Configure federation on the Keycloak side
As a result of the configuration, a SAML application will be created in Keycloak.
- Configure the SAML application.
- If you checked the Sign authentication requests checkbox when creating the federation, configure digital signature verification in the SAML application.
1. Configure SAML application
- In the Keycloak control panel, log in to the Administration Console.
- Go to the Clients section.
- Click Create client.
- In the General Settings step, in the Client type field, select SAML.
- In the Client ID field, insert the URL to which users will be redirected after authentication:
https://api.selectel.ru/v1/federations/saml/<federation_id>
Specify <federation_id>: the federation ID on the Selectel side. It can be viewed in the control panel: menu in the upper right corner → Profile & Settings → Federations → federation row → ID field.
- In the Name field, enter the name of the SAML application.
- Press Next.
- At the Login Settings step, in the Root URL field, insert
https://api.selectel.ru/v1/federations/saml/<federation_id>
- In the Home URL field, insert
https://my.selectel.ru/federated-login
- In the Valid Redirect URIs field, insert
https://api.selectel.ru/v1/auth/federations/<federation_id>/saml/acs
- Press Save.
- In the SAML capabilities block, in the Name ID Format field, select the user ID format — username or email.
- Enable the Force POST binding and Include AuthnStatement toggle switches.
- In the Signature and Encryption block, turn on the Sign assertions toggle switch.
- If you do not plan to configure digital signature verification, make sure the Client signature required toggle switch is turned off in the Signing keys config block.
- In the Signature algorithm field, select RSA_SHA256.
- In the SAML Signature Key Name field, select NONE.
- In the Logout settings block, enable the Front channel logout toggle switch.
- Press Save.
2. Configure digital signature verification
You must configure digital signature verification if you checked the Sign authentication requests checkbox when creating the federation.
- Download the Selectel certificate used for request signing.
- In the Keycloak control panel, go to Clients.
- Open the SAML application page → Keys tab.
- In the Signing keys config block, enable the Encrypt Assertions and Client signature required toggle switches.
- In the Encryption keys config block, enable the Client Signature Required toggle switch.
- In the Select method field, select Import.
- In the Archive Format field, select Certificate PEM. If Certificate PEM is missing, close the window, click Regenerate → Yes → Import key. The item will appear in the list.
- Click Browse and select the certificate you downloaded from the federation page in Selectel.
- Press Confirm.
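The client settings from sections 1 and 2 above, expressed as a Keycloak client representation plus an audit helper that compares an exported client against them. This is an added example, not Selectel's or Keycloak's own code; the attribute keys are those used in Keycloak SAML client exports, and "fed-123" is a constructed placeholder federation ID.

```python
# Added example: build the Keycloak SAML client representation described in the
# steps above and audit an exported client against it. Attribute keys are the
# ones Keycloak writes in client exports (assumed; check against your own export).
SELECTEL_API = "https://api.selectel.ru/v1"
HOME_URL = "https://my.selectel.ru/federated-login"


def build_saml_client(federation_id: str, name: str, name_id_format: str = "email",
                      sign_requests: bool = False) -> dict:
    """Return the client representation matching the settings in sections 1 and 2."""
    if name_id_format not in ("username", "email"):
        raise ValueError("Name ID Format must be 'username' or 'email'")
    sp_url = f"{SELECTEL_API}/federations/saml/{federation_id}"
    attributes = {
        "saml_name_id_format": name_id_format,
        "saml.force.post.binding": "true",       # Force POST binding
        "saml.authnstatement": "true",           # Include AuthnStatement
        "saml.assertion.signature": "true",      # Sign assertions
        "saml.signature.algorithm": "RSA_SHA256",
        "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "NONE",
        # Section 2: only verify client signatures (and encrypt assertions) when
        # the federation was created with "Sign authentication requests"; if left
        # on without it, Keycloak rejects Selectel's unsigned AuthnRequests.
        "saml.client.signature": "true" if sign_requests else "false",
        "saml.encrypt": "true" if sign_requests else "false",
    }
    return {
        "clientId": sp_url,
        "name": name,
        "protocol": "saml",
        "rootUrl": sp_url,
        "baseUrl": HOME_URL,  # "Home URL" in the admin console
        "redirectUris": [f"{SELECTEL_API}/auth/federations/{federation_id}/saml/acs"],
        "frontchannelLogout": True,
        "attributes": attributes,
    }


def audit_saml_client(client: dict, federation_id: str, sign_requests: bool) -> list:
    """Return a list of mismatches between an exported client and the expected one."""
    got_attrs = client.get("attributes", {})
    expected = build_saml_client(federation_id, client.get("name", ""),
                                 got_attrs.get("saml_name_id_format", "email"), sign_requests)
    problems = []
    for key, want in expected.items():
        if key != "attributes" and client.get(key) != want:
            problems.append(f"{key}: expected {want!r}, got {client.get(key)!r}")
    for key, want in expected["attributes"].items():
        if got_attrs.get(key) != want:
            problems.append(f"attributes.{key}: expected {want!r}, got {got_attrs.get(key)!r}")
    return problems
```

Run `audit_saml_client(json.load(open("client.json")), "<federation_id>", sign_requests)` on a client exported from the Keycloak console to list any toggles that differ from the steps above.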