Configure federation on the Keycloak side

As a result of this configuration, a SAML application will be created in Keycloak.

  1. Configure the SAML application.
  2. If you checked the Sign authentication requests checkbox when creating the federation, in the SAML application, configure digital signature verification.

1. Configure the SAML application

  1. In the Keycloak control panel, log in to the Administration Console.
  2. Go to the Clients section.
  3. Click Create client.
  4. On the General Settings step, in the Client type field, select SAML.
  5. In the Client ID field, insert the URL to which users will be redirected after authentication: https://api.selectel.ru/v1/federations/saml/<federation_id>. Replace <federation_id> with the federation ID on the Selectel side; you can view it in the control panel: go to Access Control → Federations → federation row → ID field.
  6. In the Name field, enter the name of the SAML application.
  7. Click Next.
  8. In the Login Settings step, in the Root URL field, insert https://api.selectel.ru/v1/federations/saml/<federation_id>.
  9. In the Home URL field, insert https://my.selectel.ru/federated-login.
  10. In the Valid Redirect URIs field, insert https://api.selectel.ru/v1/auth/federations/<federation_id>/saml/acs.
  11. Click Save.
  12. In the SAML capabilities block, in the Name ID Format field, select the username or email format for the user ID.
  13. Enable the Force POST binding and Include AuthnStatement toggle switches.
  14. In the Signature and Encryption block, enable the Sign assertions toggle switch.
  15. If you do not plan to configure digital signature verification, make sure that the Client signature required toggle switch is turned off in the Signing keys config block.
  16. In the Signature algorithm field, select RSA_SHA256.
  17. In the SAML Signature Key Name field, select NONE.
  18. In the Logout settings block, enable the Front channel logout toggle switch.
  19. Click Save.

2. Configure digital signature verification

You must configure digital signature verification if you checked the Sign authentication requests checkbox when creating a federation.

  1. Download the Selectel certificate used to sign authentication requests from the federation page in Selectel.
  2. In the Keycloak dashboard, go to the Clients section.
  3. Open the SAML application page → Keys tab.
  4. In the Signing keys config block, enable the Encrypt Assertions and Client signature required toggle switches.
  5. In the Encryption keys config block, enable the Client Signature Required toggle switch.
  6. In the Select method field, select Import.
  7. In the Archive Format field, select Certificate PEM. If the Certificate PEM item is missing, close the window, click Regenerate → Yes → Import key. The item will appear in the list.
  8. Click Browse and select the certificate you downloaded from the federation page in Selectel.
  9. Click Confirm.
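The same settings expressed as a Keycloak client representation (the JSON used by the Admin REST API and the client export), together with a check that an exported client still matches them, as an added example that is not part of the Selectel or Keycloak documentation. It assumes the Keycloak SAML attribute keys shown (`saml.force.post.binding`, `saml.assertion.signature` and so on, which map to the console toggles above; confirm them against your Keycloak version); the client name and the federation ID used in testing are constructed placeholders.

```python
REQUIRED_ATTRS = {
    "saml.force.post.binding": "true",         # Force POST binding
    "saml.authnstatement": "true",             # Include AuthnStatement
    "saml.assertion.signature": "true",        # Sign assertions
    "saml.signature.algorithm": "RSA_SHA256",  # Signature algorithm
    "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE",  # SAML Signature Key Name
}

def selectel_urls(federation_id: str) -> tuple[str, str]:
    # Client ID / Root URL and the ACS (Valid Redirect URI) from the steps above
    base = "https://api.selectel.ru/v1"
    return (f"{base}/federations/saml/{federation_id}",
            f"{base}/auth/federations/{federation_id}/saml/acs")

def build_client(federation_id: str, sign_requests: bool = False) -> dict:
    """Client representation equivalent to the console steps in sections 1 and 2."""
    client_id, acs = selectel_urls(federation_id)
    attrs = dict(REQUIRED_ATTRS)
    attrs["saml_name_id_format"] = "email"          # or "username"
    attrs["saml.client.signature"] = "true" if sign_requests else "false"  # Client signature required
    if sign_requests:
        attrs["saml.encrypt"] = "true"              # Encrypt Assertions (section 2)
    return {
        "protocol": "saml",
        "clientId": client_id,
        "name": "Selectel federation",               # assumed name
        "rootUrl": client_id,
        "baseUrl": "https://my.selectel.ru/federated-login",  # Home URL
        "redirectUris": [acs],
        "frontchannelLogout": True,
        "attributes": attrs,
    }

def audit_client(client: dict, federation_id: str, sign_requests: bool) -> list[str]:
    """Return deviations from the required settings; an empty list means the client matches."""
    client_id, acs = selectel_urls(federation_id)
    attrs = client.get("attributes", {})
    expected = dict(REQUIRED_ATTRS)
    expected["saml.client.signature"] = "true" if sign_requests else "false"
    checks = [
        (client.get("protocol") == "saml", "client type is not SAML"),
        (client.get("clientId") == client_id, "Client ID is not the federation URL"),
        (acs in client.get("redirectUris", []), "ACS URL is missing from Valid Redirect URIs"),
        (bool(client.get("frontchannelLogout")), "Front channel logout is disabled"),
        (attrs.get("saml_name_id_format") in ("username", "email"), "Name ID Format must be username or email"),
    ]
    findings = [msg for ok, msg in checks if not ok]
    findings += [f"{k} is {attrs.get(k)!r}, expected {v!r}"
                 for k, v in expected.items() if attrs.get(k) != v]
    return findings
```

Running audit_client over the JSON of an exported client after any change catches drift such as a disabled Sign assertions or Client signature required toggle before it reaches production.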