentication.tooltip=Select the flow you want to use for authentication of clients.
docker-auth=Docker Authentication
docker-auth.tooltip=Select the flow you want to use for authentication against a docker client.
new=New
copy=Copy
add-execution=Add execution
add-flow=Add flow
auth-type=Auth Type
requirement=Requirement
config=Config
no-executions-available=No executions available
authentication-flows=Authentication Flows
create-authenticator-config=Create authenticator config
authenticator.alias.tooltip=Name of the configuration
otp-type=OTP Type
time-based=Time Based
counter-based=Counter Based
otp-type.tooltip='totp' is a Time-Based One Time Password. 'hotp' is a counter-based one time password in which the server keeps a counter to hash against.
otp-hash-algorithm=OTP Hash Algorithm
otp-hash-algorithm.tooltip=What hashing algorithm should be used to generate the OTP.
number-of-digits=Number of Digits
otp.number-of-digits.tooltip=How many digits should the OTP have?
look-ahead-window=Look Ahead Window
otp.look-ahead-window.tooltip=How far ahead should the server look just in case the token generator and server are out of time sync or counter sync?
initial-counter=Initial Counter
otp.initial-counter.tooltip=What should the initial counter value be?
otp-token-period=OTP Token Period
otp-token-period.tooltip=How many seconds should an OTP token be valid? Defaults to 30 seconds.
otp-supported-applications=Supported Applications
otp-supported-applications.tooltip=Applications that are known to work with the current OTP policy
table-of-password-policies=Table of Password Policies
add-policy.placeholder=Add policy...
policy-type=Policy Type
policy-value=Policy Value
webauthn-policy=WebAuthn Policy
webauthn-policy.tooltip=Policy for WebAuthn authentication. This one will be used by the 'WebAuthn Register' required action and the 'WebAuthn Authenticator' authenticator. Typical usage is when WebAuthn is used for two-factor authentication.
webauthn-policy-passwordless=WebAuthn Passwordless Policy
webauthn-policy-passwordless.tooltip=Policy for passwordless WebAuthn authentication. This one will be used by the 'Webauthn Register Passwordless' required action and the 'WebAuthn Passwordless Authenticator' authenticator. Typical usage is when WebAuthn is used as first-factor authentication. Having both 'WebAuthn Policy' and 'WebAuthn Passwordless Policy' allows WebAuthn to be used as both first-factor and second-factor authenticator in the same realm.
webauthn-rp-entity-name=Relying Party Entity Name
webauthn-rp-entity-name.tooltip=Human-readable server name as WebAuthn Relying Party
webauthn-signature-algorithms=Signature Algorithms
webauthn-signature-algorithms.tooltip=Which signature algorithms should be used for the Authentication Assertion.
webauthn-rp-id=Relying Party ID
webauthn-rp-id.tooltip=The ID of the WebAuthn Relying Party. It must be the origin's effective domain.
webauthn-attestation-conveyance-preference=Attestation Conveyance Preference
webauthn-attestation-conveyance-preference.tooltip=Communicates to an authenticator the preference of how to generate an attestation statement.
webauthn-authenticator-attachment=Authenticator Attachment
webauthn-authenticator-attachment.tooltip=Communicates to an authenticator an acceptable attachment pattern.
webauthn-require-resident-key=Require Resident Key
webauthn-require-resident-key.tooltip=Tells an authenticator whether or not to create the public key credential as a Resident Key.
webauthn-user-verification-requirement=User Verification Requirement
webauthn-user-verification-requirement.tooltip=Communicates to an authenticator whether user verification must actually be performed.
webauthn-create-timeout=Timeout
webauthn-create-timeout.tooltip=Timeout value for creating the user's public key credential, in seconds. If set to 0, this timeout option is not adapted.
webauthn-avoid-same-authenticator-register=Avoid Same Authenticator Registration
webauthn-avoid-same-authenticator-register.tooltip=Avoid registering an authenticator that has already been registered.
webauthn-acceptable-aaguids=Acceptable AAGUIDs
webauthn-acceptable-aaguids.tooltip=The list of AAGUIDs of authenticators that can be registered.
manage-webauthn-authenticator=Manage WebAuthn Authenticator
public-key-credential-id=Public Key Credential ID
public-key-credential-aaguid=Public Key Credential AAGUID
public-key-credential-label=Public Key Credential Label
admin-events=Admin Events
admin-events.tooltip=Displays saved admin events for the realm. Events are related to the admin account, for example a realm creation. To enable persisted events, go to config.
login-events=Login Events
filter=Filter
update=Update
reset=Reset
operation-types=Operation Types
resource-types=Resource Types
select-operations.placeholder=Select operations...
select-resource-types.placeholder=Select resource types...
resource-path=Resource Path
resource-path.tooltip=Filter by resource path. Supports wildcard '*' (for example 'users/*').
date-(from)=Date (From)
date-(to)=Date (To)
authentication-details=Authentication Details
ip-address=IP Address
time=Time
operation-type=Operation Type
resource-type=Resource Type
auth=Auth
representation=Representation
register=Register
required-action=Required Action
default-action=Default Action
auth.default-action.tooltip=If enabled, any new user will have this required action assigned to it.
no-required-actions-configured=No required actions configured
defaults-to-id=Defaults to id
flows=Flows
bindings=Bindings
client-flow-bindings=Authentication Flow Overrides
client-flow-bindings.tooltip=Override realm authentication flow bindings.
required-actions=Required Actions
password-policy=Password Policy
otp-policy=OTP Policy
user-groups=User Groups
default-groups=Default Groups
groups.default-groups.tooltip=Set of groups that new users will automatically join.
cut=Cut
paste=Paste
create-group=Create group
create-authenticator-execution=Create Authenticator Execution
create-form-action-execution=Create Form Action Execution
create-top-level-form=Create Top Level Form
flow.alias.tooltip=Specifies display name for the flow.
top-level-flow-type=Top Level Flow Type
flow.generic=generic
flow.client=client
top-level-flow-type.tooltip=What kind of top level flow is it? Type 'client' is used for authentication of clients (applications), while 'generic' is for users and everything else.
create-execution-flow=Create Execution Flow
flow-type=Flow Type
flow.form.type=form
flow.generic.type=generic
flow-type.tooltip=What kind of form is it
form-provider=Form Provider
default-groups.tooltip=Newly created or registered users will automatically be added to these groups
select-a-type.placeholder=select a type
available-groups=Available Groups
available-groups.tooltip=Select a group you want to add as a default.
value=Value
table-of-group-members=Table of group members
table-of-role-members=Table of role members
last-name=Last Name
first-name=First Name
email=Email
toggle-navigation=Toggle navigation
manage-account=Manage account
sign-out=Sign Out
server-info=Server Info
resource-not-found=Resource <strong>not found</strong>...
resource-not-found.instruction=We could not find the resource you are looking for. Please make sure the URL you entered is correct.
go-to-the-home-page=Go to the home page »
page-not-found=Page <strong>not found</strong>...
page-not-found.instruction=We could not find the page you are looking for. Please make sure the URL you entered is correct.
events.tooltip=Displays saved events for the realm. Events are related to user accounts, for example a user login. To enable persisted events go to config.
select-event-types.placeholder=Select event types...
events-config.tooltip=Displays configuration options to enable persistence of user and admin events.
select-an-action.placeholder=Select an action...
event-listeners.tooltip=Configure what listeners receive events for the realm.
login.save-events.tooltip=If enabled, login events are saved to the database, which makes events available to the admin and account management consoles.
clear-events.tooltip=Deletes all events in the database.
events.expiration.tooltip=Sets the expiration for events. Expired events are periodically deleted from the database.
admin-events-settings=Admin Events Settings
save-events=Save Events
admin.save-events.tooltip=If enabled, admin events are saved to the database, which makes events available to the admin console.
saved-types.tooltip=Configure what event types are saved.
include-representation=Include Representation
include-representation.tooltip=Include JSON representation for create and update requests.
clear-admin-events.tooltip=Deletes all admin events in the database.
server-version=Server Version
server-profile=Server Profile
server-disabled=Disabled Features
server-disabled.tooltip=Features that are not currently enabled. Some features are not enabled by default. This applies to all preview and experimental features.
server-preview=Preview Features
server-preview.tooltip=Preview features are not supported in production use and may be significantly changed or removed in the future.
server-experimental=Experimental Features
server-experimental.tooltip=Experimental features, which may not be fully functional. Never use experimental features in production.
info=Info
providers=Providers
server-time=Server Time
server-uptime=Server Uptime
profile=Profile
memory=Memory
total-memory=Total Memory
free-memory=Free Memory
used-memory=Used Memory
system=System
current-working-directory=Current Working Directory
java-version=Java Version
java-vendor=Java Vendor
java-runtime=Java Runtime
java-vm=Java VM
java-vm-version=Java VM Version
java-home=Java Home
user-name=User Name
user-timezone=User Timezone
user-locale=User Locale
system-encoding=System Encoding
operating-system=Operating System
os-architecture=OS Architecture
spi=SPI
granted-client-scopes=Granted Client Scopes
additional-grants=Additional Grants
consent-created-date=Created
consent-last-updated-date=Last updated
revoke=Revoke
new-password=New Password
password-confirmation=Password Confirmation
reset-password=Reset Password
set-password=Set Password
credentials.temporary.tooltip=If enabled, the user must change the password on next login
remove-totp=Remove OTP
credentials.remove-totp.tooltip=Remove one time password generator for user.
reset-actions=Reset Actions
credentials.reset-actions.tooltip=Set of actions to execute when sending the user a Reset Actions Email. 'Verify email' sends an email to the user to verify their email address. 'Update profile' requires user to enter in new personal information. 'Update password' requires user to enter in a new password. 'Configure OTP' requires setup of a mobile password generator.
reset-actions-email=Reset Actions Email
send-email=Send email
credentials.reset-actions-email.tooltip=Sends an email to user with an embedded link. Clicking the link enables the user to execute the reset actions without first logging in. For example, set the action to update password, click this button, and the user can change the password without logging in.
add-user=Add user
created-at=Created At
user-enabled=User Enabled
user-enabled.tooltip=A disabled user cannot login.
user-temporarily-locked=User Temporarily Locked
user-temporarily-locked.tooltip=The user may be locked due to multiple failed attempts to log in.
unlock-user=Unlock user
federation-link=Federation Link
email-verified=Email Verified
email-verified.tooltip=Has the user's email been verified?
required-user-actions=Required User Actions
required-user-actions.tooltip=Require an action when the user logs in. 'Verify email' sends an email to the user to verify their email address. 'Update profile' requires user to enter in new personal information. 'Update password' requires user to enter in a new password. 'Configure OTP' requires setup of a mobile password generator.
locale=Locale
select-one.placeholder=Select one...
impersonate=Impersonate
impersonate-user=Impersonate user
impersonate-user.tooltip=Login as this user. If user is in same realm as you, your current login session will be logged out before you are logged in as this user.
identity-provider-alias=Identity Provider Alias
provider-user-id=Provider User ID
provider-username=Provider Username
no-identity-provider-links-available=No identity provider links available
group-membership=Group Membership
leave=Leave
group-membership.tooltip=Groups where the user has membership. To leave a group, select it and click Leave.
membership.available-groups.tooltip=Groups a user can join. Select a group and click Join.
table-of-realm-users=Table of Realm Users
view-all-users=View all users
view-all-groups=View all groups
view-all-roles=View all roles
unlock-users=Unlock users
no-users-available=No users available
users.instruction=Please enter a search, or click on view all users
clients.instruction=Please enter a search
consents=Consents
started=Started
logout-all-sessions=Log out all sessions
logout=Logout
new-name=New Name
ok=Ok
attributes=Attributes
role-mappings=Role Mappings
members=Members
details=Details
identity-provider-links=Identity Provider Links
register-required-action=Register required action
gender=Gender
address=Address
phone=Phone
profile-url=Profile URL
picture-url=Picture URL
website=Website
import-keys-and-cert=Import keys and cert
import-keys-and-cert.tooltip=Upload the client's key pair and cert.
upload-keys=Upload Keys
download-keys-and-cert=Download keys and cert
no-value-assigned.placeholder=No value assigned
remove=Remove
no-group-members=No group members
no-role-members=No role members
temporary=Temporary
join=Join
event-type=Event Type
events-config=Events Config
event-listeners=Event Listeners
login-events-settings=Login Events Settings
clear-events=Clear events
saved-types=Saved Types
clear-admin-events=Clear admin events
clear-changes=Clear changes
error=Error
# Authz
# Authz Common
authz-authorization=Authorization
authz-owner=Owner
authz-uri=URI
authz-uris=URIS
authz-scopes=Scopes
authz-resource=Resource
authz-resource-type=Resource Type
authz-resources=Resources
authz-scope=Scope
authz-authz-scopes=Authorization Scopes
authz-policies=Policies
authz-policy=Policy
authz-permissions=Permissions
authz-users=Users in Role
authz-evaluate=Evaluate
authz-icon-uri=Icon URI
authz-icon-uri.tooltip=A URI pointing to an icon.
authz-select-scope=Select a scope
authz-select-resource=Select a resource
authz-associated-policies=Associated Policies
authz-any-resource=Any resource
authz-any-scope=Any scope
authz-any-role=Any role
authz-policy-evaluation=Policy Evaluation
authz-select-user=Select a user
authz-select-client=Select a client
authz-entitlements=Entitlements
authz-no-resources=No resources
authz-result=Result
authz-authorization-services-enabled=Authorization Enabled
authz-authorization-services-enabled.tooltip=Enable/Disable fine-grained authorization support for a client
authz-required=Required
authz-show-details=Show Details
authz-hide-details=Hide Details
authz-associated-permissions=Associated Permissions
authz-no-permission-associated=No permissions associated
# Authz Settings
authz-import-config.tooltip=Import a JSON file containing authorization settings for this resource server.
authz-policy-enforcement-mode=Policy Enforcement Mode
authz-policy-enforcement-mode.tooltip=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource.
authz-policy-enforcement-mode-enforcing=Enforcing
authz-policy-enforcement-mode-permissive=Permissive
authz-policy-enforcement-mode-disabled=Disabled
authz-remote-resource-management=Remote Resource Management
authz-remote-resource-management.tooltip=Should resources be managed remotely by the resource server? If false, resources can be managed only from this admin console.
authz-export-settings=Export Settings
authz-export-settings.tooltip=Export and download all authorization settings for this resource server.
authz-server-decision-strategy.tooltip=The decision strategy dictates how permissions are evaluated and how a final decision is obtained. 'Affirmative' means that at least one permission must evaluate to a positive decision in order to grant access to a resource and its scopes. 'Unanimous' means that all permissions must evaluate to a positive decision in order for the final decision to be also positive.
# Authz Resource List
authz-no-resources-available=No resources available.
authz-no-scopes-assigned=No scopes assigned.
authz-no-type-defined=No type defined.
authz-no-uri-defined=No URI defined.
authz-no-permission-assigned=No permission assigned.
authz-no-policy-assigned=No policy assigned.
authz-create-permission=Create Permission
# Authz Resource Detail
authz-add-resource=Add Resource
authz-resource-name.tooltip=A unique name for this resource. The name can be used to uniquely identify a resource, useful when querying for a specific resource.
authz-resource-owner.tooltip=The owner of this resource.
authz-resource-type.tooltip=The type of this resource. It can be used to group different resource instances with the same type.
authz-resource-uri.tooltip=Set of URIs which are protected by resource.
authz-resource-scopes.tooltip=The scopes associated with this resource.
authz-resource-attributes=Resource Attributes
authz-resource-attributes.tooltip=The attributes associated with the resource.
authz-resource-user-managed-access-enabled=User-Managed Access Enabled
authz-resource-user-managed-access-enabled.tooltip=If enabled, the access to this resource can be managed by the resource owner.
# Authz Scope List
authz-add-scope=Add Scope
authz-no-scopes-available=No scopes available.
# Authz Scope Detail
authz-scope-name.tooltip=A unique name for this scope. The name can be used to uniquely identify a scope, useful when querying for a specific scope.
# Authz Policy List
authz-all-types=All types
authz-create-policy=Create Policy
authz-no-policies-available=No policies available.
# Authz Policy Detail
authz-policy-name.tooltip=The name of this policy.
authz-policy-description.tooltip=A description for this policy.
authz-policy-logic=Logic
authz-policy-logic-positive=Positive
authz-policy-logic-negative=Negative
authz-policy-logic.tooltip=The logic dictates how the policy decision should be made. If 'Positive', the resulting effect (permit or deny) obtained during the evaluation of this policy will be used to perform a decision. If 'Negative', the resulting effect will be negated, in other words, a permit becomes a deny and vice-versa.
authz-policy-apply-policy=Apply Policy
authz-policy-apply-policy.tooltip=Specifies all the policies that must be applied to the scopes defined by this policy or permission.
authz-policy-decision-strategy=Decision Strategy
authz-policy-decision-strategy.tooltip=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative.
authz-policy-decision-strategy-affirmative=Affirmative
authz-policy-decision-strategy-unanimous=Unanimous
authz-policy-decision-strategy-consensus=Consensus
authz-select-a-policy=Select existing policy
authz-no-policies-assigned=No policies assigned.
# Authz Role Policy Detail
authz-add-role-policy=Add Role Policy
authz-no-roles-assigned=No roles assigned.
authz-policy-role-realm-roles.tooltip=Specifies the *realm* roles allowed by this policy.
authz-policy-role-clients.tooltip=Selects a client in order to filter the client roles that can be applied to this policy.
authz-policy-role-client-roles.tooltip=Specifies the client roles allowed by this policy.
# Authz User Policy Detail
authz-add-user-policy=Add User Policy
authz-no-users-assigned=No users assigned.
authz-policy-user-users.tooltip=Specifies which user(s) are allowed by this policy.
# Authz Client Policy Detail
authz-add-client-policy=Add Client Policy
authz-no-clients-assigned=No clients assigned.
authz-policy-client-clients.tooltip=Specifies which client(s) are allowed by this policy.
# Authz Time Policy Detail
authz-add-time-policy=Add Time Policy
authz-policy-time-not-before.tooltip=Defines the time before which the policy MUST NOT be granted. Only granted if current date/time is after or equal to this value.
authz-policy-time-not-on-after=Not On or After
authz-policy-time-not-on-after.tooltip=Defines the time after which the policy MUST NOT be granted. Only granted if current date/time is before or equal to this value.
authz-policy-time-day-month=Day of Month
authz-policy-time-day-month.tooltip=Defines the day of month when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current day of month is between or equal to the two values you provided.
authz-policy-time-month=Month
authz-policy-time-month.tooltip=Defines the month when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current month is between or equal to the two values you provided.
authz-policy-time-year=Year
authz-policy-time-year.tooltip=Defines the year when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current year is between or equal to the two values you provided.
authz-policy-time-hour=Hour
authz-policy-time-hour.tooltip=Defines the hour when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current hour is between or equal to the two values you provided.
authz-policy-time-minute=Minute
authz-policy-time-minute.tooltip=Defines the minute when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current minute is between or equal to the two values you provided.
# Authz JS Policy Detail
authz-add-js-policy=Add JavaScript Policy
authz-policy-js-code=Code
authz-policy-js-code.tooltip=The JavaScript code providing the conditions for this policy.
# Authz Aggregated Policy Detail
authz-aggregated=Aggregated
authz-add-aggregated-policy=Add Aggregated Policy
# Authz Group Policy Detail
authz-add-group-policy=Add Group Policy
authz-no-groups-assigned=No groups assigned.
authz-policy-group-claim=Groups Claim
authz-policy-group-claim.tooltip=If defined, the policy will fetch user's groups from the given claim within an access token or ID token representing the identity asking permissions. If not defined, user's groups are obtained from your realm configuration.
authz-policy-group-groups.tooltip=Specifies the groups allowed by this policy.
# Authz Permission List
authz-no-permissions-available=No permissions available.
# Authz Permission Detail
authz-permission-name.tooltip=The name of this permission.
authz-permission-description.tooltip=A description for this permission.
# Authz Resource Permission Detail
authz-add-resource-permission=Add Resource Permission
authz-permission-resource-apply-to-resource-type=Apply to Resource Type
authz-permission-resource-apply-to-resource-type.tooltip=Specifies if this permission should be applied to all resources with a given type. In this case, this permission will be evaluated for all instances of a given resource type.
authz-permission-resource-resource.tooltip=Specifies that this permission must be applied to a specific resource instance.
authz-permission-resource-type.tooltip=Specifies that this permission must be applied to all resource instances of a given type.
# Authz Scope Permission Detail
authz-add-scope-permission=Add Scope Permission
authz-permission-scope-resource.tooltip=Restrict the scopes to those associated with the selected resource. If not selected all scopes would be available.
authz-permission-scope-scope.tooltip=Specifies that this permission must be applied to one or more scopes.
# Authz Evaluation
authz-evaluation-identity-information=Identity Information
authz-evaluation-identity-information.tooltip=The available options to configure the identity information that will be used when evaluating policies.
authz-evaluation-client.tooltip=Select the client making this authorization request. If not provided, authorization requests would be done based on the client you are in.
authz-evaluation-user.tooltip=Select a user whose identity is going to be used to query permissions from the server.
authz-evaluation-role.tooltip=Select the roles you want to associate with the selected user.
authz-evaluation-new=New Evaluation
authz-evaluation-re-evaluate=Re-Evaluate
authz-evaluation-previous=Previous Evaluation
authz-evaluation-contextual-info=Contextual Information
authz-evaluation-contextual-info.tooltip=The available options to configure any contextual information that will be used when evaluating policies.
authz-evaluation-contextual-attributes=Contextual Attributes
authz-evaluation-contextual-attributes.tooltip=Any attribute provided by a running environment or execution context.
authz-evaluation-permissions.tooltip=The available options to configure the permissions to which policies will be applied.
authz-evaluation-evaluate=Evaluate
authz-evaluation-any-resource-with-scopes=Any resource with scope(s)
authz-evaluation-no-result=Could not obtain any result for the given authorization request. Check if the provided resource(s) or scope(s) are associated with any policy.
authz-evaluation-no-policies-resource=No policies were found for this resource.
authz-evaluation-result.tooltip=The overall result for this permission request.
authz-evaluation-scopes.tooltip=The list of allowed scopes.
authz-evaluation-policies.tooltip=Details about which policies were evaluated and their decisions.
authz-evaluation-authorization-data=Response
authz-evaluation-authorization-data.tooltip=Represents a token carrying authorization data as a result of the processing of an authorization request. This representation is basically what Keycloak issues to clients asking for permissions. Check the 'authorization' claim for the permissions that were granted based on the current authorization request.
authz-show-authorization-data=Show Authorization Data
keys=Keys
status=Status
keystore=Keystore
keystores=Keystores
add-keystore=Add Keystore
add-keystore.placeholder=Add keystore...
view=View
active=Active
passive=Passive
disabled=Disabled
algorithm=Algorithm
providerHelpText=Provider description
Sunday=Sunday
Monday=Monday
Tuesday=Tuesday
Wednesday=Wednesday
Thursday=Thursday
Friday=Friday
Saturday=Saturday
user-storage-cache-policy=Cache Settings
userStorage.cachePolicy=Cache Policy
userStorage.cachePolicy.option.DEFAULT=DEFAULT
userStorage.cachePolicy.option.EVICT_WEEKLY=EVICT_WEEKLY
userStorage.cachePolicy.option.EVICT_DAILY=EVICT_DAILY
userStorage.cachePolicy.option.MAX_LIFESPAN=MAX_LIFESPAN
userStorage.cachePolicy.option.NO_CACHE=NO_CACHE
userStorage.cachePolicy.tooltip=Cache Policy for this storage provider. 'DEFAULT' is whatever the default settings are for the global cache. 'EVICT_DAILY' is a time of day every day that the cache will be invalidated. 'EVICT_WEEKLY' is a day of the week and time the cache will be invalidated. 'MAX_LIFESPAN' is the time in milliseconds that will be the lifespan of a cache entry.
userStorage.cachePolicy.evictionDay=Eviction Day
userStorage.cachePolicy.evictionDay.tooltip=Day of the week the entry will become invalid on
userStorage.cachePolicy.evictionHour=Eviction Hour
userStorage.cachePolicy.evictionHour.tooltip=Hour of day the entry will become invalid on.
userStorage.cachePolicy.evictionMinute=Eviction Minute
userStorage.cachePolicy.evictionMinute.tooltip=Minute of day the entry will become invalid on.
userStorage.cachePolicy.maxLifespan=Max Lifespan
userStorage.cachePolicy.maxLifespan.tooltip=Max lifespan of cache entry in milliseconds.
user-origin-link=Storage Origin
user-origin.tooltip=UserStorageProvider the user was loaded from
user-link.tooltip=UserStorageProvider this locally stored user was imported from.
client-origin-link=Storage Origin
client-origin.tooltip=Provider the client was loaded from
client-storage-cache-policy=Cache Settings
clientStorage.cachePolicy=Cache Policy
clientStorage.cachePolicy.option.DEFAULT=DEFAULT
clientStorage.cachePolicy.option.EVICT_WEEKLY=EVICT_WEEKLY
clientStorage.cachePolicy.option.EVICT_DAILY=EVICT_DAILY
clientStorage.cachePolicy.option.MAX_LIFESPAN=MAX_LIFESPAN
clientStorage.cachePolicy.option.NO_CACHE=NO_CACHE
clientStorage.cachePolicy.tooltip=Cache Policy for this storage provider. 'DEFAULT' is whatever the default settings are for the global cache. 'EVICT_DAILY' is a time of day every day that the cache will be invalidated. 'EVICT_WEEKLY' is a day of the week and time the cache will be invalidated. 'MAX_LIFESPAN' is the time in milliseconds that will be the lifespan of a cache entry.
clientStorage.cachePolicy.evictionDay=Eviction Day
clientStorage.cachePolicy.evictionDay.tooltip=Day of the week the entry will become invalid on
clientStorage.cachePolicy.evictionHour=Eviction Hour
clientStorage.cachePolicy.evictionHour.tooltip=Hour of day the entry will become invalid on.
clientStorage.cachePolicy.evictionMinute=Eviction Minute
clientStorage.cachePolicy.evictionMinute.tooltip=Minute of day the entry will become invalid on.
clientStorage.cachePolicy.maxLifespan=Max Lifespan
clientStorage.cachePolicy.maxLifespan.tooltip=Max lifespan of cache entry in milliseconds.
client-storage-list-no-entries=Keycloak can federate external client databases. By default, we support Openshift OAuth clients and service accounts. To get started, select a provider from the dropdown below:
disable=Disable
disableable-credential-types=Disableable Types
credentials.disableable.tooltip=List of credential types that you can disable
disable-credential-types=Disable Credential Types
credentials.disable.tooltip=Click button to disable selected credential types
credential-types=Credential Types
manage-user-password=Manage Password
supported-user-storage-credential-types=Supported User Storage Credential Types
supported-user-storage-credential-types.tooltip=Credential types, which are provided by User Storage Provider and which are configured for this user. Validation and eventually update of the credentials of those types can be delegated to the User Storage Provider based on the configuration and implementation of the particular provider.
provided-by=Provided By
manage-credentials=Manage Credentials
manage-credentials.tooltip=Credentials, which are not provided by the user storage. They are saved in the local database.
disable-credentials=Disable Credentials
credential-reset-actions=Credential Reset
credential-reset-actions-timeout=Expires In
credential-reset-actions-timeout.tooltip=Maximum time before the action permit expires.
ldap-mappers=LDAP Mappers
create-ldap-mapper=Create LDAP mapper
map-role-mgmt-scope-description=Policies that decide if an administrator can map this role to a user or group
manage-authz-users-scope-description=Policies that decide if an administrator can manage all users in the realm
view-authz-users-scope-description=Policies that decide if an administrator can view all users in realm
permissions-enabled-role=Permissions Enabled
permissions-enabled-role.tooltip=Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up.
manage-permissions-role.tooltip=Fine grained permissions for managing roles. For example, you can define different policies for who is allowed to map a role.
lookup=Lookup
manage-permissions-users.tooltip=Fine grained permissions for managing all users in realm. You can define different policies for who is allowed to manage users in the realm.
permissions-enabled-users=Permissions Enabled
permissions-enabled-users.tooltip=Determines if fine grained permissions are enabled for managing users. Disabling will delete all current permissions that have been set up.
manage-permissions-client.tooltip=Fine grained permissions for administrators that want to manage this client or apply roles defined by this client.
manage-permissions-group.tooltip=Fine grained permissions for administrators that want to manage this group or the members of this group.
manage-authz-group-scope-description=Policies that decide if an administrator can manage this group
view-authz-group-scope-description=Policies that decide if an administrator can view this group
view-members-authz-group-scope-description=Policies that decide if an administrator can manage the members of this group
token-exchange-authz-client-scope-description=Policies that decide which clients are allowed to exchange tokens for a token that is targeted to this client.
token-exchange-authz-idp-scope-description=Policies that decide which clients are allowed to exchange tokens for an external token minted by this identity provider.
manage-authz-client-scope-description=Policies that decide if an administrator can manage this client
configure-authz-client-scope-description=Reduced management permissions for administrator. Cannot set scope, template, or protocol mappers.
view-authz-client-scope-description=Policies that decide if an administrator can view this client
map-roles-authz-client-scope-description=Policies that decide if an administrator can map roles defined by this client
map-roles-client-scope-authz-client-scope-description=Policies that decide if an administrator can apply roles defined by this client to the client scope of another client
map-roles-composite-authz-client-scope-description=Policies that decide if an administrator can apply roles defined by this client as a composite to another role
map-role-authz-role-scope-description=Policies that decide if an administrator can map this role to a user or group
map-role-client-scope-authz-role-scope-description=Policies that decide if an administrator can apply this role to the client scope of a client
map-role-composite-authz-role-scope-description=Policies that decide if an administrator can apply this role as a composite to another role
manage-group-membership-authz-users-scope-description=Policies that decide if an administrator can manage group membership for all users in the realm. This is used in conjunction with specific group policy
impersonate-authz-users-scope-description=Policies that decide if an administrator can impersonate other users
map-roles-authz-users-scope-description=Policies that decide if an administrator can map roles for all users
user-impersonated-authz-users-scope-description=Policies that decide which users can be impersonated. These policies are applied to the user being impersonated.
manage-membership-authz-group-scope-description=Policies that decide if an administrator can add or remove users from this group
manage-members-authz-group-scope-description=Policies that decide if an administrator can manage the members of this group
# KEYCLOAK-6771 Certificate Bound Token
# https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-3
advanced-client-settings=Advanced Settings
advanced-client-settings.tooltip=Expand this section to configure advanced settings of this client
tls-client-certificate-bound-access-tokens=OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled
tls-client-certificate-bound-access-tokens.tooltip=This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that Keycloak binds an access token and a refresh token to the X.509 certificate of the token-requesting client, exchanged in mutual TLS between Keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.
subjectdn=Subject DN
subjectdn-tooltip=A regular expression for validating Subject DN in the Client Certificate. Use "(.*?)(?:$)" to match all kinds of expressions.
pkce-code-challenge-method=Proof Key for Code Exchange Code Challenge Method
pkce-code-challenge-method.tooltip=Choose which code challenge method for PKCE is used. If not specified, Keycloak does not apply PKCE to a client unless the client sends an authorization request with an appropriate code challenge and code exchange method.
key-not-allowed-here=Key '{{character}}' is not allowed here.