Certificates for SAML federations

Last update: May 30 2026

When working with federations, two types of certificates are used:

• identity provider certificate — a certificate that is issued on the identity provider side and added when configuring a federation in the control panel. Without a certificate, the federation will not work;
• certificates for signing requests — an optional certificate that is issued on the Selectel side if the federation has the Sign authentication requests checkbox marked.

Identity provider certificates

You issue a certificate from your identity provider and add it to the federation in Selectel. The certificate is used for authenticating data during user login in the control panel.

You can create a federation without a certificate and add one later, but a federation without a certificate will not work. You can add up to 10 certificates for a single federation.

If a federation has multiple certificates, they will be applied sequentially: if a certificate has expired or is invalid, the next uploaded certificate will be used.

Issue a certificate from an identity provider

Keycloak

1. In the Keycloak control panel, go to the Realm settings section → Keys tab.
2. In the RS256 row, click Certificate.
3. Copy the certificate.

AD FS

1. On the AD FS server, open Server Manager.
2. In the Tools menu, select AD FS Management.
3. Open the Services → Certificates folder.
4. Right-click the Token-signing block → View Certificate.
5. Open the Details tab.
6. Click Copy to file → Next.
7. Select the Base-64 encoded X.509 (.CER) format.
8. Click Next.
9. Enter a name for the certificate file and select a folder on your device where the file will be saved.
10. Check the settings.
11. Click Next.
12. Click Finish.
13. Open the file and copy the certificate content.

Add a certificate

1. In the control panel, on the top menu, click IAM.
2. Go to the Federations section.
3. Open the federation page → Federations tab.
4. In the IdP certificates block, click Add certificate.
5. Enter a certificate name.
6. Paste the certificate. It must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
7. Click Add.

Remove a certificate

1. In the control panel, on the top menu, click IAM.
2. Go to the Federations section.
3. Open the federation page → Federations tab.
4. In the IdP certificates block, in the certificate row, click .

Certificates for signing requests

A certificate for signing requests is generated automatically on the Selectel side if the Sign authentication requests option is enabled for the federation.

You can download the certificate and upload it when configuring the federation on your identity provider side; for more details, see the Create a SAML federation for Keycloak and Create a SAML federation for AD FS guides.

Download a certificate for signing requests

1. In the control panel, on the top menu, click IAM.
2. Go to the Federations section.
3. Open the federation page → Federations tab.
4. In the Sign authentication requests field, click Download certificate. The certificate file in .crt format will be downloaded to your device.