cancel=Cancel deleteConfirm_other=Are you sure you want to delete these groups. trusted-hosts.label=Trusted Hosts deletedSuccess=Provider successfully deleted. searchAttributes=Search attributes userID=User ID anyResource=Any resource importAdded_zero=No records added. createClientPolicy=Create client policy clientSignature=Client signature required persistent=Persistent sync-ldap-roles-to-keycloak=Sync LDAP roles to Keycloak eventTypes.PERMISSION_TOKEN.name=Permission token permissionsDisable=Disable permissions? eventTypes.FEDERATED_IDENTITY_LINK_ERROR.description=Federated identity link error secretHasExpired=Secret has expired, please generate a new one by clicking the "Regenerate" button above requiredRoles=Please add at least one role. addLdapWizardTitle=Add LDAP user federation provider wantAssertionsSignedHelp=Indicates whether this service provider expects a signed Assertion. disableConfirm=Are you sure you want to disable the provider '{{provider}}' eventTypes.CUSTOM_REQUIRED_ACTION.description=Custom required action flowName=Flow name userInfoResponseEncryptionContentEncryptionAlgorithm=User info response encryption content encryption algorithm eventTypes.IDENTITY_PROVIDER_FIRST_LOGIN_ERROR.name=Identity provider first login error searchByRoleName=Search by role name credentialType=Type passLoginHint=Pass login_hint openIdConnectCompatibilityModesHelp=This section is used to configure settings for backward compatibility with older OpenID Connect / OAuth 2 adaptors. It's useful especially if your client uses older version of Keycloak / RH-SSO adapter. emptyClientScopes=This client doesn't have any added client scopes requiredGroups=Please add at least one group. httpPostBindingAuthnRequestHelp=Indicates whether the AuthnRequest must be sent using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. policyEnforcementMode=Policy enforcement mode eventTypes.CLIENT_UPDATE.name=Client update addMultivaluedLabel=Add {{fieldLabel}} notRepeat=Not repeat secretRotated=Secret rotated userFedDeleteConfirmTitle=Delete user federation provider? userCredentialsHelpTextLabel=User Credentials Help Text role=Role displayName=Display name applyToResourceTypeHelp=Specifies if this permission should be applied to all resources with a given type. In this case, this permission will be evaluated for all instances of a given resource type. cibaIntervalHelp=The minimum amount of time in seconds that the CD (Consumption Device) must wait between polling requests to the token endpoint. If set to 0, the CD must use 5 as the default value according to the CIBA specification. envelopeFrom=Envelope from eventTypes.UPDATE_TOTP.name=Update totp updateCibaError=Could not update CIBA policy\: {{error}} policyUrl=Policy URL clientDescriptionHelp=Specifies description of the client. For example 'My Client for TimeSheets'. Supports keys for localized values as well. For example\: ${my_client_description} rolesPermissionsHint=Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up. passwordPoliciesHelp.regexPattern=Requires that the password matches one or more defined Java regular expression patterns. oAuthDPoP=OAuth 2.0 DPoP Bound Access Tokens Enabled invalidRealmName=Realm name can't contain special characters validRedirectURIsHelp=Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http\://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request. realmNameTitle={{name}} realm subjectNameId=Subject NameID credentialsList=Credentials List usermodel.clientRoleMapping.clientId.label=Client ID clientId=Client ID serviceProviderEntityId=Service provider entity ID internationalizationHelp=If enabled, you can choose which locales you support for this realm and which locale is the default. managePriorityOrder=Manage priority order contextualAttributesHelp=Any attribute provided by a running environment or execution context. clientLoginTimeoutHelp=Max time a client has to finish the access token protocol. This should normally be 1 minute. emptyMappers=No mappers artifactBindingUrlHelp=URL to send the HTTP ARTIFACT messages to. You can leave this blank if you are using a different binding. This value should be set when forcing ARTIFACT binding together with IdP initiated login. artifactBindingUrl=Artifact Binding URL clientsList=Clients list userId=User ID eventTypes.CLIENT_UPDATE_ERROR.description=Client update error eventTypes.UPDATE_EMAIL.description=Update email eventTypes.VALIDATE_ACCESS_TOKEN.description=Validate access token dedicatedScopeExplain=This is a client scope which includes the dedicated mappers and scope updateOtpError=Could not update OTP policy\: {{error}} addressClaim.postal_code.label=User Attribute Name for Postal Code defaultRoles=Default roles samlSignatureKeyNameHelp=Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counter-party, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works. clientScopeTypes.default=Default invalidateRotatedSecret=Invalidate rotated secret? noDirectUsers=No direct users whoCanEditHelp=If enabled, users or administrators can view and edit the attribute. Otherwise, users or administrators don't have access to write to the attribute. eventTypes.LOGIN.name=Login addressClaim.country.tooltip=Name of User Attribute, which will be used to map to 'country' subclaim inside 'address' token claim. Defaults to 'country' . uuidLdapAttribute=UUID LDAP attribute scopeNameHelp=Name of the client scope. Must be unique in the realm. Name should not contain space characters as it is used as value of scope parameter requiredUserActions=Required user actions noConsentsText=The consents will only be recorded when users try to access a client that is configured to require consent. In that case, users will get a consent page which asks them to grant access to the client. addStep=Add step clientAssertionAudience=Client assertion audience permissionPoliciesHelp=Specifies all the policies that must be applied to the scopes defined by this policy or permission. userInitiatedActionLifespanHelp=Maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired. This value is recommended to be short because it's expected that the user would react to self-created action quickly. clearFileExplain=Are you sure you want to clear this file? userModelAttribute=User model attribute eventTypes.LOGOUT_ERROR.name=Logout error allowRemoteResourceManagement=Remote resource management syncRegistrationsHelp=Should newly created users be created within LDAP store? Priority effects which provider is chosen to sync the new user. This setting is effectively appplied only with WRITABLE edit mode. resetPasswordAllowed=Forgot password emptyExecution=No steps passwordPolicyHintsEnabledHelp=Applicable just for writable MSAD. If on, then updating password of MSAD user will use LDAP_SERVER_POLICY_HINTS_OID extension, which means that advanced MSAD password policies like 'password history' or 'minimal password age' will be applied. This extension works just for MSAD 2008 R2 or newer. expirationValueNotValid=Value should should be greater or equal to 1 eventTypes.UPDATE_CONSENT.name=Update consent forceArtifactBinding=Force artifact binding eventTypes.REFRESH_TOKEN_ERROR.description=Refresh token error eventTypes.IMPERSONATE.name=Impersonate updateFirstLogin=Update first login columnDisplayDescription=Display description flowUsedBy=Use of this flow client-updater-trusted-hosts.label=Trusted hosts updateExecutorSuccess=Executor updated successfully ldapAttributeHelp=Name of mapped attribute on LDAP object. For example 'cn', 'sn', 'mail', 'street', etc. assertionLifespan=Assertion Lifespan export=Export claimFilterNameHelp=Name of the essential claim revocationDescription=This is a way to revoke all active sessions and access tokens. Not before means you can revoke any tokens issued before the date. eventTypes.CODE_TO_TOKEN_ERROR.description=Code to token error termsOfServiceUrl=Terms of service URL requestObject.request_uri\ only=Request URI only passwordPolicy=Password policy backchannelLogout=Backchannel logout addressClaim.street.label=User Attribute Name for Street rolesScope=If there is no role scope mapping defined, each user is permitted to use this client scope. If there are role scope mappings defined, the user must be a member of at least one of the roles. applyToResourceTypeFlag=Apply to resource type offlineSessionIdleHelp=Time an offline session is allowed to be idle before it expires. You need to use offline token to refresh at least once within this period; otherwise offline session will expire. eventTypes.UPDATE_TOTP.description=Update totp testError=Error when trying to connect to LDAP\: '{{error}}' groupObjectClassesHelp=Object class (or classes) of the group object. It's divided by commas if more classes needed. In typical LDAP deployment it could be 'groupOfNames'. In Active Directory it's usually 'group'. filterByClients=Filter by clients claims=Claims createPolicyOfType=Create {{policyType}} policy realmRolePrefix=Realm role prefix flowUsedByDescription=This flow is used by the following {{value}} createClientScope=Create client scope includeRepresentation=Include representation expireTimeHelp=Defines the time after which the policy MUST NOT be granted. Only granted if current date/time is before or equal to this value. singleLogoutServiceUrl=Single logout service URL noRolesInstructions-roles=You haven't created any roles in this realm. Create a role to get started. editIdPMapper=Edit Identity Provider Mapper representation=Representation remove=Remove userProfile=User profile confirmPasswordDoesNotMatch=Password and confirmation does not match. eventTypes.DELETE_ACCOUNT_ERROR.description=Delete account error provider=Provider flows=Flows passwordPoliciesHelp.length=The minimum number of characters required for the password. root=Root removeImportedUsersSuccess=Imported users have been removed. eventTypes.VERIFY_PROFILE_ERROR.name=Verify profile error signAssertionsHelp=Should assertions inside SAML documents be signed? This setting is not needed if document is already being signed. authnContextClassRefsHelp=Ordered list of requested AuthnContext ClassRefs. sessionsType.directGrant=Direct grant validateSignature=Validate Signatures useLowerCaseBearerType=Use lower-case bearer type in token responses headers=Headers ldapAttributeNameHelp=Name of the LDAP attribute, which will be added to the new user during registration createAGroup=Create a group effectiveProtocolMappersHelp=Contains all default client scopes and selected optional scopes. All protocol mappers and role scope mappings of all those client scopes will be used when generating access token issued for your client exportSuccess=Realm successfully exported. scopePermissions.groups.manage-description=Policies that decide if an administrator can manage this group testClusterFail=Failed verified availability for\: {{failedNodes}}. Fix or unregister failed cluster nodes and try again eventExplain=Events are records of user and admin events in this realm. To configure the tracking of these events, go to <1>Event configs. queryExtensions=Query Supported Extensions signingKeysConfig=Signing keys config validateBindDn=You must enter the DN of the LDAP admin addedGroupMembership=Added group membership resourceDeletedSuccess=The resource successfully deleted userObjectClasses=User object classes useRefreshTokensHelp=If this is on, a refresh_token will be created and added to the token response. If this is off then no refresh_token will be generated. getStarted=To get started, select a provider from the list below. times.hours=Hours signedJWTConfirm=Generate a private key and certificate for the client from the Keys tab. permit=Permit webOrigins=Web origins searchAdminEventsBtn=Search admin events deleteDialogDescription=Are you sure you want to permanently delete the attributes group <1>{{group}}? importResourceSuccess=The resource was successfully imported inputTypeCols=Input cols eventTypes.LOGOUT.description=Logout deleteNodeBody=Are you sure you want to permanently delete the node "{{node}}" lifespan=Expires In storedTokensReadableHelp=Enable/disable if new users can read any stored tokens. This assigns the broker.read-token role. authenticationFlowTypeHelp=What kind of form is it usersAdded_one={{count}} user added to the group resourcesAndScopes=Resources and Scopes editUsernameHelp=If enabled, the username field is editable, readonly otherwise. eventTypes.UPDATE_CONSENT_ERROR.description=Update consent error overrideActionTokensHelp=Override default settings of maximum time before an action permit sent by a user (such as a forgot password e-mail) is expired for specific action. This value is recommended to be short because it's expected that the user would react to self-created action quickly. searchByName=Search by name executorTypeSwitchHelpText=Executor Type Switch Help Text attributeConsumingServiceNameHelp=Name of the Attribute Consuming Service profile to advertise in the SP metadata. overrideActionTokens=Override Action Tokens deleteGrantsError=Error deleting grants. defaultGroupAdded_other=Added {{count}} groups to the default groups used.SPECIFIC_CLIENTS=Specific clients freeMemory=Free memory applyPolicy=Apply policy userFedDeleteConfirm=If you delete this user federation provider, all associated data will be removed. directGrantHelp=Select the flow you want to use for direct grant authentication. unlockUsersSuccess=Any temporarily locked users are now unlocked jsonType.tooltip=JSON type that should be used to populate the json claim in the token. long, int, boolean, String and JSON are valid values. emptyPrimaryAction=Add predefined mapper enableClientSignatureRequired=Enable "Client signature required"? supportedApplicationsHelp=Applications that are known to work with the current OTP policy enableStartTLS=Enable StartTLS syncModeOverride=Sync mode override addAssociatedRolesError=Could not associate roles {{error}} removeUserText=Do you want to remove {{numSelected}} users?. These users will no longer have permissions of the role {{role}} and the associated roles of it. diagramView=Diagram view removeImportedUsers=Remove imported users? conditionsHelpItem=Conditions help item accountLinkingOnly=Account linking only clientPoliciesPoliciesHelpText=Client Policy allows to bind client profiles with various conditions to specify when exactly is enforced behavior specified by executors of the particular client profile. anyClient=The condition is satisfied by any client on any event. editFlow=Edit flow noDefaultGroupsInstructions=Default groups allow you to automatically assign group membership whenever any new user is created or imported throughout <1>identity brokering. Add default groups to get started tokenSaveSuccess=New initial access token has been created usermodel.attr.label=User Attribute eventTypes.REGISTER.name=Register eventTypes.USER_DISABLED_BY_PERMANENT_LOCKOUT.name=User disabled by permanent lockout deleteUser=Delete user addedNodeSuccess=Node successfully added eventTypes.INTROSPECT_TOKEN_ERROR.description=Introspect token error webAuthnPolicyUserVerificationRequirementHelp=Communicates to an authenticator to confirm actually verifying a user. syncModes.import=Import realmSaveError=Realm could not be updated\: {{error}} authDataDescription=Represents a token carrying authorization data as a result of the processing of an authorization request. This representation is basically what Keycloak issues to clients asking for permission. Check the `authorization` claim for the permissions that where granted based on the current authorization request. allowRemoteResourceManagementHelp=Should resources be managed remotely by the resource server? If false, resources can be managed only from this Admin UI. generatedAccessTokenIsDisabled=Generated access token is disabled when no user is selected addNewProvider=Add new provider userInfoResponseEncryptionKeyManagementAlgorithm=User info response encryption key management algorithm changedUsersSyncPeriod=Changed users sync period keystoreHelp=Path to keys file userRegistration=User registration save=Save helpFileUploadClient=Upload a JSON or XML file generateSuccess=New key pair and certificate generated successfully userAttributeValueHelp=Value you want to hardcode whoCanViewHelp=If enabled, users or administrators can view the attribute. Otherwise, users or administrators don't have access to the attribute. eventTypes.IDENTITY_PROVIDER_LOGIN.description=Identity provider login includeClients=Include clients copySuccess=Successfully copied to clipboard\! eventTypes.LOGOUT_ERROR.description=Logout error clientProfilesHelp=Client profiles applied on this policy. deleteClientPolicyError=Could not delete policy\: {{error}} selectAttribute=Select attribute resourceAttributeHelp=The attributes associated wth the resource. updateCredentialUserLabelSuccess=The user label has been changed successfully. product=Product credentialUserLabel=User Label passwordPoliciesHelp.passwordBlacklist=Prevents the use of a password that is in a blacklist file. bindTypeHelp=Type of the authentication method used during LDAP bind operation. It is used in most of the requests sent to the LDAP server. Currently only 'none' (anonymous LDAP authentication) or 'simple' (bind credential + bind password authentication) mechanisms are available. whoWillAppearPopoverText=Groups are hierarchical. When you select Direct Membership, you see only the child group that the user joined. Ancestor groups are not included. eventTypes.VERIFY_EMAIL.description=Verify email eventTypes.REFRESH_TOKEN_ERROR.name=Refresh token error partialImportHeaderText=Partial import allows you to import users, clients, and other resources from a previously exported json file. disableSuccess=Provider successfully disabled validatingPublicKeyIdHelp=Explicit ID of the validating public key given above if the key ID. Leave blank if the key above should be used always, regardless of key ID specified by external IDP; set it if the key should only be used for verifying if the key ID from external IDP matches. eventTypes.IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR.name=Identity provider link account error subtree=Subtree userFederation=User federation effectiveRoleScopeMappingsHelp=Selected Optional Client Scopes, which will be used when issuing access token for this client. You can see above what value of OAuth Scope Parameter needs to be used when you want to have these optional client scopes applied when the initial OpenID Connect Authentication request will be sent from your client adapter disable=Disable membershipLdapAttribute=Membership LDAP attribute availableIdPs=Available identity providers updateClientConditionSuccess=Condition updated successfully. attributes=Attributes roleDeleteConfirmDialog=This action will permanently delete the role "{{selectedRoleName}}" and cannot be undone. clientDelete=Delete {{clientId}} ? userDeletedSuccess=The user has been deleted revokeClientScopesTitle=Revoke all granted client scopes? contentSecurityPolicyReportOnlyHelp=For testing Content Security Policies <1>Learn more eventTypes.PERMISSION_TOKEN.description=Permission token allow-default-scopes.label=Allow Default Scopes minuteHelp=Defines the minute when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current minute is between or equal to the two values you provided. updateCibaSuccess=CIBA policy successfully updated newRoleNameHelp=The new role name. The new name format corresponds to where in the access token the role will be mapped to. So, a new name of 'myapp.newname' will map the role to that position in the access token. A new name of 'newname' will map the role to the realm roles in the token. mapperTypeFullNameLdapMapper=full-name-ldap-mapper searchUserByAttributeMissingKeyError=Specify a attribute key eventTypes.INVALID_SIGNATURE.name=Invalid signature topLevelFlowTypeHelp=What kind of top level flow is it? Type 'client' is used for authentication of clients (applications) when generic is for users and everything else authDetailsHelp=Export and download all resource settings for this resource server. policyProvider.regex=Define regex conditions for your permissions. clientImportError=Could not import client\: {{error}} members=Members scopePermissions.clients.token-exchange-description=Policies that decide which clients are allowed exchange tokens for a token that is targeted to this client. realmCertificateAliasHelp=Realm certificate is stored in archive too. This is the alias to it. scopePermissions.roles.map-role-client-scope-description=Policies that decide if an administrator can apply this role to the client scope of a client createIdentityProviderError=Could not create the identity provider\: {{error}} eventTypes.SEND_VERIFY_EMAIL_ERROR.description=Send verify email error deleteClientPolicyConfirm=This action will permanently delete the policy {{policyName}}. This cannot be undone. cibaAuthRequestedUserHint=Authentication Requested User Hint samlKeysExportError=Could not export keys due to\: {{error}} webAuthnPolicyCreateTimeout=Timeout comparison=Comparison passwordPoliciesHelp.digits=The number of numerical digits required in the password string. deletedSuccessClientScope=The client scope has been deleted notBeforeError=Error clearing "Not Before" for realm\: {{error}} columnDisplayName=Display name noUsersFoundErrorStorage=No users found, could be due to wrongly configured federated provider {{error}} lookAround=Look around window storeTokensHelp=Enable/disable if tokens must be stored after authenticating users. revert=Revert eventTypes.IDENTITY_PROVIDER_RETRIEVE_TOKEN.description=Identity provider retrieve token dependentPermission=Dependent permission disableNonce=Disable nonce addAssociatedRolesSuccess=Associated roles have been added groupDeleted_one=Group deleted userHelp=Optionally select user, for whom the example access token will be generated. If you do not select a user, example access token will not be generated during evaluation loginScreenCustomization=Login screen customization policiesConfigType=Configure via\: exportWarningTitle=Export with caution emailVerifiedHelp=Has the user's email been verified? duplicateFlow=Duplicate flow addExecution=Add execution noSearchResultsInstructions=Click on the search bar above to search for groups addedNodeFail=Could not add node\: '{{error}}' groupMembership=Group membership maxLength=Max length {{length}} prompts.unspecified=Unspecified revokeClientScopes=Are you sure you want to revoke all granted client scopes for {{clientId}}? cibaBackhannelTokenDeliveryModes.poll=Poll policies=Policies parentClientScope=Parent client scope reorder=Reorder allTypes=All types backchannelLogoutSessionRequired=Backchannel logout session required ldapFilter=LDAP filter eventTypes.PUSHED_AUTHORIZATION_REQUEST_ERROR.name=Pushed authorization request error editAttribute=Edit attribute webAuthnPolicyRpEntityNameHelp=Human-readable server name as WebAuthn Relying Party postBrokerLoginFlowAlias=Post login flow refreshTokenMaxReuse=Refresh Token Max Reuse partialExportHeaderText=Partial export allows you to export realm configuration, and other associated resources into a json file. clientScopes=Client scopes loadingRealms=Loading realms… eventTypes.SEND_RESET_PASSWORD_ERROR.description=Send reset password error httpPostBindingLogout=HTTP-POST binding logout updateMessageBundleSuccess=Success\! Message bundle updated. permissionDescription=A description for this permission. policyClientHelp=Specifies which client(s) are allowed by this policy. multivalued.label=Multivalued buildIn=Built-in roleCreateExplain=This is some description scopePermissions.identityProviders.token-exchange-description=Policies that decide which clients are allowed exchange tokens for an external token minted by this identity provider. algorithmNotSpecified=Algorithm not specified rememberMe=Remember me flow.registration=Registration flow showLess=Show less registeredClusterNodes=Registered cluster nodes connectionAndAuthenticationSettings=Connection and authentication settings deleteConfirmUsers=Delete user? storePassword=Store password defaultGroups=Default groups eventTypes.TOKEN_EXCHANGE_ERROR.name=Token exchange error flow.browser=Browser flow unlinkUsersSuccess=Unlink of users finished successfully. addressClaim.street.tooltip=Name of User Attribute, which will be used to map to 'street_address' subclaim inside 'address' token claim. Defaults to 'street' . webAuthnPolicyCreateTimeoutHint=Timeout needs to be between 0 seconds and 8 hours addValidator=Add validator attributeImporter=Import declared SAML attribute if it exists in assertion into the specified user property or attribute. userInfoSettings=User info settings createAttributeError=Error\! User Profile configuration has not been saved {{error}}. password=Password eventTypes.VERIFY_EMAIL.name=Verify email httpPostBindingResponseHelp=Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. mapperTypeHardcodedAttributeMapper=hardcoded-attribute-mapper eventTypes.IMPERSONATE.description=Impersonate forbidden_other=Forbidden, permissions needed\: clientAuthorization=Authorization identityProvidersPermissionsHint=Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up. removeMappingConfirm_other=Are you sure you want to remove {{count}} roles kerberosWizardDescription=Text needed here. welcome=Welcome to events=Events importHelp=Import a JSON file containing authorization settings for this resource server. mapperType=Mapper type importResources=The following settings and data will be imported\: validateConnectionUrl=You must enter a connection URL attributeConsumingServiceIndexHelp=Index of the Attribute Consuming Service profile to request during authentication. clientSessionSettings=Client session settings cibaAuthRequestedUserHintHelp=The way of identifying the end-user for whom authentication is being requested. Currently only "login_hint" is supported. leaveGroupConfirmDialog_other=Are you sure you want to remove {{username}} from the {{count}} selected groups? createTokenHelp=An initial access token can only be used to create clients removeImportedUsersError=Could not remove imported users\: '{{error}}' eventTypes.OAUTH2_DEVICE_CODE_TO_TOKEN_ERROR.description=Oauth2 device code to token error typeHelp=Client scopes, which will be added as default scopes to each created client linkedIdPs=Linked identity providers htmlDisplayName=HTML Display name groupObjectClasses=Group object classes requiredActionPlaceholder=Select action bindCredentials=Bind credentials logoutSettings=Logout settings validateServerPrincipal=You must enter a server principal addMessageBundle=Add message bundle realmName=Realm name searchEventType=Search saved event type idpInitiatedSsoRelayStateHelp=Relay state you want to send with SAML request when you want to do IDP Initiated SSO. otpHashAlgorithmHelp=What hashing algorithm should be used to generate the OTP. joinGroup=Join Group eventTypes.REMOVE_TOTP_ERROR.description=Remove totp error eventTypes.EXECUTE_ACTION_TOKEN_ERROR.description=Execute action token error unlinkAccountConfirm=Are you sure you want to permanently unlink this account from {{provider}}? x509CertificateHelp=X509 Certificate encoded in PEM format samlEndpointsLabel=SAML 2.0 Service Provider Metadata passCurrentLocaleHelp=Pass the current locale to the identity provider as a ui_locales parameter. lessThan=Must be less than {{value}} webAuthnPolicyRequireResidentKeyHelp=It tells an authenticator create a public key credential as Resident Key or not. logoutServiceRedirectBindingURL=Logout Service Redirect Binding URL createIdentityProviderSuccess=Identity provider successfully created emptyMappersInstructions=If you want to add mappers, please click the button below to add some predefined mappers or to configure a new mapper. dayMonth=Day clientRolesHelp=The condition checks whether one of the specified client roles exists on the client to determine whether the policy is applied. This effectively allows client administrator to create client role of specified name on the client to make sure that particular client policy will be applied on requests of this client. Condition is checked during most of OpenID Connect requests (Authorization requests, token requests, introspection endpoint request, etc.) validatingX509Certs=Validating X509 certificates eventTypes.CLIENT_UPDATE.description=Client update searchInitialAccessToken=Search token guiOrder=Display Order friendlyName=Friendly name of attribute to search for in assertion. You can leave this blank and specify a name instead. testSuccess=Successfully connected to LDAP userInfoUrl=User Info URL displayOnConsentScreen=Display on consent screen noClientPolicies=No client policies defaultAdminInitiatedActionLifespanHelp=Maximum time before an action permit sent to a user by administrator is expired. This value is recommended to be long to allow administrators to send e-mails for users that are currently offline. The default timeout can be overridden immediately before issuing the token. syncUsersSuccess=Sync of users finished successfully. updatedCredentialMoveError=User Credential configuration hasn't been saved searchForRoles=Search role by name refresh=Refresh roleDeletedSuccess=The role has been deleted advancedClaimToRole=If all claims exist, grant the user the specified realm or client role. directGrant=Direct Grant Flow maxLifespanHelp=Max lifespan of cache entry in milliseconds associatedRolesModalTitle=Add roles to {{name}} nameIdFormatHelp=The name ID format to use for the subject. detailsHelp=this is information about the details adminEvents=Admin events serviceAccountHelp=Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client. urisHelp=Set of URIs which are protected by resource. eventTypes.IDENTITY_PROVIDER_RESPONSE.name=Identity provider response confirmClientSecretTitle=Regenerate secret for this client? serverPrincipal=Server principal deleteConfirmGroup_one=Are you sure you want to delete this group '{{groupName}}'. signDocuments=Sign documents noTokens=No initial access tokens addMapper=Add mapper webauthnPolicy=Webauthn Policy userAttributeName=User attribute name to store SAML attribute. Use email, lastName, and firstName to map to those predefined user properties. displayDescriptionField=Display description eventTypes.DELETE_ACCOUNT.description=Delete account eventTypes.RESTART_AUTHENTICATION_ERROR.description=Restart authentication error evictionHour=Eviction hour notBefore=Not before onDragFinish=Dragging finished {{list}} otpSupportedApplications.totpAppMicrosoftAuthenticatorName=Microsoft Authenticator ldapMappersList=LDAP Mappers bindDnHelp=DN of the LDAP admin, which will be used by Keycloak to access LDAP server newClientProfileName=Client profile name eventTypes.OAUTH2_DEVICE_CODE_TO_TOKEN_ERROR.name=Oauth2 device code to token error eventTypes.TOKEN_EXCHANGE.description=Token exchange continue=Continue editProvider=Edit provider included.client.audience.label=Included Client Audience backchannelLogoutUrlHelp=URL that will cause the client to log itself out when a logout request is sent to this realm (via end_session_endpoint). If omitted, no logout request will be sent to the client is this case. updateScopeSuccess=Authorization scope successfully updated userInfoResponseEncryptionKeyManagementAlgorithmHelp=JWA Algorithm used for key management in encrypting User Info Endpoint responses. This option is needed if you want encrypted User Info Endpoint responses. If left empty, User Info Endpoint responses are not encrypted. authnContextDeclRefsHelp=Ordered list of requested AuthnContext DeclRefs. inherent=Inherited tableTitle=Attributes groups generateNewKeys=Generate new keys updateClientPolicySuccess=Client policy updated unlock=Unlock validateRealm=You must enter a realm attributeValue=Attribute Value eventTypes.CLIENT_DELETE_ERROR.description=Client delete error clientScopesHelp=It uses the scopes requested or assigned in advance to the client to determine whether the policy is applied to this client. Condition is evaluated during OpenID Connect authorization request and/or token request. revokeRefreshToken=Revoke Refresh Token mappingUpdatedSuccess=Mapping successfully updated logoUrlHelp=URL that references a logo for the Client application operationTypes=Operation types loginWithEmailAllowed=Login with email expireTime=Expire time requestObject.request\ or\ request_uri=Request or Request URI policyProvider.user=Define conditions for your permissions where a set of one or more users is permitted to access an object. protocolTypes.openid-connect=OpenID Connect clientTypeHelp='OpenID Connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information. addOpenIdProvider=Add OpenID Connect provider memory=Memory eventTypes.CLIENT_LOGIN.name=Client login mapper.nameid.format.tooltip=Name ID Format using Mapper hideOnLoginPageHelp=If hidden, login with this provider is possible only if requested explicitly, for example using the 'kc_idp_hint' parameter. eventTypes.UPDATE_PROFILE.description=Update profile assignRolesTo=Assign roles to {{client}} orderChangeError=Could not change display order of identity providers {{error}} policyProvider.client-scope=Define conditions for your permissions where a set of one or more client scopes is permitted to access an object. secretExpiresOn=Secret expires on {{time}} searchClientByName=Search client by name loginTimeout=Login timeout attributeName=Attribute [Name] updateError=Could not update the provider {{error}} importUsersHelp=If true, LDAP users will be imported into the Keycloak DB and synced by the configured sync policies. emptyClientProfilesInstructions=There are no profiles, select 'Create client profile' to create a new client profile policyProvider.js=Define conditions for your permissions using JavaScript. It is one of the rule-based policy types supported by Keycloak, and provides flexibility to write any policy based on the Evaluation API. idpType.social=Social login krbPrincipalAttribute=Kerberos principal attribute fineGrainSamlEndpointConfig=Fine Grain SAML Endpoint Configuration hours=Hours eventTypes.RESET_PASSWORD_ERROR.name=Reset password error yes=Yes showRemaining=Show ${remaining} searchProfile=Search profile eventTypes.UPDATE_EMAIL_ERROR.name=Update email error removeConfirm_other=Are you sure you want to remove these groups. renameGroup=Rename group configure=Configure searchScopeHelp=For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree. See LDAP documentation for more details. jumpToSection=Jump to section noUsersEmptyStateDescription=Only the users with this role directly assigned will appear under this tab. If you need to find users assigned to this role, go to manage=Manage searchForSession=Search session temporaryLockedHelp=The user may be locked due to multiple failed attempts to log in. kerberosIntegration=Kerberos integration useEntityDescriptorHelp=Import metadata from a remote IDP SAML entity descriptor. decisionStrategies.CONSENSUS=Consensus saveProviderSuccess=The provider has been saved successfully. dedicatedScopes=Dedicated scopes noSessionsDescription=There are currently no active sessions in this realm. createGroupText=Create attributes group otpPolicyCodeReusable=Reusable token addRedirectUri=Add valid redirect URIs time=Time disableSigningExplain=If you disable "{{key}}", the Keycloak database will be updated and you may need to download a new adapter for this client. mapperTypeRoleLdapMapperHelp=Used to map role mappings of roles from some LDAP DN to Keycloak role mappings of either realm roles or client roles of particular client used.DEFAULT=Default authenticationCreateFlowHelp=Create flow credentialResetEmailSuccess=Email sent to user. sslType.all=All requests discoveryEndpointHelp=Import metadata from a remote IDP discovery descriptor. excludeSessionStateFromAuthenticationResponse=Exclude Session State From Authentication Response required=Required field linkedIdPsText=The identity providers which are already linked to this user account lastUpdated=Last updated credentialResetBtn=Credential Reset socialProfileJSONFieldPathHelp=Path of field in Social Provider User Profile JSON data to get value from. You can use dot notation for nesting and square brackets for array index. E.g. 'contact.address[0].country'. userModelAttributeHelp=Name of the UserModel property or attribute you want to map the LDAP attribute into. For example 'firstName', 'lastName, 'email', 'street' etc. userList=User list eventTypes.RESET_PASSWORD.name=Reset password exportWarningDescription=If there is a great number of groups, roles or clients in your realm, the operation may make server unresponsive for a while. importRole=Import role deleteClientProfileConfirm=This action will permanently delete the profile {{profileName}}. This cannot be undone. signServiceProviderMetadataHelp=Enable/disable signature of the provider SAML metadata. oAuthMutual=OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled keystore=Keystore eventTypes.EXECUTE_ACTION_TOKEN.description=Execute action token eventTypes.CLIENT_INFO.description=Client info updateClientProfilesError=Provided JSON is incorrect\: Unexpected token { in JSON canonicalizationHelp=Canonicalization Method for XML signatures. authorizationHelp=Enable/Disable fine-grained authorization support for a client sessions=Sessions mapperCreateSuccess=Mapper created successfully. fullSyncPeriodHelp=Period for full synchronization in seconds resourceTypeHelp=Specifies that this permission must be applied to all resource instances of a given type. encryptionAlgorithmHelp=Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions or IDs. The corresponding decryption key for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. If algorithm is not configured, then any supported algorithm is allowed and decryption key will be chosen based on the algorithm configured in SAML document itself. socialUserAttributeName=User attribute name to store information. priority=Priority jsonType.label=Claim JSON Type fullScopeAllowed=Full scope allowed syncModes.inherit=Inherit masterSamlProcessingUrlHelp=If configured, this URL will be used for every binding to both the SP's Assertion Consumer and Single Logout Services. This can be individually overridden for each binding and service in the Fine Grain SAML Endpoint Configuration. addedGroupMembershipError=Error adding group membership authenticatorAttachment.platform=Platform configSaveSuccess=Successfully saved the execution config regenerate=Regenerate ignoreMissingGroups=Ignore missing groups sslType.external=External requests showMetaData=Show metadata webAuthnPolicyAttestationConveyancePreferenceHelp=Communicates to an authenticator the preference of how to generate an attestation statement. top-level-flow-type.basic-flow=Basic flow groupRemoveError=Error removing group {error} temporaryPasswordHelpText=If enabled, the user must change the password on next login requestObjectEncryption=Request object encryption algorithm exportAuthDetailsSuccess=Successfully exported authorization details. connectionPooling=Connection pooling wantAuthnRequestsSignedHelp=Indicates whether the identity provider expects a signed AuthnRequest. policyCodeHelp=The JavaScript code providing the conditions for this policy. eventTypes.IMPERSONATE_ERROR.description=Impersonate error eventTypes.IDENTITY_PROVIDER_RESPONSE.description=Identity provider response shouldBeANumber=Should be a number validatorDialogColNames.colDescription=Description requestObjectEncoding=Request object content encryption algorithm idTokenEncryptionKeyManagementAlgorithmHelp=JWA Algorithm used for key management in encrypting ID tokens. This option is needed if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted. idpInitiatedSsoUrlNameHelp=URL fragment name to reference client when you want to do IDP Initiated SSO. Leaving this empty will disable IDP Initiated SSO. The URL you will reference from your browser will be\: {server-root}/realms/{realm}/protocol/saml/clients/{client-url-name} keyPassword=Key password attributeFriendlyName=Attribute [Friendly Name] clearAllFilters=Clear all filters scopePermissions.clients.map-roles-composite-description=Policies that decide if an administrator can apply roles defined by this client as a composite to another role roleObjectClassesHelp=Object class (or classes) of the role object. It's divided by commas if more classes are needed. In typical LDAP deployment it could be 'groupOfNames'. In Active Directory it's usually 'group'. emptyAddClientScopes=No client scopes changeTypeTo=Change type to generateKeys=Generate keys? searchForUser=Search user groupRemove_one=Group removed savePasswordError=Error saving password\: {{error}} allGroups=All groups deleteNode=Delete node? rdnLdapAttributeHelp=Name of the LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as the Username LDAP attribute, however it is not required. For example for Active directory, it is common to use 'cn' as RDN attribute when username attribute might be 'sAMAccountName'. addAaguids=Add AAGUID createPolicy=Create client policy disablePolicyConfirm=Users and clients can't access the policy if it's disabled. Are you sure you want to continue? useDiscoveryEndpoint=Use discovery endpoint clearAdminEvents=Clear admin events eventTypes.CLIENT_DELETE.name=Client delete clientLoginTimeout=Client Login Timeout mapperSaveSuccess=Mapper saved successfully. noRolesAssociatedInstructions=To add roles to this role press the 'Add role' button alwaysDisplayInUIHelp=Always list this client in the Account UI, even if the user does not have an active session. eventTypes.UPDATE_PASSWORD.name=Update password eventTypes.UPDATE_CONSENT.description=Update consent realmSaveSuccess=Realm successfully updated notBeforePushFail=Failed to push "not before" to\: {{failedNodes}} executorTypeTextHelpText=Executor Type Text Help Text eventTypes.IDENTITY_PROVIDER_LOGIN_ERROR.description=Identity provider login error readTimeout=Read timeout userInfoResponseEncryptionContentEncryptionAlgorithmHelp=JWA Algorithm used for content encryption in encrypting User Info Endpoint responses. If User Info response encryption key management algorithm is specified, the default for this value is A128CBC-HS256. accessTokenSignatureAlgorithm=Access token signature algorithm createUser=Create user logoutAllDescription=If you sign out all active sessions, active subjects in this realm will be signed out. credentialResetEmailError=Failed\: {{error}} flow-type.form-flow=Form useKerberosForPasswordAuthenticationHelp=User Kerberos login module for authenticating username/password against Kerberos server instead of authenticating against LDAP server with Directory Service API guiOrderHelp=Specify order of the provider in GUI (such as in Consent page) as integer signDocumentsHelp=Should SAML documents be signed by the realm? resetPassword=Reset password requireSslHelp=Is HTTPS required? 'None' means HTTPS is not required for any client IP address. 'External requests' means localhost and private IP addresses can access without HTTPS. 'All requests' means HTTPS is required for all IP addresses. policyDeletedSuccess=The Policy successfully deleted manageServiceAccountUser=To manage detail and group mappings, click on the username <1>{{link}} addClientProfileSuccess=New client profile added helpDisabled=Help off deleteResource=Permanently delete resource? validRequestURIsHelp=List of valid URIs, which can be used as values of 'request_uri' parameter during OpenID Connect authentication request. There is support for the same capabilities like for Valid Redirect URIs. For example wildcards or relative paths. emptyAddClientScopesInstructions=There are no client scopes left to add changeTypeIntro={{count}} selected client scopes will be changed to secretSizeHelp=Size in bytes for the generated secret clientSecret=Client Secret inputType=Input type claimHelp=Name of claim to search for in token. You can reference nested claims by using a '.', i.e. 'address.locality'. To use dot (.) literally, escape it with backslash. (\\.) regexClaimValues=Regex Claim Values iconUri=Icon URI allowed-protocol-mappers.label=Allowed Protocol Mappers group=Group addAssociatedRolesText=Add associated roles enabledFeatures=Enabled features groupsClaimHelp=If defined, the policy will fetch user's groups from the given claim within an access token or ID token representing the identity asking permissions. If not defined, user's groups are obtained from your realm configuration. createGroup=Create group validatingPublicKeyId=Validating public key id clientAuthentications.client_secret_jwt=JWT signed with client secret created=Created minutes=Minutes displayOnClient=Display client on screen certSubject=CERT_SUBJECT userCredentialsHelpText=The top level handlers allow you to shift the priority of the credential for the user, the topmost credential having the highest priority. The handlers within one expandable panel allow you to change the visual order of the credentials, the topmost credential will show at the most left. ldapAdvancedSettingsDescription=This section contains all the other options for more fine-grained configuration of the LDAP storage provider. usersDN=Users DN secretSize=Secret size included.custom.audience.label=Included Custom Audience max-clients.label=Max Clients Per Realm requestObjectSignatureAlgorithm=Request object signature algorithm searchForGroups=Search group noRolesAssociated=No associated roles eventTypes.IDENTITY_PROVIDER_POST_LOGIN_ERROR.name=Identity provider post login error emptyStateMessage=No attributes groups tokenLifespan.expires=Expires in oidcAttributeImporter=Import declared claim if it exists in ID, access token, or the claim set returned by the user profile endpoint into the specified user property or attribute. requestObject.request\ only=Request only waitIncrementSeconds=Wait increment requiredForLabel.admins=Only admins clientScopeSuccess=Scope mapping updated clientPolicySearch=Search client policy refreshTokens=Refresh tokens eventTypes.UPDATE_EMAIL_ERROR.description=Update email error credentials=Credentials webAuthnPolicyCreateTimeoutHelp=Timeout value for creating user's public key credential in seconds. if set to 0, this timeout option is not adapted. policyType.hotp=Counter based claimFilterValue=Essential claim value eventTypes.REGISTER_ERROR.name=Register error priorityHelp=Priority of the provider emptyPolicies=No policies manageOrderTableAria=List of identity providers in the order listed on the login page disableError=Could not disable the provider {{error}} anyAlgorithm=Any algorithm enableSSL=Enable SSL general=General failureFactor=Max login failures updateClientPoliciesSuccess=The client policies configuration was updated advancedSettings=Advanced settings attributeValueHelp=Value the attribute must have. If the attribute is a list, then the value must be contained in the list. eventTypes.FEDERATED_IDENTITY_LINK.description=Federated identity link adminTheme=Admin theme alias=Alias eventTypes.SEND_IDENTITY_PROVIDER_LINK_ERROR.name=Send identity provider link error userEvents=User events inputTypePlaceholder=Input placeholder otpPolicyPeriodErrorHint=Value needs to be between 1 second and 2 minutes introduction=If you want to leave this page and manage this realm, please click the corresponding menu items in the left navigation bar. clearUserEvents=Clear user events descriptionHelp=Help text for the description of the new flow addCustomProvider=Add custom provider permissionType=Specifies that this permission must be applied to all resources instances of a given type. policyEnforcementModes.ENFORCING=Enforcing rowSaveBtnAriaLabel=Save edits for {{messageBundle}} permanentLockout=Permanent lockout debug=Debug webAuthnPolicyRequireResidentKey=Require resident key notBeforePushSuccess=Successfully push "not before" to\: {{successNodes}} unlockUsersConfirm=All the users that are temporarily locked will be unlocked. clear=Clear idpType.custom=Custom eventTypes.LOGOUT.name=Logout deletedErrorClientScope=Could not delete client scope\: {{error}} groupsClaim=Groups claim roleMappingUpdatedError=Could not update role mapping {{error}} client-updater-source-groups.label=Groups frontchannelLogoutUrlHelp=URL that will cause the client to log itself out when a logout request is sent to this realm (via end_session_endpoint). If not provided, it defaults to the base url. authenticationOverridesHelp=Override realm authentication flow bindings. requiredActions=Required actions selectLocales=Select locales policyDecisionStagey=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative. usermodel.prop.tooltip=Name of the property method in the UserModel interface. For example, a value of 'email' would reference the UserModel.getEmail() method. kc.identity.authc.method=Authentication Method regexAttributeValues=Regex Attribute Values otpTypeHelp=totp is Time-Based One Time Password. 'hotp' is a counter base one time password in which the server keeps a counter to hash against. setAsDefaultAction=Set as default action keyForCodeExchange=Proof Key for Code Exchange Code Challenge Method clientProfiles=Client profiles endpointsHelp=Shows the configuration of the Service Provider endpoint mapperTypeLdapAttributeMapper=hardcoded-ldap-attribute-mapper unlockAllUsers=Unlock all users noGroupsText=You haven't added this user to any groups. Join a group to get started. createClientPolicyError=Could not create policy due to\: {{error}} eventTypes.EXECUTE_ACTIONS_ERROR.name=Execute actions error path=Path overwritten=Overwritten mapperNameHelp=Name of the mapper deleteProviderError=Error deleting the provider supportedLocalesHelp=The locales to support for this realm. The user chooses one of these locales on the login screen. comparisonHelp=Specifies the comparison method used to evaluate the requested context classes or statements. The default is "Exact". generatedIdTokenIsDisabled=Generated id token is disabled when no user is selected nodeHost=Node host eventTypes.REGISTER_NODE_ERROR.description=Register node error eventListenersHelpTextHelp=Configure what listeners receive events for the realm. acrToLoAMapping=ACR to LoA Mapping advancedSettingsSaml=This section is used to configure advanced settings of this client resetCredentialsError=Error resetting users credentials\: {{error}} eventTypes.INTROSPECT_TOKEN.name=Introspect token unspecified=Unspecified deleteMappingTitle=Delete mapping? profile=Profile active=Active generateKeysDescription=If you generate new keys, you can download the keystore with the private key automatically and save it on your client's side. Keycloak server will save just the certificate and public key, but not the private key. addSubFlowTitle=Add a sub-flow useTruststoreSpiHelp=Specifies whether LDAP connection will use the Truststore SPI with the truststore configured in command-line options. 'Always' means that it will always use it. 'Never' means that it will not use it. Note that even if Keycloak truststore is not configured, the default java cacerts or certificate specified by 'javax.net.ssl.trustStore' property will be used. forcePostBindingHelp=Always use POST binding for responses. executorName=Name VERIFY_EMAIL=Verify Email (VERIFY_EMAIL) realmCertificateAlias=Realm certificate alias roleName=Role name addOrigins=Add Origin evictionDayHelp=Day of the week the entry will become invalid actionTokens=Action tokens permissionResources=Specifies that this permission must be applied to a specific resource instance. testConnectionHint.withoutEmail=To test the connection you must first configure an e-mail address for the current user ({{userName}}). includeOneTimeUseConditionHelp=Should a OneTimeUse Condition be included in login responses? availableIdPsText=All the configured identity providers in this realm are listed here. You can link the user account to any of the IdP accounts. accessTokenLifespanHelp=Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout editableRowsTable=Editable rows table redirectURIHelp=The redirect uri to use when configuring the identity provider. permissionsEnabled=Permissions enabled saveRealmError=Could not create realm {{error}} attestationPreference.none=None pairwiseSubAlgorithmSalt.label=Salt addGroupsToGroupPolicy=Add groups to group policy deniedScopes=Denied scopes updateClientProfilesSuccess=The client profiles configuration was updated flow.docker\ auth=Docker authentication flow useEntityDescriptor=Use entity descriptor loginActionTimeout=Login action timeout windowsDomainQN=Windows Domain Qualified Name deleteClientError=Could not delete profile\: {{error}} validRedirectURIs=Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http\://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request. UPDATE_PROFILE=Update Profile (UPDATE_PROFILE) assertionConsumerServicePostBindingURL=Assertion Consumer Service POST Binding URL removeImported=Remove imported endpoints=Endpoints roleSaveError=Could not save role\: {{error}} keySize=Key size membershipUserLdapAttributeHelp=Used just if Membership Attribute Type is UID. It is the name of the LDAP attribute on user, which is used for membership mappings. Usually it will be 'uid'. For example if the value of 'Membership User LDAP Attribute' is 'uid' and LDAP group has 'memberUid\: john', then it is expected that particular LDAP user will have attribute 'uid\: john'. validatingX509CertsHelp=The certificate in PEM format that must be used to check for signatures. Multiple certificates can be entered, separated by comma (,). samlCapabilityConfig=SAML capabilities accessTokenSignatureAlgorithmHelp=JWA algorithm used for signing access tokens. derFormatted=DER formatted periodicChangedUsersSyncHelp=Whether periodic synchronization of changed or newly created LDAP users to Keycloak should be enabled or not signatureAlgorithmHelp=The signature algorithm to use to sign documents. Note that 'SHA1' based algorithms are deprecated and can be removed in the future. It is recommended to stick to some more secure algorithm instead of '*_SHA1' allow-default-scopes.tooltip=If on, newly registered clients will be allowed to have client scopes mentioned in realm default client scopes or realm optional client scopes emailVerified=Email verified addExecutionHelp=Execution can have a wide range of actions, from sending a reset email to validating an OTP requestObjectRequiredHelp=Specifies if the client needs to provide a request object with their authorization requests, and what method they can use for this. If set to "not required", providing a request object is optional. In all other cases, providing a request object is mandatory. If set to "request", the request object must be provided by value. If set to "request_uri", the request object must be provided by reference. If set to "request or request_uri", either method can be used. clientScopesRolesScope=If there is no role scope mapping defined, each user is permitted to use this client scope. If there are role scope mappings defined, the user must be a member of at least one of the roles. passwordPoliciesHelp.notUsername=The password cannot match the username. removeConfirm_one=Are you sure you want to remove this group createUserProviderSuccess=User federation provider successfully created countHelp=Specifies how many clients can be created using the token mapperTypeHardcodedLdapGroupMapper=hardcoded-ldap-group-mapper Monday=Monday resetCredentialsSuccess=The password has been reset successfully. added=Added authnContextDeclRefs=AuthnContext DeclRefs clientAssertionAudienceHelp=The audience to use for the client assertion. The default value is the IDP's token endpoint URL. externalRoleToRole=Looks for an external role in a keycloak access token. If external role exists, grant the user the specified realm or client role. attributeGroup=Attribute group deleteExecutionError=Could not delete execution\: {{error}} hideInheritedRoles=Hide inherited roles consentRequired=Consent required selectMethodType.import=Import standardFlow=Standard flow votedToStatus=\ voted to {{status}} credentialResetConfirmText=Are you sure you want to send email to user clientScopeType.default=Default helpFileUpload=Upload a JSON file addProvider_one=Add {{provider}} provider clientPoliciesPolicies=Client Policies Policies editUSernameHelp=If enabled, the username is editable, otherwise it is read-only. removeAllAssociatedRoles=Remove all associated roles flowCreatedSuccess=Flow created fineGrainOpenIdConnectConfiguration=Fine grain OpenID Connect configuration flow.reset\ credentials=Reset credentials flow eventTypes.DELETE_ACCOUNT_ERROR.name=Delete account error eventTypes.CLIENT_DELETE_ERROR.name=Client delete error noRolesInstructions-client=You haven't created any roles for this client. Create a role to get started. test=Test leaveGroup_one=Leave group {{name}}? count=Count noPasswordPoliciesInstructions=You haven't added any password policies to this realm. Add a policy to get started. testAuthentication=Test authentication groupNameLdapAttributeHelp=Name of LDAP attribute, which is used in group objects for name and RDN of group. Usually it will be 'cn'. In this case typical group/role object may have DN like 'cn\=Group1,ouu\=groups,dc\=example,dc\=org'. deleteError=Could not delete the provider {{error}} attributeDisplayName=Display name pkceEnabled=Use PKCE userProviderSaveSuccess=User federation provider successfully saved month=Month valueLabel=Value dropNonexistingGroupsDuringSyncHelp=If this flag is true, then during sync of groups from LDAP to Keycloak, we will keep just those Keycloak groups that still exist in LDAP. The rest will be deleted. expiration=Expiration addKerberosWizardTitle=Add Kerberos user federation provider noPasswordPolicies=No password policies resourceTypes=Resource types deleteConfirmTitle_one=Delete group? eventTypes.UPDATE_PROFILE_ERROR.description=Update profile error webAuthnUpdateSuccess=Updated webauthn policies successfully authorizationSignedResponseAlg=Authorization response signature algorithm mapperTypeFullNameLdapMapperHelp=Used to map the full-name of a user from single attribute in LDAP (usually 'cn' attribute) to firstName and lastName attributes of UserModel in Keycloak DB includeInUserInfo.label=Add to userinfo onDragMove=Dragging item {{item}} back=Back deleteScopeConfirm=If you delete this authorization scope, some permissions will be affected. updateOtpSuccess=OTP policy successfully updated title=Authentication deleteAttributeError=Attribute not deleted enableClientSignatureRequiredExplain=If you enable "Client signature required", the adapter of this client will be updated. You may need to download a new adapter for this client. You need to generate or import keys for this client otherwise the authentication will not work. policiesConfigTypes.formView=Form view residentKey.No=No nodeReRegistrationTimeout=Node Re-registration timeout fineGrainSamlEndpointConfigHelp=This section to configure exact URLs for Assertion Consumer and Single Logout Service. connectionURL=Connection URL validateCustomUserSearchFilter=Filter must be enclosed in parentheses, for example\: (filter) accessTokenLifespan=Access Token Lifespan loginWithEmailHelpText=Allow users to log in with their email address. eventTypes.IDENTITY_PROVIDER_LINK_ACCOUNT.name=Identity provider link account deleteMessageBundleSuccess=Successfully removed the message from the bundle retry=Press here to refresh and continue selectAttributes=Select attributes firstBrokerLoginFlowAliasHelp=Alias of authentication flow, which is triggered after first login with this identity provider. Term 'First Login' means that no Keycloak account is currently linked to the authenticated identity provider account. owner=Owner eventTypes.VERIFY_PROFILE.description=Verify profile executorAuthenticatorMultiSelectHelpText=Executor Authenticator MultiSelect Help Text eventTypes.FEDERATED_IDENTITY_LINK_ERROR.name=Federated identity link error eventTypes.EXECUTE_ACTIONS.name=Execute actions encryptAssertions=Encrypt assertions disableConfirmTitle=Disable realm? custom=Custom Attribute... keyTab=Key tab addSamlProvider=Add SAML provider permission=Permission saveEventListeners=Save Event Listeners capabilityConfig=Capability config mapperTypeMsadUserAccountControlManagerHelp=Mapper specific to MSAD. It's able to integrate the MSAD user account state into Keycloak account state (account enabled, password is expired etc). It's using userAccountControl and pwdLastSet MSAD attributes for that. For example if pwdLastSet is 0, the Keycloak user is required to update the password; if userAccountControl is 514 (disabled account) the Keycloak user is disabled as well etc. Mapper is also able to handle the exception code from LDAP user authentication. home=Home bindFlow=Bind flow userAttributeValue=User Attribute Value browserFlowHelp=Select the flow you want to use for browser authentication. tokenLifespan.never=Never expires notFound=Could not find the resource that you are looking for passMaxAge=Pass max_age disablePolicyConfirmTitle=Disable policy? eventTypes.LOGIN_ERROR.description=Login error linkAccount=Link account attestationPreference.direct=Direct eventTypes.OAUTH2_DEVICE_AUTH_ERROR.description=Oauth2 device authentication error unlinkUsers=Unlink users userLdapFilter=User LDAP filter emailVerification=Email Verification configSaveError=Could not save the execution config\: {{error}} clientAuthenticatorTypeHelp=Client Authenticator used for authentication of this client against Keycloak server cachePolicyHelp=Cache Policy for this storage provider. 'DEFAULT' is whatever the default settings are for the global cache. 'EVICT_DAILY' is a time of day every day that the cache will be invalidated. 'EVICT_WEEKLY' is a day of the week and time the cache will be invalidated. 'MAX_LIFESPAN' is the time in milliseconds that will be the lifespan of a cache entry. eventTypes.CUSTOM_REQUIRED_ACTION_ERROR.description=Custom required action error eventTypes.SEND_RESET_PASSWORD.name=Send reset password requiredFor=Required for scopePermissions.users.map-roles-description=Policies that decide if administrator can map roles for all users bindCredentialsHelp=Password of LDAP admin. This field is able to obtain its value from vault, use ${vault.ID} format. searchForAdminEvent=Search admin event unitLabel=Select a time unit webAuthnPolicySignatureAlgorithms=Signature algorithms eventTypes.GRANT_CONSENT_ERROR.name=Grant consent error action=Action shortVerificationUri=Short verification_uri in Device Authorization flow placeholderText=Select one deleteCredentialsError=Error deleting users credentials\: {{error}} authDefaultActionTooltip=If enabled, any new user will have this required action assigned to it. validateBindCredentials=You must enter the password of the LDAP admin evictionMinuteHelp=Minute of the hour the entry will become invalid includeAuthnStatement=Include AuthnStatement validatorType=Validator type attributesHelp=Name and (regex) value of the attributes to search for in token. The configured name of an attribute is searched in SAML attribute name and attribute friendly name fields. Every given attribute description must be met to set the role. If the attribute is an array, then the value must be contained in the array. If an attribute can be found several times, then one match is sufficient. samlAttributeToRole=If an attribute exists, grant the user the specified realm or client role. enableStartTls=Enable StartTLS addIdPMapper=Add Identity Provider Mapper createPermissionSuccess=Successfully created the permission roleAuthentication=Role authentication homeURL=Home URL eventTypes.REVOKE_GRANT_ERROR.name=Revoke grant error contentSecurityPolicyReportOnly=Content-Security-Policy-Report-Only firstBrokerLoginFlowAlias=First login flow missingAttributes=No attributes have been defined yet. Click the below button to add attributes, key and value are required for a key pair. testConnectionError=Error\! {{error}} authenticatedAccessPoliciesHelp=Those Policies are used when Client Registration Service is invoked by authenticated request. This means that the request contains Initial Access Token or Bearer Token. deleteClientPolicyProfileSuccess=Profile successfully removed from the policy. reGenerateSigningExplain=If you regenerate signing key for client, the Keycloak database will be updated and you may need to download a new adapter for this client. evaluate=Evaluate enableLdapv3Password=Enable the LDAPv3 password modify extended operation status=Status dragInstruction=Click and drag to change priority clients=Clients clientName=Name syncModes.force=Force deleteMappingConfirm=Are you sure you want to delete this mapping? createClientProfileSuccess=New client profile created eventTypes.CLIENT_LOGIN_ERROR.description=Client login error explainBearerOnly=This is a special OIDC type. This client only allows bearer token requests and cannot participate in browser logins. noMessageBundlesInstructions=Add a message bundle to get started. clearFile=Clear this file allowCreate=Allow create providerUpdatedError=Could not update client policy due to {{error}} usersAddedError=Could not add users to the group\: {{error}} orderChangeErrorUserFed=Could not change the priority order of user federation providers {{error}} scopeParameterPlaceholder=Select scope parameters deleteClientPolicyConfirmTitle=Delete policy? validateRdnLdapAttribute=You must enter an RDN LDAP attribute policyUrlHelp=URL that the Relying Party Client provides to the End-User to read about the how the profile data will be used fromDisplayName=From display name affirmative=Affirmative clientRoles=Client roles removeRoles=Remove roles flowNameDescriptionHelp=Help text for the name description of the new flow maxFailureWaitSecondsHelp=Max time a user will be locked out. groupsPath=Groups path useRealmRolesMapping=Use realm roles mapping identityProviderEntityId=Identity provider entity ID userInfoSignedResponseAlgorithm=User info signed response algorithm selectGroup=Select group scopePermissions.groups.view-members-description=Policies that decide if an administrator can view the members of this group tableOfGroups=Table of groups allowed-protocol-mappers.tooltip=Whitelist of allowed protocol mapper providers. If there is an attempt to register client, which contains some protocol mappers, which were not whitelisted, registration request will be rejected. policyProvider.role=Define conditions for your permissions where a set of one or more roles is permitted to access an object. targetOptions.brokerId=BROKER_ID eventTypes.VERIFY_PROFILE.name=Verify profile useRealmRolesMappingHelp=If true, then LDAP role mappings will be mapped to realm role mappings in Keycloak. Otherwise it will be mapped to client role mappings. forwardParameters=Forwarded query parameters isAccessTokenJWTHelp=The Access Token received from the Identity Provider is a JWT and its claims will be accessible for mappers. frontchannelLogoutUrl=Front-channel logout URL testConnectionHint.withoutEmailAction=Configure e-mail address webAuthnUpdateError=Could not update webauthn policies due to {{error}} paginationHelp=Whether the LDAP server supports pagination oAuthMutualHelp=This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that keycloak bind an access token and a refresh token with a X.509 certificate of a token requesting client exchanged in mutual TLS between keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens. deleteProviderTitle=Delete key provider? scopes=Scopes accessTokens=Access tokens columnName=Name flowType=Flow type syncLDAPGroupsSuccessful=Data successfully synced {{result}} policyEnforcementModes.PERMISSIVE=Permissive subject=Subject DN use=Use defaultAdminInitiated=Default Admin-Initiated Action Lifespan chooseAMapperType=Choose a mapper type startTimeHelp=Defines the time before which the policy MUST NOT be granted. Only granted if current date/time is after or equal to this value. noGroupsInThisRealm=No groups in this realm searchUserByAttributeKeyAlreadyInUseError=Attribute key already in use executorClientAuthenticator=Executor Client Authenticator addWebOrigins=Add web origins clientScopeExplain=Client scopes are a common set of protocol mappers and roles that are shared between multiple clients. attributeNameHelp=Name of attribute to search for in assertion. You can leave this blank and specify a friendly name instead. linkAccountTitle=Link account to {{provider}} invalidateRotatedSuccess=Rotated secret successfully removed userSessionAttributeHelp=Name of user session attribute you want to hardcode updateSuccessIdentityProvider=Provider successfully updated host=Host forbidden_one=Forbidden, permission needed\: backchannelLogoutRevokeOfflineSessions=Backchannel logout revoke offline sessions supportedApplications=Supported applications shortVerificationUriTooltipHelp=If set, this value will be return as verification_uri in Device Authorization flow. This uri need to redirect to {server-root}/realms/{realm}/device kerberosPrincipal=Kerberos Principal resourceAttribute=Resource attribute addressClaim.region.label=User Attribute Name for Region applyToResourceTypeFlagHelp=Specifies if this permission should be applied to all resources with a given type. In this case, this permission will be evaluated for all instances of a given resource type. managePriorityInfo=Priority is the order of providers when doing a user lookup. You can drag the row handlers to change the priorities. deletedErrorIdentityProvider=Could not delete the provider {{error}} included.custom.audience.tooltip=This is used just if 'Included Client Audience' is not filled. The specified value will be included in audience (aud) field of the token. If there are existing audiences in the token, the specified value is just added to them. It won't override existing audiences. includeInIdToken.label=Add to ID token steps=Steps tokenDeleteConfirm=Are you sure you want to permanently delete the initial access token {{id}} flowCreateError=Could not create flow\: {{error}} readTimeoutHelp=LDAP read timeout in milliseconds. This timeout applies for LDAP read operations. registrationAccessTokenHelp=The registration access token provides access for clients to the client registration service. host-sending-registration-request-must-match.tooltip=If on, any request to Client Registration Service is allowed just if it was sent from some trusted host or domain. profilesConfigTypes.formView=Form view validatorDeletedSuccess=Success\! User Profile configuration has been saved. canonicalization=Canonicalization method deleteConfirmTitle=Delete realm? includeInAccessTokenResponse.label=Add to access token response SSOSessionMax=SSO Session Max clientScope=Client scope inheritedFrom=Inherited from clientScopeSearch.name=Name deleteConditionSuccess=The condition has been deleted clientProfile=Client profile details syncAllUsers=Sync all users allowedClockSkewHelp=Clock skew in seconds that is tolerated when validating identity provider tokens. Default value is zero. disableConfirmIdentityProvider=Are you sure you want to disable the provider '{{provider}}' clientSaveError=Client could not be updated\: {{error}} tokenSaveError=Could not create initial access token {{error}} certificate=Certificate deleteConfirmExecutionMessage=Are you sure you want to permanently delete the execution "<1>{{name}}". offlineSessionMaxLimitedHelp=Enable offline session max delete=Delete userGroupsRetrieveStrategyHelp=Specify how to retrieve groups of user. LOAD_GROUPS_BY_MEMBER_ATTRIBUTE means that roles of user will be retrieved by sending LDAP query to retrieve all groups where 'member' is our user. GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE means that groups of user will be retrieved from 'memberOf' attribute of our user or from the other attribute specified by 'Member-Of LDAP Attribute'. hour=Hour connectionTimeoutHelp=LDAP connection timeout in milliseconds repeat=Repeat defaultSigAlgHelp=Default algorithm used to sign tokens for the realm save-admin-events=If enabled, admin events are saved to the database, which makes events available to the Admin UI. policyGroups=Specifies which user(s) are allowed by this policy. searchForProtocol=Search protocol mapper eventTypes.CLIENT_INFO.name=Client info eventTypes.OAUTH2_DEVICE_CODE_TO_TOKEN.description=Oauth2 device code to token eventTypes.UPDATE_TOTP_ERROR.name=Update totp error client-updater-source-groups.tooltip=Name of groups to check. Condition evaluates to true if the entity, who creates/updates client is member of some of the specified groups. Configured groups are specified by their simple name, which must match to the name of the Keycloak group. No support for group hierarchy is used here. webAuthnPolicyRpId=Relying party ID ldapRolesDnHelp=LDAP DN where roles of this tree are saved. For example, 'ou\=finance,dc\=example,dc\=org' serviceAccount=Service accounts roles providerUpdatedSuccess=Client policy updated successfully assertionConsumerServiceRedirectBindingURL=Assertion Consumer Service Redirect Binding URL createClientScopeError=Could not create client scope\: '{{error}}' deleteRole=Delete this role SSOSessionSettings=SSO Session Settings directAccessHelp=This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. In terms of OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client. groupHelp=Group to add the user in. Fill the full path of the group including path. For example\: '/root-group/child-group'. clientPolicyNameHelp=Display name of the policy addressClaim.country.label=User Attribute Name for Country downloadType=this is information about the download type clustering=Clustering createSuccess=Identity provider successfully created mapperAttributeName=Attribute Name setPassword=Set password client-updater-source-roles.tooltip=The condition is checked during client registration/update requests and it evaluates to true if the entity (usually user), who is creating/updating client is member of the specified role. For reference the realm role, you can use the realm role name like 'my_realm_role' . For reference client role, you can use the client_id.role_name for example 'my_client.my_client_role' will refer to client role 'my_client_role' of client 'my_client'. createRole=Create role clientDeletedSuccess=The client has been deleted eventTypes.IDENTITY_PROVIDER_RESPONSE_ERROR.description=Identity provider response error editModeLdapHelp=READ_ONLY is a read-only LDAP store. WRITABLE means data will be synced back to LDAP on demand. UNSYNCED means user data will be imported, but not synced back to LDAP. enableServiceAccount=Enable service account roles signOutAllActiveSessionsQuestion=Sign out all active sessions? addPostLogoutRedirectUri=Add valid post logout redirect URIs SSOSessionMaxRememberMe=SSO Session Max Remember Me pkceMethod=PKCE Method noRoles-user=No roles for this user moveGroupEmptyInstructions=There are no sub groups, select 'Move here' to move the selected group as a subgroup of this group hmacGenerated=hmac-generated unlockSuccess=User successfully unlocked unlockError=Could not unlock user due to {{error}} hourHelp=Defines the hour when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current hour is between or equal to the two values you provided. deleteClientProfileConfirmTitle=Delete profile? syncLDAPGroupsError=Data could not be synced due {{error}} saveSuccess=User federation provider successfully saved generatedAccessToken=Generated access token resetPasswordConfirmation=New password confirmation testConnection=Test connection archiveFormat=Archive format requestObjectEncryptionHelp=JWE algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', encryption is optional and any algorithm is allowed. importSuccess=New certificate imported attributeConsumingServiceName=Attribute Consuming Service Name invalidJsonError=Unable to save user profile, the provided information is not valid JSON. promptHelp=Specifies whether the Authorization Server prompts the End-User for re-authentication and consent. deleteBtn=Delete defaultLocale=Default locale addLdapWizardDescription=Text needed here aggregate.attrs.label=Aggregate attribute values removedGroupMembershipError=Error removing group membership allowPasswordAuthenticationHelp=Enable/disable possibility of username/password authentication against Kerberos database deleteExecutorSuccess=Success\! The executor was deleted. eventTypes.SEND_RESET_PASSWORD_ERROR.name=Send reset password error eventTypes.IDENTITY_PROVIDER_FIRST_LOGIN.name=Identity provider first login noRoles-groups=No roles for this group enableSwitchSuccess={{switch}} changed successfully eventTypes.INTROSPECT_TOKEN_ERROR.name=Introspect token error usernameHelperText=Enter the username of the user for this identity provider. includeInAccessToken.tooltip=Should the claim be added to the access token? noScopeCreateHint=You'll need to create an authorization scope first. eventTypes.CLIENT_INITIATED_ACCOUNT_LINKING_ERROR.name=Client initiated account linking error clientScopesCondition=Expected Scopes backchannelLogoutSessionRequiredHelp=Specifying whether a sid (session ID) Claim is included in the Logout Token when the Backchannel Logout URL is used. global=Global userAttributeHelp=Name of user attribute you want to hardcode searchForMapper=Search for mapper oidcCibaGrantHelp=This enables support for OIDC CIBA Grant, which means that the user is authenticated via some external authentication device instead of the user's browser. includeOneTimeUseCondition=Include OneTimeUse Condition clientUpdaterSourceRoles=Updating entity role enableSwitchError=Could not enable / disable due to {{error}} deleteClientPolicyProfileConfirm=This action will permanently delete {{profileName}} from the policy {{policyName}}. This cannot be undone. deleteExecutorProfileConfirm=The action will permanently delete {{executorName}}. This cannot be undone. confirmClientSecretBody=If you regenerate secret, the Keycloak database will be updated and you will need to download a new adapter for this client. keysList=Keys list generatedUserInfo=Generated user info clientRegistration=Client registration masterSamlProcessingUrl=Master SAML Processing URL samlIdentityProviderMetadata=SAML 2.0 Identity Provider Metadata importParseError=Could not parse the file {{error}} validTo=Valid to addMember=Add member eventTypes.CLIENT_INFO_ERROR.name=Client info error scopeParameterHelp=You can copy/paste this value of scope parameter and use it in initial OpenID Connect Authentication Request sent from this client adapter. Default client scopes and selected optional client scopes will be used when generating token issued for this client idTokenEncryptionKeyManagementAlgorithm=ID token encryption key management algorithm authenticatorAttachment.not\ specified=Not specified oidcCibaGrant=OIDC CIBA Grant displayDescriptionHintHelp=A text that should be used as a tooltip when rendering user-facing forms. ssoSessionIdle=Time a session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired. searchKey=Search key deleteClientSuccess=Client profile deleted emptyClientScopesPrimaryAction=Add client scopes addStepTo=Add step to {{name}} eventTypes.AUTHREQID_TO_TOKEN_ERROR.description=Authreqid to token error deleteAttributeConfirm=Are you sure you want to permanently delete the attribute {{attributeName}}? chooseResources=Choose the resources you want to import selectOne=Select an option emailTheme=Email theme eventTypes.UPDATE_PASSWORD.description=Update password policiesConfigTypes.jsonEditor=JSON editor eventConfigSuccessfully=Successfully saved configuration scopePermissions.users.impersonate-description=Policies that decide if administrator can impersonate other users deleteResourceWarning=The permissions below will be removed when they are no longer used by other resources\: permissionScopesHelp=Specifies that this permission must be applied to one or more scopes. moveTo=Move to registerNodeManually=Register node manually redirectURI=Redirect URI publicKeys=Public keys emptyEventsInstructions=There are no more events types left to add periodicFullSync=Periodic full sync removeConfirmTitle_other=Remove groups? clientAccesstypeTooltip=Access Type of the client, for which the condition will be applied. emptyBuiltInMappersInstructions=All built in mappers were added to this client assertionLifespanHelp=Lifespan set in the SAML assertion conditions. After that time the assertion will be invalid. The "SessionNotOnOrAfter" attribute is not modified and continue using the "SSO Session Max" time defined at realm level. noTokensInstructions=You haven't created any initial access tokens. Create an initial access token by clicking "Create". editUsername=If enabled, the username field is editable, readonly otherwise. ldapAttributeValueHelp=Value of the LDAP attribute, which will be added to the new user during registration. You can either hardcode any value like 'foo' but you can also use some special tokens. Only supported token right now is '${RANDOM}', which will be replaced with some randomly generated string. lastRegistration=Last registration advancedSettingsOpenid-connect=This section is used to configure advanced settings of this client related to OpenID Connect protocol requireSsl=Require SSL reevaluate=Re-evaluate clientOfflineSessionMax=Client Offline Session Max eventTypes.SEND_VERIFY_EMAIL.description=Send verify email eventTypes.REVOKE_GRANT_ERROR.description=Revoke grant error descriptionLanding=This is the description for the user federation landing page moveHere=Move here noKeys=No keys batchSizeHelp=Count of LDAP users to be imported from LDAP to Keycloak within a single transaction createClientConditionSuccess=Condition created successfully. kerberosKeyTab=Kerberos Key Tab principalAttribute=Principal attribute mapperTypeLdapAttributeMapperHelp=This mapper is supported just if syncRegistrations is enabled. New users registered in Keycloak will be written to the LDAP with the hardcoded value of some specified attribute. userRegistrationHelpText=Enable/disable the registration page. A link for registration will show on login page too. activeHelp=Set if the keys can be used for signing addMapperExplain=If you want more fine-grain control, you can create protocol mapper on this client realmRoles=Realm roles fineGrainOpenIdConnectConfigurationHelp=This section is used to configure advanced settings of this client related to OpenID Connect protocol. searchForUserDescription=This realm may have a federated provider. Viewing all users may cause the system to slow down, but it can be done by searching for "*". Please search for a user above. expirationHelp=Sets the expiration for events. Expired events are periodically deleted from the database. webAuthnPolicySignatureAlgorithmsHelp=What signature algorithms should be used for Authentication Assertion. setToNowError=Error\! Failed to set notBefore to current date and time. eventTypes.UNREGISTER_NODE_ERROR.description=Unregister node error clientScopeTypes.optional=Optional nameIdFormat=Name ID format eventTypes.SEND_VERIFY_EMAIL_ERROR.name=Send verify email error addMessageBundleSuccess=Success\! The message bundle has been added. validRedirectUri=Valid redirect URIs webauthnIntro=What is this form used for? wantAssertionsEncryptedHelp=Indicates whether this service provider expects an encrypted Assertion. roleObjectClasses=Role object classes deleteClientScope_other=Delete {{count}} client scopes deleteCredentialsConfirmTitle=Delete credentials? expires=Expires OVERWRITE=Overwrite user-clearEvents=Deletes all user events in the database. eventTypes.REFRESH_TOKEN.name=Refresh token userAttribute=User Attribute revoke=Revoke admin=Admin syncUsersError=Could not sync users\: '{{error}}' generatedAccessTokenHelp=See the example access token, which will be generated and sent to the client when selected user is authenticated. You can see claims and roles that the token will contain based on the effective protocol mappers and role scope mappings and also based on the claims/roles assigned to user himself webAuthnPolicyAcceptableAaguidsHelp=The list of AAGUID of which an authenticator can be registered. keyPasswordHelp=Password for the private key frontchannelLogout=Front channel logout clientUpdaterTrustedHostsTooltip=List of Hosts, which are trusted. In case that client registration/update request comes from the host/domain specified in this configuration, condition evaluates to true. You can use hostnames or IP addresses. If you use star at the beginning (for example '*.example.com' ) then whole domain example.com will be trusted. titleRoles=Realm roles mapperTypeGroupLdapMapperHelp=Used to map group mappings of groups from some LDAP DN to Keycloak group mappings sectorIdentifierUri.tooltip=Providers that use pairwise sub values and support Dynamic Client Registration SHOULD use the sector_identifier_uri parameter. It provides a way for a group of websites under common administrative control to have consistent pairwise sub values independent of the individual domain names. It also provides a way for Clients to change redirect_uri domains without having to reregister all their users. eventTypes.REVOKE_GRANT.name=Revoke grant rdnLdapAttribute=RDN LDAP attribute usedBy=Used by replyToDisplayName=Reply to display name xRobotsTag=X-Robots-Tag bindType=Bind type tokenDeleteSuccess=Initial access token deleted successfully contextualInfo=Contextual Information syncModeHelp=Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are\: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider. temporaryPassword=Temporary applyPolicyHelp=Specifies all the policies that must be applied to the scopes defined by this policy or permission. addKerberosWizardDescription=Text needed here sslType.none=None dateTo=Date(to) eventTypes.REVOKE_GRANT.description=Revoke grant keyPlaceholder=Type a key eventTypes.OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR.name=Oauth2 device verify user code error addAuthnContextDeclRef=Add AuthnContext DeclRef eventTypes.SEND_IDENTITY_PROVIDER_LINK.description=Send identity provider link eventTypes.IDENTITY_PROVIDER_RETRIEVE_TOKEN.name=Identity provider retrieve token userInfo=User info consentScreenText=Consent screen text addRoles=Add roles clientPoliciesProfilesHelpText=Client Profile allows to setup set of executors, which are enforced for various actions done with the client. Actions can be admin actions like creating or updating client, or user actions like authentication to the client. archiveFormatHelp=Java keystore or PKCS12 archive format. xContentTypeOptions=X-Content-Type-Options groupsDescription=A group is a set of attributes and role mappings that can be applied to a user. You can create, edit, and delete groups and manage their child-parent organization. addValidatorRole=Add {{validatorName}} validator protocolTypes.all=All keyAlias=Key alias prefix=A prefix for each Realm Role (optional). xContentTypeOptionsHelp=Default value prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type <1>Learn more privateKeyMask=PRIVATE KEY NOT SET UP OR KNOWN signOutAllActiveSessions=Sign out all active sessions addExecutorSuccess=Success\! Executor created successfully executorTypeSelectHelpText=Executor Type Select Help Text useDiscoveryEndpointHelp=If this setting is enabled, the discovery endpoint will be used to fetch the provider config. Keycloak can load the config from the endpoint and automatically update the config if the source has any updates eventTypes.USER_INFO_REQUEST_ERROR.name=User info request error createUserProviderError=User federation provider could not be created\: {{error}} learnMore=Learn more onDragCancel=Dragging cancelled. List is unchanged. removeUser=Remove users ownerManagedAccess=User-Managed access enabled eventTypes.USER_DISABLED_BY_PERMANENT_LOCKOUT.description=User disabled by permanent lockout userModelAttributeNameHelp=Name of the model attribute to be added when importing user from LDAP templateHelp=Template to use to format the username to import. Substitutions are enclosed in ${}. For example\: '${ALIAS}.${CLAIM.sub}'. ALIAS is the provider alias. CLAIM. references an ID or Access token claim. The substitution can be converted to upper or lower case by appending |uppercase or |lowercase to the substituted value, e.g. '${CLAIM.sub | lowercase} permissions=Permissions emptyExecutionInstructions=You can start defining this flow by adding a sub-flow or an execution offlineSessionSettings=Offline session settings unAssignRole=Unassign deleteScope=Permanently delete authorization scope? eventTypes.CODE_TO_TOKEN.description=Code to token oAuthDevicePollingIntervalHelp=The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint. passwordDataTitle=Password data accountThemeHelp=Select a theme for the user account management console. clientPolicies=Client policies NONE=NONE keystorePasswordHelp=Password for the keys clientSettings=Client details deleteClientPolicyConditionConfirm=This action will permanently delete {{condition}}. This cannot be undone. selectATheme=Select a theme permissionsList=Permission list attributeGroupHelp=user.profile.attribute.group.tooltip createRealm=Create realm eventTypes.VALIDATE_ACCESS_TOKEN_ERROR.description=Validate access token error mapperSaveError=Error saving mapper\: {{error}} eventTypes.CLIENT_LOGIN_ERROR.name=Client login error passwordPoliciesHelp.passwordHistory=Prevents a recently used password from being reused. displayOnConsentScreenHelp=If on, and this client scope is added to some client with consent required, the text specified by 'Consent Screen Text' will be displayed on consent screen. If off, this client scope will not be displayed on the consent screen requirements.DISABLED=Disabled mapperTypeHardcodedLdapGroupMapperHelp=Users imported from LDAP will be automatically added into this configured group. titleUsers=Users whoWillAppearLinkText=Who will appear in this group list? ldapFullNameAttribute=LDAP full name attribute createClientError=Could not create client\: '{{error}}' deleteConfirmClientScopes=Are you sure you want to delete this client scope forceAuthenticationHelp=Indicates whether the identity provider must authenticate the presenter directly rather than rely on a previous security context. testClusterAvailability=Test cluster availability reGenerateSigning=Regenerate signing key for this client authorizationEncryptedResponseAlgHelp=JWA Algorithm used for key management in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted. deleteConfirmGroup_other=Are you sure you want to delete these groups. scopePermissions.users.manage-description=Policies that decide if an administrator can manage all users in the realm defaultACRValuesHelp=Default values to be used as voluntary ACR in case that there is no explicit ACR requested by 'claims' or 'acr_values' parameter in the OIDC request. membershipAttributeType=Membership attribute type eventTypes.PUSHED_AUTHORIZATION_REQUEST.name=Pushed authorization request included.client.audience.tooltip=The Client ID of the specified audience client will be included in audience (aud) field of the token. If there are existing audiences in the token, the specified value is just added to them. It won't override existing audiences. searchGroup=Search group allowCreateHelp=Allow the external identity provider to create a new identifier to represent the principal. allResults=All results addressClaim.locality.tooltip=Name of User Attribute, which will be used to map to 'locality' subclaim inside 'address' token claim. Defaults to 'locality' . keyForCodeExchangeHelp=Choose which code challenge method for PKCE is used. If not specified, keycloak does not applies PKCE to a client unless the client sends an authorization request with appropriate code challenge and code exchange method. includeInAccessTokenResponse.tooltip=Should the claim be added to the access token response? Should only be used for informative and non-sensitive data removeMappingConfirm_one=Are you sure you want to remove this role? oidcSettings=OpenID Connect settings otpPolicyDigitsHelp=How many digits should the OTP have? clientAuthentications.client_secret_post=Client secret sent as post prompts.select_account=Select account defaultACRValues=Default ACR Values valueError=A value must be provided. noConsents=No consents orderChangeSuccessUserFed=Successfully changed the priority order of user federation providers noUsersEmptyStateDescriptionContinued=to find them. Users that already have this role as an effective role cannot be added here. userProviderSaveError=User federation provider could not be saved\: {{error}} executorsHelpText=Executors, which will be applied for this client profile ldapSearchingAndUpdatingSettings=LDAP searching and updating authenticationAliasHelp=Name of the configuration SSOSessionIdle=SSO Session Idle deleteClientPolicyConditionConfirmTitle=Delete condition? initialCounterErrorHint=Value needs to be between 1 and 120 connectionTimeout=Connection timeout passLoginHintHelp=Pass login_hint to identity provider. monthHelp=Defines the month which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current month is between or equal to the two values you provided. eventTypes.CLIENT_LOGIN.description=Client login registrationAccessToken=Registration access token headerName=header name issuerHelp=The issuer identifier for the issuer of the response. If not provided, no validation will be performed. uiDisplayNameHelp=Display name of provider when linked in the Admin UI titleSessions=Sessions dedicatedScopeName={{clientName}}-dedicated mapperTypeUserAttributeLdapMapper=user-attribute-ldap-mapper deleteAttributeConfirmTitle=Delete attribute? importSkipped_zero=No records skipped. rootURL=Root URL appended to relative URLs contentSecurityPolicyHelp=Default value prevents pages from being included by non-origin iframes <1>Learn more policyUsers=Specifies which user(s) are allowed by this policy. logoutServicePostBindingURLHelp=SAML POST Binding URL for the client's single logout service. You can leave this blank if you are using a different binding generatedIdTokenNo=No generated id token byConfiguration=By configuration usersAdded_other={{count}} users added to the group userFedUnlinkUsersConfirmTitle=Unlink all users? passCurrentLocale=Pass current locale realmNameField=Realm name roleCreated=Role created socialProfileJSONFieldPath=Social Profile JSON Field Path noViewRights=You do not have rights to view this group. eventTypes.SEND_RESET_PASSWORD.description=Send reset password eventTypes.CLIENT_INITIATED_ACCOUNT_LINKING.name=Client initiated account linking resourceScopeError=Could not remove the authorization scope due to {{error}} identityInformation=Identity Information usermodel.clientRoleMapping.rolePrefix.label=Client Role prefix partialImport=Partial import cibaBackhannelTokenDeliveryModes.ping=Ping includeInTokenScopeHelp=If on, the name of this client scope will be added to the access token property 'scope' as well as to the Token Introspection Endpoint response. If off, this client scope will be omitted from the token and from the Token Introspection Endpoint response. savePassword=Save password noRolesInstructions-user=You haven't assigned any roles to this user. Assign a role to get started. signatureKeyNameHelp=Signed SAML documents contain identification of signing key in KeyName element. For Keycloak / RH-SSO counterparty, use KEY_ID, for MS AD FS use CERT_SUBJECT, for others check and use NONE if no other option works. sync-keycloak-roles-to-ldap=Sync Keycloak roles to LDAP decisionStrategies.UNANIMOUS=Unanimous cacheSettingsDescription=This section contains options useful for caching users, which were loaded from this user storage provider. groupsPathHelp=Keycloak group path the LDAP groups are added to. For example if value '/Applications/App1' is used, then LDAP groups will be available in Keycloak under group 'App1', which is child of top level group 'Applications'. The default value is '/' so LDAP groups will be mapped to the Keycloak groups at the top level. The configured group path must already exist in the Keycloak when creating this mapper. aesGenerated=aes-generated addPolicy=Add policy tokenClaimName.label=Token Claim Name executorsTable=Executors table extendToChildren=Extend to children from=From decisionStrategyHelp=The decision strategy dictates how permissions are evaluated and how a final decision is obtained. 'Affirmative' means that at least one permission must evaluate to a positive decision in order to grant access to a resource and its scopes. 'Unanimous' means that all permissions must evaluate to a positive decision in order for the final decision to be also positive. deleteClientPolicyProfileError=Could not delete profile from the policy\: {{error}} greaterThan=Must be greater than {{value}} hideOnLoginPage=Hide on login page couldNotCreateGroup=Could not create group {{error}} defaultRole=This role serves as a container for both realm and client default roles. It cannot be removed. eventConfigs=Event configs conditionsHelp=Conditions, which will be evaluated to determine if client policy should be applied during particular action or not. disableProvider=Disable provider? eventTypes.UNREGISTER_NODE.name=Unregister node anonymousAccessPoliciesHelp=Those Policies are used when the Client Registration Service is invoked by unauthenticated request. This means that the request does not contain Initial Access Token nor Bearer Token. clientScopeError=Could not update scope mapping {{error}} saveRealmSuccess=Realm created successfully createToken=Create initial access token clientsClientTypeHelp='OpenID Connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information. orderChangeSuccess=Successfully changed display order of identity providers emptyPoliciesInstructions=If you want to create a policy, please click the button below to create the policy. createScopeSuccess=Authorization scope created successfully logoUrl=Logo URL accessTokenLifespanImplicitFlowHelp=Max time before an access token issued during OpenID Connect Implicit Flow is expired. This value is recommended to be shorter than the SSO timeout. There is no possibility to refresh token during implicit flow, that's why there is a separate timeout different to 'Access Token Lifespan' noRealmRolesToAssign=There are no realm roles to assign logoutUrl=Logout URL regexPatternHelp=Specifies the regex pattern. searchForUserEvent=Search user event usernameLdapAttributeHelp=Name of the LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be 'uid'. For Active directory it can be 'sAMAccountName' or 'cn'. The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak. federationLink=Federation link webAuthnPolicyPasswordlessFormHelp=Policy for passwordless WebAuthn authentication. This one will be used by 'Webauthn Register Passwordless' required action and 'WebAuthn Passwordless Authenticator' authenticator. Typical usage is, when WebAuthn will be used as first-factor authentication. Having both 'WebAuthn Policy' and 'WebAuthn Passwordless Policy' allows to use WebAuthn as both first factor and second factor authenticator in the same realm. unlinkUsersError=Could not unlink users\: '{{error}}' roleHelpHelp=Role to grant to user. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole. storedTokensReadable=Stored tokens readable defaultRoleDeleteError=You cannot delete a default role. unknownUser=Anonymous displayHeaderField=Display name userVerify.not\ specified=Not specified usermodel.prop.label=Property userFedUnlinkUsersConfirm=Do you want to unlink all the users? Any users without a password in the database will not be able to authenticate anymore. searchUserByAttributeDescription=It supports setting multiple attributes as the search filter by setting different keys or values. Only one value can be typed for a key. eventTypes.REMOVE_FEDERATED_IDENTITY.name=Remove federated identity membership=Membership eventTypes.RESET_PASSWORD.description=Reset password authenticationOverrides=Authentication flow overrides client-scopes-condition.label=Expected Scopes deleteAttributeSuccess=Attribute deleted artifactResolutionService=Artifact Resolution Service clientProfilesSubTab=Client profiles subtab selectEncryptionType=Select Encryption type mapperTypeMsadLdsUserAccountControlMapper=msad-user-account-control-mapper realmSettingsExplain=Realm settings are settings that control the options for users, applications, roles, and groups in the current realm. mappingUpdatedError=Could not update mapping\: '{{error}}' manageDisplayOrder=Manage display order exactSearch=Exact search value=Value filenamePlaceholder=Upload a PEM file or paste key below deleteConfirm_one=Are you sure you want to delete this group '{{groupName}}'. userProfileEnabledHelp=If enabled, allows managing user profiles. scopeDisplayNameHelp=A unique name for this scope. The name can be used to uniquely identify a scope, useful when querying for a specific scope. times.seconds=Seconds removeMappingTitle=Remove role? executorTypeSelectAlgorithm=Executor Type Select Algorithm resources=Resources userRolesRetrieveStrategy=User roles retrieve strategy importKey=Import key events-disable-title=Unsave events? ellipticCurve=Elliptic Curve forceArtifactBindingHelp=Should response messages be returned to the client through the SAML ARTIFACT binding system? forceAuthentication=Force authentication connectionPoolingHelp=Determines if Keycloak should use connection pooling for accessing LDAP server. unlink=Unlink groupRemove_other=Groups removed claimFilterName=Essential claim deletePolicy=Permanently delete policy? assertionConsumerServiceRedirectBindingURLHelp=SAML Redirect Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding. searchFor=Search role by name providers=Add providers writeOnly=Write only noRolesInstructions-clientScopes=You haven't created any roles for this client scope. Create a role to get started. removeImportedUsersMessage=Do you really want to remove all imported users? The option "Unlink users" makes sense just for the Edit Mode "Unsynced" and there should be a warning that "unlinked" users without the password in Keycloak database won't be able to authenticate. noGroupsInThisSubGroup=No groups in this sub group validateUserObjectClasses=You must enter one or more user object classes encryptionAlgorithm=Encryption Algorithm requiredForLabel.users=Only users groupUpdated=Group updated hideMetaData=Hide metadata customAttribute=Custom Attribute… themes=Themes clientType=Client type addClientScope=Add client scope notBeforeSuccess=Success\! "Not before" set for realm clientPoliciesSubTab=Client policies subtab quickLoginCheckMilliSecondsHelp=If a failure happens concurrently too quickly, lock out the user. unanimous=Unanimous policy-name=The name of this policy. syncRegistrations=Sync Registrations eventTypes.REMOVE_TOTP.name=Remove totp clientHelp=Select the client making this authorization request. If not provided, authorization requests would be done based on the client you are in. eventTypes.CLIENT_REGISTER_ERROR.name=Client register error unlockUsersError=Could not unlock all users {{error}} serviceProviderEntityIdHelp=The Entity ID that will be used to uniquely identify this SAML Service Provider. disabledFeatures=Disabled features eventTypes.UPDATE_CONSENT_ERROR.name=Update consent error noAdminUrlSet=No push sent. No admin URI configured or no registered cluster nodes available authData=Authorization data realmInfo=Realm info chooseAPolicyType=Choose a policy type signOut=Sign out deleteExecutorError=Could not delete executor\: {{error}} userProfileError=Could not update user profile settings\: {{error}} validatorDialogColNames.colName=Role name clientUpdaterSourceRolesTooltip=The condition is checked during client registration/update requests and it evaluates to true if the entity (usually user), who is creating/updating client is member of the specified role. For reference the realm role, you can use the realm role name like 'my_realm_role' . For reference client role, you can use the client_id.role_name for example 'my_client.my_client_role' will refer to client role 'my_client_role' of client 'my_client'. UPDATE_PASSWORD=Update password (UPDATE_PASSWORD) version=Version synchronizationSettings=Synchronization settings certificateHelp=Client Certificate for validate JWT issued by client and signed by Client private key from your keystore. resetPasswordError=Error resetting password\: {{error}} associatedPermissions=Associated permission encryptionKeysConfigExplain=If you enable the "Encryption assertions" below, you must configure the encryption keys by generating or importing keys, and the SAML assertions will be encrypted with the client's public key using AES. preserveGroupInheritanceHelp=Flag whether group inheritance from LDAP should be propagated to Keycloak. If false, then all LDAP groups will be mapped as flat top-level groups in Keycloak. Otherwise group inheritance is preserved into Keycloak, but the group sync might fail if LDAP structure contains recursions or multiple parent groups per child groups. createScopeBasedPermission=Create scope-based permission showMore=Show more operationType=Operation type userInitiatedActionLifespan=User-Initiated Action Lifespan decisionStrategy=Decision strategy roleMappingUpdatedSuccess=Role mapping updated securityDefences=Security defenses realmSettings=Realm settings emptyStateInstructions=If you want to add an attributes group click the button below. logoutAllSessionsError=Error\! Failed to log out of all sessions\: {{error}}. eventTypes.VERIFY_EMAIL_ERROR.name=Verify email error partialExport=Partial export eventTypes.CLIENT_REGISTER.description=Client register generalOptions=General options decisionStrategies.AFFIRMATIVE=Affirmative helpEnabled=Help on defaultGroupsHelp=Default groups allow you to automatically assign groups membership whenever any new user is created or imported through <1>identity brokering. times.years=Years userLdapFilterHelp=Additional LDAP filter for filtering searched users. Leave this empty if you don't need an additional filter. Make sure that it starts with '(' and ends with ')'. generatedIdToken=Generated ID token effectiveRoleScopeMappings=Effective role scope mappings clientAuthenticator=Client Authenticator importAdded_other={{count}} records added. oAuthDeviceCodeLifespanHelp=Max time before the device code and user code are expired. This value needs to be a long enough lifetime to be usable (allowing the user to retrieve their secondary device, navigate to the verification URI, login, etc.), but should be sufficiently short to limit the usability of a code obtained for phishing. dynamicScopeHelp=If on, this scope will be considered a Dynamic Scope, which will be comprised of a static and a variable portion. attributePermissionDescription=This section contains permissions for who can edit and who can view the attribute. providerDetails=Provider details groupDeleteError=Error deleting group {{error}} editGroupText=Edit attributes group updateFirstLoginHelp=Update profile on first login deleteGroup=Delete group eventTypes.VERIFY_EMAIL_ERROR.description=Verify email error close=Close usersDNHelp=Full DN of LDAP tree where your users are. This DN is the parent of LDAP users. It could be for example 'ou\=users,dc\=example,dc\=com' assuming that your typical user will have DN like 'uid\='john',ou\=users,dc\=example,dc\=com'. addKeycloakOpenIdProvider=Add Keycloak OpenID Connect provider clientSessionMax=Client Session Max deleteClientPolicy=Delete client policy authenticatorAttachment.cross-platform=Cross platform whoCanView=Who can view? lastAccess=Last access emptyClientScopesInstructions=There are currently no client scopes linked to this client. You can add existing client scopes to this client to share protocol mappers and roles. clientAuthentications.private_key_jwt=JWT signed with private key uiDisplayName=UI display name createClientSuccess=Client created successfully adminEventsSettings=Admin events settings cibaInterval=Interval totalMemory=Total memory usernameTemplateImporter=Format the username to import. resourceNameHelp=A unique name for this resource. The name can be used to uniquely identify a resource, useful when querying for a specific resource. times.minutes=Minutes disableUserInfo=Disable user info authorizationEncryptedResponseEnc=Authorization response encryption content encryption algorithm editCondition=Edit condition ssoSessionMaxRememberMe=Max time before a session is expired when a user has set the remember me option. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Max value. forcePostBinding=Force POST binding usersExplain=Users are the users in the current realm. passMaxAgeHelp=Pass max_age to identity provider. exportFail=Could not export realm\: '{{error}}' flowTypeHelp=What kind of form is it targetHelp=Destination field for the mapper. LOCAL (default) means that the changes are applied to the username stored in local database upon user import. BROKER_ID and BROKER_USERNAME means that the changes are stored into the ID or username used for federation user lookup, respectively. setPasswordConfirm=Set password? attributeDisplayNameHelp=Display name for the attribute. Supports keys for localized values as well. For example\: ${profile.attribute.phoneNumber}. assignedType=Assigned type modeHelp=LDAP_ONLY means that all group mappings of users are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where group mappings are retrieved from both LDAP and DB and merged together. New group joins are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where group mappings are retrieved from LDAP just at the time when user is imported from LDAP and then they are saved to local keycloak DB. identityProvider=Identity provider forgotPasswordHelpText=Show a link on login page for user to click when they have forgotten their credentials. identityProviderLinks=Identity provider links mapperTypeMsadLdsUserAccountControlMapperHelp=Mapper specific to MSAD LDS. It's able to integrate the MSAD LDS user account state into Keycloak account state (account enabled, password is expired etc). It's using msDS-UserAccountDisabled and pwdLastSet is 0, the Keycloak user is required to update password, if msDS-UserAccountDisabled is 'TRUE' the Keycloak user is disabled as well etc. Mapper is also able to handle exception code from LDAP user authentication. leave=Leave loginSettings=Login settings deleteMessageBundleError=Error removing the message from the bundle, {{error}} finish=Finish eventTypes.LOGIN_ERROR.name=Login error validations=Validations updatedRequiredActionError=Could not update required action\: {{error}} createChildGroup=Create child group x509Certificate=X509 Certificate addressClaim.formatted.label=User Attribute Name for Formatted Address metadataOfDiscoveryEndpoint=Metadata of the discovery endpoint add=Add createPolicySuccess=Successfully created the policy notVerified=Not verified encryptionKeysConfig=Encryption keys config updateClientProfileSuccess=Client profile updated successfully openIDEndpointConfiguration=OpenID Endpoint Configuration prompts.login=Login users=Users keyTabHelp=Location of Kerberos KeyTab file containing the credentials of server principal. For example, /etc/krb5.keytab wantAssertionsEncrypted=Want Assertions encrypted noClientPoliciesInstructions=There are no client policies. Select 'Create client policy' to create a new client policy. deleteValidatorConfirmMsg=Are you sure you want to permanently delete the validator {{validatorName}}? uris=URIs jwksUrlConfig=JWKS URL configs forceNameIdFormatHelp=Ignore requested NameID subject format and use Admin UI configured one. validateKeyTab=You must enter a key tab editUsernameAllowed=Edit username searchType.attribute=Attribute search saveProviderError=Error saving provider\: {{error}} port=Port searchForPermission=Search for permission ldapFilterHelp=LDAP Filter adds an additional custom filter to the whole query for retrieve LDAP groups. Leave this empty if no additional filtering is needed and you want to retrieve all groups from LDAP. Otherwise make sure that filter starts with '(' and ends with ')'. clientUpdaterSourceGroupsTooltip=Name of groups to check. Condition evaluates to true if the entity, who creates/updates client is member of some of the specified groups. Configured groups are specified by their simple name, which must match to the name of the Keycloak group. No support for group hierarchy is used here. addRequestUri=Add valid request URIs selectACondition=Select a condition ldapAttributeValue=LDAP attribute value jwksUrlHelp=URL where identity provider keys in JWK format are stored. See JWK specification for more details. If you use external Keycloak identity provider, you can use URL like 'http\://broker-keycloak\:8180/realms/test/protocol/openid-connect/certs' assuming your brokered Keycloak is running on 'http\://broker-keycloak\:8180' and its realm is 'test' . eventTypes.CLIENT_DELETE.description=Client delete emptyResources=No resources roleHelp=Role to grant to user if all attributes are present. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference a client role the syntax is clientname.clientrole, i.e. myclient.myrole ldapSynchronizationSettingsDescription=This section contains options related to synchronization of users from LDAP to the Keycloak database. addPredefinedMappers=Add predefined mappers updatedRequiredActionSuccess=Updated required action successfully roles=Roles displayOrder=Display order registrationAllowed=User registration choose=Choose... appliedByProviders=Applied by the following providers saveEventListenersSuccess=Event listener has been updated. eventTypes.IDENTITY_PROVIDER_LINK_ACCOUNT.description=Identity provider link account eventTypes.TOKEN_EXCHANGE.name=Token exchange skipped=Skipped eventTypes.RESTART_AUTHENTICATION.description=Restart authentication scopePermissions.users.manage-group-membership-description=Policies that decide if an administrator can manage group membership for all users in the realm. This is used in conjunction with specific group policy loginTheme=Login theme eventTypes.UPDATE_PASSWORD_ERROR.description=Update password error deleteConfirmRealmSetting=If you delete this realm, all associated data will be removed. scope=Scope evaluateExplain=This page allows you to see all protocol mappers and role scope mappings providerCreateError=Could not create client policy due to {{error}} includeRepresentationHelp=Include JSON representation for create and update requests. searchForClientScope=Search for client scope removeAttribute=Remove attribute deleteProviderSuccess=Success. The provider has been deleted. sessionsType.offline=Offline validatorDeletedError=Error saving User Profile\: {{error}} preserveGroupInheritance=Preserve group inheritance createClientScopeSuccess=Client scope created selectOrTypeAKey=Select or type a key resourceDetails=Resource details authorizationScopes=Authorization scopes fromDisplayNameHelp=A user-friendly name for the 'From' address (optional). identityProviderEntityIdHelp=The Entity ID used to validate the Issuer for received SAML assertions. If empty, no Issuer validation is performed. noRoles-client=No roles for this client eventTypes.EXECUTE_ACTION_TOKEN_ERROR.name=Execute action token error eventTypes.USER_INFO_REQUEST_ERROR.description=User info request error policyRoles=Specifies the client roles allowed by this policy. roleMapping=Role mapping accountLinkingOnlyHelp=If true, users cannot log in through this provider. They can only link to this provider. This is useful if you don't want to allow login from the provider, but want to integrate with a provider refreshTokenMaxReuseHelp=Maximum number of times a refresh token can be reused. When a different token is used, revocation is immediate. eventTypes.REMOVE_FEDERATED_IDENTITY.description=Remove federated identity childGroups=Child groups eventTypes.IDENTITY_PROVIDER_LOGIN.name=Identity provider login exportAuthDetailsError=Error exporting authorization details\: {{error}} clientOfflineSessionIdleHelp=Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Idle value. selectGroups=Select groups to join webAuthnPolicyAuthenticatorAttachmentHelp=Communicates to an authenticator an acceptable attachment pattern. username=Username mappedGroupAttributes=Mapped group attributes localization=Localization importConfig=Import config from file replyToDisplayNameHelp=A user-friendly name for the 'Reply-To' address (optional). webAuthnPolicyRpIdHelp=This is ID as WebAuthn Relying Party. It must be origin's effective domain. signingKeysConfigExplain=If you enable the "Client signature required" below, you must configure the signing keys by generating or importing keys, and the client will sign their saml requests and responses. The signature will be validated. newClientProfile=Create client profile consoleDisplayConnectionUrlHelp=Connection URL to your LDAP server enabledWhen=Enabled when clientAssertionSigningAlg=Client assertion signature algorithm homeURLHelp=Default URL to use when the auth server needs to redirect or link back to the client. ldapAttribute=LDAP attribute fullScopeAllowedHelp=Allows you to disable all restrictions. eventTypes.SEND_IDENTITY_PROVIDER_LINK_ERROR.description=Send identity provider link error otpType=OTP type algorithm=Algorithm grantedScopes=Granted scopes groupNameLdapAttribute=Group name LDAP attribute deleteProviderConfirm=Are you sure you want to permanently delete the key provider {{provider}}? removeConfirmTitle_one=Remove group? eventTypes.PUSHED_AUTHORIZATION_REQUEST_ERROR.description=Pushed authorization request error includeInTokenScope=Include in token scope eventType=Event saved type tokenDeleteConfirmTitle=Delete initial access token? useRefreshTokenForClientCredentialsGrant=Use refresh tokens for client credentials grant userDetails=User details sectorIdentifierUri.label=Sector Identifier URI inputTypeStep=Input step size mapperTypeHelp=Used to map single attribute from LDAP user to attribute of UserModel in Keycloak DB importWarning=The data and settings imported above may overwrite the data and settings that already exist. kerberosRequiredSettingsDescription=This section contains a few basic options common to all user storage providers. resetPasswordFor=Reset password for {{username}} duplicateEmailsAllowed=Duplicate emails deleteEventsConfirm=If you clear all events of this realm, all records will be permanently cleared in the database noGroupsInThisRealmInstructions=You haven't created any groups in this realm. Create a group to get started. eventTypes.REMOVE_TOTP_ERROR.name=Remove totp error groupUpdateError=Error updating group {{error}} logoutAllSessions=Logout all sessions membershipUserLdapAttribute=Membership user LDAP attribute noKeysDescription=You haven't created any active keys rememberMeHelpText=Show checkbox on login page to allow user to remain logged in between browser restarts until session expires. eventTypes.UPDATE_EMAIL.name=Update email notBeforeHelp=Revoke any tokens issued before this time for this client. To push the policy, you should set an effective admin URL in the Settings tab first. protocolTypes.saml=SAML idTokenSignatureAlgorithm=ID token signature algorithm displayHeaderHintHelp=A user-friendly name for the group that should be used when rendering a group of attributes in user-facing forms. Supports keys for localized values as well. For example\: ${profile.attribute.group.address}. providerInfo=Provider info ssoServiceUrl=Single Sign-On service URL inputHelperTextAfter=Helper text (under) the input field appliedByClients=Applied by the following clients createFlowHelp=You can create a top level flow within this from defaultLocaleHelp=The initial locale to use. It is used on the login screen and other screens in the Admin UI and Account UI. deleteConfirmFlowMessage=Are you sure you want to permanently delete the flow "<1>{{flow}}". webAuthnPolicyAuthenticatorAttachment=Authenticator Attachment logoutServiceSoapBindingUrlHelp=SAML SOAP Binding URL for the client's single logout service. You can leave this blank if you are using a different binding. kerberos=Kerberos noNodesInstructions=There are no nodes registered, you can add one manually. login=Login eventTypes.IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR.name=Identity provider retrieve token error local=Local noGroupsInThisSubGroupInstructions=You haven't created any groups in this sub group. validatorColNames.colName=Validator name userVerify.required=Required searchMembers=Search members keySizeHelp=Size for the generated keys otpSupportedApplications.totpAppGoogleName=Google Authenticator clientDeleteConfirmTitle=Delete client? policyDetails=Policy details changedUsersSyncHelp=Period for synchronization of changed or newly created LDAP users in seconds trustEmailHelp=If enabled, email provided by this provider is not verified even if verification is enabled for the realm. editModeKerberosHelp=READ_ONLY means that password updates are not allowed and user always authenticates with Kerberos password. UNSYNCED means that the user can change the password in the Keycloak database and this one will be used instead of the Kerberos password. invalidateRotatedSecretExplain=After invalidating rotated secret, the rotated secret will be removed automatically clientSessionMaxHelp=Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Max value. clientScopeDetails=Client scope details requiredHelp=Set the attribute as required. If enabled, the attribute must be set by users and administrators. Otherwise, the attribute is optional. clientScopeRemoveError=Could not remove the scope mapping {{error}} mapperTypeRoleLdapMapper=role-ldap-mapper testConnectionHint.withEmail=When testing the connection an e-mail will be sent to the current user ({{email}}). adminURLHelp=URL to the admin interface of the client. Set this if the client supports the adapter REST API. This REST API allows the auth server to push revocation policies and other administrative tasks. Usually this is set to the base URL of the client. otpPolicyPeriodHelp=How many seconds should an OTP token be valid? Defaults to 30 seconds. otpPolicyCodeReusableHelp=Possibility to use the same OTP code again after successful authentication. parentId=Parent ID storePasswordHelp=Password to access the archive itself directAccess=Direct access grants logoutServiceSoapBindingUrl=Logout Service SOAP Binding URL userFedDeletedSuccess=The user federation provider has been deleted. eventTypes.UNREGISTER_NODE.description=Unregister node whoWillAppearPopoverTextRoles=This tab shows only the users who are assigned directly to this role. To see users who are assigned this role as an associated role or through a group, go to showPassword=Show password field in clear text logic=Logic clientScopeSearch.type=Assigned type scopePermissions.groups.manage-membership-description=Policies that decide if an administrator can add or remove users from this group resourceType=Resource type copied=Authorization details copied. scopeName=A unique name for this scope. The name can be used to uniquely identify a scope, useful when querying for a specific scope. userObjectClassesHelp=All values of LDAP objectClass attribute for users in LDAP, divided by commas. For example\: 'inetOrgPerson, organizationalPerson'. Newly created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records are found just if they contain all those object classes. userInfoUrlHelp=The User Info Url. This is optional. clientProfileSearch=Search addSavedTypes=Add saved types setPasswordFor=Set password for {{username}} eventTypes.CODE_TO_TOKEN.name=Code to token updateUserLocale=Update User Locale whoWillAppearPopoverTextUsers=Groups are hierarchical. When you select Direct Membership, you see only the child group that the user joined. Ancestor groups are not included. mapperCreateError=Error creating mapper. resetBtn=Reset mode=Mode kc.realm.name=Realm userFedDisableConfirmTitle=Disable user federation provider? impersonate=Impersonate eventTypes.CLIENT_REGISTER.name=Client register mappingTable=Table with predefined mapping requestObject.not\ required=Not required adminURL=Admin URL generatedAccessTokenNo=No generated access token always=Always pkceEnabledHelp=Use PKCE (Proof of Key-code exchange) for IdP Brokering settings=Settings webAuthnPolicyUserVerificationRequirement=User verification requirement failureFactorHelp=How many failures before wait is triggered. unlinkAccountTitle=Unlink account from {{provider}}? noNodes=No nodes registered singleLogoutServiceUrlHelp=The Url that must be used to send logout requests. authorizationEncryptedResponseAlg=Authorization response encryption key management algorithm useTruststoreSpi=Use Truststore SPI allowEcpFlowHelp=This client is allowed to use ECP flow for authenticating users. noSessions=No sessions clipboardCopyError=Error copying to clipboard. storeTokens=Store tokens usermodel.clientRoleMapping.rolePrefix.tooltip=A prefix for each client role (optional). deleteConfirmCurrentUser=Are you sure you want to permanently delete this user eventTypes.CLIENT_REGISTER_ERROR.description=Client register error addClientScopesTo=Add client scopes to {{clientName}} x509=X.509 Subject Name showDataBtn=Show data dedicatedScopeDescription=Dedicated scope and mappers for this client Sunday=Sunday editMode=Edit mode updatePasswordPolicySuccess=Password policies successfully updated passwordHelp=SMTP password. This field is able to obtain its value from vault, use ${vault.ID} format. clientUpdaterContext=The condition checks the context how is client created/updated to determine whether the policy is applied. For example it checks if client is created with admin REST API or OIDC dynamic client registration. And for the letter case if it is ANONYMOUS client registration or AUTHENTICATED client registration with Initial access token or Registration access token and so on. removedGroupMembership=Removed group membership deleteScopeWarning=The permissions below will be removed when they are no longer used by other authorization scopes\: compositeRoleOff=Composite role turned off fullSyncPeriod=Full sync period clientsExplain=Clients are applications and services that can request authentication of a user. addNode=Add node jwksUrl=JWKS URL policy-description=A description for this policy. defaultPasswordLabel=My password mapperUserAttributeName=User Attribute Name importClient=Import client deleteMapperSuccess=Mapper successfully deleted. scopeSaveError=Could not persist authorization scope due to {{error}} used.SPECIFIC_PROVIDERS=Specific providers deletedSuccessIdentityProvider=Provider successfully deleted. reload=Reload eventTypes.CLIENT_INITIATED_ACCOUNT_LINKING_ERROR.description=Client initiated account linking error eventTypes.IDENTITY_PROVIDER_LOGIN_ERROR.name=Identity provider login error scopePermissions.groups.view-description=Policies that decide if an administrator can view this group tokens=Tokens createFlow=Create flow encryptAssertionsHelp=Should SAML assertions be encrypted with client's public key using AES? oAuthDPoPHelp=This enables support for Demonstrating Proof-of-Possession (DPoP) bound tokens. The access and refresh tokens are bound to the key stored on the user agent. In order to prove the possession of the key, the user agent must send a signed proof alongside the token. unsavedChangesConfirm=You have unsaved changes. Do you really want to leave the page? disabledOff=Disabled off membershipLdapAttributeHelp=Name of LDAP attribute on group, which is used for membership mappings. Usually it will be 'member'. However when 'Membership Attribute Type' is 'UID', then 'Membership LDAP Attribute' could be typically 'memberUid'. usersLeftError=Could not remove users from the group\: {{error}} addTypes=Add types pushedAuthorizationRequestRequiredHelp=Boolean parameter indicating whether the authorization server accepts authorization request data only via the pushed authorization request method. requirement=Requirement any=Any minute=Minute useJwksUrl=Use JWKS URL wantAssertionsSigned=Want Assertions signed roleSaveSuccess=The role has been saved scopeParameter=Scope parameter unsigned=Unsigned userGroupsRetrieveStrategy=User groups retrieve strategy addSubFlow=Add sub-flow validatingPublicKeyHelp=The public key in PEM format that must be used to verify external IDP signatures. client-uris-must-match.label=Client URIs Must Match webAuthnPolicyAcceptableAaguids=Acceptable AAGUIDs noRoles-roles=No roles in this realm logoutServiceRedirectBindingURLHelp=SAML Redirect Binding URL for the client's single logout service. You can leave this blank if you are using a different binding. deleteMapperConfirm=Are you sure you want to permanently delete the mapper {{mapper}}? scopePermissions.roles.map-role-description=Policies that decide if an administrator can map this role to a user or group backchannelUrlInvalid=Backchannel logout URL is not a valid URL eventTypes.LOGIN.description=Login impersonateConfirm=Impersonate user? scopePermissions.clients.map-roles-client-scope-description=Policies that decide if an administrator can apply roles defined by this client to the client scope of another client accessTokenSuccess=Access token regenerated includeInIdToken.tooltip=Should the claim be added to the ID token? validRequestURIs=Valid request URIs allowPasswordAuthentication=Allow password authentication federationLinkHelp=UserStorageProvider this locally stored user was imported from. validateUsernameLDAPAttribute=You must enter a username LDAP attribute pairwiseSubAlgorithmSalt.tooltip=Salt used when calculating the pairwise subject identifier. If left blank, a salt will be generated. waitIncrementSecondsHelp=When failure threshold has been met, how much time should the user be locked out? allowKerberosAuthentication=Allow Kerberos authentication addressClaim.formatted.tooltip=Name of User Attribute, which will be used to map to 'formatted' subclaim inside 'address' token claim. Defaults to 'formatted' . predefinedMappingDescription=Choose any of the predefined mappings from this table allowedClockSkew=Allowed clock skew privateRSAKey=Private RSA Key createPermission=Create permission moveToGroup=Move {{group1}} to {{group2}} noRealmRoles=No realm roles events-disable-confirm=If "Save events" is disabled, subsequent events will not be displayed in the "Events" menu reqAuthnConstraints=Requested AuthnContext Constraints userProfileEnabled=User Profile Enabled eventTypes.PUSHED_AUTHORIZATION_REQUEST.description=Pushed authorization request addIdpMapperNameHelp=Name of the mapper. requirements.ALTERNATIVE=Alternative claimFilterValueHelp=Value of the essential claim (with regex support) credentialResetConfirm=Send Email permissionsEnabledHelp=Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up. consentScreenTextHelp=Text that will be shown on the consent screen when this client scope is added to some client with consent required. Defaults to name of client scope if it is not filled realmRolesList=Realm roles roleList=Role list kerberosRealm=Kerberos realm scopePermissions.groups.manage-members-description=Policies that decide if an administrator can manage the members of this group consentRequiredHelp=If enabled, users have to consent to client access. flow.direct\ grant=Direct grant flow eventTypes.EXECUTE_ACTION_TOKEN.name=Execute action token groupName=Group name eventTypes.RESTART_AUTHENTICATION.name=Restart authentication authorizationUrl=Authorization URL eventTypes.VALIDATE_ACCESS_TOKEN.name=Validate access token contextualAttributes=Contextual Attributes replyTo=Reply to providerDescription=Provider description downloadAdapterConfig=Download adapter config scopePermissions.clients.view-description=Policies that decide if an administrator can view this client allowEcpFlow=Allow ECP flow rsa=rsa setPasswordConfirmText=Are you sure you want to set the password for the user {{username}}? updateErrorIdentityProvider=Could not update the provider {{error}} emptyProfiles=No client profiles configured createClientProfileError=Could not create client profile\: '{{error}}' usermodel.clientRoleMapping.clientId.tooltip=Client ID for role mappings. Just client roles of this client will be added to the token. If this is unset, client roles of all clients will be added to the token. targetOptions.local=LOCAL addMessageBundleError=Error creating message bundle, {{error}} pkceMethodHelp=PKCE Method to use encryption=Encryption addExecutorError=Executor not created scopePermissions.clients.manage-description=Policies that decide if an administrator can manage this client vendor=Vendor roleRemoveAssociatedText=This action will remove {{role}} from {{roleName}}. All the associated roles of {{role}} will also be removed. disabled=Disabled idpInitiatedSsoRelayState=IDP Initiated SSO Relay State attribute=Attribute clientScopesConditionTooltip=The list of expected client scopes. Condition evaluates to true if specified client request matches some of the client scopes. It depends also whether it should be default or optional client scope based on the 'Scope Type' configured. timestamp=Created date principalAttributeHelp=Name or Friendly Name of the attribute used to identify external users. nameIdPolicyFormat=NameID policy format idpInitiatedSsoUrlName=IDP-Initiated SSO URL name selectMethod=Select method deleteConfirmExecution=Delete execution? eventTypes.VALIDATE_ACCESS_TOKEN_ERROR.name=Validate access token error xFrameOptions=X-Frame-Options scopeDescriptionHelp=Description of the client scope deletedErrorRealmSetting=Could not delete realm\: {{error}} copyInitialAccessToken=Please copy and paste the initial access token before closing as it can not be retrieved later. consensus=Consensus scopePermissions.roles.map-role-composite-description=Policies that decide if an administrator can apply this role as a composite to another role emptyEvents=Nothing to add residentKey.Yes=Yes eventTypes.SEND_IDENTITY_PROVIDER_LINK.name=Send identity provider link ssoSessionIdleRememberMe=Time a remember me session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Idle value. SSOSessionIdleRememberMe=SSO Session Idle Remember Me cibaBackchannelTokenDeliveryModeHelp=Specifies how the CD (Consumption Device) gets the authentication result and related tokens. This mode will be used by default for the CIBA clients, which do not have other mode explicitly set. eventTypes.REGISTER_NODE.description=Register node supported=Supported deleteAttributeText=Delete an attribute deleteNodeSuccess=Node successfully removed includeInIntrospection.label=Add to token introspection roleImportSuccess=Role import successful tokenUrl=Token URL executionConfig={{name}} config grantedClientScopes=Granted client scopes keyError=A key must be provided. addAnnotationText=Add annotation helpToggleInfo=This toggle will enable / disable part of the help info in the UI. Includes any help text, links and popovers. clientProfileName=Client profile name effectiveProtocolMappers=Effective protocol mappers userVerify.preferred=Preferred syncModes.legacy=Legacy allowRegexComparisonHelp=If OFF, then the Subject DN from given client certificate must exactly match the given DN from the 'Subject DN' property as described in the RFC8705 specification. The Subject DN can be in the RFC2553 or RFC1779 format. If ON, then the Subject DN from given client certificate should match regex specified by 'Subject DN' property. eventTypes.UPDATE_TOTP_ERROR.description=Update totp error titleEvents=Events signServiceProviderMetadata=Sign service provider metadata updateClientPoliciesError=Provided JSON is incorrect\: Unexpected token { in JSON acceptsPromptNoneHelp=This is just used together with Identity Provider Authenticator or when kc_idp_hint points to this identity provider. In case that client sends a request with prompt\=none and user is not yet authenticated, the error will not be directly returned to client, but the request with prompt\=none will be forwarded to this identity provider. roleDetails=Role details eventTypes.USER_INFO_REQUEST.name=User info request clientScopeType.none=None results=Results userRolesRetrieveStrategyHelp=Specify how to retrieve roles of user. LOAD_ROLES_BY_MEMBER_ATTRIBUTE means that roles fo user will be retrieved by sending LDAP query to retrieve all roles where 'member' is our user. GET_ROLES_FROM_USER_MEMBEROF means that roles of user will be retrieved from 'memberOf' attribute of our user. Or from the other attributes specified by 'Member-Of LDAP Attribute'. LOAD_ROLES_BY_MEMBER_ATTRIBUTE is applicable just in Active Directory and it means that roles of user will be retrieved recursively with usage of LDAP_MATCHING_RULE_IN_CHAIN LDAP extension. roleDeleteError=Could not delete role\: {{error}} selectScope=Select a scope attributeDefaultValue=Attribute default value eventTypes.UPDATE_PASSWORD_ERROR.name=Update password error addGroups=Add groups offlineSessionIdle=Offline Session Idle mapperAttributeFriendlyName=Friendly name addProvider=Add provider readOnlyHelp=Read-only attribute is imported from LDAP to UserModel, but it's not saved back to LDAP when user is updated in Keycloak. resourceDeletedError=Could not remove the resource {{error}} backchannelLogoutUrl=Backchannel logout URL requestObjectEncodingHelp=JWE algorithm, which client needs to use when encrypting the content of the OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', any algorithm is allowed. minimumQuickLoginWaitSeconds=Minimum quick login wait duplicate=Duplicate clientAccesstype=Client Access Type roleDeleteConfirm=Delete role? createClientProfileNameHelperText=The name must be unique within the realm disabledHelp=A disabled user cannot log in. eventTypes.UPDATE_PROFILE_ERROR.name=Update profile error adminThemeHelp=Select a theme for administration console. name=Name deleteConfirmDialog_other=Are you sure you want to permanently delete {{count}} selected users targetOptions.brokerUsername=BROKER_USERNAME clientList=Clients eventTypes.REGISTER_ERROR.description=Register error infoDisabledFeatures=Shows all disabled features. userSession.modelNote.label=User Session Note next=Next userLabel=User label pagination=Pagination changeAuthenticatorConfirm=If you change authenticator to {{clientAuthenticatorType}}, the Keycloak database will be updated and you may need to download a new adapter configuration for this client. import=Import otpHashAlgorithm=OTP hash algorithm importFail=Import failed\: {{error}} show=Show description=Description alwaysReadValueFromLdap=Always read value from LDAP searchUserEventsBtn=Search events addressClaim.postal_code.tooltip=Name of User Attribute, which will be used to map to 'postal_code' subclaim inside 'address' token claim. Defaults to 'postal_code' . generatedUserInfoNo=No generated user info allowed-client-scopes.label=Allowed Client Scopes providerId=Provider ID assignedClientScope=Assigned client scope savePasswordSuccess=The password has been set successfully. Tuesday=Tuesday idTokenEncryptionContentEncryptionAlgorithm=ID token encryption content encryption algorithm newRoleName=New role name listExplain=Identity providers are social networks or identity brokers that allow users to authenticate to Keycloak. emptyInstructions=Change your search criteria or add a user tableView=Table view addClientProfile=Add client profile maxFailureWaitSeconds=Max wait userEventsRegistered=User events registered renameAGroup=Rename group eventConfigError=Could not save event configuration {{error}} confirmAccessTokenTitle=Regenerate registration access token? target=Target impersonateConfirmDialog=Are you sure you want to log in as this user? If this user is in the same realm with you, your current login session will be logged out before you log in as this user. alwaysDisplayInUI=Always display in UI protocolMapper=Protocol... requiredSettings=Required Settings oneLevel=One Level userSaved=The user has been saved useRefreshTokens=Use refresh tokens standardFlowHelp=This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client. clientDeleteConfirm=If you delete this client, all associated data will be removed. derFormattedHelp=Activate this if the certificate is DER formatted in LDAP and not PEM formatted. eventTypes.IDENTITY_PROVIDER_POST_LOGIN.name=Identity provider post login scopePermissions.users.view-description=Policies that decide if an administrator can view all users in realm ldapGeneralOptionsSettingsDescription=This section contains a few basic options common to all user storage providers. importSkipped_one=One record skipped. eventTypes.OAUTH2_DEVICE_AUTH.description=Oauth2 device authentication notBeforeClearedSuccess=Success\! "Not Before" cleared for realm. policySaveError=Could not update the policy due to {{error}} experimental=Experimental idTokenSignatureAlgorithmHelp=JWA algorithm used for signing ID tokens. deleteResourceConfirm=If you delete this resource, some permissions will be affected. httpPostBindingResponse=HTTP-POST binding response tokenLifespan.inherited=Inherits from realm settings saveEvents=Save events issuer=Issuer policyEnforcementModeHelp=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource. selectAUser=Select a user groupCreated=Group created generateError=Could not generate new key pair and certificate {{error}} testClusterSuccess=Successfully verified availability for\: {{successNodes}} whoWillAppearLinkTextRoles=Who will appear in this user list? attestationPreference.not\ specified=Not specified importConfigHelp=Import metadata from a downloaded IDP discovery descriptor. targetClaim=Target claim assignRole=Assign role accessSettings=Access settings updateFlowSuccess=Flow successfully updated xXSSProtectionHelp=This header configures the Cross-site scripting (XSS) filter in your browser. Using the default behaviour, the browser will prevent rendering of the page when a XSS attack is detected. <1>Learn more authenticatedAccessPolicies=Authenticated access polices addExecutor=Add executor selectIfResourceExists=If a resource already exists, specify what should be done passwordPoliciesHelp.notEmail=The password cannot match the email address of the user. deleteAttributeGroupError=Could not delete user attributes group\: {{error}} trustEmail=Trust Email credentialReset=Credentials Reset eventTypes.CUSTOM_REQUIRED_ACTION_ERROR.name=Custom required action error deleteValidatorConfirmTitle=Delete validator? claimJsonType=JSON type that should be used to populate the json claim in the token. long, int, boolean, String and JSON are valid values. kc.client.network.ip_address=Client IPv4 Address signatureAndEncryption=Signature and Encryption reset=Reset hardcodedUserSessionAttribute=When a user is imported from a provider, hardcode a value to a specific user session attribute. conditionType=Condition type multiValued=Indicates if attribute supports multiple values. If true, the list of all values of this attribute will be set as claim. If false, just first value will be set as claim browse=Browse duplicateEmailsHelpText=Allow multiple users to have the same email address. Changing this setting will also clear the user's cache. It is recommended to manually update email constraints of existing users in the database after switching off support for duplicate email addresses. importOverwritten_zero=No records overwritten. usermodel.realmRoleMapping.rolePrefix.label=Realm Role prefix eventTypes.GRANT_CONSENT.name=Grant consent noProvidersLinked=No identity providers linked. Choose one from the list below. testConnectionSuccess=Success\! SMTP connection successful. E-mail was sent\! samlSettings=SAML settings userFedDisableConfirm=If you disable this user federation provider, it will not be considered for queries and imported users will be disabled and read-only until the provider is enabled again. userSessionAttribute=User Session Attribute enabled=Enabled forgotPassword=Forgot password searchUserByAttributeMissingValueError=Specify a attribute value passwordPoliciesHelp.maxLength=The maximum number of characters allowed in the password. moveGroupError=Could not move group {{error}} clientImportSuccess=Client imported successfully dragHelp=Press space or enter to begin dragging, and use the arrow keys to navigate up or down. Press enter to confirm the drag, or any other key to cancel the drag operation. startTime=Start time logicHelp=The logic dictates how the policy decision should be made. If 'Positive', the resulting effect (permit or deny) obtained during the evaluation of this policy will be used to perform a decision. If 'Negative', the resulting effect will be negated, in other words, a permit becomes a deny and vice-versa. allowRegexComparison=Allow regex pattern comparison noSessionsForUser=There are currently no active sessions for this user. eventTypes.IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR.description=Identity provider link account error implicitFlowHelp=This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client. user-events-cleared-error=Could not clear the user events {{error}} eventTypes.IMPERSONATE_ERROR.name=Impersonate error executorType=Executor type configureMappingDescription=Choose any of the mappings from this table keystorePassword=Keystore password mapperTypeHardcodedLdapRoleMapperHelp=Users imported from LDAP will be automatically added into this configured role. more={{count}} more clientNameHelp=Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example\: ${my_client} mappersList=Mappers list rootUrl=Root URL realmExplain=A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control. inputHelperTextBefore=Helper text (above) the input field webAuthnPolicyExtraOrigins=Extra Origins samlSignatureKeyName=SAML signature key name validateUsersDn=You must enter users DN importError=Could not import certificate {{error}} logicType.negative=Negative otpPolicy=OTP Policy noRolesInstructions-groups=You haven't created any roles for this group. Create a role to get started. cibaBackchannelTokenDeliveryMode=Backchannel Token Delivery Mode validateAttributeName=Attribute configuration without name is not allowed. eventTypes.RESET_PASSWORD_ERROR.description=Reset password error addUser=Add user eventTypes.REGISTER.description=Register includeAuthnStatementHelp=Should a statement specifying the method and timestamp be included in login responses? evaluateError=Could not evaluate due to\: {{error}} iconUriHelp=A URI pointing to an icon. eventTypes.OAUTH2_DEVICE_VERIFY_USER_CODE.name=Oauth2 device verify user code protocol=Protocol permissionsScopeName=Scope-name validPostLogoutRedirectURIsHelp=Valid URI pattern a browser can redirect to after a successful logout. A value of '+' or an empty field will use the list of valid redirect uris. A value of '-' will not allow any post logout redirect uris. Simple wildcards are allowed such as 'http\://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. manageAccount=Manage account oauthDeviceAuthorizationGrant=OAuth 2.0 Device Authorization Grant copyFlowError=Could not duplicate flow\: {{error}} roleRemoveAssociatedRoleConfirm=Remove associated role? httpPostBindingAuthnRequest=HTTP-POST binding for AuthnRequest includeInAccessToken.label=Add to access token samlKeysExportSuccess=Successfully exported keys usersInRole=Users in role policyProvider.group=Define conditions for your permissions where a set of one or more groups (and their hierarchies) is permitted to access an object. updatedUserProfileError=User Profile configuration hasn't been saved emptyPermissions=No permissions deletePermission=Permanently delete permission? selectUser=Select a user whose identity is going to be used to query permissions from the server. resultPermit=Result-Permit userFederationExplain=User federation provides access to external databases and directories, such as LDAP and Active Directory. emptyAuthorizationScopes=No authorization scopes noDefaultGroups=No default groups policyProvider.time=Define time conditions for your permissions. updateFlowError=Could not update flow\: {{error}} valuePlaceholder=Type a value usersLeft_other={{count}} users left the group updateClientContext=Update Client Context removeAssociatedRoles=Remove associated roles nameIdPolicyFormatHelp=Specifies the URI reference corresponding to a name identifier format. mappers=Mappers attributeGeneralSettingsDescription=This section contains a few basic settings common to all attributes. name-id-format=Name ID Format deleteRealm=Delete realm noRoles-clientScopes=No roles for this client scope deleteFlowError=Could not delete flow\: {{error}} eventTypes.IDENTITY_PROVIDER_POST_LOGIN.description=Identity provider post login roleImportError=Could not import role regexAttributeValuesHelp=If enabled attribute values are interpreted as regular expressions. userCreated=The user has been created residentKey.not\ specified=Not specified clientUpdaterSourceHost=The condition checks the host/domain of the entity who tries to create/update the client to determine whether the policy is applied. alwaysReadValueFromLdapHelp=If on, then during reading of the LDAP attribute value will always used instead of the value from Keycloak DB. usermodel.clientRoleMapping.tokenClaimName.tooltip=Name of the claim to insert into the token. This can be a fully qualified name like 'address.street'. In this case, a nested json object will be created. To prevent nesting and use dot literally, escape the dot with backslash (\\.). The special token ${client_id} can be used and this will be replaced by the actual client ID. Example usage is 'resource_access.${client_id}.roles'. This is useful especially when you are adding roles from all the clients (Hence 'Client ID' switch is unset) and you want client roles of each client stored separately. scopePermissions.clients.map-roles-description=Policies that decide if an administrator can map roles defined by this client signAssertions=Sign assertions disableUserInfoHelp=Disable usage of User Info service to obtain additional user information? Default is to use this OIDC service. xFrameOptionsHelp=Default value prevents pages from being included by non-origin iframes <1>Learn more copyError=Error copying authorization details\: {{error}} validateSignatures=Enable/disable signature validation of SAML responses. authentication=Authentication eventTypes.DELETE_ACCOUNT.name=Delete account logoutUrlHelp=End session endpoint to use to logout user from external IDP. noUserDetails=No user details sync-ldap-groups-to-keycloak=Sync LDAP groups to Keycloak attestationPreference.indirect=Indirect frontchannelUrlInvalid=Front-channel logout URL is not a valid URL noCredentialsText=This user does not have any credentials. You can set password for this user. deletePolicyWarning=The aggregated polices below will be removed automatically\: validatingPublicKey=Validating public key permissionsListIntro=Edit the permission list by clicking the scope-name. It then redirects to the permission details page of the client named <1>{{realm}} deleteClientConditionSuccess=Condition deleted successfully. signatureAlgorithm=Signature algorithm deleteConfirmIdentityProvider=Are you sure you want to permanently delete the provider '{{provider}}'? resetActions=Reset Actions cibaExpiresInHelp=The expiration time of the "auth_req_id" in seconds since the authentication request was received. eventTypes.CLIENT_INFO_ERROR.description=Client info error batchSize=Batch size user=User scopesAsRequested=Scopes are requested updateErrorClientScope=Could not update client scope\: '{{error}}' eventTypes.OAUTH2_DEVICE_VERIFY_USER_CODE.description=Oauth2 device verify user code useKerberosForPasswordAuthentication=Use Kerberos for password authentication validateUuidLDAPAttribute=You must enter a UUID LDAP attribute client-scopes-condition.tooltip=The list of expected client scopes. Condition evaluates to true if specified client request matches some of the client scopes. It depends also whether it should be default or optional client scope based on the 'Scope Type' configured. rootURLHelp=Root URL appended to relative URLs anonymousAccessPolicies=Anonymous access polices createResourceBasedPermission=Create resource-based permission searchForRole=Search role xXSSProtection=X-XSS-Protection debugHelp=Enable/disable debug logging to standard output for Krb5LoginModule. validatorColNames.colConfig=Config createClient=Create client inputTypeRows=Input rows eventTypes.IDENTITY_PROVIDER_FIRST_LOGIN.description=Identity provider first login usedMemory=Used memory validatePasswordPolicyHelp=Determines if Keycloak should validate the password with the realm password policy before updating it. For the case when user's password is saved in LDAP, some Keycloak password policies will not work (Not Recently Used, Expire Password, Hashing Iterations, Hashing Algorithm) due the fact that Keycloak does not have direct control over the password storage. It is needed to enable password policies at the LDAP server layer if you want to leverage those password policies. quickLoginCheckMilliSeconds=Quick login check milliseconds createResourceSuccess=Resource created successfully documentation=Documentation fullNameLdapReadOnlyHelp=For Read-only, data is imported from LDAP to Keycloak DB, but it's not saved back to LDAP when the user is updated in Keycloak. roleExplain=Realm roles are the roles that you define for use in the current realm. whatIsDefaultGroups=What is the function of default groups? transient=Transient generalSettings=General settings addClientProfileError=Could not create client profile\: '{{error}}' overallResults=Overall Results requiredUserActionsHelp=Require an action when the user logs in. 'Verify email' sends an email to the user to verify their email address. 'Update profile' requires user to enter in new personal information. 'Update password' requires user to enter in a new password. 'Configure OTP' requires setup of a mobile password generator. requestObjectSignatureAlgorithmHelp=JWA algorithm, which client needs to use when sending OIDC request object specified by 'request' or 'request_uri' parameters. If set to 'any', Request object can be signed by any algorithm (including 'none' ). ldapKerberosSettingsDescription=This section contains options useful for the Kerberos integration. This is used only when the LDAP server is used together with Kerberos/SPNEGO for user authentication. deleteEvents=Clear events termsOfServiceUrlHelp=URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service clientSecretError=Could not regenerate client secret due to\: {{error}} resourcePath=Resource path useJwksUrlHelp=If the switch is on, identity provider public keys will be downloaded from given JWKS URL. This allows great flexibility because new keys will be always re-downloaded again when identity provider generates new keypair. If the switch is off, public key (or certificate) from the Keycloak DB is used, so when the identity provider keypair changes, you always need to import the new key to the Keycloak DB as well. mapperTypeHardcodedAttributeMapperHelp=This mapper will hardcode any model user attribute and some property (like emailVerified or enabled) when importing user from LDAP. downloadAdaptorTitle=Download adaptor configs client-roles.label=Client Roles keysFilter.PASSIVE=Passive keys revocation=Revocation scopeTypeHelp=Client scopes, which will be added as default scopes to each created client search=Search validateEditMode=You must select an edit mode copyFlowSuccess=Flow successfully duplicated cacheSettings=Cache settings searchForClient=Search for client permissionDeletedError=Could not delete permission due to {{error}} eventTypes.UPDATE_PROFILE.name=Update profile realmId=Realm ID eventTypes.PERMISSION_TOKEN_ERROR.description=Permission token error algorithmHelp=Intended algorithm for the key importFile=Import file userVerify.discouraged=Discouraged ldapRolesDn=LDAP roles DN displayOnClientHelp=Applicable only if 'Consent Required' is on for this client. If this switch is off, the consent screen will contain just the consents corresponding to configured client scopes. If on, there will be also one item on the consent screen about this client itself. requestObjectRequired=Request object required protocolHelp=Which SSO protocol configuration is being supplied by this client scope prompts.none=None resourcesHelp=Specifies that this permission must be applied to a specific resource instance. passwordConfirmation=Password confirmation aggregate.attrs.tooltip=Indicates if attribute values should be aggregated with the group attributes. If using OpenID Connect mapper the multivalued option needs to be enabled too in order to get all the values. Duplicated values are discarded and the order of values is not guaranteed with this option. helpLabel=More help for '{{label}}' noRoles=No roles for this user createAttribute=Create attribute Thursday=Thursday importOverwritten_one=One record overwritten. tokenDeleteError=Could not delete initial access token\: '{{error}}' eventTypes.REGISTER_NODE_ERROR.name=Register node error isMandatoryInLdap=Is mandatory in LDAP discoveryEndpoint=Discovery endpoint claimValue=Claim Value eventTypes.FEDERATED_IDENTITY_LINK.name=Federated identity link authenticationHelp=This defines the type of the OIDC client. When it's ON, the OIDC type is set to confidential access type. When it's OFF, it is set to public access type deleteClientConditionError=Error creating condition\: {{error}} noMappers=No Mappers couldNotLinkIdP=Could not link identity provider {{error}} otpPolicyPeriod=OTP Token period managePriorities=Manage priorities createClientPolicySuccess=New policy created frontendUrlHelp=Set the frontend URL for the realm. Use in combination with the default hostname provider to override the base URL for frontend requests for a specific realm. used.notInUse=Not in use emailSettings=Email settings samlEntityDescriptorHelp=Allows you to load external IDP metadata from a config file or to download it from a URL. generatedIdTokenHelp=See the example ID Token, which will be generated and sent to the client when selected user is authenticated. You can see claims and roles that the token will contain based on the effective protocol mappers and role scope mappings and also based on the claims/roles assigned to user himself createClientProfile=Create client profile passwordPoliciesHelp.specialChars=The number of special characters required in the password string. cachePolicy=Cache policy noCredentials=No credentials clientOfflineSessionIdle=Client Offline Session Idle eventListeners=Event listeners bindDn=Bind DN evictionHourHelp=Hour of the day the entry will become invalid permissionDetails=Permission details clipboardCopyDenied=Your browser is blocking access to the clipboard. Friday=Friday saveProviderListSuccess=The priority of the provider has been updated successfully. copyToClipboard=Copy to clipboard wantAuthnRequestsSigned=Want AuthnRequests signed usermodel.attr.tooltip=Name of stored user attribute which is the name of an attribute within the UserModel.attribute map. clientPoliciesProfiles=Client Policies Profiles eventTypes.SEND_VERIFY_EMAIL.name=Send verify email requiredForLabel.both=Both users and admins eventTypes.REGISTER_NODE.name=Register node addToFilter=Add to filter CONFIGURE_TOTP=Configure OTP (CONFIGURE_TOTP) eventTypes.EXECUTE_ACTIONS.description=Execute actions clientUpdaterSourceRolesHelp=The condition checks the role of the entity who tries to create/update the client to determine whether the policy is applied. userModelAttributeName=User model attribute name importResourceError=Could not import the resource due to {{error}} dynamicScope=Dynamic scope mapperTypeHardcodedLdapRoleMapper=hardcoded-ldap-role-mapper validateName=You must enter a name flowDetails=Flow details never=Never includeInIntrospection.tooltip=Should the claim be added to the token introspection? addressClaim.region.tooltip=Name of User Attribute, which will be used to map to 'region' subclaim inside 'address' token claim. Defaults to 'region' . IDK-periodicChangedUsersSyncHelp=Should newly created users be created within LDAP store? Priority affects which provider is chosen to sync the new user. logoutServiceArtifactBindingUrlHelp=SAML ARTIFACT Binding URL for the client's single logout service. You can leave this blank if you are using a different binding. claimToRole=If a claim exists, grant the user the specified realm or client role. logoutServicePostBindingURL=Logout Service POST Binding URL eventTypes.REMOVE_FEDERATED_IDENTITY_ERROR.name=Remove federated identity error assertionConsumerServicePostBindingURLHelp=SAML POST Binding URL for the client's assertion consumer service (login responses). You can leave this blank if you do not have a URL for this binding. createAuthorizationScope=Create authorization scope noGroups=No groups backchannelLogoutRevokeOfflineSessionsHelp=Specifying whether a "revoke_offline_access" event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event. roleID=Role ID roleNameLdapAttributeHelp=Name of LDAP attribute, which is used in role objects for name and RDN of role. Usually it will be 'cn'. In this case typical group/role object may have DN like 'cn\=role1,ou\=finance,dc\=example,dc\=org'. origin=Origin regexPattern=Regex pattern filteredByClaim=Verify essential claim rowCancelBtnAriaLabel=Cancel edits for {{messageBundle}} validateSignatureHelp=Enable/disable signature validation of external IDP signatures. searchForFlow=Search for flow verifyEmail=Verify email notBeforeIntro=In order to successfully push a revocation policy to the client, you need to set an Admin URL under the <1>Settings tab for this client first addressClaim.locality.label=User Attribute Name for Locality formatOption=Format option addAuthnContextClassRef=Add AuthnContext ClassRef showPasswordDataName=Name clientScopeTypes.none=None whoCanEdit=Who can edit? mappingCreatedSuccess=Mapping successfully created eventTypes.GRANT_CONSENT.description=Grant consent client=Client setToNow=Set to now eventTypes.OAUTH2_DEVICE_AUTH_ERROR.name=Oauth2 device authentication error addSubFlowHelp=Sub-Flows can be either generic or form. The form type is used to construct a sub-flow that generates a single flow for the user. Sub-flows are a special type of execution that evaluate as successful depending on how the executions they contain evaluate. implicitFlow=Implicit flow authorizationSignedResponseAlgHelp=JWA algorithm used for signing authorization response tokens when the response mode is jwt. associatedRolesRemoved=Associated roles have been removed keyAliasHelp=Alias for the private key whoWillAppearLinkTextUsers=Who will appear in this group list? tokenClaimName.tooltip=Name of the claim to insert into the token. This can be a fully qualified name like 'address.street'. In this case, a nested json object will be created. To prevent nesting and use dot literally, escape the dot with backslash (\\.). userName=Username clientProfileDescription=Description ellipticCurveHelp=Elliptic curve used in ECDSA fromPredefinedMapper=From predefined mappers attributesGroup=Attributes group ssoSessionMax=Max time before a session is expired. Tokens and browser sessions are invalidated when a session is expired. clientDeleteError=Could not delete client\: {{error}} optimizeLookup=Optimize REDIRECT signing key lookup joinGroupsFor=Join groups for user {{username}} temporaryLocked=Temporarily locked setup=Setup unlinkAccount=Unlink account executors=Executors eventTypes.CLIENT_UPDATE_ERROR.name=Client update error realm=Realm attributeConsumingServiceIndex=Attribute Consuming Service Index prompt=Prompt assign=Assign disableConfirmRealm=User and clients can't access the realm if it's disabled. Are you sure you want to continue? showAuthData=Show authorization data includeInUserInfo.tooltip=Should the claim be added to the userinfo? select=Select signature-algorithm=JWA algorithm, which the client needs to use when signing a JWT for authentication. If left blank, the client is allowed to use any appropriate algorithm for the particular client authenticator. advanced=Advanced initialCounter=Initial counter revokeRefreshTokenHelp=If enabled a refresh token can only be used up to 'Refresh Token Max Reuse' and is revoked when a different token is used. Otherwise refresh tokens are not revoked when used and can be used multiple times. nameField=Name ownerManagedAccessHelp=If enabled, the access to this resource can be managed by the resource owner. useLowerCaseBearerTypeHelp=If this is on, token responses will be set the with the type "bearer" in lower-case. By default, the server sets the type as "Bearer" as defined by RFC6750. addCondition=Add condition updateSuccessClientScope=Client scope updated connectionAndAuthentication=Connection & Authentication clientScopeType.optional=Optional permissionsDisableConfirm=If you disable the permissions, all the permissions in the list below will be delete automatically. In addition, the resources and scopes that are related will be removed eventTypes.REFRESH_TOKEN.description=Refresh token authorization=Authorization clientProfilesHelpItem=Client profiles help item userSessionAttributeValue=User Session Attribute Value dayMonthHelp=Defines the day of month when the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current day of month is between or equal to the two values you provided. fullNameLdapWriteOnlyHelp=For Write-only, data is propagated to LDAP when a user is created or updated in Keycloak. But this mapper is not used to propagate data from LDAP back into Keycloak. This setting is useful if you configured separate firstName and lastName attribute mappers and you want to use those to read the attribute from LDAP into Keycloak. userFedDeleteError=Could not delete user federation provider\: '{{error}}' id=ID join=Join clientUpdaterSourceGroupsHelp=The condition checks the group of the entity who tries to create/update the client to determine whether the policy is applied. idTokenEncryptionContentEncryptionAlgorithmHelp=JWA Algorithm used for content encryption in encrypting ID tokens. This option is needed just if you want encrypted ID tokens. If left empty, ID Tokens are just signed, but not encrypted. messageBundleDescription=You can edit the supported locales. If you haven't selected supported locales yet, you can only edit the English locale. saveEventListenersError=Error saving event listener\: {{error}} scopesHelp=The scopes to be sent when asking for authorization. It can be a space-separated list of scopes. Defaults to 'openid'. multivalued.tooltip=Indicates if attribute supports multiple values. If true, the list of all values of this attribute will be set as claim. If false, just first value will be set as claim inputOptionLabelsI18nPrefix=Internationalization key prefix enabledHelp=Set if the keys are enabled nameHintHelp=A unique name for the group. This name will be used to reference the group when binding an attribute to a group. admin-events-cleared-error=Could not clear the admin events {{error}} usersPermissionsHint=Fine grained permissions for managing all users in realm. You can define different policies for who is allowed to manage users in the realm. isBinaryAttribute=Is binary attribute clientScopeList=Client scopes noValidMetaDataFound=No valid metadata was found at this URL\: '{{error}}' eventTypes.IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR.description=Identity provider retrieve token error usernameLdapAttribute=Username LDAP attribute updateResourceSuccess=Resource successfully updated displayNameHelp=Friendly name for Identity Providers. idpAccountEmailVerification=IdP account email verification template=Template deleteExecutionSuccess=Execution successfully deleted deleteConfirmTitle_other=Delete groups? profilesConfigTypes.jsonEditor=JSON editor testingConnection=Testing connection noUsersFoundError=No users found due to {{error}} clientUpdaterSourceGroups=Groups executorDetails=Executor details maxDeltaTimeSeconds=Failure reset time backchannelLogoutHelp=Does the external IDP support backchannel logout? eventTypes.REMOVE_FEDERATED_IDENTITY_ERROR.description=Remove federated identity error usermodel.realmRoleMapping.rolePrefix.tooltip=A prefix for each Realm Role (optional). exportSamlKeyTitle=Export SAML Keys eventTypes.OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR.description=Oauth2 device verify user code error eventTypes.EXECUTE_ACTIONS_ERROR.description=Execute actions error SKIP=Skip eventTypes.INTROSPECT_TOKEN.description=Introspect token infoEnabledFeatures=Shows enabled preview and experimental features. displayOrderHelp=Number defining the order of the providers in GUI (for example, on the Login page). The lowest number will be applied first. deleteCredentialsConfirm=Are you sure you want to delete these users credentials? requiredClientScope=Please add at least one client scope. keysIntro=If "Use JWKS URL switch" is on, you need to fill a valid JWKS URL. After saving, admin can download keys from the JWKS URL or keys will be downloaded automatically by Keycloak server when an unknown KID is seen during client authentication. logoutServiceArtifactBindingUrl=Logout Service ARTIFACT Binding URL passwordPoliciesHelp.lowerCase=The number of lowercase letters required in the password string. searchForProvider=Search for provider ldapSearchingAndUpdatingSettingsDescription=This section contains options related to searching the LDAP server for the available users. sessionsType.regularSSO=Regular SSO allowed-client-scopes.tooltip=Whitelist of the client scopes, which can be used on a newly registered client. Attempt to register client with some client scope, which is not whitelisted, will be rejected. By default, the whitelist is either empty or contains just realm default client scopes (based on 'Allow Default Scopes' configuration property) maxDeltaTimeSecondsHelp=When will failure count be reset? executorsHelpItem=Executors help item contentSecurityPolicy=Content-Security-Policy client-uris-must-match.tooltip=If on, all Client URIs (Redirect URIs and others) are allowed just if they match some trusted host or domain. off=Off frontchannelLogoutHelp=When true, logout requires a browser redirect to client. When false, server performs a background invocation for logout. updateSuccess=Provider successfully updated hide=Hide isMandatoryInLdapHelp=If true, attribute is mandatory in LDAP. Hence if there is no value in Keycloak DB, the empty value will be set to be propagated to LDAP. client-accesstype.label=Client Access Type eventTypes.IDENTITY_PROVIDER_POST_LOGIN_ERROR.description=Identity provider post login error skipCustomizationAndFinish=Skip customization and finish mappingDeletedSuccess=Mapping successfully deleted addIdentityProvider=Add {{provider}} provider flowDescriptionHelp=Help text for the description of the new flow kc.time.date_time=Date/Time (MM/dd/yyyy hh\:mm\:ss) principalType=Principal type ignoreMissingGroupsHelp=Ignore missing groups in the group hierarchy. updatedCredentialMoveSuccess=User Credential configuration has been saved deleteExecutorProfileConfirmTitle=Delete executor? auth=Auth accessTokenLifespanImplicitFlow=Access Token Lifespan For Implicit Flow createAttributeSuccess=Success\! User Profile configuration has been saved. annotations=Annotations confirmAccessTokenBody=If you regenerate registration access token, the access data regarding the client registration service will be updated. remainingCount=Remaining count eventTypes.INVALID_SIGNATURE.description=Invalid signature download=Download authScopes=Authorization scopes requiredWhen=Required when updatePasswordPolicyError=Could not update the password policies\: '{{error}}' max-clients.tooltip=It will not be allowed to register a new client if count of existing clients in realm is same or bigger than the configured limit. uuidLdapAttributeHelp=Name of the LDAP attribute, which is used as a unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is 'entryUUID'; however some are different. For example, for Active directory it should be 'objectGUID'. If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN'. mappingDetails=Mapper details top-level-flow-type.client-flow=Client flow eventTypes.GRANT_CONSENT_ERROR.description=Grant consent error claim=Claim hardcodedAttribute=When user is imported from provider, hardcode a value to a specific user attribute. permissionSaveError=Could not update the permission due to {{error}} optimizeLookupHelp=When signing SAML documents in REDIRECT binding for SP that is secured by Keycloak adapter, should the ID of the signing key be included in SAML protocol message in element? This optimizes validation of the signature as the validating party uses a single key instead of trying every known key for validation. deleteClientScope_one=Delete client scope {{name}} accessTokenError=Could not regenerate access token due to\: {{error}} joinGroups=Join Groups scopePermissions.clients.configure-description=Reduced management permissions for administrator. Cannot set scope, template, or protocol mappers. providedBy=Provided by doNotStoreUsers=Do not store users ms=milliseconds ipAddress=IP address keyID=KEY_ID spi=SPI emptyValidators=No validators. plus=Plus browserFlow=Browser Flow anyScope=Any scope enableDisable=Disabled clients cannot initiate a login or have obtained access tokens. noUsersFound=No users found serverInfo=Server info chooseAPolicyTypeInstructions=Choose one policy type from the list below and then you can configure a new policy for authorization. There are some types and description. emailThemeHelp=Select a theme for emails that are sent by the server. principalTypeHelp=Way to identify and track external users from the assertion. Default is using Subject NameID, alternatively you can set up identifying attribute. Wednesday=Wednesday consents=Consents authDetails=Authorization details mappingDeletedError=Could not delete mapping\: '{{error}}' minimumQuickLoginWaitSecondsHelp=How long to wait after a quick login failure. mappedGroupAttributesHelp=List of names of attributes divided by commas. This points to the list of attributes on LDAP group, which will be mapped as attributes of Group in Keycloak. Leave this empty if no additional group attributes are required to be mapped in Keycloak. deleteGrantsSuccess=Grants successfully revoked. mapperTypeGroupLdapMapper=group-ldap-mapper policyEnforcementModes.DISABLED=Disabled openIdConnectCompatibilityModes=Open ID Connect Compatibility Modes no=No code=Code nameHelp=Help text for the name of the new flow keys=Keys defaultSigAlg=Default Signature Algorithm signatureKeyName=SAML signature key name notBeforeTooltip=The admin URL should be set in the Settings tab first. resourcesToImport=Resources to import selectRole.label=Select Role isBinaryAttributeHelp=Should be true for binary LDAP attributes. whoWillAppearPopoverFooterText=Users who have this role as an effective role cannot be added on this tab. eventTypes.RESTART_AUTHENTICATION_ERROR.name=Restart authentication error generatedUserInfoIsDisabled=Generated user info is disabled when no user is selected nameHelpHelp=Name of the mapper prompts.consent=Consent flowNameHelp=Help text for the name of the new flow webAuthnPolicyRpEntityName=Relying party entity name lastEvaluation=Last Evaluation createClientConditionError=Error creating condition\: {{error}} serverPrincipalHelp=Full name of server principal for HTTP service including server and domain name. For example, HTTP/host.foo.org@FOO.ORG enableStartTlsHelp=Encrypts the connection to LDAP using STARTTLS, which will disable connection pooling resourceScopeSuccess=The authorization scope successfully deleted userIdHelperText=Enter the unique ID of the user for this identity provider. forwardParametersHelp=Non OpenID Connect/OAuth standard query parameters to be forwarded to external IDP from the initial application request to Authorization Endpoint. Multiple parameters can be entered, separated by comma (,). on=On changeAuthenticatorConfirmTitle=Change to {{clientAuthenticatorType}}? eventTypes.OAUTH2_DEVICE_AUTH.name=Oauth2 device authentication admin-events-cleared=The admin events have been cleared or=or deleteDialogTitle=Delete attribute group? eventTypes.CLIENT_INITIATED_ACCOUNT_LINKING.description=Client initiated account linking annotationsText=Annotations ldapAttributeName=LDAP attribute name acceptsPromptNone=Accepts prompt\=none forward from client loginThemeHelp=Select theme for login, OTP, grant, registration and forgot password pages. AESKeySizeHelp=Size in bytes for the generated AES key. Size 16 is for AES-128, Size 24 for AES-192, and Size 32 for AES-256. WARN\: Bigger keys than 128 are not allowed on some JDK implementations. client-accesstype.tooltip=Access Type of the client, for which the condition will be applied. Confidential client has enabled client authentication when public client has disabled client authentication. Bearer-only is a deprecated client type. oneTimePassword=One-Time Password invalidateRotatedError=Could not remove rotated secret\: {{error}} excludeSessionStateFromAuthenticationResponseHelp=If this is on, the parameter 'session_state' will not be included in OpenID Connect Authentication Response. It is useful if the client uses an older OIDC / OAuth2 adapter, which does not support the 'session_state' parameter. useRefreshTokenForClientCredentialsGrantHelp=If this is on, a refresh_token will be created and added to the token response if the client_credentials grant is used. The OAuth 2.0 RFC6749 Section 4.4.3 states that a refresh_token should not be generated when client_credentials grant is used. If this is off then no refresh_token will be generated and the associated user session will be removed. userManagedAccess=User-managed access initialAccessToken=Initial access token rowEditBtnAriaLabel=Edit {{messageBundle}} evictionDay=Eviction day vendorHelp=LDAP vendor (provider) applyToResourceType=Apply to Resource Type addDefaultGroups=Add default groups selectRole.tooltip=Enter role in the textbox to the left, or click this button to browse and select the role you want. filterGroups=Filter groups validPostLogoutRedirectUri=Valid post logout redirect URIs authnContextClassRefs=AuthnContext ClassRefs deleteCredentialsSuccess=The credentials has been deleted successfully. eventTypes.PERMISSION_TOKEN_ERROR.name=Permission token error userProfileSuccess=User profile settings successfully updated. attributeDefaultValueHelp=If there is no value in Keycloak DB and attribute is mandatory in LDAP, this value will be propagated to LDAP. cibaPolicy=CIBA Policy Saturday=Saturday importSkipped_other={{count}} records skipped. membershipAttributeTypeHelp=DN means that LDAP group has it's members declared in form of their full DN. For example 'member\: uid\=john,ou\=users,dc\=example,dc\=com'. UID means that LDAP group has it's members declared in form of pure user uids. For example 'memberUid\: john'. unsavedChangesTitle=Unsaved changes emptyResourcesInstructions=If you want to create a resource, please click the button below. save-user-events=If enabled, user events are saved to the database, which makes events available to the admin and account management UIs. otpSupportedApplications.totpAppFreeOTPName=FreeOTP validPostLogoutRedirectURIs=Valid URI pattern a browser can redirect to after a successful logout. A value of '+' or an empty field will use the list of valid redirect uris. A value of '-' will not allow any post logout redirect uris. Simple wildcards are allowed such as 'http\://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. composite=Composite recommendedSsoTimeout=It is recommended for this value to be shorter than the SSO session idle timeout\: {{time}} sessionExplain=Sessions are sessions of users in this realm and the clients that they access within the session. noSearchResults=No search results eventTypes.AUTHREQID_TO_TOKEN.description=Authreqid to token recent=Recent executeActions=Execute actions policyProvider.aggregate=Reuse existing policies to build more complex ones and keep your permissions even more decoupled from the policies that are evaluated during the processing of authorization requests. advancedAttributeToRole=If the set of attributes exists and can be matched, grant the user the specified realm or client role. userEventsSettings=User events settings deny=Deny moveGroupSuccess=Group moved eventTypes.USER_INFO_REQUEST.description=User info request userDeletedError=The user could not be deleted {{error}} edit=Edit authorizationScopeDetails=Authorization scope details ldapGroupsDnHelp=LDAP DN where groups of this tree are saved. For example 'ou\=groups,dc\=example,dc\=org' readOnly=Read only client-updater-trusted-hosts.tooltip=List of Hosts, which are trusted. In case that client registration/update request comes from the host/domain specified in this configuration, condition evaluates to true. You can use hostnames or IP addresses. If you use star at the beginning (for example '*.example.com' ) then whole domain example.com will be trusted. resultDeny=Result-Deny kc.client.network.host=Client Host noResourceCreateHint=There are no resources you can't create resource-based permission directMembership=Direct membership addExecutionTitle=Add an execution associatedRolesText=Associated roles clientIdHelp=The client identifier registered with the identity provider. eventTypes.INVALID_SIGNATURE_ERROR.name=Invalid signature error clientSecretSuccess=Client secret regenerated oAuthDeviceCodeLifespan=OAuth 2.0 Device Code Lifespan ldapConnectionAndAuthorizationSettingsDescription=This section contains options related to the configuration of the connection to the LDAP server. It also contains options related to authentication of the LDAP connection to the LDAP server. clientSaveSuccess=Client successfully updated ecdsaGenerated=ecdsca-generated flow-type.basic-flow=Generic oAuthDevicePollingInterval=OAuth 2.0 Device Polling Interval deletedSuccessRealmSetting=The realm has been deleted webauthnPasswordlessPolicy=Webauthn Passwordless Policy editUserLabel=Edit User Label Button conditions=Conditions addUri=Add URI excludeIssuerFromAuthenticationResponse=Exclude Issuer From Authentication Response minus=Minus groupsHelp=Groups where the user has membership. To leave a group, select it and click Leave. includeGroupsAndRoles=Include groups and roles groupsPermissionsHint=Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up. searchForMessageBundle=Search for message bundle offlineSessionMaxHelp=Max time before an offline session is expired regardless of activity. resourceSaveError=Could not persist resource due to {{error}} clientsClientScopesHelp=The scopes associated with this resource. updateCredentialUserLabelError=Error changing user label\: {{error}} enableHelpMode=Enable help mode clientPoliciesTab=Client policies tab ldapGroupsDn=LDAP groups DN ldapFullNameAttributeHelp=Name of the LDAP attribute, which contains the fullName of the user. Usually it will be 'cn'. clientRegisterPolicyDeleteConfirm=Are you sure you want to permanently delete the client registration policy {{name}} jsonEditor=JSON editor chooseBindingType=Choose binding type mappingCreatedError=Could not create mapping\: '{{error}}' deleteClientPolicyProfileConfirmTitle=Delete profile? passwordPoliciesHelp.forceExpiredPasswordChange=The number of days the password is valid before a new password is required. envelopeFromHelp=An email address used for bounces (optional). passwordPoliciesHelp.upperCase=The number of uppercase letters required in the password string. policyDeletedError=Could not remove the resource {{error}} key=Key email=Email groupDeleted_other=Groups deleted acrToLoAMappingHelp=Define which ACR (Authentication Context Class Reference) value is mapped to which LoA (Level of Authentication). The ACR can be any value, whereas the LoA must be numeric. uploadFile=Upload JSON file loginActionTimeoutHelp=Max time a user has to complete login related actions like update password or configure totp. This is recommended to be relatively long, such as 5 minutes or more identityProviders=Identity providers importUsers=Import users authenticationFlow=Authentication flow leaveGroup_other=Leave groups? deleteClientPolicySuccess=Client policy deleted mapperTypeCertificateLdapMapper=certificate-ldap-mapper clientAuthentications.client_secret_basic=Client secret sent as basic auth started=Started filteredByClaimHelp=If true, ID tokens issued by the identity provider must have a specific claim. Otherwise, the user can not authenticate through this broker. mapperTypeCertificateLdapMapperHelp=Used to map single attribute which contains a certificate from LDAP user to attribute of UserModel in Keycloak DB permissionDecisionStrategyHelp=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative. userManagedAccessHelp=If enabled, users are allowed to manage their resources and permissions using the Account Management UI. confirm=Confirm policyType.totp=Time based addAttribute=Add an attribute clientScopeSearch.protocol=Protocol initialAccessTokenDetails=Initial access token details noMessageBundles=No message bundles deleteProvider=Delete provider? inputTypeSize=Input size createAttributeSubTitle=Create a new attribute eventTypes.CODE_TO_TOKEN_ERROR.name=Code to token error emptyAuthorizationInstructions=If you want to create authorization scopes, please click the button below to create the authorization scope subjectHelp=A regular expression for validating Subject DN in the Client Certificate. Use "(.*?)(?\:$)" to match all kind of expressions. updatePolicySuccess=Successfully updated the policy eventTypes.CUSTOM_REQUIRED_ACTION.name=Custom required action updateExecutorError=Executor not updated clientIdHelpHelp=Client ID of client to which LDAP role mappings will be mapped. Applicable only if 'Use Realm Roles Mapping' is false. createdAt=Created at moveGroupEmpty=No sub groups rolesHelp=Select the roles you want to associate with the selected user. samlEntityDescriptor=SAML entity descriptor passwordPolicyHintsEnabled=Password policy hints enabled enableLdapv3PasswordHelp=Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires that LDAP user already has password in the LDAP server. So when this is used with 'Sync Registrations', it can be good to add also 'Hardcoded LDAP attribute mapper' with randomly generated initial password. syncMode=Sync mode details=Details privateRSAKeyHelp=Private RSA Key encoded in PEM format onDragStart=Dragging started for item {{item}} pushedAuthorizationRequestRequired=Pushed authorization request required requirements.REQUIRED=Required generate=Generate clientOfflineSessionMaxHelp=Max time before a client offline session is expired. If Offline Session Max Limited is enabled at realm level, offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Max value. resetPasswordBtn=Reset password strictTransportSecurity=HTTP Strict Transport Security (HSTS) editInfo=Edit info offlineSessionMaxLimited=Offline Session Max Limited providerCreateSuccess=New client policy created successfully disableSigning=Disable "{{key}}" periodicChangedUsersSync=Periodic changed users sync searchScope=Search scope dateFrom=Date(from) importAdded_one=One record added. clientAccessType=It uses the client's access type (confidential, public, bearer-only) to determine whether the policy is applied. Condition is checked during most of OpenID Connect requests (Authorization requests, token requests, introspection endpoint request, etc.). Confidential client has enabled client authentication when public client has disabled client authentication. Bearer-only is a deprecated client type. firstName=First name emptySecondaryAction=Configure a new mapper defaultGroupAdded_one=New group added to the default groups unexpectedError=An unexpected error occurred\: '{{error}}' removeAllAssociatedRolesConfirmDialog=This action will remove the associated roles of {{name}}. Users who have permission to {{name}} will no longer have access to these roles. noRolesInstructions=You haven't assigned any roles to this user. Assign a role to get started. authorizationEncryptedResponseEncHelp=JWA Algorithm used for content encryption in encrypting the authorization response when the response mode is jwt. This option is needed if you want encrypted authorization response. If left empty, the authorization response is just signed, but not encrypted. permissionName=The name of this permission. postBrokerLoginFlowAliasHelp=Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this to "None" if you need no any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it. preview=Preview eventTypes.UNREGISTER_NODE_ERROR.name=Unregister node error clientRegisterPolicyDeleteConfirmTitle=Delete client registration policy? groupDetails=Group details sessionsType.allSessions=All session types kid=Kid sessionsType.serviceAccount=Service account allowKerberosAuthenticationHelp=Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from this LDAP server. oauthDeviceAuthorizationGrantHelp=This enables support for OAuth 2.0 Device Authorization Grant, which means that client is an application on device that has limited input capabilities or lack a suitable browser. clientSignatureHelp=Will the client sign their saml requests and responses? And should they be validated? importOverwritten_other={{count}} records overwritten. requirements.CONDITIONAL=Conditional leaveGroupConfirmDialog_one=Are you sure you want to remove {{username}} from the group {{groupname}}? kc.client.user_agent=Client/User Agent frontendUrl=Frontend URL permissionDeletedSuccess=Successfully deleted permission clientScopeRemoveSuccess=Scope mapping successfully removed addClientScopes=Add client scopes doNotStoreUsersHelp=When enabled, users from this broker are not persisted in internal database. deletePolicyConfirm=If you delete this policy, some permissions or aggregated policies will be affected. userCreateError=Could not create user\: {{error}} user-events-cleared=The user events have been cleared resetPasswordConfirm=Reset password? emailAsUsernameHelpText=Allow users to set email as username. AESKeySize=AES Key Size fullName={{givenName}} {{familyName}} deleteConfirm=Are you sure you want to permanently delete the provider '{{provider}}'? compositesRemovedAlertDescription=All the associated roles have been removed aliasHelp=The alias uniquely identifies an identity provider and it is also used to build the redirect uri. selectRealm=Select realm roleNameLdapAttribute=Role name LDAP attribute javaKeystore=java-keystore updatedUserProfileSuccess=User Profile configuration has been saved deleteProviderMapper=Delete mapper? clientsPermissionsHint=Fine grained permissions for administrators that want to manage this client or apply roles defined by this client. lookAroundHelp=How far around should the server look just in case the token generator and server are out of time sync or counter sync? usersLeft_one={{count}} user left the group sync-keycloak-groups-to-ldap=Sync Keycloak groups to LDAP saveError=User federation provider could not be saved\: {{error}} bruteForceDetection=Brute force detection loginTimeoutHelp=Max time a user has to complete a login. This is recommended to be relatively long, such as 30 minutes or more eventTypes.OAUTH2_DEVICE_CODE_TO_TOKEN.name=Oauth2 device code to token searchGroups=Search groups trusted-hosts.tooltip=List of Hosts, which are trusted and are allowed to invoke Client Registration Service and/or be used as values of Client URIs. You can use hostnames or IP addresses. If you use star at the beginning (for example '*.example.com' ) then whole domain example.com will be trusted. disableNonceHelp=Do not send the nonce parameter in the authentication request. The nonce parameter is sent and verified by default. deleteClientProfile=Delete this client profile none=None type=Type createNewUser=Create new user emptyClientProfiles=No profiles internationalization=Internationalization seconds=Seconds memberofLdapAttributeHelp=Used just when 'User Roles Retrieve Strategy' is GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE. It specifies the name of the LDAP attribute on the LDAP user, which contains the groups, which the user is member of. Usually it will be the default 'memberOf'. clientRegisterPolicyDeleteSuccess=Client registration policy deleted successfully otpPolicyDigits=Number of digits keysFilter.ACTIVE=Active keys rsaGenerated=rsa-generated krbPrincipalAttributeHelp=Name of the LDAP attribute, which refers to Kerberos principal. This is used to lookup appropriate LDAP user after successful Kerberos/SPNEGO authentication in Keycloak. When this is empty, the LDAP user will be looked based on LDAP username corresponding to the first part of his Kerberos principal. For instance, for principal 'john@KEYCLOAK.ORG', it will assume that LDAP username is 'john'. client-roles-condition.tooltip=Client roles, which will be checked during this condition evaluation. Condition evaluates to true if client has at least one client role with the name as the client roles specified in the configuration. impersonateError=Could not impersonate the user\: {{error}} keyLabel=Key syncChangedUsers=Sync changed users eventTypes.IDENTITY_PROVIDER_RESPONSE_ERROR.name=Identity provider response error orderDialogIntro=The order that the providers are listed in the login page or the Account UI. You can drag the row handles to change the order. clientSessionIdle=Client Session Idle push=Push targetClaimHelp=Specifies the target claim which the policy will fetch. periodicFullSyncHelp=Whether periodic full synchronization of LDAP users to Keycloak should be enabled or not scopePermissions.users.user-impersonated-description=Policies that decide which users can be impersonated. These policies are applied to the user being impersonated. forceNameIdFormat=Force name ID format noMappersInstructions=There are currently no mappers for this identity provider. deleteConfirmFlow=Delete flow? addRole=Add role FAIL=Fail import userInfoSignedResponseAlgorithmHelp=JWA algorithm used for signed User Info Endpoint response. If set to 'unsigned', User Info Response won't be signed and will be returned in application/json format. lastName=Last name isAccessTokenJWT=Access Token is JWT deleteConfirmDialog_one=Are you sure you want to permanently delete {{count}} selected user eventTypes.AUTHREQID_TO_TOKEN.name=Authreqid to token createError=Could not create the identity provider\: {{error}} excludeIssuerFromAuthenticationResponseHelp=If this is on, the parameter 'iss' will not be included in OpenID Connect Authentication Response. It is useful if the client uses an older OIDC / OAuth2 adapter, which does not support the 'iss' parameter. eventTypes.AUTHREQID_TO_TOKEN_ERROR.name=Authreqid to token error deletePermissionConfirm=Are you sure you want to delete the permission {{permission}} TERMS_AND_CONDITIONS=Terms and Conditions (TERMS_AND_CONDITIONS) artifactResolutionServiceHelp=SAML Artifact resolution service for the client. This is the endpoint to which Keycloak will send a SOAP ArtifactResolve message. You can leave this blank if you do not have a URL for this binding. userRoleMappingUpdatedSuccess=User role mapping successfully updated clientUpdaterTrustedHosts=Trusted Hosts deleteSuccess=Attributes group deleted. attributesDropdown=Attributes dropdown ssoServiceUrlHelp=The Url that must be used to send authentication requests (SAML AuthnRequest). copy=Copy credentialData=Data clientRolesConditionTooltip=Client roles, which will be checked during this condition evaluation. Condition evaluates to true if client has at least one client role with the name as the client roles specified in the configuration. invalidateSecret=Invalidate emptyPermissionInstructions=If you want to create a permission, please click the button below to create a resource-based or scope-based permission. webAuthnPolicyAvoidSameAuthenticatorRegisterHelp=Avoid registering the authenticator that has already been registered. memberofLdapAttribute=Member-of LDAP attribute supportedLocales=Supported locales showPasswordDataValue=Value webAuthnPolicyAttestationConveyancePreference=Attestation conveyance preference copyOf=Copy of {{name}} eventTypes.REMOVE_TOTP.description=Remove totp evictionMinute=Eviction minute requiredClient=Please add at least one client. help=Help passSubject=Pass subject deleteFlowSuccess=Flow successfully deleted nodeReRegistrationTimeoutHelp=Interval to specify max time for registered clients cluster nodes to re-register. If cluster node will not send re-registration request to Keycloak within this time, it will be unregistered from Keycloak rename=Rename httpPostBindingLogoutHelp=Indicates whether to respond to requests using HTTP-POST binding. If false, HTTP-REDIRECT binding will be used. policyProvider.client=Define conditions for your permissions where a set of one or more clients is permitted to access an object. clientAuthentication=Client authentication validatePasswordPolicy=Validate password policy registrationEmailAsUsername=Email as username webAuthnPolicyFormHelp=Policy for WebAuthn authentication. This one will be used by 'WebAuthn Register' required action and 'WebAuthn Authenticator' authenticator. Typical usage is, when WebAuthn will be used for the two-factor authentication. createResource=Create resource data=Data createNewMapper=Create new mapper mapperTypeMsadUserAccountControlManager=msad-user-account-control-mapper deleteNodeFail=Could not delete node\: '{{error}}' syncModeOverrideHelp=Overrides the default sync mode of the IDP for this mapper. Values are\: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider and 'inherit' to use the sync mode defined in the identity provider for this mapper. eventTypes.TOKEN_EXCHANGE_ERROR.description=Token exchange error strictTransportSecurityHelp=The Strict-Transport-Security HTTP header tells browsers to always use HTTPS. Once a browser sees this header, it will only visit the site over HTTPS for the time specified (1 year) at max-age, including the subdomains. <1>Learn more authenticationExplain=Authentication is the area where you can configure and manage different credential types. passwordPoliciesHelp.hashIterations=The number of times a password is hashed before storage or verification. Default\: 27,500. dropNonexistingGroupsDuringSync=Drop non-existing groups during sync clientAssertionSigningAlgHelp=Signature algorithm to create JWT assertion as client authentication. In the case of JWT signed with private key or JWT signed with client secret, it is required. If no algorithm is specified, the following algorithm is adapted. RS256 is adapted in the case of JWT signed with private key. HS256 is adapted in the case of JWT signed with client secret. addProvider_other=Add {{provider}} providers cibaExpiresIn=Expires In dynamicScopeFormatHelp=This is the regular expression that the system will use to extract the scope name and variable. updateMessageBundleError=Error updating message bundle. resetPasswordConfirmText=Are you sure you want to reset the password for the user {{username}}? create=Create noAvailableIdentityProviders=No available identity providers. passSubjectHelp=During login phase, forward an optional login_hint query parameter to SAML AuthnRequest's Subject. notBeforeSetToNow=Not Before set for client resource=Resource emptyConditions=No conditions configured profiles=Profiles userSession.modelNote.tooltip=Name of stored user session note within the UserSessionModel.note map. filterByRoles=Filter by realm roles maxLifespan=Max lifespan host-sending-registration-request-must-match.label=Host Sending Client Registration Request Must Match eventTypes.VERIFY_PROFILE_ERROR.description=Verify profile error webOriginsHelp=Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does not include the '*' wildcard though. To permit all origins, explicitly add '*'. noSessionsForClient=There are currently no active sessions for this client. profilesConfigType=Configure via\: enableHelp=Help is enabled xRobotsTagHelp=Prevent pages from appearing in search engines <1>Learn more client-updater-source-roles.label=Updating entity role clientRegisterPolicyDeleteError=Could not delete client registration policy\: '{{error}}' resourceFile=Resource file admin-clearEvents=Deletes all admin events in the database. hardcodedRole=When user is imported from provider, hardcode a role mapping for it. searchType.default=Default search keysFilter.DISABLED=Disabled keys link=Link defaultGroupAddedError=Error adding group(s) to the default group {error} eventTypes.INVALID_SIGNATURE_ERROR.description=Invalid signature error idpUnlinkSuccess=The provider link has been removed providerType=Provider Type clientSessionIdleHelp=Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value. passwordPoliciesHelp.hashAlgorithm=Applies a hashing algorithm to passwords, so they are not stored in clear text. scopesSelect=Specifies that this permission must be applied to one or more scopes. selectMethodType.generate=Generate emailInvalid=You must enter a valid email. chooseAPolicyProvider=Choose a policy provider clientAuthenticationHelp=The client authentication method (cfr. https\://openid.net/specs/openid-connect-core-1_0.html\#ClientAuthentication). In case of JWT signed with private key, the realm private key is used. kerberosRealmHelp=Name of kerberos realm. For example, FOO.ORG roleCreateError=Could not create role\: {{error}} clientSecretHelp=The client secret registered with the identity provider. This field is able to obtain its value from vault, use ${vault.ID} format. offlineSessionMax=Offline Session Max generatedUserInfoHelp=See the example User Info, which will be provided by the User Info Endpoint dynamicScopeFormat=Dynamic scope format webAuthnPolicyExtraOriginsHelp=The list of extra origin for non-web application. updatePermissionSuccess=Successfully updated the permission idpLinkSuccess=Identity provider has been linked removeAnnotationText=Remove annotation verifyEmailHelpText=Require user to verify their email address after initial login or after address changes are submitted. referrerPolicy=Referrer Policy flow.clients=Client authentication flow eventTypes.IDENTITY_PROVIDER_FIRST_LOGIN_ERROR.description=Identity provider first login error groups=Groups emptyStateText=There aren't any realm roles in this realm. Create a realm role to get started. includeSubGroups=Include sub-group users permanentLockoutHelp=Lock the user permanently when the user exceeds the maximum login failures. logicType.positive=Positive associatedPolicy=Associated policy accountTheme=Account theme webAuthnPolicyAvoidSameAuthenticatorRegister=Avoid same authenticator registration emptyExecutors=No executors configured notBeforeNowClear=Not Before cleared for client selectARole=Select a role titleAuthentication=Authentication category=Category startBySearchingAUser=Start by searching for users times.days=Days