Configure federation on the Keycloak side
As a result of this configuration, a SAML application (client) will be created in Keycloak.
- Configure the SAML application.
- If you checked the Sign authentication requests checkbox when creating the federation, configure digital signature verification in the SAML application.
Configure the SAML application
- In the Keycloak control panel, log in to the Administration Console.
- Go to the section Clients.
- Click Create client.
- In step General Settings, in the field Client type, select SAML.
- In the field Client ID, insert the URL to which users will be redirected after authentication:
https://api.selectel.ru/v1/federations/saml/<federation_id>
Specify <federation_id>: the ID of the federation on the Selectel side. You can view it in the control panel: go to the section Access control → Federations → federation line → field ID.
- In the field Name, enter the name of the SAML application.
- Click Next.
- In step Login Settings, in the field Root URL, insert:
https://api.selectel.ru/v1/federations/saml/<federation_id>
- In the field Home URL, insert:
https://my.selectel.ru/federated-login
- In the field Valid Redirect URIs, insert:
https://api.selectel.ru/v1/auth/federations/<federation_id>/saml/acs
- Click Save.
- In the block SAML capabilities, in the field Name ID Format, select the format of the user ID — username or email.
- Turn on the toggle switches Force POST binding and Include AuthnStatement.
- In the block Signature and Encryption, turn on the toggle switch Sign assertions.
- If you are not planning to configure digital signature verification, make sure that in the block Signing keys config the toggle switch Client signature required is turned off.
- In the field Signature algorithm, select RSA_SHA256.
- In the field SAML Signature Key Name, select NONE.
- In the block Logout settings, turn on the toggle switch Front channel logout.
- Click Save.
Configure digital signature verification
You need to configure digital signature verification if you checked the Sign authentication requests checkbox when creating the federation.
- Download a Selectel certificate to sign requests.
- In the Keycloak control panel, go to Clients.
- Open the SAML application page → tab Keys.
- In the block Signing keys config, turn on the toggle switches Encrypt Assertions and Client signature required.
- In the block Encryption keys config, turn on the toggle switch Client Signature Required.
- In the field Select method select Import.
- In the field Archive Format select Certificate PEM. If the item Certificate PEM is missing, close the window, press Regenerate → Yes → Import key. The item will appear in the list.
- Click Browse and select the certificate you downloaded from the federation page in Selectel.
- Click Confirm.
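Once the client is configured through the console, it is worth confirming that the export of that client actually carries the settings from both sections above, because a missed toggle (for example Client signature required left off while the federation signs its requests, or the algorithm left at a weaker default) only shows up later as rejected or unverified logins. The following check is an added example, not part of the Selectel documentation or of Keycloak. It assumes the attribute keys Keycloak writes into a SAML client export (Clients → client → Action → Export), such as saml.assertion.signature, saml.client.signature and saml.signing.certificate; verify them against your own export. The embedded sample export is constructed and deliberately contains two deviations so that the check has something to report.

```python
"""Lint a Keycloak SAML client export against the settings described above.

Added example (not Selectel's or Keycloak's own code). Attribute keys are
the ones Keycloak writes into a client export; this is an assumption about
the export format, so compare them with a real export before relying on it.
"""
import json

# Constructed sample export of the client configured above. <federation_id>
# is left as a placeholder exactly as on the page. Two deviations are built
# in: the signature algorithm is RSA_SHA1 and no Selectel certificate has
# been imported.
SAMPLE_CLIENT_EXPORT = r"""
{
  "clientId": "https://api.selectel.ru/v1/federations/saml/<federation_id>",
  "name": "selectel-saml",
  "protocol": "saml",
  "rootUrl": "https://api.selectel.ru/v1/federations/saml/<federation_id>",
  "baseUrl": "https://my.selectel.ru/federated-login",
  "redirectUris": ["https://api.selectel.ru/v1/auth/federations/<federation_id>/saml/acs"],
  "frontchannelLogout": true,
  "attributes": {
    "saml_name_id_format": "email",
    "saml.force.post.binding": "true",
    "saml.authnstatement": "true",
    "saml.assertion.signature": "true",
    "saml.signature.algorithm": "RSA_SHA1",
    "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE",
    "saml.client.signature": "true",
    "saml.signing.certificate": ""
  }
}
"""

# Settings from the "Configure the SAML application" steps as
# (export attribute key, expected value, name of the toggle/field in the UI).
REQUIRED_ATTRIBUTES = [
    ("saml.force.post.binding", "true", "Force POST binding"),
    ("saml.authnstatement", "true", "Include AuthnStatement"),
    ("saml.assertion.signature", "true", "Sign assertions"),
    ("saml.signature.algorithm", "RSA_SHA256", "Signature algorithm"),
    ("saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer", "NONE",
     "SAML Signature Key Name"),
]


def check_saml_client(client: dict, sign_authn_requests: bool) -> list[str]:
    """Return human-readable findings; an empty list means the export matches
    the page. sign_authn_requests mirrors the "Sign authentication requests"
    checkbox of the Selectel federation."""
    findings = []
    attrs = client.get("attributes", {})

    if client.get("protocol") != "saml":
        findings.append("protocol is not saml")

    for key, expected, ui_name in REQUIRED_ATTRIBUTES:
        actual = attrs.get(key)
        if actual != expected:
            findings.append(f"{ui_name}: expected {expected}, got {actual!r}")

    if attrs.get("saml_name_id_format") not in ("username", "email"):
        findings.append("Name ID Format must be username or email")

    if client.get("frontchannelLogout") is not True:
        findings.append("Front channel logout is not enabled")

    # Client signature required has to match the federation: when Selectel
    # signs its AuthnRequests, Keycloak must verify them and needs the
    # Selectel certificate; when it does not, the toggle must be off, or
    # every unsigned request would be rejected.
    client_sig = attrs.get("saml.client.signature") == "true"
    if sign_authn_requests:
        if not client_sig:
            findings.append("Client signature required is off but the federation signs requests")
        if not attrs.get("saml.signing.certificate"):
            findings.append("no Selectel signing certificate imported (saml.signing.certificate is empty)")
    elif client_sig:
        findings.append("Client signature required is on but the federation does not sign requests")

    return findings


def check_export_text(text: str, sign_authn_requests: bool) -> list[str]:
    """Parse an export file's contents and run the checks."""
    return check_saml_client(json.loads(text), sign_authn_requests)


if __name__ == "__main__":
    for finding in check_export_text(SAMPLE_CLIENT_EXPORT, sign_authn_requests=True):
        print("-", finding)
```

Run against a real export with `check_export_text(open("client.json").read(), sign_authn_requests=True)` and pass False if the federation was created without the Sign authentication requests checkbox; the sample above reports the RSA_SHA1 algorithm and the missing certificate.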