
Create an OIDC federation for AD FS

  1. Configure federation on the AD FS side.
  2. Create federation on the Selectel side.
  3. Add the Selectel federation identifier to the AD FS federation.
  4. If you enabled automatic user creation when creating the federation on the Selectel side, configure user group mapping.

1. Configure federation on the AD FS side

  1. On the AD FS server, open Server Manager.

  2. Right-click the Application Group section and select Add Application Group.

  3. At the Welcome stage:

    3.1. In the Name field, enter the federation name.

    3.2. In the Templates block, select the Server application accessing a web template.

    3.3. Click Next.

  4. At the Server application stage:

    4.1. Copy and save the value of the Client Identifier field.

    4.2. In the Redirect URI field, enter https://api.selectel.ru/v1/auth/federations/oidc/.

    4.3. Click Next.

  5. At the Configure Application Credentials stage:

    5.1. Select the Generate shared secret checkbox. A secret will be generated.

    5.2. Click Copy to clipboard and save the secret value. You will not be able to view it later.

    5.3. Click Next.

  6. At the Apply Access Control Policy stage:

    6.1. Select an access policy.

    6.2. Click Next.

  7. At the Configure Application Permissions stage:

    7.1. In the Permitted scopes block, select the email, openid and profile checkboxes.

    7.2. Click Next.

  8. At the Summary stage, click Next.

  9. At the Complete stage, click Save.

2. Create a federation on the Selectel side

  1. In the control panel top menu, click IAM.

  2. Go to the Federations section.

  3. Click Add federation and select OpenID Connect (OIDC).

  4. In the Federation settings block:

    4.1. Enter the federation name.

    4.2. Optional: enter the federation description.

    4.3. Change the session lifetime or leave the default value (24 hours). The session lifetime defines how long a user remains authorized without having to re-authenticate. You can specify a value from 1 to 720 hours.

  5. In the IdP settings block:

    5.1. In the IdP Issuer field, enter the identity provider identifier, props.IdIssuer, where <idp_url> is your IdP URL.

    5.2. In the Client ID field, enter the identifier that you saved from the Client Identifier field when configuring the federation on the identity provider side at stage 1, step 4.1.

    5.3. In the Client Secret field, enter the secret that you obtained when configuring the federation at stage 1, step 5.2.

    5.4. In the Auth URL field, enter the link to the identity provider login page to which users will be redirected for SSO authentication, props.AuthUrl, where <idp_url> is your IdP URL.

    5.5. In the Token URL field, enter the token endpoint, props.TokenUrl, where <idp_url> is your IdP URL.

    5.6. In the JWKS URI field, enter the endpoint that serves the signing certificates (keys), props.JwskUri, where <idp_url> is your IdP URL.

    5.7. To create users automatically upon their first login to the control panel via SSO, select the Auto-create users checkbox.

    If the checkbox is selected, you must configure user group mapping. Users will be created with the permissions you specify during mapping configuration. If auto-creation is enabled without configuring mapping, users will be created without permissions and will not have access to the control panel.

    If you do not select the Auto-create users checkbox, you will need to add users manually.

  6. Click Create Federation.

3. Add the Selectel federation identifier to the AD FS federation

  1. On the AD FS server, open Server Manager.
  2. In the Application Group section, open the federation you configured on the AD FS side at stage 1.
  3. In the Redirect URI field, enter https://api.selectel.ru/v1/auth/federations/oidc/<federation_id>/callback. Specify <federation_id>, the federation ID on the Selectel side, which can be found in the control panel: in the top menu, click IAM → Federations → federation row → ID field.
  4. Click Save.

4. Configure user group mapping

You must configure group mapping if you enabled automatic user creation when creating the federation on the Selectel side at stage 2. Use the Configure Group Mapping subsection of the User Group Mapping guide.
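Before copying values into the IdP settings block (stage 2, steps 5.1 to 5.6) it is worth checking that the issuer, endpoints and scopes you enter agree with what the IdP itself publishes, and that the callback URI for stage 3 is built from the federation ID correctly. The following Python script is an added example, not part of this guide or of Selectel's tooling: it assumes the IdP publishes a standard OIDC discovery document, and the sample document, the host adfs.example.com and the discovery path in the comment are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Callback pattern from stage 3; the Selectel federation ID fills the path segment.
SELECTEL_CALLBACK = "https://api.selectel.ru/v1/auth/federations/oidc/{federation_id}/callback"
# Scopes enabled on the AD FS side at stage 1, step 7.1.
REQUIRED_SCOPES = {"openid", "profile", "email"}
# Form fields of stage 2 (IdP Issuer, Auth URL, Token URL, JWKS URI) and their discovery keys.
DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def callback_uri(federation_id: str) -> str:
    """Build the Redirect URI to register in AD FS once the federation ID is known."""
    if not federation_id or any(c in federation_id for c in "/?#"):
        raise ValueError("federation_id must be a single non-empty path segment")
    return SELECTEL_CALLBACK.format(federation_id=federation_id)


def check_discovery(doc: dict, idp_url: str) -> list:
    """Return problems found; an empty list means the values are consistent with the IdP."""
    problems = []
    host = urlparse(idp_url).hostname
    for key in DISCOVERY_KEYS:
        value = doc.get(key)
        if not value:
            problems.append("missing " + key)
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(key + " is not https: " + value)
        if parsed.hostname != host:
            problems.append(key + " points at " + str(parsed.hostname) + ", expected " + host)
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample of the discovery document an IdP serves at
# <idp_url>/.well-known/openid-configuration (assumed path; AD FS prefixes it with /adfs).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://adfs.example.com/adfs",
  "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
  "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
  "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
  "scopes_supported": ["openid", "profile", "email", "allatclaims"]
}""")

if __name__ == "__main__":
    print(callback_uri("FEDERATION_ID_PLACEHOLDER"))
    print(check_discovery(SAMPLE_DISCOVERY, "https://adfs.example.com") or "discovery values are consistent")
```

A non-empty result means a value on the Selectel side will not match the tokens the IdP issues (wrong issuer or host) or the scopes granted at stage 1 do not cover what the federation requests.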