consoleTitle=Keycloak Admin Console

# Common messages
enabled=Enabled
hidden=Hidden
link-only-column=Link only
name=Name
displayName=Display name
displayNameHtml=HTML Display name
save=Save
cancel=Cancel
next=Next
onText=ON
offText=OFF
client=Client
clients=Clients
clear=Clear
selectOne=Select One...
true=True
false=False
endpoints=Endpoints

# Angular date filter format strings: https://docs.angularjs.org/api/ng/filter/date
dateFormat=shortDate
timeFormat=mediumTime

# Realm settings
realm-detail.enabled.tooltip=Users and clients can only access a realm if it's enabled
realm-detail.protocol-endpoints.tooltip=Shows the configuration of the protocol endpoints
realm-detail.protocol-endpoints.oidc=OpenID Endpoint Configuration
realm-detail.protocol-endpoints.saml=SAML 2.0 Identity Provider Metadata
realm-detail.userManagedAccess.tooltip=If enabled, users are allowed to manage their resources and permissions using the Account Management Console.
userManagedAccess=User-Managed Access
registrationAllowed=User registration
registrationAllowed.tooltip=Enable/disable the registration page. A link for registration will show on login page too.
registrationEmailAsUsername=Email as username
registrationEmailAsUsername.tooltip=If enabled then username field is hidden from registration form and email is used as username for new user.
editUsernameAllowed=Edit username
editUsernameAllowed.tooltip=If enabled, the username field is editable, readonly otherwise.
resetPasswordAllowed=Forgot password
resetPasswordAllowed.tooltip=Show a link on login page for user to click on when they have forgotten their credentials.
rememberMe=Remember Me
rememberMe.tooltip=Show checkbox on login page to allow user to remain logged in between browser restarts until session expires.
loginWithEmailAllowed=Login with email
loginWithEmailAllowed.tooltip=Allow users to log in with their email address.
duplicateEmailsAllowed=Duplicate emails
duplicateEmailsAllowed.tooltip=Allow multiple users to have the same email address. Changing this setting will also clear the user's cache. It is recommended to manually update email constraints of existing users in the database after switching off support for duplicate email addresses.
verifyEmail=Verify email
verifyEmail.tooltip=Require users to verify their email address after initial login or after address changes are submitted.
sslRequired=Require SSL
sslRequired.option.all=all requests
sslRequired.option.external=external requests
sslRequired.option.none=none
sslRequired.tooltip=Is HTTPS required? 'None' means HTTPS is not required for any client IP address. 'External requests' means localhost and private IP addresses can access without HTTPS. 'All requests' means HTTPS is required for all IP addresses.
publicKeys=Public keys
publicKey=Public key
privateKey=Private key
gen-new-keys=Generate new keys
certificate=Certificate
host=Host
smtp-host=SMTP Host
port=Port
smtp-port=SMTP Port (defaults to 25)
smtp-password.tooltip=SMTP password. This field is able to obtain its value from vault, use ${vault.ID} format.
from=From
fromDisplayName=From Display Name
fromDisplayName.tooltip=A user-friendly name for the 'From' address (optional).
replyTo=Reply To
replyToDisplayName=Reply To Display Name
replyToDisplayName.tooltip=A user-friendly name for the 'Reply-To' address (optional).
envelopeFrom=Envelope From
envelopeFrom.tooltip=An email address used for bounces (optional).
sender-email-addr=Sender Email Address
sender-email-addr-display=Display Name for Sender Email Address
reply-to-email-addr=Reply To Email Address
reply-to-email-addr-display=Display Name for Reply To Email Address
sender-envelope-email-addr=Sender Envelope Email Address
enable-ssl=Enable SSL
enable-start-tls=Enable StartTLS
enable-auth=Enable Authentication
username=Username
login-username=Login Username
password=Password
login-password=Login Password
login-theme=Login Theme
login-theme.tooltip=Select theme for login, OTP, grant, registration, and forgot password pages.
account-theme=Account Theme
account-theme.tooltip=Select theme for user account management pages.
admin-console-theme=Admin Console Theme
select-theme-admin-console=Select theme for admin console.
email-theme=Email Theme
select-theme-email=Select theme for emails that are sent by the server.
i18n-enabled=Internationalization Enabled
supported-locales=Supported Locales
supported-locales.placeholder=Type a locale and enter
default-locale=Default Locale
localization-upload-file=Upload localization JSON file
missing-locale=Missing locale.
missing-file=Missing file. Please select a file to upload.
localization-file.upload.success=The localization data has been loaded from file.
localization-file.upload.error=The file can not be uploaded. Please verify the file.
localization-show=Show realm specific localizations
no-localizations-configured=No realm specific localizations configured
add-localization-text=Add localization text
localization-text.create.success=The localization text has been created.
localization-text.update.success=The localization text has been updated.
localization-text.remove.success=The localization text has been deleted.
realm-cache-clear=Realm Cache
realm-cache-clear.tooltip=Clears all entries from the realm cache (this will clear entries for all realms)
user-cache-clear=User Cache
user-cache-clear.tooltip=Clears all entries from the user cache (this will clear entries for all realms)
keys-cache-clear=Keys Cache
keys-cache-clear.tooltip=Clears all entries from the cache of external public keys. These are keys of external clients or identity providers. (this will clear entries for all realms)
default-signature-algorithm=Default Signature Algorithm
default-signature-algorithm.tooltip=Default algorithm used to sign tokens for the realm
revoke-refresh-token=Revoke Refresh Token
revoke-refresh-token.tooltip=If enabled a refresh token can only be used up to 'Refresh Token Max Reuse' and is revoked when a different token is used. Otherwise refresh tokens are not revoked when used and can be used multiple times.
refresh-token-max-reuse=Refresh Token Max Reuse
refresh-token-max-reuse.tooltip=Maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate.
sso-session-idle=SSO Session Idle
seconds=Seconds
minutes=Minutes
hours=Hours
days=Days
sso-session-max=SSO Session Max
sso-session-idle.tooltip=Time a session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired.
sso-session-max.tooltip=Max time before a session is expired. Tokens and browser sessions are invalidated when a session is expired.
sso-session-idle-remember-me=SSO Session Idle Remember Me
sso-session-idle-remember-me.tooltip=Time a remember me session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Idle value.
sso-session-max-remember-me=SSO Session Max Remember Me
sso-session-max-remember-me.tooltip=Max time before a session is expired when the user has set the remember me option. Tokens and browser sessions are invalidated when a session is expired. If not set, it uses the standard SSO Session Max value.
offline-session-idle=Offline Session Idle
offline-session-idle.tooltip=Time an offline session is allowed to be idle before it expires. You need to use offline token to refresh at least once within this period; otherwise offline session will expire.
realm-detail.hostname=Hostname
realm-detail.hostname.tooltip=Set the hostname for the realm. Use in combination with the fixed hostname provider to override the server hostname for a specific realm.
realm-detail.frontendUrl=Frontend URL
realm-detail.frontendUrl.tooltip=Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm.

## KEYCLOAK-7688 Offline Session Max for Offline Token
offline-session-max-limited=Offline Session Max Limited
offline-session-max-limited.tooltip=Enable Offline Session Max.
offline-session-max=Offline Session Max
offline-session-max.tooltip=Max time before an offline session is expired regardless of activity.
client-session-idle=Client Session Idle
client-session-idle.tooltip=Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.
client-session-max=Client Session Max
client-session-max.tooltip=Max time before a client session is expired. Tokens are invalidated when a client session is expired. If not set, it uses the standard SSO Session Max value.
client-offline-session-idle=Client Offline Session Idle
client-offline-session-idle.tooltip=Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. If not set it uses the Offline Session Idle value.
client-offline-session-max=Client Offline Session Max
client-offline-session-max.tooltip=Max time before a client offline session is expired. Offline tokens are invalidated when a client offline session is expired. If not set, it uses the Offline Session Max value.
access-token-lifespan=Access Token Lifespan
access-token-lifespan.tooltip=Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.
access-token-lifespan-for-implicit-flow=Access Token Lifespan For Implicit Flow
access-token-lifespan-for-implicit-flow.tooltip=Max time before an access token issued during OpenID Connect Implicit Flow is expired. This value is recommended to be shorter than SSO timeout. There is no possibility to refresh token during implicit flow, that's why there is a separate timeout different to 'Access Token Lifespan'.
action-token-generated-by-admin-lifespan=Default Admin-Initiated Action Lifespan
action-token-generated-by-admin-lifespan.tooltip=Maximum time before an action permit sent to a user by administrator is expired. This value is recommended to be long to allow administrators send e-mails for users that are currently offline. The default timeout can be overridden immediately before issuing the token.
action-token-generated-by-user-lifespan=User-Initiated Action Lifespan
action-token-generated-by-user-lifespan.tooltip=Maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired. This value is recommended to be short because it is expected that the user would react to self-created action quickly.
saml-assertion-lifespan=Assertion Lifespan
saml-assertion-lifespan.tooltip=Lifespan set in the SAML assertion conditions. After that time the assertion will be invalid. The "SessionNotOnOrAfter" attribute is not modified and continue using the "SSO Session Max" time defined at realm level.
action-token-generated-by-user.execute-actions=Execute Actions
action-token-generated-by-user.idp-verify-account-via-email=IdP Account E-mail Verification
action-token-generated-by-user.reset-credentials=Forgot Password
action-token-generated-by-user.verify-email=E-mail Verification
action-token-generated-by-user.tooltip=Override default settings of maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired for specific action. This value is recommended to be short because it is expected that the user would react to self-created action quickly.
action-token-generated-by-user.reset=Reset
action-token-generated-by-user.operation=Override User-Initiated Action Lifespan
client-login-timeout=Client login timeout
client-login-timeout.tooltip=Max time a client has to finish the access token protocol. This should normally be 1 minute.
login-timeout=Login timeout
login-timeout.tooltip=Max time a user has to complete a login. This is recommended to be relatively long, such as 30 minutes or more.
login-action-timeout=Login action timeout
login-action-timeout.tooltip=Max time a user has to complete login related actions like update password or configure totp. This is recommended to be relatively long, such as 5 minutes or more.
oauth2-device-code-lifespan=OAuth 2.0 Device Code Lifespan
oauth2-device-code-lifespan.tooltip=Max time before the device code and user code are expired. This value needs to be a long enough lifetime to be usable (allowing the user to retrieve their secondary device, navigate to the verification URI, login, etc.), but should be sufficiently short to limit the usability of a code obtained for phishing.
oauth2-device-polling-interval=OAuth 2.0 Device Polling Interval
oauth2-device-polling-interval.tooltip=The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.
headers=Headers
brute-force-detection=Brute Force Detection
x-frame-options=X-Frame-Options
x-frame-options-tooltip=Default value prevents pages from being included by non-origin iframes (click label for more information)
content-sec-policy=Content-Security-Policy
content-sec-policy-tooltip=Default value prevents pages from being included by non-origin iframes (click label for more information)
content-sec-policy-report-only=Content-Security-Policy-Report-Only
content-sec-policy-report-only-tooltip=For testing Content Security Policies
content-type-options=X-Content-Type-Options
content-type-options-tooltip=Default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type (click label for more information)
robots-tag=X-Robots-Tag
robots-tag-tooltip=Prevent pages from appearing in search engines (click label for more information)
x-xss-protection=X-XSS-Protection
x-xss-protection-tooltip=This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behavior, the browser will prevent rendering of the page when a XSS attack is detected (click label for more information)
strict-transport-security=HTTP Strict Transport Security (HSTS)
strict-transport-security-tooltip=The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser sees this header, it will only visit the site over HTTPS for the time specified (1 year) at max-age, including the subdomains.
permanent-lockout=Permanent Lockout
permanent-lockout.tooltip=Lock the user permanently when the user exceeds the maximum login failures.
max-login-failures=Max Login Failures
max-login-failures.tooltip=How many failures before wait is triggered.
wait-increment=Wait Increment
wait-increment.tooltip=When failure threshold has been met, how much time should the user be locked out?
quick-login-check-millis=Quick Login Check Milli Seconds
quick-login-check-millis.tooltip=If a failure happens concurrently too quickly, lock out the user.
min-quick-login-wait=Minimum Quick Login Wait
min-quick-login-wait.tooltip=How long to wait after a quick login failure.
max-wait=Max Wait
max-wait.tooltip=Max time a user will be locked out.
failure-reset-time=Failure Reset Time
failure-reset-time.tooltip=When will failure count be reset?
realm-tab-login=Login
realm-tab-keys=Keys
realm-tab-email=Email
realm-tab-themes=Themes
realm-tab-localization=Localization
realm-tab-cache=Cache
realm-tab-tokens=Tokens
realm-tab-client-registration=Client Registration
realm-tab-security-defenses=Security Defenses
realm-tab-general=General
add-realm=Add realm

#Session settings
realm-sessions=Realm Sessions
revocation=Revocation
logout-all=Logout all
active-sessions=Active Sessions
offline-sessions=Offline Sessions
sessions=Sessions
not-before=Not Before
not-before.tooltip=Revoke any tokens issued before this date.
set-to-now=Set to now
push=Push
push.tooltip=For every client that has an admin URL, notify them of the new revocation policy.

#Protocol Mapper
usermodel.prop.label=Property
usermodel.prop.tooltip=Name of the property method in the UserModel interface. For example, a value of 'email' would reference the UserModel.getEmail() method.
usermodel.attr.label=User Attribute
usermodel.attr.tooltip=Name of stored user attribute which is the name of an attribute within the UserModel.attribute map.
userSession.modelNote.label=User Session Note
userSession.modelNote.tooltip=Name of stored user session note within the UserSessionModel.note map.
multivalued.label=Multivalued
multivalued.tooltip=Indicates if attribute supports multiple values. If true, the list of all values of this attribute will be set as claim. If false, just first value will be set as claim
aggregate.attrs.label=Aggregate attribute values
aggregate.attrs.tooltip=Indicates if attribute values should be aggregated with the group attributes. If using OpenID Connect mapper the multivalued option needs to be enabled too in order to get all the values. Duplicated values are discarded and the order of values is not guaranteed with this option.
selectRole.label=Select Role
selectRole.tooltip=Enter role in the textbox to the left, or click this button to browse and select the role you want.
tokenClaimName.label=Token Claim Name
tokenClaimName.tooltip=Name of the claim to insert into the token. This can be a fully qualified name like 'address.street'. In this case, a nested json object will be created. To prevent nesting and use dot literally, escape the dot with backslash (\\.).
jsonType.label=Claim JSON Type
jsonType.tooltip=JSON type that should be used to populate the json claim in the token. long, int, boolean, String and JSON are valid values.
includeInIdToken.label=Add to ID token
includeInIdToken.tooltip=Should the claim be added to the ID token?
includeInAccessToken.label=Add to access token
includeInAccessToken.tooltip=Should the claim be added to the access token?
includeInUserInfo.label=Add to userinfo
includeInUserInfo.tooltip=Should the claim be added to the userinfo?
usermodel.clientRoleMapping.clientId.label=Client ID
usermodel.clientRoleMapping.clientId.tooltip=Client ID for role mappings. Just client roles of this client will be added to the token. If this is unset, client roles of all clients will be added to the token.
usermodel.clientRoleMapping.rolePrefix.label=Client Role prefix
usermodel.clientRoleMapping.rolePrefix.tooltip=A prefix for each client role (optional).
usermodel.clientRoleMapping.tokenClaimName.tooltip=Name of the claim to insert into the token. This can be a fully qualified name like 'address.street'. In this case, a nested json object will be created. To prevent nesting and use dot literally, escape the dot with backslash (\\.). The special token ${client_id} can be used and this will be replaced by the actual client ID. Example usage is 'resource_access.${client_id}.roles'. This is useful especially when you are adding roles from all the clients (Hence 'Client ID' switch is unset) and you want client roles of each client stored separately.
usermodel.realmRoleMapping.rolePrefix.label=Realm Role prefix
usermodel.realmRoleMapping.rolePrefix.tooltip=A prefix for each Realm Role (optional).
sectorIdentifierUri.label=Sector Identifier URI
sectorIdentifierUri.tooltip=Providers that use pairwise sub values and support Dynamic Client Registration SHOULD use the sector_identifier_uri parameter. It provides a way for a group of websites under common administrative control to have consistent pairwise sub values independent of the individual domain names. It also provides a way for Clients to change redirect_uri domains without having to reregister all their users.
pairwiseSubAlgorithmSalt.label=Salt
pairwiseSubAlgorithmSalt.tooltip=Salt used when calculating the pairwise subject identifier. If left blank, a salt will be generated.
addressClaim.street.label=User Attribute Name for Street
addressClaim.street.tooltip=Name of User Attribute, which will be used to map to 'street_address' subclaim inside 'address' token claim. Defaults to 'street' .
addressClaim.locality.label=User Attribute Name for Locality
addressClaim.locality.tooltip=Name of User Attribute, which will be used to map to 'locality' subclaim inside 'address' token claim. Defaults to 'locality' .
addressClaim.region.label=User Attribute Name for Region
addressClaim.region.tooltip=Name of User Attribute, which will be used to map to 'region' subclaim inside 'address' token claim. Defaults to 'region' .
addressClaim.postal_code.label=User Attribute Name for Postal Code
addressClaim.postal_code.tooltip=Name of User Attribute, which will be used to map to 'postal_code' subclaim inside 'address' token claim. Defaults to 'postal_code' .
addressClaim.country.label=User Attribute Name for Country
addressClaim.country.tooltip=Name of User Attribute, which will be used to map to 'country' subclaim inside 'address' token claim. Defaults to 'country' .
addressClaim.formatted.label=User Attribute Name for Formatted Address
addressClaim.formatted.tooltip=Name of User Attribute, which will be used to map to 'formatted' subclaim inside 'address' token claim. Defaults to 'formatted' .
included.client.audience.label=Included Client Audience
included.client.audience.tooltip=The Client ID of the specified audience client will be included in audience (aud) field of the token. If there are existing audiences in the token, the specified value is just added to them. It won't override existing audiences.
included.custom.audience.label=Included Custom Audience
included.custom.audience.tooltip=This is used just if 'Included Client Audience' is not filled. The specified value will be included in audience (aud) field of the token. If there are existing audiences in the token, the specified value is just added to them. It won't override existing audiences.

# client details
clients.tooltip=Clients are trusted browser apps and web services in a realm. These clients can request a login. You can also define client specific roles.
search.placeholder=Search...
search.loading=Searching...
create=Create
import=Import
client-id=Client ID
base-url=Base URL
actions=Actions
not-defined=Not defined
edit=Edit
delete=Delete
no-results=No results
no-clients-available=No clients available
add-client=Add Client
select-file=Select file
view-details=View details
clear-import=Clear import
client-id.tooltip=Specifies ID referenced in URI and tokens. For example 'my-client'. For SAML this is also the expected issuer value from authn requests
client.name.tooltip=Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example\: ${my_client}
client.enabled.tooltip=Disabled clients cannot initiate a login or obtain access tokens.
alwaysDisplayInConsole=Always Display in Console
alwaysDisplayInConsole.tooltip=Always list this client in the Account Console, even if the user does not have an active session.
consent-required=Consent Required
consent-required.tooltip=If enabled, users have to consent to client access.
client.display-on-consent-screen=Display Client On Consent Screen
client.display-on-consent-screen.tooltip=Applicable just if Consent Required is on. If this switch is off, consent screen will contain just the consents corresponding to configured client scopes. If on, there will be also one item on consent screen about this client itself
client.consent-screen-text=Client Consent Screen Text
client.consent-screen-text.tooltip=Applicable just if 'Display Client On Consent Screen' is on for this client. Contains the text, which will be on consent screen about permissions specific just for this client
client-protocol=Client Protocol
client-protocol.tooltip='OpenID connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information.
access-type=Access Type
access-type.tooltip='Confidential' clients require a secret to initiate login protocol. 'Public' clients do not require a secret. 'Bearer-only' clients are web services that never initiate a login.
standard-flow-enabled=Standard Flow Enabled
standard-flow-enabled.tooltip=This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client.
implicit-flow-enabled=Implicit Flow Enabled
implicit-flow-enabled.tooltip=This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client.
direct-access-grants-enabled=Direct Access Grants Enabled
direct-access-grants-enabled.tooltip=This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. In terms of OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client.
service-accounts-enabled=Service Accounts Enabled
service-accounts-enabled.tooltip=Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.
oauth2-device-authorization-grant-enabled=OAuth 2.0 Device Authorization Grant Enabled
oauth2-device-authorization-grant-enabled.tooltip=This enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser.
oidc-ciba-grant-enabled=OIDC CIBA Grant Enabled
oidc-ciba-grant-enabled.tooltip=This enables support for OIDC CIBA Grant, which means that the user is authenticated via some external authentication device instead of the user's browser.
include-authnstatement=Include AuthnStatement
include-authnstatement.tooltip=Should a statement specifying the method and timestamp be included in login responses?
include-onetimeuse-condition=Include OneTimeUse Condition
include-onetimeuse-condition.tooltip=Should a OneTimeUse Condition be included in login responses?
artifact-binding = Force Artifact Binding
artifact-binding.tooltip = Should response messages be returned to the client through the SAML ARTIFACT binding system?
sign-documents=Sign Documents
sign-documents.tooltip=Should SAML documents be signed by the realm?
sign-documents-redirect-enable-key-info-ext=Optimize REDIRECT signing key lookup
sign-documents-redirect-enable-key-info-ext.tooltip=When signing SAML documents in REDIRECT binding for SP that is secured by Keycloak adapter, should the ID of the signing key be included in SAML protocol message in element? This optimizes validation of the signature as the validating party uses a single key instead of trying every known key for validation.
sign-assertions=Sign Assertions
sign-assertions.tooltip=Should assertions inside SAML documents be signed? This setting is not needed if document is already being signed.
signature-algorithm=Signature Algorithm
signature-algorithm.tooltip=The signature algorithm to use to sign documents.
canonicalization-method=Canonicalization Method
canonicalization-method.tooltip=Canonicalization Method for XML signatures.
encrypt-assertions=Encrypt Assertions
encrypt-assertions.tooltip=Should SAML assertions be encrypted with client's public key using AES?
client-signature-required=Client Signature Required
client-signature-required.tooltip=Will the client sign their saml requests and responses? And should they be validated?
force-post-binding=Force POST Binding
force-post-binding.tooltip=Always use POST binding for responses.
front-channel-logout=Front Channel Logout
front-channel-logout.tooltip=When true, logout requires a browser redirect to client. When false, server performs a background invocation for logout.
force-name-id-format=Force Name ID Format
force-name-id-format.tooltip=Ignore requested NameID subject format and use admin console configured one.
name-id-format=Name ID Format
name-id-format.tooltip=The name ID format to use for the subject.
mapper.nameid.format.tooltip=Name ID Format using Mapper
root-url=Root URL
root-url.tooltip=Root URL appended to relative URLs
valid-redirect-uris=Valid Redirect URIs
valid-redirect-uris.tooltip=Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed such as 'http://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.
base-url.tooltip=Default URL to use when the auth server needs to redirect or link back to the client.
admin-url=Admin URL
admin-url.tooltip=URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client.
master-saml-processing-url=Master SAML Processing URL
master-saml-processing-url.tooltip=If configured, this URL will be used for every binding to both the SP's Assertion Consumer and Single Logout Services. This can be individually overridden for each binding and service in the Fine Grain SAML Endpoint Configuration.
idp-sso-url-ref=IDP Initiated SSO URL Name
idp-sso-url-ref.tooltip=URL fragment name to reference client when you want to do IDP Initiated SSO. Leaving this empty will disable IDP Initiated SSO. The URL you will reference from your browser will be: {server-root}/realms/{realm}/protocol/saml/clients/{client-url-name}
idp-sso-url-ref.urlhint=Target IDP initiated SSO URL:
idp-sso-relay-state=IDP Initiated SSO Relay State
idp-sso-relay-state.tooltip=Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
web-origins=Web Origins
web-origins.tooltip=Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'.
backchannel-logout-url=Backchannel Logout URL
backchannel-logout-url.tooltip=URL that will cause the client to log itself out when a logout request is sent to this realm (via end_session_endpoint). If omitted, no logout request will be sent to the client in this case.
backchannel-logout-session-required=Backchannel Logout Session Required
backchannel-logout-session-required.tooltip=Specifying whether a sid (session ID) Claim is included in the Logout Token when the Backchannel Logout URL is used.
backchannel-logout-revoke-offline-sessions=Backchannel Logout Revoke Offline Sessions
backchannel-logout-revoke-offline-sessions.tooltip=Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.
fine-oidc-endpoint-conf=Fine Grain OpenID Connect Configuration
fine-oidc-endpoint-conf.tooltip=Expand this section to configure advanced settings of this client related to OpenID Connect protocol
access-token-signed-response-alg=Access Token Signature Algorithm
access-token-signed-response-alg.tooltip=JWA algorithm used for signing access tokens.
id-token-signed-response-alg=ID Token Signature Algorithm
id-token-signed-response-alg.tooltip=JWA algorithm used for signing ID tokens.
id-token-encrypted-response-alg=ID Token Encryption Key Management Algorithm
id-token-encrypted-response-alg.tooltip=JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.
id-token-encrypted-response-enc=ID Token Encryption Content Encryption Algorithm
id-token-encrypted-response-enc.tooltip=JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted.
user-info-signed-response-alg=User Info Signed Response Algorithm
user-info-signed-response-alg.tooltip=JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format.
request-object-signature-alg=Request Object Signature Algorithm
request-object-signature-alg.tooltip=JWA algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', Request object can be signed by any algorithm (including 'none' ).
request-object-required=Request Object Required
request-object-required.tooltip=Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to "not required", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to "request", the request object must be provided by value. If set to "request_uri", the request object must be provided by reference. If set to "request or request_uri", either method can be used.
request-uris=Valid Request URIs
request-uris.tooltip=List of valid URIs, which can be used as values of 'request_uri' parameter during OpenID Connect authentication request. There is support for the same capabilities like for Valid Redirect URIs. For example wildcards or relative paths.
fine-saml-endpoint-conf=Fine Grain SAML Endpoint Configuration
fine-saml-endpoint-conf.tooltip=Expand this section to configure exact URLs for Assertion Consumer and Single Logout Service.
assertion-consumer-post-binding-url=Assertion Consumer Service POST Binding URL
assertion-consumer-post-binding-url.tooltip=SAML POST Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.
assertion-consumer-redirect-binding-url=Assertion Consumer Service Redirect Binding URL assertion-consumer-redirect-binding-url.tooltip=SAML Redirect Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding. logout-service-post-binding-url=Logout Service POST Binding URL logout-service-post-binding-url.tooltip=SAML POST Binding URL for the client's single logout service. You can leave this blank if you are using a different binding logout-service-redir-binding-url=Logout Service Redirect Binding URL logout-service-redir-binding-url.tooltip=SAML Redirect Binding URL for the client's single logout service. You can leave this blank if you are using a different binding. logout-service-artifact-binding-url=Logout Service ARTIFACT Binding URL logout-service-artifact-binding-url.tooltip=SAML ARTIFACT Binding URL for the client's single logout service. You can leave this blank if you are using a different binding. artifact-binding-url= Artifact Binding URL artifact-binding-url.tooltip=URL to send the HTTP ARTIFACT messages to. You can leave this blank if you are using a different binding. This value should be set when forcing ARTIFACT binding together with IdP initiated login. artifact-resolution-service-url= Artifact Resolution Service artifact-resolution-service-url.tooltip= SAML Artifact resolution service for the client. This is the endpoint to which Keycloak will send a SOAP ArtifactResolve message. You can leave this blank if you do not have a URL for this binding. saml-signature-keyName-transformer=SAML Signature Key Name saml-signature-keyName-transformer.tooltip=Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counterparty, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works. 
oidc-compatibility-modes=OpenID Connect Compatibility Modes oidc-compatibility-modes.tooltip=Expand this section to configure settings for backwards compatibility with older OpenID Connect / OAuth2 adapters. It is useful especially if your client uses older version of Keycloak / RH-SSO adapter. exclude-session-state-from-auth-response=Exclude Session State From Authentication Response exclude-session-state-from-auth-response.tooltip=If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. It is useful if your client uses older OIDC / OAuth2 adapter, which does not support 'session_state' parameter. use-refresh-tokens=Use Refresh Tokens use-refresh-tokens.tooltip=If this is on, a refresh_token will be created and added to the token response. If this is off then no refresh_token will be generated. use-refresh-token-for-client-credentials-grant=Use Refresh Tokens For Client Credentials Grant use-refresh-token-for-client-credentials-grant.tooltip=If this is on, a refresh_token will be created and added to the token response if the client_credentials grant is used. The OAuth 2.0 RFC6749 Section 4.4.3 states that a refresh_token should not be generated when client_credentials grant is used. If this is off then no refresh_token will be generated and the associated user session will be removed. # client import import-client=Import Client format-option=Format Option select-format=Select a Format import-file=Import File # client tabs settings=Settings credentials=Credentials saml-keys=SAML Keys roles=Roles mappers=Mappers mappers.tooltip=Protocol mappers perform transformation on tokens and documents. They can do things like map user data into protocol claims, or just transform any requests going between the client and auth server. scope=Scope scope.tooltip=Scope mappings allow you to restrict which user role mappings are included within the access token requested by the client. 
sessions.tooltip=View active sessions for this client. Allows you to see which users are active and when they logged in. offline-access=Offline Access offline-access.tooltip=View offline sessions for this client. Allows you to see which users retrieve offline token and when they retrieve it. To revoke all tokens for the client, go to the Revocation tab and set Not Before to Now. clustering=Clustering installation=Installation installation.tooltip=Helper utility for generating various client adapter configuration formats which you can download or cut and paste to configure your clients. service-account-roles=Service Account Roles service-account-roles.tooltip=Allows you to authenticate role mappings for the service account dedicated to this client. # client credentials client-authenticator=Client Authenticator client-authenticator.tooltip=Client Authenticator used for authentication of this client against Keycloak server certificate.tooltip=Client Certificate for validating JWT issued by client and signed by Client private key from your keystore. publicKey.tooltip=Public Key for validating JWT issued by client and signed by Client private key. no-client-certificate-configured=No client certificate configured gen-new-keys-and-cert=Generate new keys and certificate import-certificate=Import Certificate gen-client-private-key=Generate Client Private Key generate-private-key=Generate Private Key kid=Kid kid.tooltip=KID (Key ID) of the client public key from imported JWKS. token-endpoint-auth-signing-alg=Signature Algorithm token-endpoint-auth-signing-alg.tooltip=JWA algorithm, which the client needs to use when signing a JWT for authentication. If left blank, the client is allowed to use any algorithm. use-jwks-url=Use JWKS URL use-jwks-url.tooltip=If the switch is on, client public keys will be downloaded from given JWKS URL. This allows great flexibility because new keys will be always re-downloaded again when client generates new keypair. 
If the switch is off, public key (or certificate) from the Keycloak DB is used, so when client keypair changes, you always need to import new key (or certificate) to the Keycloak DB as well. jwks-url=JWKS URL jwks-url.tooltip=URL where client keys in JWK format are stored. See JWK specification for more details. If you use Keycloak client adapter with "jwt" credential, you can use URL of your app with '/k_jwks' suffix. For example 'http://www.myhost.com/myapp/k_jwks' . pkce-enabled=Use PKCE pkce-enabled.tooltip=Use PKCE (Proof Key for Code Exchange) for IdP Brokering pkce-method=PKCE Method pkce-method.tooltip=PKCE Method to use pkce.plain.option=Plain pkce.s256.option=S256 archive-format=Archive Format archive-format.tooltip=Java keystore or PKCS12 archive format. key-alias=Key Alias key-alias.tooltip=Archive alias for your private key and certificate. key-password=Key Password key-password.tooltip=Password to access the private key in the archive store-password=Store Password store-password.tooltip=Password to access the archive itself generate-and-download=Generate and Download client-certificate-import=Client Certificate Import import-client-certificate=Import Client Certificate jwt-import.key-alias.tooltip=Archive alias for your certificate. secret=Secret regenerate-secret=Regenerate Secret registrationAccessToken=Registration access token registrationAccessToken.regenerate=Regenerate registration access token registrationAccessToken.tooltip=The registration access token provides access for clients to the client registration service. add-role=Add Role role-name=Role Name composite=Composite description=Description no-client-roles-available=No client roles available composite-roles=Composite Roles composite-roles.tooltip=When this role is (un)assigned to a user any role associated with it will be (un)assigned implicitly. 
realm-roles=Realm Roles available-roles=Available Roles add-selected=Add selected associated-roles=Associated Roles composite.associated-realm-roles.tooltip=Realm level roles associated with this composite role. composite.available-realm-roles.tooltip=Realm level roles that you can associate to this composite role. remove-selected=Remove selected client-roles=Client Roles select-client-to-view-roles=Select client to view roles for client available-roles.tooltip=Roles from this client that you can associate to this composite role. client.associated-roles.tooltip=Client roles associated with this composite role. add-builtin=Add Builtin category=Category type=Type priority-order=Priority Order no-mappers-available=No mappers available add-builtin-protocol-mappers=Add Builtin Protocol Mappers add-builtin-protocol-mapper=Add Builtin Protocol Mapper scope-mappings=Scope Mappings full-scope-allowed=Full Scope Allowed full-scope-allowed.tooltip=Allows you to disable all restrictions. scope.available-roles.tooltip=Realm level roles that can be assigned to scope. assigned-roles=Assigned Roles assigned-roles.tooltip=Realm level roles assigned to scope. effective-roles=Effective Roles realm.effective-roles.tooltip=Assigned realm level roles that may have been inherited from a composite role. select-client-roles.tooltip=Select client to view roles for client assign.available-roles.tooltip=Client roles available to be assigned. client.assigned-roles.tooltip=Assigned client roles. client.effective-roles.tooltip=Assigned client roles that may have been inherited from a composite role. basic-configuration=Basic configuration node-reregistration-timeout=Node Re-registration Timeout node-reregistration-timeout.tooltip=Interval to specify max time for registered clients cluster nodes to re-register. 
If cluster node will not send re-registration request to Keycloak within this time, it will be unregistered from Keycloak registered-cluster-nodes=Registered cluster nodes register-node-manually=Register node manually test-cluster-availability=Test cluster availability last-registration=Last registration node-host=Node host no-registered-cluster-nodes=No registered cluster nodes available cluster-nodes=Cluster Nodes add-node=Add Node active-sessions.tooltip=Total number of active user sessions for this client. show-sessions=Show Sessions show-sessions.tooltip=Warning, this is a potentially expensive operation depending on the number of active sessions. user=User from-ip=From IP session-start=Session Start first-page=First Page previous-page=Previous Page next-page=Next Page client-revoke.not-before.tooltip=Revoke any tokens issued before this date for this client. client-revoke.push.tooltip=If the admin URL is configured for this client, push this policy to that client. select-a-format=Select a Format download=Download offline-tokens=Offline Tokens offline-tokens.tooltip=Total number of offline tokens for this client. show-offline-tokens=Show Offline Tokens show-offline-tokens.tooltip=Warning, this is a potentially expensive operation depending on the number of offline tokens. token-issued=Token Issued last-access=Last Access last-refresh=Last Refresh key-export=Key Export key-import=Key Import export-saml-key=Export SAML Key import-saml-key=Import SAML Key realm-certificate-alias=Realm Certificate Alias realm-certificate-alias.tooltip=Realm certificate is stored in archive too. This is the alias to it. signing-key=Signing Key saml-signing-key=SAML Signing Key. private-key=Private Key generate-new-keys=Generate new keys export=Export encryption-key=Encryption Key saml-encryption-key.tooltip=SAML Encryption Key. service-accounts=Service Accounts service-account.available-roles.tooltip=Realm level roles that can be assigned to service account. 
service-account.assigned-roles.tooltip=Realm level roles assigned to service account. service-account-is-not-enabled-for=Service account is not enabled for {{client}} create-protocol-mappers=Create Protocol Mappers create-protocol-mapper=Create Protocol Mapper protocol=Protocol protocol.tooltip=Protocol... id=ID mapper.name.tooltip=Name of the mapper. mapper.consent-required.tooltip=When granting temporary access, must the user consent to providing this data to the client? consent-text=Consent Text consent-text.tooltip=Text to display on consent page. mapper-type=Mapper Type mapper-type.tooltip=Type of the mapper user-label=User Label data=Data show-data=Show data... position=Position # realm identity providers identity-providers=Identity Providers table-of-identity-providers=Table of identity providers add-provider.placeholder=Add provider... provider=Provider gui-order=GUI order first-broker-login-flow=First Login Flow post-broker-login-flow=Post Login Flow sync-mode=Sync Mode sync-mode.tooltip=Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider. sync-mode.inherit=inherit sync-mode.legacy=legacy sync-mode.import=import sync-mode.force=force sync-mode-override=Sync Mode Override sync-mode-override.tooltip=Overrides the default sync mode of the IDP for this mapper. Values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider and 'inherit' to use the sync mode defined in the identity provider for this mapper. 
redirect-uri=Redirect URI redirect-uri.tooltip=The redirect uri to use when configuring the identity provider. alias=Alias display-name=Display Name identity-provider.alias.tooltip=The alias uniquely identifies an identity provider and it is also used to build the redirect uri. identity-provider.display-name.tooltip=Friendly name for Identity Providers. identity-provider.enabled.tooltip=Enable/disable this identity provider. authenticate-by-default=Authenticate by Default identity-provider.authenticate-by-default.tooltip=Indicates if this provider should be tried by default for authentication even before displaying login screen. store-tokens=Store Tokens identity-provider.store-tokens.tooltip=Enable/disable if tokens must be stored after authenticating users. stored-tokens-readable=Stored Tokens Readable identity-provider.stored-tokens-readable.tooltip=Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. disableUserInfo=Disable User Info identity-provider.disableUserInfo.tooltip=Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service. userIp=Use userIp Param identity-provider.google-userIp.tooltip=Set 'userIp' query parameter when invoking on Google's User Info service. This will use the user's ip address. Useful if Google is throttling access to the User Info service. offlineAccess=Request refresh token identity-provider.google-offlineAccess.tooltip=Set 'access_type' query parameter to 'offline' when redirecting to google authorization endpoint, to get a refresh token back. Useful if planning to use Token Exchange to retrieve Google token to access Google APIs when the user is not at the browser. hostedDomain=Hosted Domain identity-provider.google-hostedDomain.tooltip=Set 'hd' query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. 
When '*' is entered, any hosted account can be used. identity-provider.facebook-fetchedFields.label=Additional user's profile fields identity-provider.facebook-fetchedFields.tooltip=Provide additional fields which would be fetched using the profile request. This will be appended to the default set of 'id,name,email,first_name,last_name'. sandbox=Target Sandbox identity-provider.paypal-sandbox.tooltip=Target PayPal's sandbox environment update-profile-on-first-login=Update Profile on First Login on=On on-missing-info=On missing info off=Off update-profile-on-first-login.tooltip=Define conditions under which a user has to update their profile during first-time login. trust-email=Trust Email trust-email.tooltip=If enabled, email provided by this provider is not verified even if verification is enabled for the realm. link-only=Account Linking Only link-only.tooltip=If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider hide-on-login-page=Hide on Login Page hide-on-login-page.tooltip=If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter. gui-order.tooltip=Number defining order of the provider in GUI (for example, on Login page). first-broker-login-flow.tooltip=Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that no Keycloak account is currently linked to the authenticated identity provider account. post-broker-login-flow.tooltip=Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this empty if you do not need any additional authenticators to be triggered after login with this identity provider. 
Also note that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. openid-connect-config=OpenID Connect Config openid-connect-config.tooltip=OIDC SP and external IDP configuration. authorization-url=Authorization URL authorization-url.tooltip=The Authorization Url. token-url=Token URL token-url.tooltip=The Token URL. loginHint=Pass login_hint loginHint.tooltip=Pass login_hint to identity provider. uiLocales=Pass current locale uiLocales.tooltip=Pass the current locale to the identity provider as a ui_locales parameter. logout-url=Logout URL identity-provider.logout-url.tooltip=End session endpoint to use to logout user from external IDP. backchannel-logout=Backchannel Logout backchannel-logout.tooltip=Does the external IDP support backchannel logout? user-info-url=User Info URL user-info-url.tooltip=The User Info Url. This is optional. client-auth=Client Authentication client-auth.tooltip=The client authentication method (cfr. https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). In case of JWT signed with private key, the realm private key is used. client-auth.client_secret_post=Client secret sent as post client-auth.client_secret_basic=Client secret sent as basic auth client-auth.client_secret_jwt=Client secret as jwt client-auth.private_key_jwt=JWT signed with private key identity-provider.client-id.tooltip=The client or client identifier registered within the identity provider. client-secret=Client Secret client-assertion-signing-algorithm=Client Assertion Signature Algorithm client-assertion-signing-algorithm.tooltip=Signature algorithm to create JWT assertion as client authentication. In the case of JWT signed with private key or Client secret as jwt, it is required. If no algorithm is specified, the following algorithm is adopted. RS256 is adopted in the case of JWT signed with private key. HS256 is adopted in the case of Client secret as jwt. 
show-secret=Show secret hide-secret=Hide secret client-secret.tooltip=The client or client secret registered within the identity provider. This field is able to obtain its value from vault, use ${vault.ID} format. issuer=Issuer issuer.tooltip=The issuer identifier for the issuer of the response. If not provided, no validation will be performed. default-scopes=Default Scopes identity-provider.default-scopes.tooltip=The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to 'openid'. prompt=Prompt unspecified.option=unspecified none.option=none consent.option=consent login.option=login select-account.option=select_account prompt.tooltip=Specifies whether the Authorization Server prompts the End-User for reauthentication and consent. accepts-prompt-none-forward-from-client=Accepts prompt=none forward from client accepts-prompt-none-forward-from-client.tooltip=This is just used together with Identity Provider Authenticator or when kc_idp_hint points to this identity provider. In case that client sends a request with prompt=none and user is not yet authenticated, the error will not be directly returned to client, but the request with prompt=none will be forwarded to this identity provider. validate-signatures=Validate Signatures identity-provider.validate-signatures.tooltip=Enable/disable signature validation of external IDP signatures. identity-provider.use-jwks-url.tooltip=If the switch is on, identity provider public keys will be downloaded from given JWKS URL. This allows great flexibility because new keys will be always re-downloaded again when identity provider generates new keypair. If the switch is off, public key (or certificate) from the Keycloak DB is used, so when the identity provider keypair changes, you always need to import the new key to the Keycloak DB as well. identity-provider.jwks-url.tooltip=URL where identity provider keys in JWK format are stored. See JWK specification for more details. 
If you use external Keycloak identity provider, you can use URL like 'http://broker-keycloak:8180/auth/realms/test/protocol/openid-connect/certs' assuming your brokered Keycloak is running on 'http://broker-keycloak:8180' and its realm is 'test' . validating-public-key=Validating Public Key identity-provider.validating-public-key.tooltip=The public key in PEM format that must be used to verify external IDP signatures. validating-public-key-id=Validating Public Key Id identity-provider.validating-public-key-id.tooltip=Explicit ID of the validating public key given above if the key ID. Leave blank if the key above should be used always, regardless of key ID specified by external IDP; set it if the key should only be used for verifying if the key ID from external IDP matches. allowed-clock-skew=Allowed clock skew identity-provider.allowed-clock-skew.tooltip=Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero. forwarded-query-parameters=Forwarded Query Parameters identity-provider.forwarded-query-parameters.tooltip=Non OpenID Connect/OAuth standard query parameters to be forwarded to external IDP from the initial application request to Authorization Endpoint. Multiple parameters can be entered, separated by comma (,). import-external-idp-config=Import External IDP Config import-external-idp-config.tooltip=Allows you to load external IDP metadata from a config file or to download it from a URL. import-from-url=Import from URL identity-provider.import-from-url.tooltip=Import metadata from a remote IDP discovery descriptor. import-from-file=Import from file identity-provider.import-from-file.tooltip=Import metadata from a downloaded IDP discovery descriptor. 
identity-provider.saml.entity-id=Service Provider Entity ID identity-provider.saml.entity-id.tooltip=The Entity ID that will be used to uniquely identify this SAML Service Provider identity-provider.saml.protocol-endpoints.saml=SAML 2.0 Service Provider Metadata identity-provider.saml.protocol-endpoints.saml.tooltip=Shows the configuration of the Service Provider endpoint saml-config=SAML Config identity-provider.saml-config.tooltip=SAML SP and external IDP configuration. single-signon-service-url=Single Sign-On Service URL saml.single-signon-service-url.tooltip=The Url that must be used to send authentication requests (SAML AuthnRequest). single-logout-service-url=Single Logout Service URL saml.single-logout-service-url.tooltip=The Url that must be used to send logout requests. nameid-policy-format=NameID Policy Format nameid-policy-format.tooltip=Specifies the URI reference corresponding to a name identifier format. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. saml.principal-type=Principal Type saml.principal-type.tooltip=Way to identify and track external users from the assertion. Default is using Subject NameID, alternatively you can set up identifying attribute. saml.principal-attribute=Principal Attribute saml.principal-attribute.tooltip=Name or Friendly Name of the attribute used to identify external users. saml.allow-create=Allow create saml.allow-create.tooltip=Allow the external identity provider to create a new identifier to represent the principal http-post-binding-response=HTTP-POST Binding Response http-post-binding-response.tooltip=Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. http-post-binding-for-authn-request=HTTP-POST Binding for AuthnRequest http-post-binding-for-authn-request.tooltip=Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. 
http-post-binding-logout=HTTP-POST Binding Logout http-post-binding-logout.tooltip=Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. want-authn-requests-signed=Want AuthnRequests Signed want-authn-requests-signed.tooltip=Indicates whether the identity provider expects a signed AuthnRequest. want-assertions-signed=Want Assertions Signed want-assertions-signed.tooltip=Indicates whether this service provider expects a signed Assertion. want-assertions-encrypted=Want Assertions Encrypted want-assertions-encrypted.tooltip=Indicates whether this service provider expects an encrypted Assertion. force-authentication=Force Authentication identity-provider.force-authentication.tooltip=Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. validate-signature=Validate Signature saml.validate-signature.tooltip=Enable/disable signature validation of SAML responses. validating-x509-certificate=Validating X509 Certificates validating-x509-certificate.tooltip=The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,). saml.loginHint=Pass subject saml.loginHint.tooltip=During login phase, forward an optional login_hint query parameter to SAML AuthnRequest's Subject. saml.import-from-url.tooltip=Import metadata from a remote IDP SAML entity descriptor. identity-provider.saml.sign-sp-metadata=Sign Service Provider Metadata identity-provider.saml.sign-sp-metadata.tooltip=Enable/disable signature of the provider SAML metadata identity-provider.saml.requested-authncontext=Requested AuthnContext Constraints identity-provider.saml.requested-authncontext.tooltip=Allows the SP to specify the authentication context requirements of authentication statements returned. 
identity-provider.saml.authncontext-comparison-type=Comparison identity-provider.saml.authncontext-comparison-type.tooltip=Specifies the comparison method used to evaluate the requested context classes or statements. The default is "Exact". identity-provider.saml.authncontext-comparison-type.exact=Exact identity-provider.saml.authncontext-comparison-type.minimum=Minimum identity-provider.saml.authncontext-comparison-type.maximum=Maximum identity-provider.saml.authncontext-comparison-type.better=Better identity-provider.saml.authncontext-class-ref=AuthnContext ClassRefs identity-provider.saml.authncontext-class-ref.tooltip=Ordered list of requested AuthnContext ClassRefs. identity-provider.saml.authncontext-decl-ref=AuthnContext DeclRefs identity-provider.saml.authncontext-decl-ref.tooltip=Ordered list of requested AuthnContext DeclRefs. social.client-id.tooltip=The client identifier registered with the identity provider. social.client-secret.tooltip=The client secret registered with the identity provider. This field is able to obtain its value from vault, use ${vault.ID} format. social.default-scopes.tooltip=The scopes to be sent when asking for authorization. See the documentation for possible values, separator and default value. key=Key stackoverflow.key.tooltip=The Key obtained from Stack Overflow client registration. openshift.base-url=Base Url openshift.base-url.tooltip=Base Url to OpenShift Online API openshift4.base-url=Base Url openshift4.base-url.tooltip=Base Url to OpenShift Online API gitlab-application-id=Application Id gitlab-application-secret=Application Secret gitlab.application-id.tooltip=Application Id for the application you created in your GitLab Applications account menu gitlab.application-secret.tooltip=Secret for the application that you created in your GitLab Applications account menu gitlab.default-scopes.tooltip=Scopes to ask for on login. Will always ask for openid. Additionally adds read_user if you do not specify anything. 
bitbucket-consumer-key=Consumer Key
bitbucket-consumer-secret=Consumer Secret
bitbucket.key.tooltip=Bitbucket OAuth Consumer Key
bitbucket.secret.tooltip=Bitbucket OAuth Consumer Secret
bitbucket.default-scopes.tooltip=Scopes to ask for on login. If you do not specify anything, scope defaults to 'email'.

# User federation
sync-ldap-roles-to-keycloak=Sync LDAP Roles To Keycloak
sync-keycloak-roles-to-ldap=Sync Keycloak Roles To LDAP
sync-ldap-groups-to-keycloak=Sync LDAP Groups To Keycloak
sync-keycloak-groups-to-ldap=Sync Keycloak Groups To LDAP
realms=Realms
realm=Realm
identity-provider-mappers=Identity Provider Mappers
create-identity-provider-mapper=Create Identity Provider Mapper
add-identity-provider-mapper=Add Identity Provider Mapper
client.description.tooltip=Specifies description of the client. For example 'My Client for TimeSheets'. Supports keys for localized values as well. For example\: ${my_client_description}
expires=Expires
expiration=Expiration
expiration.tooltip=Specifies how long the token should be valid
count=Count
count.tooltip=Specifies how many clients can be created using the token
remainingCount=Remaining Count
created=Created
back=Back
initial-access-tokens=Initial Access Tokens
add-initial-access-tokens=Add Initial Access Token
initial-access-token=Initial Access Token
initial-access.copyPaste.tooltip=Copy/paste the initial access token before navigating away from this page as it is not possible to retrieve later
continue=Continue
initial-access-token.confirm.title=Copy Initial Access Token
initial-access-token.confirm.text=Please copy and paste the initial access token before confirming as it cannot be retrieved later
no-initial-access-available=No Initial Access Tokens available
client-reg-policies=Client Registration Policies
client-reg-policy.name.tooltip=Display Name of the policy
anonymous-policies=Anonymous Access Policies
anonymous-policies.tooltip=Those Policies are used when the Client Registration Service is invoked by unauthenticated request. This means that the request does not contain Initial Access Token nor Bearer Token.
auth-policies=Authenticated Access Policies
auth-policies.tooltip=Those Policies are used when Client Registration Service is invoked by authenticated request. This means that the request contains Initial Access Token or Bearer Token.
policy-name=Policy Name
no-client-reg-policies-configured=No Client Registration Policies
trusted-hosts.label=Trusted Hosts
trusted-hosts.tooltip=List of Hosts, which are trusted and are allowed to invoke Client Registration Service and/or be used as values of Client URIs. You can use hostnames or IP addresses. If you use star at the beginning (for example '*.example.com' ) then whole domain example.com will be trusted.
host-sending-registration-request-must-match.label=Host Sending Client Registration Request Must Match
host-sending-registration-request-must-match.tooltip=If on, any request to Client Registration Service is allowed just if it was sent from some trusted host or domain.
client-uris-must-match.label=Client URIs Must Match
client-uris-must-match.tooltip=If on, all Client URIs (Redirect URIs and others) are allowed just if they match some trusted host or domain.
consent-required-for-all-mappers.label=Consent Required For Mappers
consent-required-for-all-mappers.tooltip=If on, all newly registered protocol mappers will automatically have consentRequired switch on. This means that user will need to approve consent screen. NOTE: Consent screen is shown just if client has consentRequired switch on. So it is usually good to use this switch together with consent-required policy.
allowed-client-scopes.label=Allowed Client Scopes
allowed-client-scopes.tooltip=Whitelist of the client scopes, which can be used on a newly registered client. Attempt to register client with some client scope, which is not whitelisted, will be rejected. By default, the whitelist is either empty or contains just realm default client scopes (based on 'Allow Default Scopes' configuration property)
allow-default-scopes.label=Allow Default Scopes
allow-default-scopes.tooltip=If on, newly registered clients will be allowed to have client scopes mentioned in realm default client scopes or realm optional client scopes

# Client Registration Policies providers
allowed-protocol-mappers.label=Allowed Protocol Mappers
allowed-protocol-mappers.tooltip=Whitelist of allowed protocol mapper providers. If there is an attempt to register client, which contains some protocol mappers, which were not whitelisted, registration request will be rejected.
allowed-client-templates.label=Allowed Client Templates
client-disabled.label=Client Disabled
scope.label=Scope
consent-required.label=Consent Required
max-clients.label=Max Clients Per Realm
max-clients.tooltip=It will not be allowed to register a new client if count of existing clients in realm is same or bigger than the configured limit.
client-scopes=Client Scopes
client-scopes.tooltip=Client scopes allow you to define a common set of protocol mappers and roles, which are shared between multiple clients
groups=Groups
group.add-selected.tooltip=Realm roles that can be assigned to the group.
group.assigned-roles.tooltip=Realm roles mapped to the group
group.effective-roles.tooltip=All realm role mappings. Some roles here might be inherited from a mapped composite role.
group.available-roles.tooltip=Assignable roles from this client.
group.assigned-roles-client.tooltip=Role mappings for this client.
group.effective-roles-client.tooltip=Role mappings for this client. Some roles here might be inherited from a mapped composite role.
group.move.success=Group moved.
group.remove.confirm.title=Delete Group
group.remove.confirm.message=Are you sure you want to permanently delete the group {{name}}?
group.remove.success=The group has been deleted.
group.fetch.fail=Unable to fetch {{params}}
group.create.success=Group Created.
group.edit.success=Your changes have been saved to the group.
group.roles.add.success=Role mappings updated.
group.roles.remove.success=Role mappings updated.
group.default.add.error=Please select a group to add
group.default.add.success=Added default group
group.default.remove.success=Removed default group
default-roles=Default Roles
no-realm-roles-available=No realm roles available
users=Users
user.add-selected.tooltip=Realm roles that can be assigned to the user.
user.assigned-roles.tooltip=Realm roles mapped to the user
user.effective-roles.tooltip=All realm role mappings. Some roles here might be inherited from a mapped composite role.
user.available-roles.tooltip=Assignable roles from this client.
user.assigned-roles-client.tooltip=Role mappings for this client.
user.effective-roles-client.tooltip=Role mappings for this client. Some roles here might be inherited from a mapped composite role.
user.roles.add.success=Role mappings updated.
user.roles.remove.success=Role mappings updated.
user.logout.all.success=Logged out user in all clients
user.logout.session.success=Logged out session
user.fedid.link.remove.confirm.title=Delete Identity Provider Link
user.fedid.link.remove.confirm.message=Are you sure you want to permanently delete the Identity Provider Link {{name}}?
user.fedid.link.remove.success=The provider link has been deleted.
user.fedid.link.add.success=Provider link has been created.
user.consent.revoke.success=Grant revoked successfully
user.consent.revoke.error=Grant couldn't be revoked
user.remove.confirm.title=Delete User
user.remove.confirm.message=Are you sure you want to permanently delete the user {{name}}?
user.unlock.success=Any temporarily locked users are now unlocked.
user.remove.success=The user has been deleted.
user.remove.error=User couldn't be deleted
user.create.success=The user has been created.
user.edit.success=Your changes have been saved to the user.
user.credential.update.success=Credentials saved!
user.credential.update.error=Error while updating the credential. See console for more information.
user.credential.remove.confirm.title=Delete credentials
user.credential.remove.confirm.message=Are you sure you want to delete these users credentials?
user.credential.remove.success=Credentials deleted!
user.credential.remove.error=Error while deleting the credential. See console for more information.
user.credential.move-top.error=Error while moving the credential to top. See console for more information.
user.credential.move-up.error=Error while moving the credential up. See console for more information.
user.credential.move-down.error=Error while moving the credential down. See console for more information.
user.credential.fetch.error=Error while loading user credentials. See console for more information.
user.credential.storage.fetch.error=Error while loading user storage credentials. See console for more information.
user.password.error.not-matching=Password and confirmation does not match.
user.password.reset.confirm.title=Reset password
user.password.reset.confirm.message=Are you sure you want to reset the password for the user?
user.password.reset.success=The password has been reset.
user.password.set.confirm.title=Set password
user.password.set.confirm.message=Are you sure you want to set a password for the user?
user.password.set.success=The password has been set.
user.credential.disable.confirm.title=Disable credentials
user.credential.disable.confirm.message=Are you sure you want to disable these users credentials?
user.credential.disable.confirm.success=Credentials disabled
user.credential.disable.confirm.error=Failed to disable credentials
user.actions-email.send.pending-changes.title=Cannot send email
user.actions-email.send.pending-changes.message=You must save your current changes before you can send an email
user.actions-email.send.confirm.title=Send Email
user.actions-email.send.confirm.message=Are you sure you want to send email to user?
user.actions-email.send.confirm.success=Email sent to user
user.actions-email.send.confirm.error=Failed to send email to user
user.storage.remove.confirm.title=Delete User storage provider
user.storage.remove.confirm.message=Are you sure you want to permanently delete the user storage provider {{name}}?
user.storage.remove.success=The provider has been deleted.
user.storage.create.success=The provider has been created.
user.storage.edit.success=The provider has been updated.
user.storage.sync.success=Sync of users finished successfully. {{status}}
user.storage.sync.error=Error during sync of users
user.storage.remove-users.success=Remove imported users finished successfully.
user.storage.remove-users.error=Error during remove
user.storage.unlink.success=Unlink of users finished successfully.
user.storage.unlink.error=Error during unlink
user.groups.fetch.all.error=Unable to fetch all group memberships {{params}}
user.groups.fetch.error=Unable to fetch {{params}}
user.groups.join.error.no-group-selected=Please select a group to add
user.groups.join.error.already-added=Group already added
user.groups.join.success=Added group membership
user.groups.leave.error.no-group-selected=Please select a group to remove
user.groups.leave.success=Removed group membership
default.available-roles.tooltip=Realm level roles that can be assigned.
realm-default-roles=Realm Default Roles
realm-default-roles.tooltip=Realm level roles assigned to new users.
default.available-roles-client.tooltip=Roles from this client that are assignable as a default.
client-default-roles=Client Default Roles
client-default-roles.tooltip=Roles from this client assigned as a default role.
composite.available-roles.tooltip=Realm level roles that you can associate to this composite role.
composite.associated-roles.tooltip=Realm level roles associated with this composite role.
composite.available-roles-client.tooltip=Roles from this client that you can associate to this composite role.
composite.associated-roles-client.tooltip=Client roles associated with this composite role.
partial-import=Partial Import
partial-import.tooltip=Partial import allows you to import users, clients, and other resources from a previously exported json file.
file=File
exported-json-file=Exported json file
import-from-realm=Import from realm
import-users=Import users
import-groups=Import groups
import-clients=Import clients
import-identity-providers=Import identity providers
import-realm-roles=Import realm roles
import-client-roles=Import client roles
if-resource-exists=If a resource exists
fail=Fail
skip=Skip
overwrite=Overwrite
if-resource-exists.tooltip=Specify what should be done if you try to import a resource that already exists.
partial-export=Partial Export
partial-export.tooltip=Partial export allows you to export realm configuration, and other associated resources into a json file.
export-groups-and-roles=Export groups and roles
export-clients=Export clients
action=Action
role-selector=Role Selector
realm-roles.tooltip=Realm roles that can be selected.
select-a-role=Select a role
select-realm-role=Select realm role
client-roles.tooltip=Client roles that can be selected.
select-client-role=Select client role
client-saml-endpoint=Client SAML Endpoint
add-client-scope=Add client scope
default-client-scopes=Default Client Scopes
default-client-scopes.tooltip=Client Scopes, which will be added automatically to each created client
default-client-scopes.default=Default Client Scopes
default-client-scopes.default.tooltip=Allow to define client scopes, which will be added as default scopes to each created client
default-client-scopes.default.available=Available Client Scopes
default-client-scopes.default.available.tooltip=Client scopes, which are not yet assigned as realm default scopes or realm optional scopes
default-client-scopes.default.assigned=Assigned Default Client Scopes
default-client-scopes.default.assigned.tooltip=Client scopes, which will be added as default scopes to each created client
default-client-scopes.optional=Optional Client Scopes
default-client-scopes.optional.tooltip=Allow to define client scopes, which will be added as optional scopes to each created client
default-client-scopes.optional.available=Available Client Scopes
default-client-scopes.optional.available.tooltip=Client scopes, which are not yet assigned as realm default scopes or realm optional scopes
default-client-scopes.optional.assigned=Assigned Optional Client Scopes
default-client-scopes.optional.assigned.tooltip=Client scopes, which will be added as optional scopes to each created client
client-scopes.setup=Setup
client-scopes.setup.tooltip=Allow to setup client scopes linked to this client
client-scopes.default=Default Client Scopes
client-scopes.default.tooltip=Default client scopes are always applied when issuing tokens for this client. Protocol mappers and role scope mappings are always applied regardless of value of used scope parameter in OIDC Authorization request
client-scopes.default.available=Available Client Scopes
client-scopes.default.available.tooltip=Client scopes, which are not yet assigned as default scopes or optional scopes
client-scopes.default.assigned=Assigned Default Client Scopes
client-scopes.default.assigned.tooltip=Client scopes, which will be used as default scopes when generating tokens for this client
client-scopes.optional=Optional Client Scopes
client-scopes.optional.tooltip=Optional client scopes are applied when issuing tokens for this client, however just in case when they are requested by scope parameter in OIDC Authorization request
client-scopes.optional.available=Available Client Scopes
client-scopes.optional.available.tooltip=Client scopes, which are not yet assigned as default scopes or optional scopes
client-scopes.optional.assigned=Assigned Optional Client Scopes
client-scopes.optional.assigned.tooltip=Client scopes, which may be used as optional scopes when generating tokens for this client
client-scopes.evaluate=Evaluate
client-scopes.evaluate.tooltip=Allow to see all protocol mappers and role scope mapping that will be used in the tokens issued to this client. Also allow to generate example access token based on provided scope parameter
scope-parameter=Scope Parameter
scope-parameter.tooltip=You can copy/paste this value of scope parameter and use it in initial OpenID Connect Authentication Request sent from this client adapter. Default client scopes and selected optional client scopes will be used when generating token issued for this client
client-scopes.evaluate.scopes=Client Scopes
client-scopes.evaluate.scopes.tooltip=Allow to select optional client scopes, which may be used when generating token issued for this client
client-scopes.evaluate.scopes.available=Available Optional Client Scopes
client-scopes.evaluate.scopes.available.tooltip=This contains Optional Client Scopes, which can be optionally used when issuing access token for this client
client-scopes.evaluate.scopes.assigned=Selected Optional Client Scopes
client-scopes.evaluate.scopes.assigned.tooltip=Selected Optional Client Scopes, which will be used when issuing access token for this client. You can see above what value of OAuth Scope Parameter needs to be used when you want to have these optional client scopes applied when the initial OpenID Connect Authentication request will be sent from your client adapter
client-scopes.evaluate.scopes.effective=Effective Client Scopes
client-scopes.evaluate.scopes.effective.tooltip=Contains all default client scopes and selected optional scopes. All protocol mappers and role scope mappings of all those client scopes will be used when generating access token issued for your client
client-scopes.evaluate.user.tooltip=Optionally select user, for whom the example access token will be generated. If you do not select a user, example access token will not be generated during evaluation
send-evaluation-request=Evaluate
send-evaluation-request.tooltip=Click this to see all protocol mappers and role scope mappings that will be used when issuing an access token for this client. It will also optionally generate example access token in case that some user was selected
evaluated-protocol-mappers=Effective Protocol Mappers
evaluated-protocol-mappers.tooltip=Shows all effective protocol mappers that will be used when issuing token for this client. Also contains protocol mappers of selected optional client scopes. For each protocol mapper, you can see from which client scope it is inherited from
evaluated-roles=Effective Role Scope Mappings
evaluated-roles.tooltip=Shows all effective roles scope mappings that will be used when issuing token for this client. Also contains role scope mappings of selected optional client scopes
parent-client-scope=Parent Client Scope
client-scopes.evaluate.not-granted-roles=Not Granted Roles
client-scopes.evaluate.not-granted-roles.tooltip=Client does not have scope mappings for these roles. Those roles will not be in the access token issued to this client even if the authenticated user is a member of them
client-scopes.evaluate.granted-realm-effective-roles=Granted Effective Realm Roles
client-scopes.evaluate.granted-realm-effective-roles.tooltip=Client has scope mappings for these roles. Those roles will be in the access token issued to this client if the authenticated user is a member of them
client-scopes.evaluate.granted-client-effective-roles=Granted Effective Client Roles
generated-access-token=Generated Access Token
generated-access-token.tooltip=See the example access token, which will be generated and sent to the client when selected user is authenticated. You can see claims and roles that the token will contain based on the effective protocol mappers and role scope mappings and also based on the claims/roles assigned to user himself
generated-id-token=Generated ID Token
generated-id-token.tooltip=See the example ID Token, which will be generated and sent to the client when selected user is authenticated. You can see claims and roles that the token will contain based on the effective protocol mappers and role scope mappings and also based on the claims/roles assigned to user himself
generated-user-info=Generated User Info
generated-user-info.tooltip=See the example User Info, which will be provided by the User Info Endpoint
manage=Manage
authentication=Authentication
user-federation=User Federation
user-storage=User Storage
events=Events
realm-settings=Realm Settings
configure=Configure
select-realm=Select realm
add=Add
client-storage=Client Storage
no-client-storage-providers-configured=No client storage providers configured
client-stores.tooltip=Keycloak can retrieve clients and their details from external stores.
client-scope.name.tooltip=Name of the client scope. Must be unique in the realm. Name should not contain space characters as it is used as value of scope parameter
client-scope.description.tooltip=Description of the client scope
client-scope.protocol.tooltip=Which SSO protocol configuration is being supplied by this client scope
client-scope.display-on-consent-screen=Display On Consent Screen
client-scope.display-on-consent-screen.tooltip=If on, and this client scope is added to some client with consent required, the text specified by 'Consent Screen Text' will be displayed on consent screen. If off, this client scope will not be displayed on the consent screen
client-scope.consent-screen-text=Consent Screen Text
client-scope.consent-screen-text.tooltip=Text that will be shown on the consent screen when this client scope is added to some client with consent required. Defaults to name of client scope if it is not filled
client-scope.gui-order=GUI order
client-scope.gui-order.tooltip=Specify order of the provider in GUI (such as in Consent page) as integer
client-scope.include-in-token-scope=Include In Token Scope
client-scope.include-in-token-scope.tooltip=If on, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. If off, this client scope will be omitted from the token and from the Token Introspection Endpoint response.
add-user-federation-provider=Add user federation provider
add-user-storage-provider=Add user storage provider
required-settings=Required Settings
provider-id=Provider ID
console-display-name=Console Display Name
console-display-name.tooltip=Display name of provider when linked in admin console.
priority=Priority
priority.tooltip=Priority of provider when doing a user lookup. Lowest first.
user-storage.enabled.tooltip=If provider is disabled, it will not be considered for queries and imported users will be disabled and read-only until the provider is enabled again.
sync-settings=Sync Settings
periodic-full-sync=Periodic Full Sync
periodic-full-sync.tooltip=Does periodic full synchronization of provider users to Keycloak should be enabled or not
full-sync-period=Full Sync Period
full-sync-period.tooltip=Period for full synchronization in seconds
periodic-changed-users-sync=Periodic Changed Users Sync
periodic-changed-users-sync.tooltip=Does periodic synchronization of changed or newly created provider users to Keycloak should be enabled or not
changed-users-sync-period=Changed Users Sync Period
changed-users-sync-period.tooltip=Period for synchronization of changed or newly created provider users in seconds
synchronize-changed-users=Synchronize changed users
synchronize-all-users=Synchronize all users
remove-imported-users=Remove imported
unlink-users=Unlink users
kerberos-realm=Kerberos Realm
kerberos-realm.tooltip=Name of kerberos realm. For example FOO.ORG
server-principal=Server Principal
server-principal.tooltip=Full name of server principal for HTTP service including server and domain name. For example HTTP/host.foo.org@FOO.ORG
keytab=KeyTab
keytab.tooltip=Location of Kerberos KeyTab file containing the credentials of server principal. For example /etc/krb5.keytab
debug=Debug
debug.tooltip=Enable/disable debug logging to standard output for Krb5LoginModule.
allow-password-authentication=Allow Password Authentication
allow-password-authentication.tooltip=Enable/disable possibility of username/password authentication against Kerberos database
edit-mode=Edit Mode
edit-mode.tooltip=READ_ONLY means that password updates are not allowed and user always authenticates with Kerberos password. UNSYNCED means that the user can change the password in the Keycloak database and this one will be used instead of the Kerberos password
ldap.edit-mode.tooltip=READ_ONLY is a read-only LDAP store. WRITABLE means data will be synced back to LDAP on demand. UNSYNCED means user data will be imported, but not synced back to LDAP.
update-profile-first-login=Update Profile First Login
update-profile-first-login.tooltip=Update profile on first login
sync-registrations=Sync Registrations
ldap.sync-registrations.tooltip=Should newly created users be created within LDAP store? Priority effects which provider is chosen to sync the new user.
import-enabled=Import Users
ldap.import-enabled.tooltip=If true, LDAP users will be imported into Keycloak DB and synced by the configured sync policies.
vendor=Vendor
ldap.vendor.tooltip=LDAP vendor (provider)
enable-usePasswordModifyExtendedOp=Enable the LDAPv3 Password Modify Extended Operation
ldap.usePasswordModifyExtendedOp.tooltip=Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires that LDAP user already has password in the LDAP server. So when this is used with 'Sync Registrations', it can be good to add also 'Hardcoded LDAP attribute mapper' with randomly generated initial password.
username-ldap-attribute=Username LDAP attribute
ldap-attribute-name-for-username=LDAP attribute name for username
username-ldap-attribute.tooltip=Name of LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be 'uid'. For Active directory it can be 'sAMAccountName' or 'cn'. The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak.
rdn-ldap-attribute=RDN LDAP attribute
ldap-attribute-name-for-user-rdn=LDAP attribute name for user RDN
rdn-ldap-attribute.tooltip=Name of LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as Username LDAP attribute, however it is not required. For example for Active directory, it is common to use 'cn' as RDN attribute when username attribute might be 'sAMAccountName'.
uuid-ldap-attribute=UUID LDAP attribute
ldap-attribute-name-for-uuid=LDAP attribute name for UUID
uuid-ldap-attribute.tooltip=Name of LDAP attribute, which is used as unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is 'entryUUID'; however some are different. For example for Active directory it should be 'objectGUID'. If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN'.
user-object-classes=User Object Classes
ldap-user-object-classes.placeholder=LDAP User Object Classes (div. by comma)
ldap-connection-url=LDAP connection URL
ldap-users-dn=LDAP Users DN
ldap-bind-dn=LDAP Bind DN
ldap-bind-credentials=LDAP Bind Credentials
ldap-filter=LDAP Filter
ldap.user-object-classes.tooltip=All values of LDAP objectClass attribute for users in LDAP divided by comma. For example: 'inetOrgPerson, organizationalPerson' . Newly created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records are found just if they contain all those object classes.
connection-url=Connection URL
ldap.connection-url.tooltip=Connection URL to your LDAP server
test-connection=Test connection
users-dn=Users DN
ldap.users-dn.tooltip=Full DN of LDAP tree where your users are. This DN is the parent of LDAP users. It could be for example 'ou=users,dc=example,dc=com' assuming that your typical user will have DN like 'uid=john,ou=users,dc=example,dc=com'
authentication-type=Bind Type
ldap.authentication-type.tooltip=Type of the Authentication method used during LDAP Bind operation. It is used in most of the requests sent to the LDAP server. Currently only 'none' (anonymous LDAP authentication) or 'simple' (Bind credential + Bind password authentication) mechanisms are available
bind-dn=Bind DN
ldap.bind-dn.tooltip=DN of LDAP admin, which will be used by Keycloak to access LDAP server
bind-credential=Bind Credential
ldap.bind-credential.tooltip=Password of LDAP admin. This field is able to obtain its value from vault, use ${vault.ID} format.
test-authentication=Test authentication
custom-user-ldap-filter=Custom User LDAP Filter
ldap.custom-user-ldap-filter.tooltip=Additional LDAP Filter for filtering searched users. Leave this empty if you don't need additional filter. Make sure that it starts with '(' and ends with ')'
search-scope=Search Scope
ldap.search-scope.tooltip=For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree. See LDAP documentation for more details
use-truststore-spi=Use Truststore SPI
ldap.use-truststore-spi.tooltip=Specifies whether LDAP connection will use the truststore SPI with the truststore configured in standalone.xml/domain.xml. 'Always' means that it will always use it. 'Never' means that it will not use it. 'Only for ldaps' means that it will use if your connection URL use ldaps. Note even if standalone.xml/domain.xml is not configured, the default Java cacerts or certificate specified by 'javax.net.ssl.trustStore' property will be used.
validate-password-policy=Validate Password Policy
connection-pooling=Connection Pooling
connection-pooling-settings=Connection Pooling Settings
connection-pooling-authentication=Connection Pooling Authentication
connection-pooling-authentication-default=none simple
connection-pooling-debug=Connection Pool Debug Level
connection-pooling-debug-default=off
connection-pooling-initsize=Connection Pool Initial Size
connection-pooling-initsize-default=1
connection-pooling-maxsize=Connection Pool Maximum Size
connection-pooling-maxsize-default=1000
connection-pooling-prefsize=Connection Pool Preferred Size
connection-pooling-prefsize-default=5
connection-pooling-protocol=Connection Pool Protocol
connection-pooling-protocol-default=plain ssl
connection-pooling-timeout=Connection Pool Timeout
connection-pooling-timeout-default=300000
ldap-connection-timeout=Connection Timeout
ldap.connection-timeout.tooltip=LDAP Connection Timeout in milliseconds
ldap-read-timeout=Read Timeout
ldap.read-timeout.tooltip=LDAP Read Timeout in milliseconds. This timeout applies for LDAP read operations
ldap.validate-password-policy.tooltip=Determines if Keycloak should validate the password with the realm password policy before updating it
ldap.connection-pooling.tooltip=Determines if Keycloak should use connection pooling for accessing LDAP server
ldap.connection-pooling.authentication.tooltip=A list of space-separated authentication types of connections that may be pooled. Valid types are "none", "simple", and "DIGEST-MD5".
ldap.connection-pooling.debug.tooltip=A string that indicates the level of debug output to produce. Valid values are "fine" (trace connection creation and removal) and "all" (all debugging information).
ldap.connection-pooling.initsize.tooltip=The string representation of an integer that represents the number of connections per connection identity to create when initially creating a connection for the identity.
ldap.connection-pooling.maxsize.tooltip=The string representation of an integer that represents the maximum number of connections per connection identity that can be maintained concurrently.
ldap.connection-pooling.prefsize.tooltip=The string representation of an integer that represents the preferred number of connections per connection identity that should be maintained concurrently.
ldap.connection-pooling.protocol.tooltip=A list of space-separated protocol types of connections that may be pooled. Valid types are "plain" and "ssl".
ldap.connection-pooling.timeout.tooltip=The string representation of an integer that represents the number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool.
ldap.pagination.tooltip=Does the LDAP server support pagination.
ldap.startTls.tooltip=Encrypts the connection to LDAP using STARTTLS, which will disable connection pooling.
kerberos-integration=Kerberos Integration
allow-kerberos-authentication=Allow Kerberos authentication
ldap.allow-kerberos-authentication.tooltip=Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from this LDAP server
use-kerberos-for-password-authentication=Use Kerberos For Password Authentication
ldap.use-kerberos-for-password-authentication.tooltip=Use Kerberos login module for authenticate username/password against Kerberos server instead of authenticating against LDAP server with Directory Service API
batch-size=Batch Size
ldap.batch-size.tooltip=Count of LDAP users to be imported from LDAP to Keycloak within a single transaction.
ldap.periodic-full-sync.tooltip=Does periodic full synchronization of LDAP users to Keycloak should be enabled or not
ldap.periodic-changed-users-sync.tooltip=Does periodic synchronization of changed or newly created LDAP users to Keycloak should be enabled or not
ldap.changed-users-sync-period.tooltip=Period for synchronization of changed or newly created LDAP users in seconds
user-federation-mappers=User Federation Mappers
create-user-federation-mapper=Create user federation mapper
add-user-federation-mapper=Add user federation mapper
provider-name=Provider Name
no-user-federation-providers-configured=No user federation providers configured
no-user-storage-providers-configured=No user storage providers configured
add-identity-provider=Add identity provider
add-identity-provider-link=Add identity provider link
identity-provider=Identity Provider
identity-provider-user-id=Identity Provider User ID
identity-provider-user-id.tooltip=Unique ID of the user on the Identity Provider side
identity-provider-username=Identity Provider Username
identity-provider-username.tooltip=Username on the Identity Provider side
pagination=Pagination
browser-flow=Browser Flow
browser-flow.tooltip=Select the flow you want to use for browser authentication.
registration-flow=Registration Flow
registration-flow.tooltip=Select the flow you want to use for registration.
direct-grant-flow=Direct Grant Flow
direct-grant-flow.tooltip=Select the flow you want to use for direct grant authentication.
reset-credentials=Reset Credentials
reset-credentials.tooltip=Select the flow you want to use when the user has forgotten their credentials.
client-authentication=Client Authentication
client-authentication.tooltip=Select the flow you want to use for authentication of clients.
docker-auth=Docker Authentication
docker-auth.tooltip=Select the flow you want to use for authentication against a docker client.
new=New
copy=Copy
add-execution=Add execution
add-flow=Add flow
auth-type=Auth Type
requirement=Requirement
config=Config
no-executions-available=No executions available
authentication-flows=Authentication Flows
create-authenticator-config=Create authenticator config
authenticator.alias.tooltip=Name of the configuration
otp-type=OTP Type
time-based=Time Based
counter-based=Counter Based
otp-type.tooltip='totp' is a time-based one time password. 'hotp' is a counter-based one time password in which the server keeps a counter to hash against.
otp-hash-algorithm=OTP Hash Algorithm
otp-hash-algorithm.tooltip=What hashing algorithm should be used to generate the OTP?
number-of-digits=Number of Digits
otp.number-of-digits.tooltip=How many digits should the OTP have?
look-ahead-window=Look Ahead Window
otp.look-ahead-window.tooltip=How far ahead should the server look just in case the token generator and server are out of time sync or counter sync?
initial-counter=Initial Counter
otp.initial-counter.tooltip=What should the initial counter value be?
otp-token-period=OTP Token Period
otp-token-period.tooltip=How many seconds should an OTP token be valid? Defaults to 30 seconds.
otp-supported-applications=Supported Applications
otp-supported-applications.tooltip=Applications that are known to work with the current OTP policy
table-of-password-policies=Table of Password Policies
add-policy.placeholder=Add policy...
policy-type=Policy Type
policy-value=Policy Value
webauthn-policy=WebAuthn Policy
webauthn-policy.tooltip=Policy for WebAuthn authentication. It is used by the 'WebAuthn Register' required action and the 'WebAuthn Authenticator' authenticator. Typically used when WebAuthn serves as two-factor authentication.
webauthn-policy-passwordless=WebAuthn Passwordless Policy
webauthn-policy-passwordless.tooltip=Policy for passwordless WebAuthn authentication. It is used by the 'Webauthn Register Passwordless' required action and the 'WebAuthn Passwordless Authenticator' authenticator. Typically used when WebAuthn serves as first-factor authentication. Having both 'WebAuthn Policy' and 'WebAuthn Passwordless Policy' allows WebAuthn to be used as both first-factor and second-factor authenticator in the same realm.
webauthn-rp-entity-name=Relying Party Entity Name
webauthn-rp-entity-name.tooltip=Human-readable server name as WebAuthn Relying Party
webauthn-signature-algorithms=Signature Algorithms
webauthn-signature-algorithms.tooltip=What signature algorithms should be used for Authentication Assertion.
webauthn-rp-id=Relying Party ID
webauthn-rp-id.tooltip=The ID of the WebAuthn Relying Party. It must be the origin's effective domain.
webauthn-attestation-conveyance-preference=Attestation Conveyance Preference
webauthn-attestation-conveyance-preference.tooltip=Communicates to an authenticator the preference of how to generate an attestation statement.
webauthn-authenticator-attachment=Authenticator Attachment
webauthn-authenticator-attachment.tooltip=Communicates to an authenticator an acceptable attachment pattern.
webauthn-require-resident-key=Require Resident Key
webauthn-require-resident-key.tooltip=Tells an authenticator whether to create the public key credential as a Resident Key or not.
webauthn-user-verification-requirement=User Verification Requirement
webauthn-user-verification-requirement.tooltip=Communicates to an authenticator whether to confirm that a user was actually verified.
webauthn-create-timeout=Timeout
webauthn-create-timeout.tooltip=Timeout value for creating user's public key credential in seconds. If set to 0, this timeout option is not applied.
webauthn-avoid-same-authenticator-register=Avoid Same Authenticator Registration
webauthn-avoid-same-authenticator-register.tooltip=Avoid registering an authenticator that has already been registered.
webauthn-acceptable-aaguids=Acceptable AAGUIDs
webauthn-acceptable-aaguids.tooltip=The list of AAGUIDs of authenticators that can be registered.
manage-webauthn-authenticator=Manage WebAuthn Authenticator
public-key-credential-id=Public Key Credential ID
public-key-credential-aaguid=Public Key Credential AAGUID
public-key-credential-label=Public Key Credential Label
ciba-policy=CIBA Policy
ciba-backchannel-tokendelivery-mode=Backchannel Token Delivery Mode
ciba-backchannel-tokendelivery-mode.tooltip=Specifies how the CD (Consumption Device) gets the authentication result and related tokens.
ciba-expires-in=Expires In
ciba-expires-in.tooltip=The expiration time of the "auth_req_id" in seconds since the authentication request was received.
ciba-interval=Interval
ciba-interval.tooltip=The minimum amount of time in seconds that the CD (Consumption Device) must wait between polling requests to the token endpoint.
ciba-auth-requested-user-hint=Authentication Requested User Hint
ciba-auth-requested-user-hint.tooltip=The way of identifying the end-user for whom authentication is being requested.
admin-events=Admin Events
admin-events.tooltip=Displays saved admin events for the realm. Events are related to the admin account, for example a realm creation. To enable persisted events go to config.
login-events=Login Events
filter=Filter
update=Update
reset=Reset
operation-types=Operation Types
resource-types=Resource Types
select-operations.placeholder=Select operations...
select-resource-types.placeholder=Select resource types...
resource-path=Resource Path
resource-path.tooltip=Filter by resource path. Supports wildcard '*' (for example 'users/*').
date-(from)=Date (From)
date-(to)=Date (To)
authentication-details=Authentication Details
ip-address=IP Address
time=Time
operation-type=Operation Type
resource-type=Resource Type
auth=Auth
representation=Representation
register=Register
required-action=Required Action
default-action=Default Action
auth.default-action.tooltip=If enabled, any new user will have this required action assigned to it.
no-required-actions-configured=No required actions configured
defaults-to-id=Defaults to id
flows=Flows
bindings=Bindings
client-flow-bindings=Authentication Flow Overrides
client-flow-bindings.tooltip=Override realm authentication flow bindings.
required-actions=Required Actions
password-policy=Password Policy
otp-policy=OTP Policy
user-groups=User Groups
default-groups=Default Groups
groups.default-groups.tooltip=Set of groups that new users will automatically join.
cut=Cut
paste=Paste
create-group=Create group
create-authenticator-execution=Create Authenticator Execution
edit-flow=Edit Flow
create-form-action-execution=Create Form Action Execution
create-top-level-form=Create Top Level Form
flow.alias.tooltip=Specifies display name for the flow.
top-level-flow-type=Top Level Flow Type
flow.generic=generic
flow.client=client
top-level-flow-type.tooltip=What kind of top level flow is it? Type 'client' is used for authentication of clients (applications), while 'generic' is for users and everything else.
create-execution-flow=Create Execution Flow
flow-type=Flow Type
flow.form.type=form
flow.generic.type=generic
flow-type.tooltip=What kind of form is it?
form-provider=Form Provider
default-groups.tooltip=Newly created or registered users will automatically be added to these groups
select-a-type.placeholder=select a type
available-groups=Available Groups
available-groups.tooltip=Select a group you want to add as a default.
value=Value
table-of-group-members=Table of group members
table-of-role-members=Table of role members
last-name=Last Name
first-name=First Name
email=Email
toggle-navigation=Toggle navigation
manage-account=Manage account
sign-out=Sign Out
server-info=Server Info
resource-not-found=Resource not found...
resource-not-found.instruction=We could not find the resource you are looking for. Please make sure the URL you entered is correct.
go-to-the-home-page=Go to the home page »
page-not-found=Page not found...
page-not-found.instruction=We could not find the page you are looking for. Please make sure the URL you entered is correct.
events.tooltip=Displays saved events for the realm. Events are related to user accounts, for example a user login. To enable persisted events go to config.
select-event-types.placeholder=Select event types...
events-config.tooltip=Displays configuration options to enable persistence of user and admin events.
select-an-action.placeholder=Select an action...
event-listeners.tooltip=Configure what listeners receive events for the realm.
login.save-events.tooltip=If enabled, login events are saved to the database, which makes events available to the admin and account management consoles.
clear-events.tooltip=Deletes all events in the database.
events.expiration.tooltip=Sets the expiration for events. Expired events are periodically deleted from the database.
admin-events-settings=Admin Events Settings
save-events=Save Events
admin.save-events.tooltip=If enabled, admin events are saved to the database, which makes events available to the admin console.
saved-types.tooltip=Configure what event types are saved.
include-representation=Include Representation
include-representation.tooltip=Include JSON representation for create and update requests.
clear-admin-events.tooltip=Deletes all admin events in the database.
server-version=Server Version
server-profile=Server Profile
server-disabled=Disabled Features
server-disabled.tooltip=Features that are not currently enabled. Some features are not enabled by default. This applies to all preview and experimental features.
server-preview=Preview Features
server-preview.tooltip=Preview features are not supported in production use and may be significantly changed or removed in the future.
server-experimental=Experimental Features
server-experimental.tooltip=Experimental features, which may not be fully functional. Never use experimental features in production.
info=Info
providers=Providers
server-time=Server Time
server-uptime=Server Uptime
profile=Profile
memory=Memory
total-memory=Total Memory
free-memory=Free Memory
used-memory=Used Memory
system=System
current-working-directory=Current Working Directory
java-version=Java Version
java-vendor=Java Vendor
java-runtime=Java Runtime
java-vm=Java VM
java-vm-version=Java VM Version
java-home=Java Home
user-name=User Name
user-timezone=User Timezone
user-locale=User Locale
system-encoding=System Encoding
operating-system=Operating System
os-architecture=OS Architecture
spi=SPI
granted-client-scopes=Granted Client Scopes
additional-grants=Additional Grants
consent-created-date=Created
consent-last-updated-date=Last updated
revoke=Revoke
new-password=New Password
password-confirmation=Password Confirmation
reset-password=Reset Password
set-password=Set Password
credentials.temporary.tooltip=If enabled, the user must change the password on next login
remove-totp=Remove OTP
credentials.remove-totp.tooltip=Remove one time password generator for user.
reset-actions=Reset Actions
credentials.reset-actions.tooltip=Set of actions to execute when sending the user a Reset Actions Email. 'Verify email' sends an email to the user to verify their email address. 'Update profile' requires user to enter in new personal information. 'Update password' requires user to enter in a new password. 'Configure OTP' requires setup of a mobile password generator.
reset-actions-email=Reset Actions Email
send-email=Send email
credentials.reset-actions-email.tooltip=Sends an email to user with an embedded link. Clicking the link enables the user to execute the reset actions without first logging in. For example, set the action to update password, click this button, and the user can change the password without logging in.
add-user=Add user
created-at=Created At
user-enabled=User Enabled
user-enabled.tooltip=A disabled user cannot log in.
user-temporarily-locked=User Temporarily Locked
user-temporarily-locked.tooltip=The user may be locked due to multiple failed attempts to log in.
unlock-user=Unlock user
federation-link=Federation Link
email-verified=Email Verified
email-verified.tooltip=Has the user's email been verified?
groups-joining=Groups
groups-joining.tooltip=Groups the user will be joining. To add a group, search for any existing one and select it.
groups-joining-select.placeholder=Select existing group
groups-joining-no-selected=No group selected
groups-joining-path=Path
required-user-actions=Required User Actions
required-user-actions.tooltip=Require an action when the user logs in. 'Verify email' sends an email to the user to verify their email address. 'Update profile' requires user to enter in new personal information. 'Update password' requires user to enter in a new password. 'Configure OTP' requires setup of a mobile password generator.
locale=Locale
select-one.placeholder=Select one...
impersonate=Impersonate
impersonate-user=Impersonate user
impersonate-user.tooltip=Login as this user. If user is in same realm as you, your current login session will be logged out before you are logged in as this user.
identity-provider-alias=Identity Provider Alias
provider-user-id=Provider User ID
provider-username=Provider Username
no-identity-provider-links-available=No identity provider links available
group-membership=Group Membership
leave=Leave
group-membership.tooltip=Groups where the user has membership. To leave a group, select it and click Leave.
membership.available-groups.tooltip=Groups a user can join. Select a group and click Join.
table-of-realm-users=Table of Realm Users
view-all-users=View all users
view-all-groups=View all groups
view-all-roles=View all roles
unlock-users=Unlock users
no-users-available=No users available
users.instruction=Please enter a search, or click on view all users
clients.instruction=Please enter a search
consents=Consents
started=Started
logout-all-sessions=Log out all sessions
logout=Logout
new-name=New Name
new-description=New Description
ok=Ok
attributes=Attributes
role-mappings=Role Mappings
members=Members
details=Details
identity-provider-links=Identity Provider Links
register-required-action=Register required action
gender=Gender
address=Address
phone=Phone
profile-url=Profile URL
picture-url=Picture URL
website=Website
import-keys-and-cert=Import keys and cert
import-keys-and-cert.tooltip=Upload the client's key pair and cert.
upload-keys=Upload Keys
download-keys-and-cert=Download keys and cert
no-value-assigned.placeholder=No value assigned
remove=Remove
no-group-members=No group members
no-role-members=No role members
temporary=Temporary
join=Join
event-type=Event Type
events-config=Events Config
event-listeners=Event Listeners
login-events-settings=Login Events Settings
clear-events=Clear events
saved-types=Saved Types
clear-admin-events=Clear admin events
clear-changes=Clear changes
error=Error

# Authz
# Authz Common
authz-authorization=Authorization
authz-owner=Owner
authz-uri=URI
authz-uris=URIS
authz-scopes=Scopes
authz-resource=Resource
authz-resource-type=Resource Type
authz-resources=Resources
authz-scope=Scope
authz-authz-scopes=Authorization Scopes
authz-policies=Policies
authz-policy=Policy
authz-permissions=Permissions
authz-users=Users in Role
authz-evaluate=Evaluate
authz-icon-uri=Icon URI
authz-icon-uri.tooltip=A URI pointing to an icon.
authz-select-scope=Select a scope
authz-select-resource=Select a resource
authz-associated-policies=Associated Policies
authz-any-resource=Any resource
authz-any-scope=Any scope
authz-any-role=Any role
authz-policy-evaluation=Policy Evaluation
authz-select-user=Select a user
authz-select-client=Select a client
authz-entitlements=Entitlements
authz-no-resources=No resources
authz-result=Result
authz-authorization-services-enabled=Authorization Enabled
authz-authorization-services-enabled.tooltip=Enable/Disable fine-grained authorization support for a client
authz-required=Required
authz-show-details=Show Details
authz-hide-details=Hide Details
authz-associated-permissions=Associated Permissions
authz-no-permission-associated=No permissions associated

# Authz Settings
authz-import-config.tooltip=Import a JSON file containing authorization settings for this resource server.
authz-policy-enforcement-mode=Policy Enforcement Mode
authz-policy-enforcement-mode.tooltip=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource.
authz-policy-enforcement-mode-enforcing=Enforcing
authz-policy-enforcement-mode-permissive=Permissive
authz-policy-enforcement-mode-disabled=Disabled
authz-remote-resource-management=Remote Resource Management
authz-remote-resource-management.tooltip=Should resources be managed remotely by the resource server? If false, resources can be managed only from this admin console.
authz-export-settings=Export Settings
authz-export-settings.tooltip=Export and download all authorization settings for this resource server.
authz-server-decision-strategy.tooltip=The decision strategy dictates how permissions are evaluated and how a final decision is obtained. 'Affirmative' means that at least one permission must evaluate to a positive decision in order to grant access to a resource and its scopes. 'Unanimous' means that all permissions must evaluate to a positive decision in order for the final decision to be also positive.

# Authz Resource List
authz-no-resources-available=No resources available.
authz-no-scopes-assigned=No scopes assigned.
authz-no-type-defined=No type defined.
authz-no-uri-defined=No URI defined.
authz-no-permission-assigned=No permission assigned.
authz-no-policy-assigned=No policy assigned.
authz-create-permission=Create Permission

# Authz Resource Detail
authz-add-resource=Add Resource
authz-resource-name.tooltip=A unique name for this resource. The name can be used to uniquely identify a resource, useful when querying for a specific resource.
authz-resource-owner.tooltip=The owner of this resource.
authz-resource-type.tooltip=The type of this resource. It can be used to group different resource instances with the same type.
authz-resource-uri.tooltip=Set of URIs which are protected by the resource.
authz-resource-scopes.tooltip=The scopes associated with this resource.
authz-resource-attributes=Resource Attributes
authz-resource-attributes.tooltip=The attributes associated with the resource.
authz-resource-user-managed-access-enabled=User-Managed Access Enabled
authz-resource-user-managed-access-enabled.tooltip=If enabled, the access to this resource can be managed by the resource owner.

# Authz Scope List
authz-add-scope=Add Scope
authz-no-scopes-available=No scopes available.

# Authz Scope Detail
authz-scope-name.tooltip=A unique name for this scope. The name can be used to uniquely identify a scope, useful when querying for a specific scope.

# Authz Policy List
authz-all-types=All types
authz-create-policy=Create Policy
authz-no-policies-available=No policies available.

# Authz Policy Detail
authz-policy-name.tooltip=The name of this policy.
authz-policy-description.tooltip=A description for this policy.
authz-policy-logic=Logic
authz-policy-logic-positive=Positive
authz-policy-logic-negative=Negative
authz-policy-logic.tooltip=The logic dictates how the policy decision should be made. If 'Positive', the resulting effect (permit or deny) obtained during the evaluation of this policy will be used to perform a decision. If 'Negative', the resulting effect will be negated, in other words, a permit becomes a deny and vice-versa.
authz-policy-apply-policy=Apply Policy
authz-policy-apply-policy.tooltip=Specifies all the policies that must be applied to the scopes defined by this policy or permission.
authz-policy-decision-strategy=Decision Strategy
authz-policy-decision-strategy.tooltip=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative.
authz-policy-decision-strategy-affirmative=Affirmative
authz-policy-decision-strategy-unanimous=Unanimous
authz-policy-decision-strategy-consensus=Consensus
authz-select-a-policy=Select existing policy
authz-no-policies-assigned=No policies assigned.

# Authz Role Policy Detail
authz-add-role-policy=Add Role Policy
authz-no-roles-assigned=No roles assigned.
authz-policy-role-realm-roles.tooltip=Specifies the *realm* roles allowed by this policy.
authz-policy-role-clients.tooltip=Selects a client in order to filter the client roles that can be applied to this policy.
authz-policy-role-client-roles.tooltip=Specifies the client roles allowed by this policy.

# Authz User Policy Detail
authz-add-user-policy=Add User Policy
authz-no-users-assigned=No users assigned.
authz-policy-user-users.tooltip=Specifies which user(s) are allowed by this policy.

# Authz Client Policy Detail
authz-add-client-policy=Add Client Policy
authz-no-clients-assigned=No clients assigned.
authz-policy-client-clients.tooltip=Specifies which client(s) are allowed by this policy.

# Authz Time Policy Detail
authz-add-time-policy=Add Time Policy
authz-policy-time-not-before.tooltip=Defines the time before which the policy MUST NOT be granted. Only granted if current date/time is after or equal to this value.
authz-policy-time-not-on-after=Not On or After
authz-policy-time-not-on-after.tooltip=Defines the time after which the policy MUST NOT be granted. Only granted if current date/time is before or equal to this value.
authz-policy-time-day-month=Day of Month
authz-policy-time-day-month.tooltip=Defines the day of month when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current day of month is between or equal to the two values you provided.
authz-policy-time-month=Month
authz-policy-time-month.tooltip=Defines the month when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current month is between or equal to the two values you provided.
authz-policy-time-year=Year
authz-policy-time-year.tooltip=Defines the year when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current year is between or equal to the two values you provided.
authz-policy-time-hour=Hour
authz-policy-time-hour.tooltip=Defines the hour when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current hour is between or equal to the two values you provided.
authz-policy-time-minute=Minute
authz-policy-time-minute.tooltip=Defines the minute when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current minute is between or equal to the two values you provided.

# Authz JS Policy Detail
authz-add-js-policy=Add JavaScript Policy
authz-policy-js-code=Code
authz-policy-js-code.tooltip=The JavaScript code providing the conditions for this policy.

# Authz Aggregated Policy Detail
authz-aggregated=Aggregated
authz-add-aggregated-policy=Add Aggregated Policy

# Authz Group Policy Detail
authz-add-group-policy=Add Group Policy
authz-no-groups-assigned=No groups assigned.
authz-policy-group-claim=Groups Claim
authz-policy-group-claim.tooltip=If defined, the policy will fetch user's groups from the given claim within an access token or ID token representing the identity asking permissions. If not defined, user's groups are obtained from your realm configuration.
authz-policy-group-groups.tooltip=Specifies the groups allowed by this policy.

# Authz Client Scope Policy Detail
authz-add-client-scope-policy=Add Client Scope Policy
authz-no-client-scopes-assigned=No client scopes assigned.
authz-policy-client-scope-client-scopes.tooltip=Specifies which client scope(s) are allowed by this policy.
select-a-client-scope=Select a client scope

# Authz Permission List
authz-no-permissions-available=No permissions available.

# Authz Permission Detail
authz-permission-name.tooltip=The name of this permission.
authz-permission-description.tooltip=A description for this permission.

# Authz Resource Permission Detail
authz-add-resource-permission=Add Resource Permission
authz-permission-resource-apply-to-resource-type=Apply to Resource Type
authz-permission-resource-apply-to-resource-type.tooltip=Specifies if this permission should be applied to all resources with a given type. In this case, this permission will be evaluated for all instances of a given resource type.
authz-permission-resource-resource.tooltip=Specifies that this permission must be applied to a specific resource instance.
authz-permission-resource-type.tooltip=Specifies that this permission must be applied to all resource instances of a given type.

# Authz Scope Permission Detail
authz-add-scope-permission=Add Scope Permission
authz-permission-scope-resource.tooltip=Restrict the scopes to those associated with the selected resource. If not selected, all scopes would be available.
authz-permission-scope-scope.tooltip=Specifies that this permission must be applied to one or more scopes.

# Authz Evaluation
authz-evaluation-identity-information=Identity Information
authz-evaluation-identity-information.tooltip=The available options to configure the identity information that will be used when evaluating policies.
authz-evaluation-client.tooltip=Select the client making this authorization request. If not provided, authorization requests would be done based on the client you are in.
authz-evaluation-user.tooltip=Select a user whose identity is going to be used to query permissions from the server.
authz-evaluation-role.tooltip=Select the roles you want to associate with the selected user.
authz-evaluation-new=New Evaluation
authz-evaluation-re-evaluate=Re-Evaluate
authz-evaluation-previous=Previous Evaluation
authz-evaluation-contextual-info=Contextual Information
authz-evaluation-contextual-info.tooltip=The available options to configure any contextual information that will be used when evaluating policies.
authz-evaluation-contextual-attributes=Contextual Attributes
authz-evaluation-contextual-attributes.tooltip=Any attribute provided by a running environment or execution context.
authz-evaluation-permissions.tooltip=The available options to configure the permissions to which policies will be applied.
authz-evaluation-evaluate=Evaluate
authz-evaluation-any-resource-with-scopes=Any resource with scope(s)
authz-evaluation-no-result=Could not obtain any result for the given authorization request. Check if the provided resource(s) or scope(s) are associated with any policy.
authz-evaluation-no-policies-resource=No policies were found for this resource.
authz-evaluation-result.tooltip=The overall result for this permission request.
authz-evaluation-scopes.tooltip=The list of allowed scopes.
authz-evaluation-policies.tooltip=Details about which policies were evaluated and their decisions.
authz-evaluation-authorization-data=Response
authz-evaluation-authorization-data.tooltip=Represents a token carrying authorization data as a result of the processing of an authorization request. This representation is basically what Keycloak issues to clients asking for permissions. Check the 'authorization' claim for the permissions that were granted based on the current authorization request.
authz-show-authorization-data=Show Authorization Data
keys=Keys
status=Status
keystore=Keystore
keystores=Keystores
add-keystore=Add Keystore
add-keystore.placeholder=Add keystore...
view=View
active=Active
passive=Passive
disabled=Disabled
algorithm=Algorithm
providerHelpText=Provider description
Sunday=Sunday
Monday=Monday
Tuesday=Tuesday
Wednesday=Wednesday
Thursday=Thursday
Friday=Friday
Saturday=Saturday
user-storage-cache-policy=Cache Settings
userStorage.cachePolicy=Cache Policy
userStorage.cachePolicy.option.DEFAULT=DEFAULT
userStorage.cachePolicy.option.EVICT_WEEKLY=EVICT_WEEKLY
userStorage.cachePolicy.option.EVICT_DAILY=EVICT_DAILY
userStorage.cachePolicy.option.MAX_LIFESPAN=MAX_LIFESPAN
userStorage.cachePolicy.option.NO_CACHE=NO_CACHE
userStorage.cachePolicy.tooltip=Cache Policy for this storage provider. 'DEFAULT' is whatever the default settings are for the global cache. 'EVICT_DAILY' is a time of day every day that the cache will be invalidated. 'EVICT_WEEKLY' is a day of the week and time the cache will be invalidated. 'MAX_LIFESPAN' is the time in milliseconds that will be the lifespan of a cache entry.
userStorage.cachePolicy.evictionDay=Eviction Day
userStorage.cachePolicy.evictionDay.tooltip=Day of the week the entry will become invalid on.
userStorage.cachePolicy.evictionHour=Eviction Hour
userStorage.cachePolicy.evictionHour.tooltip=Hour of day the entry will become invalid on.
userStorage.cachePolicy.evictionMinute=Eviction Minute
userStorage.cachePolicy.evictionMinute.tooltip=Minute of day the entry will become invalid on.
userStorage.cachePolicy.maxLifespan=Max Lifespan
userStorage.cachePolicy.maxLifespan.tooltip=Max lifespan of cache entry in milliseconds.
user-origin-link=Storage Origin
user-origin.tooltip=UserStorageProvider the user was loaded from
user-link.tooltip=UserStorageProvider this locally stored user was imported from.
client-origin-link=Storage Origin
client-origin.tooltip=Provider the client was loaded from
client-storage-cache-policy=Cache Settings
clientStorage.cachePolicy=Cache Policy
clientStorage.cachePolicy.option.DEFAULT=DEFAULT
clientStorage.cachePolicy.option.EVICT_WEEKLY=EVICT_WEEKLY
clientStorage.cachePolicy.option.EVICT_DAILY=EVICT_DAILY
clientStorage.cachePolicy.option.MAX_LIFESPAN=MAX_LIFESPAN
clientStorage.cachePolicy.option.NO_CACHE=NO_CACHE
clientStorage.cachePolicy.tooltip=Cache Policy for this storage provider. 'DEFAULT' is whatever the default settings are for the global cache. 'EVICT_DAILY' is a time of day every day that the cache will be invalidated. 'EVICT_WEEKLY' is a day of the week and time the cache will be invalidated. 'MAX_LIFESPAN' is the time in milliseconds that will be the lifespan of a cache entry.
clientStorage.cachePolicy.evictionDay=Eviction Day
clientStorage.cachePolicy.evictionDay.tooltip=Day of the week the entry will become invalid on.
clientStorage.cachePolicy.evictionHour=Eviction Hour
clientStorage.cachePolicy.evictionHour.tooltip=Hour of day the entry will become invalid on.
clientStorage.cachePolicy.evictionMinute=Eviction Minute
clientStorage.cachePolicy.evictionMinute.tooltip=Minute of day the entry will become invalid on.
clientStorage.cachePolicy.maxLifespan=Max Lifespan
clientStorage.cachePolicy.maxLifespan.tooltip=Max lifespan of cache entry in milliseconds.
client-storage-list-no-entries=Keycloak can federate external client databases. By default, we support Openshift OAuth clients and service accounts. To get started, select a provider from the dropdown below:
disable=Disable
disableable-credential-types=Disableable Types
credentials.disableable.tooltip=List of credential types that you can disable
disable-credential-types=Disable Credential Types
credentials.disable.tooltip=Click button to disable selected credential types
credential-types=Credential Types
manage-user-password=Manage Password
supported-user-storage-credential-types=Supported User Storage Credential Types
supported-user-storage-credential-types.tooltip=Credential types, which are provided by User Storage Provider and which are configured for this user. Validation and eventually update of the credentials of those types can be delegated to the User Storage Provider based on the configuration and implementation of the particular provider.
provided-by=Provided By
manage-credentials=Manage Credentials
manage-credentials.tooltip=Credentials, which are not provided by the user storage. They are saved in the local database.
disable-credentials=Disable Credentials
credential-reset-actions=Credential Reset
credential-reset-actions-timeout=Expires In
credential-reset-actions-timeout.tooltip=Maximum time before the action permit expires.
ldap-mappers=LDAP Mappers
create-ldap-mapper=Create LDAP mapper
map-role-mgmt-scope-description=Policies that decide if an administrator can map this role to a user or group
manage-authz-users-scope-description=Policies that decide if an administrator can manage all users in the realm
view-authz-users-scope-description=Policies that decide if an administrator can view all users in the realm
permissions-enabled-role=Permissions Enabled
permissions-enabled-role.tooltip=Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up.
manage-permissions-role.tooltip=Fine grained permissions for managing roles. For example, you can define different policies for who is allowed to map a role.
lookup=Lookup
manage-permissions-users.tooltip=Fine grained permissions for managing all users in the realm. You can define different policies for who is allowed to manage users in the realm.
permissions-enabled-users=Permissions Enabled
permissions-enabled-users.tooltip=Determines if fine grained permissions are enabled for managing users. Disabling will delete all current permissions that have been set up.
manage-permissions-client.tooltip=Fine grained permissions for administrators that want to manage this client or apply roles defined by this client.
manage-permissions-group.tooltip=Fine grained permissions for administrators that want to manage this group or the members of this group.
manage-authz-group-scope-description=Policies that decide if an administrator can manage this group
view-authz-group-scope-description=Policies that decide if an administrator can view this group
view-members-authz-group-scope-description=Policies that decide if an administrator can view the members of this group
token-exchange-authz-client-scope-description=Policies that decide which clients are allowed to exchange tokens for a token that is targeted to this client.
token-exchange-authz-idp-scope-description=Policies that decide which clients are allowed to exchange tokens for an external token minted by this identity provider.
manage-authz-client-scope-description=Policies that decide if an administrator can manage this client
configure-authz-client-scope-description=Reduced management permissions for administrator. Cannot set scope, template, or protocol mappers.
view-authz-client-scope-description=Policies that decide if an administrator can view this client
map-roles-authz-client-scope-description=Policies that decide if an administrator can map roles defined by this client
map-roles-client-scope-authz-client-scope-description=Policies that decide if an administrator can apply roles defined by this client to the client scope of another client
map-roles-composite-authz-client-scope-description=Policies that decide if an administrator can apply roles defined by this client as a composite to another role
map-role-authz-role-scope-description=Policies that decide if an administrator can map this role to a user or group
map-role-client-scope-authz-role-scope-description=Policies that decide if an administrator can apply this role to the client scope of a client
map-role-composite-authz-role-scope-description=Policies that decide if an administrator can apply this role as a composite to another role
manage-group-membership-authz-users-scope-description=Policies that decide if an administrator can manage group membership for all users in the realm. This is used in conjunction with specific group policy
impersonate-authz-users-scope-description=Policies that decide if an administrator can impersonate other users
map-roles-authz-users-scope-description=Policies that decide if an administrator can map roles for all users
user-impersonated-authz-users-scope-description=Policies that decide which users can be impersonated. These policies are applied to the user being impersonated.
manage-membership-authz-group-scope-description=Policies that decide if an administrator can add or remove users from this group
manage-members-authz-group-scope-description=Policies that decide if an administrator can manage the members of this group
# KEYCLOAK-6771 Certificate Bound Token
# https://tools.ietf.org/html/draft-ietf-oauth-mtls-08#section-3
advanced-client-settings=Advanced Settings
advanced-client-settings.tooltip=Expand this section to configure advanced settings of this client
tls-client-certificate-bound-access-tokens=OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled
tls-client-certificate-bound-access-tokens.tooltip=This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that Keycloak binds an access token and a refresh token with an X.509 certificate of a token requesting client exchanged in mutual TLS between Keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.
subjectdn=Subject DN
subjectdn-tooltip=A regular expression for validating Subject DN in the Client Certificate. Use "(.*?)(?:$)" to match all kinds of expressions.
pkce-code-challenge-method=Proof Key for Code Exchange Code Challenge Method
pkce-code-challenge-method.tooltip=Choose which code challenge method for PKCE is used. If not specified, Keycloak does not apply PKCE to a client unless the client sends an authorization request with appropriate code challenge and code exchange method.
key-not-allowed-here=Key '{{character}}' is not allowed here.
# KEYCLOAK-10927 Implement LDAPv3 Password Modify Extended Operation
advanced-ldap-settings=Advanced Settings
ldap-query-supported-extensions=Query Supported Extensions
ldap-query-supported-extensions.tooltip=This will query LDAP server for supported extensions, controls and features. Some advanced settings of the LDAP provider will then be automatically configured based on the capabilities/extensions/features supported by LDAP server. For example if LDAPv3 Password Modify extension is supported by LDAP server, corresponding switch will be enabled for LDAP provider.
notifications.info.header=Info!
notifications.success.header=Success!
notifications.error.header=Error!
notifications.warn.header=Warning!
dialogs.delete.title=Delete {{type}}
dialogs.delete.message=Are you sure you want to permanently delete the {{type}} {{name}}?
dialogs.delete.confirm=Delete
dialogs.cancel=Cancel
dialogs.ok=Ok