Configure federation on the Keycloak side

Completing these steps creates a SAML application (client) for the Selectel federation in Keycloak.

  1. Configure the SAML application.
  2. If you selected the Sign authentication requests checkbox when creating the federation, also configure digital signature verification in the SAML application.

Customize SAML application

  1. In the Keycloak control panel, log in to the Administration Console.
  2. Go to the section Clients.
  3. Click Create client.
  4. At the General Settings step, in the Client type field, select SAML.
  5. In the Client ID field, insert the URL to which users will be redirected after authentication: https://api.selectel.ru/v1/federations/saml/<federation_id>. Here <federation_id> is the ID of the federation on the Selectel side; you can find it in the control panel: go to Access control → Federations → the federation's row → ID field.
  6. In the field Name enter the name of the SAML application.
  7. Click Next.
  8. At the Login Settings step, in the Root URL field, insert https://api.selectel.ru/v1/federations/saml/<federation_id>.
  9. In the Home URL field, insert https://my.selectel.ru/federated-login.
  10. In the Valid Redirect URIs field, insert https://api.selectel.ru/v1/auth/federations/<federation_id>/saml/acs.
  11. Click Save.
  12. In the SAML capabilities block, in the Name ID Format field, select the format of the user ID: username or email.
  13. Turn on the Force POST binding and Include AuthnStatement toggles.
  14. In the Signature and Encryption block, turn on the Sign assertions toggle.
  15. If you are not going to configure digital signature verification, make sure that in the Signing keys config block the Client signature required toggle is off.
  16. In the Signature algorithm field, select RSA_SHA256.
  17. In the SAML Signature Key Name field, select NONE.
  18. In the Logout settings block, turn on the Front channel logout toggle.
  19. Click Save.

Configure digital signature verification

You need to configure digital signature verification if you selected the Sign authentication requests checkbox when creating the federation.

  1. Download the Selectel certificate used to sign requests from the federation page in the Selectel control panel.
  2. In the Keycloak control panel, go to Clients.
  3. Open the SAML application page → Keys tab.
  4. In the Signing keys config block, turn on the Encrypt Assertions and Client signature required toggles.
  5. In the Encryption keys config block, turn on the Client Signature Required toggle.
  6. In the Select method field, select Import.
  7. In the Archive Format field, select Certificate PEM. If the Certificate PEM item is missing, close the window, click Regenerate, confirm with Yes, then click Import key. The item will appear in the list.
  8. Click Browse and select the certificate you downloaded from the federation page in Selectel.
  9. Click Confirm.
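The two procedures above are UI click-throughs; the same client can be created non-interactively, which is useful when the federation must be reproducible across realms or environments. The following is an added example, not Selectel's or Keycloak's own code: it builds the Keycloak client representation that the steps above produce, in the form `kcadm.sh create clients -r <realm> -f client.json` accepts. The attribute names (`saml.client.signature`, `saml.assertion.signature`, `saml_name_id_format`, and so on) follow Keycloak's exported client JSON as I know it and should be checked against your Keycloak version; the federation ID and PEM body in the sample are constructed placeholders. Passing the Selectel certificate selects the "Sign authentication requests" variant (Client signature required and Encrypt Assertions on, certificate imported); omitting it produces the variant with Client signature required off.

```python
import json
import re
from typing import Optional

# Added example (not Selectel's or Keycloak's own code). Attribute names follow
# Keycloak's exported client JSON as I know it; verify them against your version.

SELECTEL_API = "https://api.selectel.ru/v1"
SELECTEL_HOME_URL = "https://my.selectel.ru/federated-login"


def pem_to_keycloak_cert(pem: str) -> str:
    """Keycloak stores a certificate as the bare base64 body: no PEM armor, no newlines."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("input is not a PEM-encoded certificate")
    return "".join(match.group(1).split())


def build_saml_client(federation_id: str, name_id_format: str = "username",
                      selectel_cert_pem: Optional[str] = None) -> dict:
    """Return the Keycloak client representation for one Selectel federation.

    selectel_cert_pem is the certificate downloaded from the federation page.
    Passing it corresponds to the 'Sign authentication requests' variant;
    leaving it None corresponds to Client signature required being off.
    """
    if not federation_id or "/" in federation_id:
        raise ValueError("federation_id must be the ID shown on the Selectel federation page")
    if name_id_format not in ("username", "email"):
        raise ValueError("Name ID Format must be 'username' or 'email'")

    verify_requests = selectel_cert_pem is not None
    attributes = {
        "saml_name_id_format": name_id_format,        # Name ID Format
        "saml.force.post.binding": "true",            # Force POST binding
        "saml.authnstatement": "true",                # Include AuthnStatement
        "saml.assertion.signature": "true",           # Sign assertions
        "saml.signature.algorithm": "RSA_SHA256",     # Signature algorithm
        "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE",  # SAML Signature Key Name
        "saml.client.signature": "true" if verify_requests else "false",  # Client signature required
        "saml.encrypt": "true" if verify_requests else "false",           # Encrypt Assertions
    }
    if verify_requests:
        # The imported certificate is what Keycloak verifies AuthnRequest signatures against.
        attributes["saml.signing.certificate"] = pem_to_keycloak_cert(selectel_cert_pem)

    return {
        "protocol": "saml",
        "clientId": f"{SELECTEL_API}/federations/saml/{federation_id}",
        "name": f"Selectel federation {federation_id}",
        "rootUrl": f"{SELECTEL_API}/federations/saml/{federation_id}",
        "baseUrl": SELECTEL_HOME_URL,                 # Home URL
        "redirectUris": [f"{SELECTEL_API}/auth/federations/{federation_id}/saml/acs"],
        "frontchannelLogout": True,                   # Front channel logout
        "attributes": attributes,
    }


# Constructed sample input: a placeholder federation ID and a fake PEM body
# (not a real certificate; only its framing matters to pem_to_keycloak_cert).
SAMPLE_FEDERATION_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsample\nbody\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Write client.json, then: kcadm.sh create clients -r <realm> -f client.json
    print(json.dumps(build_saml_client(SAMPLE_FEDERATION_ID, "email", SAMPLE_PEM), indent=2))
```

The function refuses Name ID formats other than the two the federation supports and derives all three URLs from one federation ID, so the Client ID, Root URL and Valid Redirect URI cannot drift apart the way they can when typed separately into the console.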