SSO authentication

Last update: May 21 2026

First authentication

If the user was added manually, after being invited to the account they will receive an email with a link to authorize by SSO and federation ID.

If autocreation of users was enabled during federation creation, the link for the first authentication is provided by the Account Owner or a user with the role of iam_admin.

Login via the link from the email

1. In the email, click Sign in by SSO.
2. Enter the federation ID.
3. Optional: to avoid entering the federation ID each time you log in, check the Save federation checkbox.
4. Click Login by SSO. You will be redirected to the credential provider's authorization page.
5. Authorize on the credential provider side. After authorization, you will be returned to the Control Panel login page.
6. If you do not have a full name, enter it.
7. Click Sign in by SSO.

Login via direct link

1. Click the link provided to you by the Account Owner or user with the role of iam_admin.
2. If you do not have a full name, enter it.
3. Click Sign in by SSO.
4. If you do not have an email, please enter it.
5. If you do not have a full name, enter it.
6. Click Sign in by SSO.

Authentication at every login

1. In the dashboard on the login page, click Sign in with SSO.
2. Enter the federation ID or select a saved federation. The federation ID can be seen in the invitation email or can be requested from the Account Owner or user with the role of iam.admin.
3. Optional: to avoid entering a new federation ID each time you log in, check the Save federation checkbox.
4. Click Login by SSO. You will be redirected to the credential provider's authorization page.
5. Authorize with the credentialing vendor.

Authentication errors

If federation has not been configured correctly, errors may occur when authenticating a user. Error Groups:

• SAML001 - SAML099 - federation configuration errors on the Selectel side;
• SAML100 - SAML199 - validation errors on the credential provider side (SAML Response);
• SAML200 - SAML299 - other errors.

Error	Reason	Decision
SAML001 - SAML099 - configuration errors on Selectel side
SAML001: saml_idp_is_not_configured	SAML-compliant IdP has not been configured on the Selectel side	Check the federation setting on the Selectel side
SAML002: saml_idp_certs_not_configured	The federation in Selectel does not have a certificate	For federation, add a certificate issued from a credential provider
SAML100 - SAML199 - SAML Response validation errors
SAML100: saml_response_invalid_request_id	Incorrect SAML request identifier. Possible causes: repeated authentication attempt within a single request (SAML Response); the time allotted for user authentication has expired - after going to the authentication page, it took 10 minutes or more for the user to enter credentials	Go to the authentication page from the Selectel control panel and authorize again
SAML101: saml_response_invalid_destination	The Destination parameter in SAML Response is set incorrectly	Expose the correct URL for SAML Assertion Consumer Service on the credential provider side: in Keycloak - the Valid Redirect URIs parameter, more details in the Configure Federation on the Keycloak side instructions; in AD FS - parameter Relying party SAML 2.0 SSO service URL, more details in the instructions Configure federation on the Active Directory Federation Services side.
SAML102: saml_response_invalid_in_response_to	SAML Response was created for an authentication request with a different identifier	Go to the authentication page from the Selectel control panel and authorize again
SAML103: saml_response_invalid_issuer	When creating a federation in Selectel, an incorrect value of the IdP Issuer field is specified	In the federation settings in Selectel, set the correct value in the IdP Issuer field
SAML104: saml_response_invalid_signature	The signature of the received SAML Response is set incorrectly. Possible causes: the credential provider returned an incorrect SAML Response. You can check if the SAML Response is correct using third-party utilities (e.g., Onelogin); an invalid certificate has been added to Selectel for the federation	If SAML Response is incorrect: check the federation setting on the credential provider side; in case of an invalid certificate: add a valid certificate
SAML105: saml_response_subject_not_found	The Subject section is missing from the received SAML Response	Configure federation on the credential provider side so that the Subject section is enabled in SAML Response
SAML106: saml_response_name_id_not_found	NameID is not present in the received SAML Response	Configure federation on the credential provider side so that the SAML Response includes the NameID parameter: in AD FS to configure Claims Mapping; Keycloak - No settings are required. Authenticate again later.
SAML107: saml_response_user_not_found	User does not exist in Selectel	Add a user login method Federation. If the user is added, make sure that the value of the ExternalID field of the created user matches the user ID on the credential provider side.
SAML108: saml_response_invalid_assertion_xml	The SAML Response format is incorrect. You can check SAML Response using third-party utilities (e.g. Onelogin)	Re-authentication; Check the federation configuration on the credential provider side
SAML109: saml_response_invalid_assertion	Incorrect SAML Response	Verify the federation configuration on the credential provider side. You can check SAML Response using third-party utilities (for example, Onelogin)
SAML200 - SAML299 - other errors
SAML200: saml_internal_error	Requires clarification	Create a ticket support
SAML201: saml_malformed_request	Incorrect request parameters from credential provider to Selectel after authentication on the provider side	Verify the federation configuration on the credential provider side