Certificates of federations

Two types of certificates are used when working with federations:

  • credential provider certificate — a certificate that is issued on the credential provider side and added when configuring the federation in the control panel. Without this certificate, the federation will not work;
  • certificate for signing requests — an optional certificate that is issued on the Selectel side if the Sign authentication requests checkbox is checked for the federation. It is used to sign authentication requests.

Certificates from credential providers

You issue a certificate on the credential provider side and add it to a federation in Selectel. The certificate is used to authenticate data when a user is authenticated in the control panel.

You can create a federation without a certificate and add it later, but a federation without a certificate will not work. You can add up to 10 certificates for one federation.

If a federation has multiple certificates, they are applied sequentially: if a certificate has expired or is invalid, the next added certificate is applied.

Issue a certificate from a credential provider

  1. In the Keycloak control panel, go to Realm settings → Keys tab.
  2. In the RS256 row, click Certificate.
  3. Copy the certificate.

Add a certificate

  1. In the control panel, on the top menu, click Account.
  2. Go to the Federations section.
  3. Open the federation page.
  4. In the IdP Certificates block, click Add Certificate.
  5. Enter the name of the certificate.
  6. Insert the certificate. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  7. Click Add.
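
A pre-upload check for the certificate text, covering the PEM framing required in step 6 and the expired or invalid cases that make a federation skip a certificate. This is an added example, not Selectel's or Keycloak's own tooling; the function name check_idp_cert, its return codes and the 30-day warning window are assumptions, and it relies on the openssl command-line tool being installed.

```bash
#!/usr/bin/env bash
# check_idp_cert FILE [WARN_DAYS]   (hypothetical helper, not a Selectel tool)
# Returns: 0 usable, 1 malformed or unparseable, 2 expired,
#          3 expires within WARN_DAYS (default 30, an assumed threshold)
check_idp_cert() {
  local file=$1 warn_days=${2:-30} body first last count
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

  # Drop CRs and blank lines so a pasted file is judged on its content.
  body=$(tr -d '\r' < "$file" | sed '/^[[:space:]]*$/d')
  first=$(printf '%s\n' "$body" | head -n 1)
  last=$(printf '%s\n' "$body" | tail -n 1)
  count=$(printf '%s\n' "$body" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)

  # Exactly one block, framed the way the control panel expects.
  if [ "$first" != "-----BEGIN CERTIFICATE-----" ] ||
     [ "$last" != "-----END CERTIFICATE-----" ] || [ "$count" -ne 1 ]; then
    echo "not a single PEM certificate block" >&2; return 1
  fi

  # Correct framing does not prove the Base64 body is a complete X.509 cert.
  printf '%s\n' "$body" | openssl x509 -noout 2>/dev/null ||
    { echo "PEM body does not parse as X.509" >&2; return 1; }

  # -checkend N exits non-zero when the certificate expires within N seconds.
  printf '%s\n' "$body" | openssl x509 -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired" >&2; return 2; }
  printf '%s\n' "$body" |
    openssl x509 -noout -checkend $((warn_days * 86400)) >/dev/null ||
    { echo "certificate expires within $warn_days days" >&2; return 3; }

  # Values to compare with the credential provider's view before pasting.
  printf '%s\n' "$body" | openssl x509 -noout -subject -enddate -fingerprint -sha256
}
```

Run it as check_idp_cert idp.crt on the file holding the copied certificate; return code 3 is a prompt to add a replacement certificate to the federation before the current one expires.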

Delete certificate

  1. In the control panel, on the top menu, click Account.
  2. Go to the Federations section.
  3. Open the federation page.
  4. In the IdP Certificates block, in the certificate row, click .

Certificates for signing requests

The certificate for signing requests is generated automatically on the Selectel side if the Sign Authentication Requests option is enabled on the federation.

You can download the certificate and upload it when you configure the federation on your credential provider side. For details, see the instructions Configure federation on the Keycloak side and Configure federation on the Active Directory Federation Services side.

Download a certificate for signing requests

  1. In the control panel, on the top menu, click Account.
  2. Go to the Federations section.
  3. Open the federation page.
  4. In the Sign authentication requests field, click Download certificate. The certificate file in .crt format will be downloaded to your device.