diff --git a/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_de.properties b/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_de.properties
index beaeb4dcc2..46b663c0ec 100644
--- a/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_de.properties
+++ b/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_de.properties
@@ -6,9 +6,14 @@ cancel=de Cancel
onText=AN
offText=AUS
client=de Client
+clients=de Clients
clear=de Clear
selectOne=de Select One...
+true=de True
+false=de False
+
+
# Realm settings
realm-detail.enabled.tooltip=de Users and clients can only access a realm if it's enabled
registrationAllowed=de User registration
@@ -112,7 +117,7 @@ active-sessions=de Active Sessions
sessions=de Sessions
not-before=de Not Before
not-before.tooltip=de Revoke any tokens issued before this date.
-set-to-now=de Set To Now
+set-to-now=de Set to now
push=de Push
push.tooltip=de For every client that has an admin URL, notify them of the new revocation policy.
@@ -127,3 +132,322 @@ multivalued.label=de Multivalued
multivalued.tooltip=de Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim
selectRole.label=de Select Role
selectRole.tooltip=de Enter role in the textbox to the left, or click this button to browse and select the role you want
+
+# client details
+clients.tooltip=de Clients are trusted browser apps and web services in a realm. These clients can request a login. You can also define client specific roles.
+search.placeholder=de Search...
+create=de Create
+import=de Import
+client-id=de Client ID
+base-url=de Base URL
+actions=de Actions
+not-defined=de Not defined
+edit=de Edit
+delete=de Delete
+no-results=de No results
+no-clients-available=de No clients available
+add-client=de Add Client
+select-file=de Select file
+view-details=de View details
+clear-import=de Clear import
+client-id.tooltip=de Specifies ID referenced in URI and tokens. For example 'my-client'
+client.name.tooltip=de Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example: ${my_client}
+client.enabled.tooltip=de Disabled clients cannot initiate a login or have obtain access tokens.
+consent-required=de Consent Required
+consent-required.tooltip=de If enabled users have to consent to client access.
+direct-grants-only=de Direct Grants Only
+direct-grants-only.tooltip=de When enabled, client can only obtain grants from grant REST API.
+client-protocol=de Client Protocol
+client-protocol.tooltip=de 'OpenID connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information.
+access-type=de Access Type
+access-type.tooltip=de 'Confidential' clients require a secret to initiate login protocol. 'Public' clients do not require a secret. 'Bearer-only' clients are web services that never initiate a login.
+service-accounts-enabled=de Service Accounts Enabled
+service-accounts-enabled.tooltip=de Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client.
+include-authnstatement=de Include AuthnStatement
+include-authnstatement.tooltip=de Should a statement specifying the method and timestamp be included in login responses?
+sign-documents=de Sign Documents
+sign-documents.tooltip=de Should SAML documents be signed by the realm?
+sign-assertions=de Sign Assertions
+sign-assertions.tooltip=de Should assertions inside SAML documents be signed? This setting isn't needed if document is already being signed.
+signature-algorithm=de Signature Algorithm
+signature-algorithm.tooltip=de The signature algorithm to use to sign documents.
+canonicalization-method=de Canonicalization Method
+canonicalization-method.tooltip=de Canonicalization Method for XML signatures.
+encrypt-assertions=de Encrypt Assertions
+encrypt-assertions.tooltip=de Should SAML assertions be encrypted with client's public key using AES?
+client-signature-required=de Client Signature Required
+client-signature-required.tooltip=de Will the client sign their saml requests and responses? And should they be validated?
+force-post-binding=de Force POST Binding
+force-post-binding.tooltip=de Always use POST binding for responses.
+front-channel-logout=de Front Channel Logout
+front-channel-logout.tooltip=de When true, logout requires a browser redirect to client. When false, server performs a background invocation for logout.
+force-name-id-format=de Force Name ID Format
+force-name-id-format.tooltip=de Ignore requested NameID subject format and use admin console configured one.
+name-id-format=de Name ID Format
+name-id-format.tooltip=de The name ID format to use for the subject.
+root-url=de Root URL
+root-url.tooltip=de Root URL appended to relative URLs
+valid-redirect-uris=de Valid Redirect URIs
+valid-redirect-uris.tooltip=de Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed i.e. 'http://example.com/*'. Relative path can be specified too i.e. /my/relative/path/*. Relative paths will generate a redirect URI using the request's host and port. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.
+base-url.tooltip=de Default URL to use when the auth server needs to redirect or link back to the client.
+admin-url=de Admin URL
+admin-url.tooltip=de URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other adminstrative tasks. Usually this is set to the base URL of the client.
+master-saml-processing-url=de Master SAML Processing URL
+master-saml-processing-url.tooltip=de If configured, this URL will be used for every binding to both the SP's Assertion Consumer and Single Logout Services. This can be individually overiden for each binding and service in the Fine Grain SAML Endpoint Configuration.
+idp-sso-url-ref=de IDP Initiated SSO URL Name
+idp-sso-url-ref.tooltip=de URL fragment name to reference client when you want to do IDP Initiated SSO. Leaving this empty will disable IDP Initiated SSO. The URL you will reference from your browser will be: {server-root}/realms/{realm}/protocol/saml/clients/{client-url-name}
+idp-sso-relay-state=de IDP Initiated SSO Relay State
+idp-sso-relay-state.tooltip=de Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
+web-origins=de Web Origins
+web-origins.tooltip=de Allowed CORS origins. To permit all origins of Valid Redirect URIs add '+'. To permit all origins add '*'.
+fine-saml-endpoint-conf=de Fine Grain SAML Endpoint Configuration
+fine-saml-endpoint-conf.tooltip=de Expand this section to configure exact URLs for Assertion Consumer and Single Logout Service.
+assertion-consumer-post-binding-url=de Assertion Consumer Service POST Binding URL
+assertion-consumer-post-binding-url.tooltip=de SAML POST Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.
+assertion-consumer-redirect-binding-url=de Assertion Consumer Service Redirect Binding URL
+assertion-consumer-redirect-binding-url.tooltip=de SAML Redirect Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.
+logout-service-binding-post-url=de Logout Service POST Binding URL
+logout-service-binding-post-url.tooltip=de SAML POST Binding URL for the client's single logout service. You can leave this blank if you are using a different binding
+logout-service-redir-binding-url=de Logout Service Redirect Binding URL
+logout-service-redir-binding-url.tooltip=de SAML Redirect Binding URL for the client's single logout service. You can leave this blank if you are using a different binding.
+
+# client import
+import-client=de Import Client
+format-option=de Format Option
+select-format=de Select a Format
+import-file=de Import File
+
+# client tabs
+settings=de Settings
+credentials=de Credentials
+saml-keys=de SAML Keys
+roles=de Roles
+mappers=de Mappers
+mappers.tootip=de Protocol mappers perform transformation on tokens and documents. They an do things like map user data into protocol claims, or just transform any requests going between the client and auth server.
+scope=de Scope
+scope.tooltip=de Scope mappings allow you to restrict which user role mappings are included within the access token requested by the client.
+sessions.tooltip=de View active sessions for this client. Allows you to see which users are active and when they logged in.
+offline-access=de Offline Access
+offline-access.tooltip=de View offline sessions for this client. Allows you to see which users retrieve offline token and when they retrieve it. To revoke all tokens for the client, go to Revocation tab and set not before value to now.
+clustering=de Clustering
+installation=de Installation
+installation.tooltip=de Helper utility for generating various client adapter configuration formats which you can download or cut and paste to configure your clients.
+service-account-roles=de Service Account Roles
+service-account-roles.tooltip=de Allows you to authenticate role mappings for the service account dedicated to this client.
+
+# client credentials
+client-authenticator=de Client Authenticator
+client-authenticator.tooltip=de Client Authenticator used for authentication this client against Keycloak server
+certificate.tooltip=de Client Certificate for validate JWT issued by client and signed by Client private key from your keystore.
+no-client-certificate-configured=de No client certificate configured
+gen-new-keys-and-cert=de Generate new keys and certificate
+import-certificate=de Import Certificate
+gen-client-private-key=de Generate Client Private Key
+generate-private-key=de Generate Private Key
+archive-format=de Archive Format
+archive-format.tooltip=de Java keystore or PKCS12 archive format.
+key-alias=de Key Alias
+key-alias.tooltip=de Archive alias for your private key and certificate.
+key-password=de Key Password
+key-password.tooltip=de Password to access the private key in the archive
+store-password=de Store Password
+store-password.tooltip=de Password to access the archive itself
+generate-and-download=de Generate and Download
+client-certificate-import=de Client Certificate Import
+import-client-certificate=de Import Client Certificate
+jwt-import.key-alias.tooltip=de Archive alias for your certificate.
+secret=de Secret
+regenerate-secret=de Regenerate Secret
+add-role=de Add Role
+role-name=de Role Name
+composite=de Composite
+description=de Description
+no-client-roles-available=de No client roles available
+scope-param-required=de Scope Param Required
+scope-param-required.tooltip=de This role will only be granted if scope parameter with role name is used during authorization/token request.
+composite-roles=de Composite Roles
+composite-roles.tooltip=de When this role is (un)assigned to a user any role associated with it will be (un)assigned implicitly.
+realm-roles=de Realm Roles
+available-roles=de Available Roles
+add-selected=de Add selected
+associated-roles=de Associated Roles
+composite.associated-realm-roles.tooltip=de Realm level roles associated with this composite role.
+composite.available-realm-roles.tooltip=de Realm level roles associated with this composite role.
+remove-selected=de Remove selected
+client-roles=de Client Roles
+select-client-to-view-roles=de Select client to view roles for client
+available-roles.tooltip=de Roles from this client that you can associate to this composite role.
+client.associated-roles.tooltip=de Client roles associated with this composite role.
+add-builtin=de Add Builtin
+category=de Category
+type=de Type
+no-mappers-available=de No mappers available
+add-builtin-protocol-mappers=de Add Builtin Protocol Mappers
+add-builtin-protocol-mapper=de Add Builtin Protocol Mapper
+scope-mappings=de Scope Mappings
+full-scope-allowed=de Full Scope Allowed
+full-scope-allowed.tooltip=de Allows you to disable all restrictions.
+scope.available-roles.tooltip=de Realm level roles that can be assigned to scope.
+assigned-roles=de Assigned Roles
+assigned-roles.tooltip=de Realm level roles assigned to scope.
+effective-roles=de Effective Roles
+realm.effective-roles.tooltip=de Assigned realm level roles that may have been inherited from a composite role.
+select-client-roles.tooltip=de Select client to view roles for client
+assign.available-roles.tooltip=de Client roles available to be assigned.
+client.assigned-roles.tooltip=de Assigned client roles.
+client.effective-roles.tooltip=de Assigned client roles that may have been inherited from a composite role.
+basic-configuration=de Basic configuration
+node-reregistration-timeout=de Node Re-registration Timeout
+node-reregistration-timeout.tooltip=de Interval to specify max time for registered clients cluster nodes to re-register. If cluster node won't send re-registration request to Keycloak within this time, it will be unregistered from Keycloak
+registered-cluster-nodes=de Registered cluster nodes
+register-node-manually=de Register node manually
+test-cluster-availability=de Test cluster availability
+last-registration=de Last registration
+node-host=de Node host
+no-registered-cluster-nodes=de No registered cluster nodes available
+cluster-nodes=de Cluster Nodes
+add-node=de Add Node
+active-sessions.tooltip=de Total number of active user sessions for this client.
+show-sessions=de Show Sessions
+show-sessions.tooltip=de Warning, this is a potentially expensive operation depending on number of active sessions.
+user=de User
+from-ip=de From IP
+session-start=de Session Start
+first-page=de First Page
+previous-page=de Previous Page
+next-page=de Next Page
+client-revoke.not-before.tooltip=de Revoke any tokens issued before this date for this client.
+client-revoke.push.tooltip=de If admin URL is configured for this client, push this policy to that client.
+select-a-format=de Select a Format
+download=de Download
+offline-tokens=de Offline Tokens
+offline-tokens.tooltip=de Total number of offline tokens for this client.
+show-offline-tokens=de Show Offline Tokens
+show-offline-tokens.tooltip=de Warning, this is a potentially expensive operation depending on number of offline tokens.
+token-issued=de Token Issued
+key-export=de Key Export
+key-import=de Key Import
+export-saml-key=de Export SAML Key
+import-saml-key=de Import SAML Key
+realm-certificate-alias=de Realm Certificate Alias
+realm-certificate-alias.tooltip=de Realm certificate is stored in archive too. This is the alias to it.
+signing-key=de Signing Key
+saml-signing-key=de SAML Signing Key.
+private-key=de Private Key
+generate-new-keys=de Generate new keys
+export=de Export
+encryption-key=de Encryption Key
+saml-encryption-key.tooltip=de SAML Encryption Key.
+service-accounts=de Service Accounts
+service-account.available-roles.tooltip=de Realm level roles that can be assigned to service account.
+service-account.assigned-roles.tooltip=de Realm level roles assigned to service account.
+service-account-is-not-enabled-for=de Service account is not enabled for {{client}}
+create-protocol-mappers=de Create Protocol Mappers
+create-protocol-mapper=de Create Protocol Mapper
+protocol=de Protocol
+protocol.tooltip=de Protocol.
+id=de ID
+mapper.name.tooltip=de Name of the mapper.
+mapper.consent-required.tooltip=de When granting temporary access, must the user consent to providing this data to the client?
+consent-text=de Consent Text
+consent-text.tooltip=de Text to display on consent page.
+mapper-type=de Mapper Type
+select-role=de Select role
+select-role.tooltip=de Enter role in the textbox to the left, or click this button to browse and select the role you want.
+
+# realm identity providers
+identity-providers=de Identity Providers
+table-of-identity-providers=de Table of identity providers
+add-provider.placeholder=de Add provider...
+provider=de Provider
+gui-order=de GUI order
+redirect-uri=de Redirect URI
+redirect-uri.tooltip=de The redirect uri to use when configuring the identity provider.
+alias=de Alias
+identity-provider.alias.tooltip=de The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
+identity-provider.enabled.tooltip=de Enable/disable this identity provider.
+authenticate-by-default=de Authenticate by Default
+identity-provider.authenticate-by-default.tooltip=de Indicates if this provider should be tried by default for authentication even before displaying login screen.
+store-tokens=de Store Tokens
+identity-provider.store-tokens.tooltip=de Enable/disable if tokens must be stored after authenticating users.
+stored-tokens-readable=de Stored Tokens Readable
+identity-provider.stored-tokens-readable.tooltip=de Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
+update-profile-on-first-login=de Update Profile on First Login
+on=de On
+on-missing-info=de On missing info
+off=de Off
+update-profile-on-first-login.tooltip=de Define conditions under which a user has to update their profile during first-time login.
+trust-email=de Trust Email
+trust-email.tooltip=de If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
+gui-order.tooltip=de Number defining order of the provider in GUI (eg. on Login page).
+openid-connect-config=de OpenID Connect Config
+openid-connect-config.tooltip=de OIDC SP and external IDP configuration.
+authorization-url=de Authorization URL
+authorization-url.tooltip=de The Authorization Url.
+token-url=de Token URL
+token-url.tooltip=de The Token URL.
+logout-url=de Logout URL
+identity-provider.logout-url.tooltip=de End session endpoint to use to logout user from external IDP.
+backchannel-logout=de Backchannel Logout
+backchannel-logout.tooltip=de Does the external IDP support backchannel logout?
+user-info-url=de User Info URL
+user-info-url.tooltip=de The User Info Url. This is optional.
+identity-provider.client-id.tooltip=de The client or client identifier registered within the identity provider.
+client-secret=de Client Secret
+show-secret=de Show secret
+hide-secret=de Hide secret
+client-secret.tooltip=de The client or client secret registered within the identity provider.
+issuer=de Issuer
+issuer.tooltip=de The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
+default-scopes=de Default Scopes
+identity-provider.default-scopes.tooltip=de The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to 'openid'.
+prompt=de Prompt
+unspecified.option=de unspecified
+none.option=de none
+consent.option=de consent
+login.option=de login
+select-account.option=de select_account
+prompt.tooltip=de Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
+validate-signatures=de Validate Signatures
+identity-provider.validate-signatures.tooltip=de Enable/disable signature validation of external IDP signatures.
+validating-public-key=de Validating Public Key
+identity-provider.validating-public-key.tooltip=de The public key in PEM format that must be used to verify external IDP signatures.
+import-external-idp-config=de Import External IDP Config
+import-external-idp-config.tooltip=de Allows you to load external IDP metadata from a config file or to download it from a URL.
+import-from-url=de Import from URL
+identity-provider.import-from-url.tooltip=de Import metadata from a remote IDP discovery descriptor.
+import-from-file=de Import from file
+identity-provider.import-from-file.tooltip=de Import metadata from a downloaded IDP discovery descriptor.
+saml-config=de SAML Config
+identity-provider.saml-config.tooltip=de SAML SP and external IDP configuration.
+single-signon-service-url=de Single Sign-On Service URL
+saml.single-signon-service-url.tooltip=de The Url that must be used to send authentication requests (SAML AuthnRequest).
+single-logout-service-url=de Single Logout Service URL
+saml.single-logout-service-url.tooltip=de The Url that must be used to send logout requests.
+nameid-policy-format=de NameID Policy Format
+nameid-policy-format.tooltip=de Specifies the URI reference corresponding to a name identifier format. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
+http-post-binding-response=de HTTP-POST Binding Response
+http-post-binding-response.tooltip=de Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
+http-post-binding-for-authn-request=de HTTP-POST Binding for AuthnRequest
+http-post-binding-for-authn-request.tooltip=de Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
+want-authn-requests-signed=de Want AuthnRequests Signed
+want-authn-requests-signed.tooltip=de Indicates whether the identity provider expects signed a AuthnRequest.
+force-authentication=de Force Authentication
+identity-provider.force-authentication.tooltip=de Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
+validate-signature=de Validate Signature
+saml.validate-signature.tooltip=de Enable/disable signature validation of SAML responses.
+validating-x509-certificate=de Validating X509 Certificate
+validating-x509-certificate.tooltip=de The certificate in PEM format that must be used to check for signatures.
+saml.import-from-url.tooltip=de Import metadata from a remote IDP SAML entity descriptor.
+social.client-id.tooltip=de The client identifier registered with the identity provider.
+social.client-secret.tooltip=de The client secret registered with the identity provider.
+social.default-scopes.tooltip=de The scopes to be sent when asking for authorization. See documentation for possible values, separator and default value'.
+key=de Key
+stackoverflow.key.tooltip=de The Key obtained from Stack Overflow client registration.
+
+realms=de Realms
+realm=de Realm
+
+identity-provider-mappers=de Identity Provider Mappers
+create-identity-provider-mapper=de Create Identity Provider Mapper
+add-identity-provider-mapper=de Add Identity Provider Mapper
diff --git a/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
index 54044587e4..6c47bf4a48 100644
--- a/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -6,9 +6,14 @@ cancel=Cancel
onText=ON
offText=OFF
client=Client
+clients=Clients
clear=Clear
selectOne=Select One...
+true=True
+false=False
+
+
# Realm settings
realm-detail.enabled.tooltip=Users and clients can only access a realm if it's enabled
registrationAllowed=User registration
@@ -112,7 +117,7 @@ active-sessions=Active Sessions
sessions=Sessions
not-before=Not Before
not-before.tooltip=Revoke any tokens issued before this date.
-set-to-now=Set To Now
+set-to-now=Set to now
push=Push
push.tooltip=For every client that has an admin URL, notify them of the new revocation policy.
@@ -126,4 +131,321 @@ userSession.modelNote.tooltip=Name of stored user session note within the UserSe
multivalued.label=Multivalued
multivalued.tooltip=Indicates if attribute supports multiple values. If true, then the list of all values of this attribute will be set as claim. If false, then just first value will be set as claim
selectRole.label=Select Role
-selectRole.tooltip=Enter role in the textbox to the left, or click this button to browse and select the role you want
+selectRole.tooltip=Enter role in the textbox to the left, or click this button to browse and select the role you want.
+
+# client details
+clients.tooltip=Clients are trusted browser apps and web services in a realm. These clients can request a login. You can also define client specific roles.
+search.placeholder=Search...
+create=Create
+import=Import
+client-id=Client ID
+base-url=Base URL
+actions=Actions
+not-defined=Not defined
+edit=Edit
+delete=Delete
+no-results=No results
+no-clients-available=No clients available
+add-client=Add Client
+select-file=Select file
+view-details=View details
+clear-import=Clear import
+client-id.tooltip=Specifies ID referenced in URI and tokens. For example 'my-client'
+client.name.tooltip=Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example: ${my_client}
+client.enabled.tooltip=Disabled clients cannot initiate a login or have obtain access tokens.
+consent-required=Consent Required
+consent-required.tooltip=If enabled users have to consent to client access.
+direct-grants-only=Direct Grants Only
+direct-grants-only.tooltip=When enabled, client can only obtain grants from grant REST API.
+client-protocol=Client Protocol
+client-protocol.tooltip='OpenID connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information.
+access-type=Access Type
+access-type.tooltip='Confidential' clients require a secret to initiate login protocol. 'Public' clients do not require a secret. 'Bearer-only' clients are web services that never initiate a login.
+service-accounts-enabled=Service Accounts Enabled
+service-accounts-enabled.tooltip=Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client.
+include-authnstatement=Include AuthnStatement
+include-authnstatement.tooltip=Should a statement specifying the method and timestamp be included in login responses?
+sign-documents=Sign Documents
+sign-documents.tooltip=Should SAML documents be signed by the realm?
+sign-assertions=Sign Assertions
+sign-assertions.tooltip=Should assertions inside SAML documents be signed? This setting isn't needed if document is already being signed.
+signature-algorithm=Signature Algorithm
+signature-algorithm.tooltip=The signature algorithm to use to sign documents.
+canonicalization-method=Canonicalization Method
+canonicalization-method.tooltip=Canonicalization Method for XML signatures.
+encrypt-assertions=Encrypt Assertions
+encrypt-assertions.tooltip=Should SAML assertions be encrypted with client's public key using AES?
+client-signature-required=Client Signature Required
+client-signature-required.tooltip=Will the client sign their saml requests and responses? And should they be validated?
+force-post-binding=Force POST Binding
+force-post-binding.tooltip=Always use POST binding for responses.
+front-channel-logout=Front Channel Logout
+front-channel-logout.tooltip=When true, logout requires a browser redirect to client. When false, server performs a background invocation for logout.
+force-name-id-format=Force Name ID Format
+force-name-id-format.tooltip=Ignore requested NameID subject format and use admin console configured one.
+name-id-format=Name ID Format
+name-id-format.tooltip=The name ID format to use for the subject.
+root-url=Root URL
+root-url.tooltip=Root URL appended to relative URLs
+valid-redirect-uris=Valid Redirect URIs
+valid-redirect-uris.tooltip=Valid URI pattern a browser can redirect to after a successful login or logout. Simple wildcards are allowed i.e. 'http://example.com/*'. Relative path can be specified too i.e. /my/relative/path/*. Relative paths will generate a redirect URI using the request's host and port. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.
+base-url.tooltip=Default URL to use when the auth server needs to redirect or link back to the client.
+admin-url=Admin URL
+admin-url.tooltip=URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other adminstrative tasks. Usually this is set to the base URL of the client.
+master-saml-processing-url=Master SAML Processing URL
+master-saml-processing-url.tooltip=If configured, this URL will be used for every binding to both the SP's Assertion Consumer and Single Logout Services. This can be individually overiden for each binding and service in the Fine Grain SAML Endpoint Configuration.
+idp-sso-url-ref=IDP Initiated SSO URL Name
+idp-sso-url-ref.tooltip=URL fragment name to reference client when you want to do IDP Initiated SSO. Leaving this empty will disable IDP Initiated SSO. The URL you will reference from your browser will be: {server-root}/realms/{realm}/protocol/saml/clients/{client-url-name}
+idp-sso-relay-state=IDP Initiated SSO Relay State
+idp-sso-relay-state.tooltip=Relay state you want to send with SAML request when you want to do IDP Initiated SSO.
+web-origins=Web Origins
+web-origins.tooltip=Allowed CORS origins. To permit all origins of Valid Redirect URIs add '+'. To permit all origins add '*'.
+fine-saml-endpoint-conf=Fine Grain SAML Endpoint Configuration
+fine-saml-endpoint-conf.tooltip=Expand this section to configure exact URLs for Assertion Consumer and Single Logout Service.
+assertion-consumer-post-binding-url=Assertion Consumer Service POST Binding URL
+assertion-consumer-post-binding-url.tooltip=SAML POST Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.
+assertion-consumer-redirect-binding-url=Assertion Consumer Service Redirect Binding URL
+assertion-consumer-redirect-binding-url.tooltip=SAML Redirect Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding.
+logout-service-binding-post-url=Logout Service POST Binding URL
+logout-service-binding-post-url.tooltip=SAML POST Binding URL for the client's single logout service. You can leave this blank if you are using a different binding
+logout-service-redir-binding-url=Logout Service Redirect Binding URL
+logout-service-redir-binding-url.tooltip=SAML Redirect Binding URL for the client's single logout service. You can leave this blank if you are using a different binding.
+
+# client import
+import-client=Import Client
+format-option=Format Option
+select-format=Select a Format
+import-file=Import File
+
+# client tabs
+settings=Settings
+credentials=Credentials
+saml-keys=SAML Keys
+roles=Roles
+mappers=Mappers
+mappers.tootip=Protocol mappers perform transformation on tokens and documents. They an do things like map user data into protocol claims, or just transform any requests going between the client and auth server.
+scope=Scope
+scope.tooltip=Scope mappings allow you to restrict which user role mappings are included within the access token requested by the client.
+sessions.tooltip=View active sessions for this client. Allows you to see which users are active and when they logged in.
+offline-access=Offline Access
+offline-access.tooltip=View offline sessions for this client. Allows you to see which users retrieve offline token and when they retrieve it. To revoke all tokens for the client, go to Revocation tab and set not before value to now.
+clustering=Clustering
+installation=Installation
+installation.tooltip=Helper utility for generating various client adapter configuration formats which you can download or cut and paste to configure your clients.
+service-account-roles=Service Account Roles
+service-account-roles.tooltip=Allows you to authenticate role mappings for the service account dedicated to this client.
+
+# client credentials
+client-authenticator=Client Authenticator
+client-authenticator.tooltip=Client Authenticator used for authentication this client against Keycloak server
+certificate.tooltip=Client Certificate for validate JWT issued by client and signed by Client private key from your keystore.
+no-client-certificate-configured=No client certificate configured
+gen-new-keys-and-cert=Generate new keys and certificate
+import-certificate=Import Certificate
+gen-client-private-key=Generate Client Private Key
+generate-private-key=Generate Private Key
+archive-format=Archive Format
+archive-format.tooltip=Java keystore or PKCS12 archive format.
+key-alias=Key Alias
+key-alias.tooltip=Archive alias for your private key and certificate.
+key-password=Key Password
+key-password.tooltip=Password to access the private key in the archive
+store-password=Store Password
+store-password.tooltip=Password to access the archive itself
+generate-and-download=Generate and Download
+client-certificate-import=Client Certificate Import
+import-client-certificate=Import Client Certificate
+jwt-import.key-alias.tooltip=Archive alias for your certificate.
+secret=Secret
+regenerate-secret=Regenerate Secret
+add-role=Add Role
+role-name=Role Name
+composite=Composite
+description=Description
+no-client-roles-available=No client roles available
+scope-param-required=Scope Param Required
+scope-param-required.tooltip=This role will only be granted if scope parameter with role name is used during authorization/token request.
+composite-roles=Composite Roles
+composite-roles.tooltip=When this role is (un)assigned to a user any role associated with it will be (un)assigned implicitly.
+realm-roles=Realm Roles
+available-roles=Available Roles
+add-selected=Add selected
+associated-roles=Associated Roles
+composite.associated-realm-roles.tooltip=Realm level roles associated with this composite role.
+composite.available-realm-roles.tooltip=Realm level roles associated with this composite role.
+remove-selected=Remove selected
+client-roles=Client Roles
+select-client-to-view-roles=Select client to view roles for client
+available-roles.tooltip=Roles from this client that you can associate to this composite role.
+client.associated-roles.tooltip=Client roles associated with this composite role.
+add-builtin=Add Builtin
+category=Category
+type=Type
+no-mappers-available=No mappers available
+add-builtin-protocol-mappers=Add Builtin Protocol Mappers
+add-builtin-protocol-mapper=Add Builtin Protocol Mapper
+scope-mappings=Scope Mappings
+full-scope-allowed=Full Scope Allowed
+full-scope-allowed.tooltip=Allows you to disable all restrictions.
+scope.available-roles.tooltip=Realm level roles that can be assigned to scope.
+assigned-roles=Assigned Roles
+assigned-roles.tooltip=Realm level roles assigned to scope.
+effective-roles=Effective Roles
+realm.effective-roles.tooltip=Assigned realm level roles that may have been inherited from a composite role.
+select-client-roles.tooltip=Select client to view roles for client
+assign.available-roles.tooltip=Client roles available to be assigned.
+client.assigned-roles.tooltip=Assigned client roles.
+client.effective-roles.tooltip=Assigned client roles that may have been inherited from a composite role.
+basic-configuration=Basic configuration
+node-reregistration-timeout=Node Re-registration Timeout
+node-reregistration-timeout.tooltip=Interval to specify max time for registered clients cluster nodes to re-register. If cluster node won't send re-registration request to Keycloak within this time, it will be unregistered from Keycloak
+registered-cluster-nodes=Registered cluster nodes
+register-node-manually=Register node manually
+test-cluster-availability=Test cluster availability
+last-registration=Last registration
+node-host=Node host
+no-registered-cluster-nodes=No registered cluster nodes available
+cluster-nodes=Cluster Nodes
+add-node=Add Node
+active-sessions.tooltip=Total number of active user sessions for this client.
+show-sessions=Show Sessions
+show-sessions.tooltip=Warning, this is a potentially expensive operation depending on number of active sessions.
+user=User
+from-ip=From IP
+session-start=Session Start
+first-page=First Page
+previous-page=Previous Page
+next-page=Next Page
+client-revoke.not-before.tooltip=Revoke any tokens issued before this date for this client.
+client-revoke.push.tooltip=If admin URL is configured for this client, push this policy to that client.
+select-a-format=Select a Format
+download=Download
+offline-tokens=Offline Tokens
+offline-tokens.tooltip=Total number of offline tokens for this client.
+show-offline-tokens=Show Offline Tokens
+show-offline-tokens.tooltip=Warning, this is a potentially expensive operation depending on number of offline tokens.
+token-issued=Token Issued
+key-export=Key Export
+key-import=Key Import
+export-saml-key=Export SAML Key
+import-saml-key=Import SAML Key
+realm-certificate-alias=Realm Certificate Alias
+realm-certificate-alias.tooltip=Realm certificate is stored in archive too. This is the alias to it.
+signing-key=Signing Key
+saml-signing-key=SAML Signing Key.
+private-key=Private Key
+generate-new-keys=Generate new keys
+export=Export
+encryption-key=Encryption Key
+saml-encryption-key.tooltip=SAML Encryption Key.
+service-accounts=Service Accounts
+service-account.available-roles.tooltip=Realm level roles that can be assigned to service account.
+service-account.assigned-roles.tooltip=Realm level roles assigned to service account.
+service-account-is-not-enabled-for=Service account is not enabled for {{client}}
+create-protocol-mappers=Create Protocol Mappers
+create-protocol-mapper=Create Protocol Mapper
+protocol=Protocol
+protocol.tooltip=Protocol.
+id=ID
+mapper.name.tooltip=Name of the mapper.
+mapper.consent-required.tooltip=When granting temporary access, must the user consent to providing this data to the client?
+consent-text=Consent Text
+consent-text.tooltip=Text to display on consent page.
+mapper-type=Mapper Type
+
+# realm identity providers
+identity-providers=Identity Providers
+table-of-identity-providers=Table of identity providers
+add-provider.placeholder=Add provider...
+provider=Provider
+gui-order=GUI order
+redirect-uri=Redirect URI
+redirect-uri.tooltip=The redirect uri to use when configuring the identity provider.
+alias=Alias
+identity-provider.alias.tooltip=The alias uniquely identifies an identity provider and it is also used to build the redirect uri.
+identity-provider.enabled.tooltip=Enable/disable this identity provider.
+authenticate-by-default=Authenticate by Default
+identity-provider.authenticate-by-default.tooltip=Indicates if this provider should be tried by default for authentication even before displaying login screen.
+store-tokens=Store Tokens
+identity-provider.store-tokens.tooltip=Enable/disable if tokens must be stored after authenticating users.
+stored-tokens-readable=Stored Tokens Readable
+identity-provider.stored-tokens-readable.tooltip=Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role.
+update-profile-on-first-login=Update Profile on First Login
+on=On
+on-missing-info=On missing info
+off=Off
+update-profile-on-first-login.tooltip=Define conditions under which a user has to update their profile during first-time login.
+trust-email=Trust Email
+trust-email.tooltip=If enabled then email provided by this provider is not verified even if verification is enabled for the realm.
+gui-order.tooltip=Number defining order of the provider in GUI (eg. on Login page).
+openid-connect-config=OpenID Connect Config
+openid-connect-config.tooltip=OIDC SP and external IDP configuration.
+authorization-url=Authorization URL
+authorization-url.tooltip=The Authorization Url.
+token-url=Token URL
+token-url.tooltip=The Token URL.
+logout-url=Logout URL
+identity-provider.logout-url.tooltip=End session endpoint to use to logout user from external IDP.
+backchannel-logout=Backchannel Logout
+backchannel-logout.tooltip=Does the external IDP support backchannel logout?
+user-info-url=User Info URL
+user-info-url.tooltip=The User Info Url. This is optional.
+identity-provider.client-id.tooltip=The client or client identifier registered within the identity provider.
+client-secret=Client Secret
+show-secret=Show secret
+hide-secret=Hide secret
+client-secret.tooltip=The client or client secret registered within the identity provider.
+issuer=Issuer
+issuer.tooltip=The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
+default-scopes=Default Scopes
+identity-provider.default-scopes.tooltip=The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to 'openid'.
+prompt=Prompt
+unspecified.option=unspecified
+none.option=none
+consent.option=consent
+login.option=login
+select-account.option=select_account
+prompt.tooltip=Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
+validate-signatures=Validate Signatures
+identity-provider.validate-signatures.tooltip=Enable/disable signature validation of external IDP signatures.
+validating-public-key=Validating Public Key
+identity-provider.validating-public-key.tooltip=The public key in PEM format that must be used to verify external IDP signatures.
+import-external-idp-config=Import External IDP Config
+import-external-idp-config.tooltip=Allows you to load external IDP metadata from a config file or to download it from a URL.
+import-from-url=Import from URL
+identity-provider.import-from-url.tooltip=Import metadata from a remote IDP discovery descriptor.
+import-from-file=Import from file
+identity-provider.import-from-file.tooltip=Import metadata from a downloaded IDP discovery descriptor.
+saml-config=SAML Config
+identity-provider.saml-config.tooltip=SAML SP and external IDP configuration.
+single-signon-service-url=Single Sign-On Service URL
+saml.single-signon-service-url.tooltip=The Url that must be used to send authentication requests (SAML AuthnRequest).
+single-logout-service-url=Single Logout Service URL
+saml.single-logout-service-url.tooltip=The Url that must be used to send logout requests.
+nameid-policy-format=NameID Policy Format
+nameid-policy-format.tooltip=Specifies the URI reference corresponding to a name identifier format. Defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
+http-post-binding-response=HTTP-POST Binding Response
+http-post-binding-response.tooltip=Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
+http-post-binding-for-authn-request=HTTP-POST Binding for AuthnRequest
+http-post-binding-for-authn-request.tooltip=Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used.
+want-authn-requests-signed=Want AuthnRequests Signed
+want-authn-requests-signed.tooltip=Indicates whether the identity provider expects signed a AuthnRequest.
+force-authentication=Force Authentication
+identity-provider.force-authentication.tooltip=Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context.
+validate-signature=Validate Signature
+saml.validate-signature.tooltip=Enable/disable signature validation of SAML responses.
+validating-x509-certificate=Validating X509 Certificate
+validating-x509-certificate.tooltip=The certificate in PEM format that must be used to check for signatures.
+saml.import-from-url.tooltip=Import metadata from a remote IDP SAML entity descriptor.
+social.client-id.tooltip=The client identifier registered with the identity provider.
+social.client-secret.tooltip=The client secret registered with the identity provider.
+social.default-scopes.tooltip=The scopes to be sent when asking for authorization. See documentation for possible values, separator and default value'.
+key=Key
+stackoverflow.key.tooltip=The Key obtained from Stack Overflow client registration.
+
+realms=Realms
+realm=Realm
+
+identity-provider-mappers=Identity Provider Mappers
+create-identity-provider-mapper=Create Identity Provider Mapper
+add-identity-provider-mapper=Add Identity Provider Mapper
diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-clustering-node.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-clustering-node.html
index 442fa0db1b..91f909f2c8 100644
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-clustering-node.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-clustering-node.html
@@ -1,13 +1,13 @@