Skip to main content
Configure federation on the Keycloak side
Last update:

Configure federation on the Keycloak side

As a result of the customization, a SAML application will be created.

  1. Configure SAML application.
  2. If you checked the Sign authentication requests checkbox when creating the federation, in the SAML application, configure digital signature verification.

1. Customize SAML application

  1. In the Keycloak control panel, log in to the Administration Console.
  2. Go to the Clients section.
  3. Click Create client.
  4. In the General Settings step, in the Client type field, select SAML.
  5. In the Client ID field, insert the URL to which users will be redirected after authentication:<federation_id>. Specify <federation_id> — federation ID on Selectel side, can be viewed in control panel: menu in upper right corner → Profile & SettingsFederations → federation row → ID field.
  6. In the Name field, enter the name of the SAML application.
  7. Press Next.
  8. At the Login Settings step, in the Root URL field, insert<federation_id>
  9. In the Home URL field, insert
  10. In the Valid Redirect URIs field, insert<federation_id>/saml/acs
  11. Press Save.
  12. In the SAML capabilities block, in the Name ID Format field, select the user ID format — username or email.
  13. Enable the Force POST binding and Include AuthnStatement toggle switches.
  14. In the Signature and Encryption block, turn on the Sign assertions toggle switch.
  15. If you do not plan to configure digital signature verification, make sure the Client signature required toggle switch is turned off in the Signing keys config block.
  16. In the Signature algorithm field, select RSA_SHA256.
  17. In the SAML Signature Key Name field, select NONE.
  18. In the Logout settings block, enable the Front channel logout toggle switch.
  19. Press Save.

2. Configure digital signature verification

You must configure digital signature verification if you checked the Sign authentication requests checkbox when creating a federation.

  1. Download Selectel certificate for request signing.
  2. In the Keycloak control panel, go to Clients.
  3. Open the SAML application page → Keys tab.
  4. In the Signing keys config block, enable the Encrypt Assertions and Client signature required toggle switches.
  5. In the Encryption keys config block, enable the Client Signature Required toggle switch.
  6. In the Select method field, select Import.
  7. In the Archive Format field, select Certificate PEM. If Certificate PEM is missing, close the window, click RegenerateYesImport key. The item will appear in the list.
  8. Click Browse and select the certificate you downloaded from the federation page in Selectel.
  9. Press Confirm.