Certificates
Two types of certificates are used when working with federations:
- identity provider (IdP) certificate: a certificate issued on the identity provider side and added when configuring the federation in the control panel. Without this certificate, the federation will not work;
- certificate for signing requests: an optional certificate issued on the Selectel side if the Sign authentication requests checkbox is selected for the federation.
Identity provider certificates
You issue a certificate on the identity provider side and add it to the federation in Selectel. The certificate is used to verify the authentication data received from the identity provider when a user signs in to the control panel.
You can create a federation without a certificate and add one later, but a federation without a certificate will not work. You can add up to 10 certificates to one federation.
If a federation has multiple certificates, they are applied in order: if a certificate has expired or is invalid, the next added certificate is used.
Issue a certificate from the identity provider
Keycloak
- In the Keycloak control panel, go to Realm settings → the Keys tab.
- In the RS256 row, click Certificate.
- Copy the certificate.
AD FS
- On the AD FS server, open Server Manager.
- In the Tools menu, select AD FS Management.
- Open the Services → Certificates folder.
- Right-click the Token-signing certificate and select View Certificate.
- Open the Details tab.
- Click Copy to file → Next.
- Select the Base-64 encoded X.509 (.CER) format.
- Click Next.
- Enter a name for the certificate file and select the folder on your device where you want to save the file.
- Check the settings.
- Click Next.
- Click Finish.
- Open the file and copy the contents of the certificate.
Add a certificate
- In the control panel, go to Access control → Federations.
- Open the federation page.
- In the IdP Certificates block, click Add a certificate.
- Enter a name for the certificate.
- Paste the certificate. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- Click Add.
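As an added check (example code, not part of Selectel's documentation or product): before pasting an IdP certificate, confirm it carries the BEGIN/END CERTIFICATE markers, decodes as a DER certificate and is currently inside its validity window, which is also the condition under which a federation falls through to the next added certificate. It uses only the Python standard library; `sample_pem` builds a constructed, unsigned stand-in certificate for offline testing and is not a real IdP certificate.

```python
import base64
import re
from datetime import datetime, timezone

def _tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV inside a SEQUENCE value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _asn1_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def check_idp_certificate(pem, now=None):
    """Check the BEGIN/END markers, decode the DER and report the validity window."""
    now = now or datetime.now(timezone.utc)
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return {"ok": False, "reason": "missing BEGIN/END CERTIFICATE markers"}
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        fields = list(_children(next(_children(_tlv(der, 0)[1]))[1]))  # tbsCertificate fields
        fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
        (t1, nb), (t2, na) = _children(fields[3][1])  # serial, sigalg, issuer, validity
        not_before, not_after = _asn1_time(t1, nb), _asn1_time(t2, na)
    except (ValueError, IndexError, StopIteration):
        return {"ok": False, "reason": "body is not a base64-encoded DER certificate"}
    status = "not yet valid" if now < not_before else "expired" if now > not_after else "valid"
    return {"ok": status == "valid", "reason": status, "not_before": not_before, "not_after": not_after}

def _der(tag, content):  # short-form lengths only; the constructed sample stays under 128 bytes
    return bytes([tag, len(content)]) + content

def sample_pem(not_before="240101000000Z", not_after="250101000000Z"):  # constructed stand-in, unsigned
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")  # version v3, serial 1
              + _der(0x30, b"") + _der(0x30, b"") + validity)  # empty sigalg and issuer, validity
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # empty sigalg, empty signature
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()
```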
Delete certificate
- In the control panel, go to Access control → Federations.
- Open the federation page.
- In the block IdP Certificates in the certificate line, click .
Certificates for signing requests
The certificate for signing requests is generated automatically on the Selectel side if the Sign authentication requests option is enabled for the federation.
You can download the certificate and upload it when configuring the federation on your identity provider's side; see the instructions Configure federation on the Keycloak side and Configure federation on the Active Directory Federation Services side.
Download a certificate for signing requests
- In the control panel, go to Access control → Federations.
- Open the federation page.
- In the Sign authentication requests field, click Download the certificate. A certificate file in .crt format will be downloaded to your device.