Skip to main content
Certificates
Last update:

Certificates

Two types of certificates are used when working with federations:

  • certificate of credential suppliers — A certificate that is issued on the credential provider side and added when configuring the federation in the control panel. Without the certificate, the federation will not work;
  • certificates for signing requests — An optional certificate that is issued on the Selectel side if the federation checkbox is selected Sign authentication requests.

Certificates of credential providers

You issue a certificate from the credentialing vendor and add it to the federation in Selectel. The certificate is used for data authentication when authenticating a user in the control panel.

You can create a federation without a certificate and add it later, but a federation without a certificate will not work. You can add up to 10 certificates for one federation.

If a federation has multiple certificates, they will be applied sequentially: if a certificate has expired or is invalid, the next downloaded certificate will be applied.

Issue a certificate from a credential provider

  1. In the Keycloak control panel, go to Realm settings → tab Keys.
  2. On the line RS256 click Certificate.
  3. Copy the certificate.

Add a certificate

  1. In control panel go to Access controlFederations.
  2. Open the federation page.
  3. In the block IdP Certificates click Add a certificate.
  4. Enter the name of the certificate.
  5. Insert the certificate. It must begin with -----BEGIN CERTIFICATE----- and end -----END CERTIFICATE-----
  6. Click Add.

Delete certificate

  1. In control panel go to Access controlFederations.
  2. Open the federation page.
  3. In the block IdP Certificates in the certificate line, click .

Certificates for signing requests

The certificate for signing requests is generated automatically on the Selectel side if the federation option is enabled. Sign authentication requests.

You can download certificate and upload it when setting up federation on the side of your credential provider, more details in the instructions Configure federation on the Keycloak side and Configure federation on the Active Directory Federation Services side.

Download a certificate for signing requests

  1. In control panel go to Access controlFederations.
  2. Open the federation page.
  3. In the field Sign authentication requests click Download the certificate. Certificate file in the format .crt will be downloaded to your device.