Certificates of federations

Last update: May 27 2025

Certificates of federations

Two types of certificates are used when working with federations:

• credential provider certificate — A certificate that is issued on the credential provider side and added when configuring the federation in the control panel. Without the certificate, the federation will not work;
• certificates for signing requests — an optional certificate that is issued on the Selectel side, if the federation checkbox is checked. Sign authentication requests.

Certificates from credential providers⁠

You issue a certificate from a credential provider and add it to a federation in Selectel. The certificate is used for data authentication when authenticating a user in the control panel.

You can create a federation without a certificate and add it later, but a federation without a certificate will not work. You can add up to 10 certificates for one federation.

If a federation has multiple certificates, they will be applied sequentially: if a certificate has expired or is invalid, the next downloaded certificate will be applied.

Issue a certificate from a credential provider⁠

Keycloak

1. In the Keycloak control panel, go to Realm settings → Keys tab.
2. In the RS256 row, click Certificate.
3. Copy the certificate.

AD FS

1. On the AD FS server, open Server Manager.
2. From the Tools menu, select AD FS Management.
3. Open the Services → Certificates folder.
4. Right-click on the Token-signing block → View Certificate.
5. Open the Details tab.
6. Click Copy to file → Next.
7. Select Base-64 encoded X.509 (.CER) format.
8. Click Next.
9. Enter a name for the certificate file and select the folder on your device where you want to save the file.
10. Check the settings.
11. Click Next.
12. Click Finish.
13. Open the file and copy the contents of the certificate.

Add a certificate⁠

1. In the control panel, on the top menu, click Account.
2. Go to the Federations section.
3. Open the federation page.
4. In the IdP Certificates block, click Add Certificate.
5. Enter the name of the certificate.
6. Insert the certificate. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
7. Click Add.

Delete certificate⁠

1. In the control panel, on the top menu, click Account.
2. Go to the Federations section.
3. Open the federation page.
4. In the IdP Certificates block, in the certificate row, click .

Certificates for signing requests⁠

The certificate for signing requests is generated automatically on the Selectel side if the Sign Authentication Requests option is enabled on the federation.

You can download the certificate and upload it when you configure federation on your credential provider side, see the instructions Configure federation on the Keycloak side and Configure federation on the Active Directory Federation Services side for details.

Download a certificate for signing requests⁠

1. In the control panel, on the top menu, click Account.
2. Go to the Federations section.
3. Open the federation page.
4. In the Sign authentication requests field, click Download certificate. The certificate file in .crt format will be downloaded to your device.