Create a federation of credentials
- If your identity provider (IdP) has not yet issued a certificate for the federation, issue one.
- Create a federation.
- Add federated users.
- Configure the federation on the identity provider side.
1. Issue a certificate
Issue a certificate from your identity provider; see the Certificates instruction for details.
You can create a federation without a certificate and add the certificate later, but the federation will not work until a certificate has been added.
2. Create a federation
An Account Owner or User Administrator can create a federation in the control panel.
- In the control panel, on the top menu, click Account.
- Go to the Federations section.
- Click Add Federation.
- Enter the name of the federation.
- Optional: enter a description of the federation.
- In the IdP Issuer field, enter the identifier of the identity provider, where <idp_url> is the host name of your identity provider:
  - for AD FS: http://<idp_url>/adfs/services/trust. The AD FS federation service identifier uses the http scheme; an identifier with https is not accepted;
  - for Keycloak: https://<idp_url>/realms/master (if your users live in a realm other than master, use that realm name instead).
- Specify the link to the identity provider login page to which users are redirected to authenticate through SSO:
  - for AD FS: https://<idp_url>/adfs/ls;
  - for Keycloak: https://<idp_url>/realms/master/protocol/saml.
- Change the session lifetime during which the user stays authorized without re-authenticating, or leave the default value (24 hours). Allowed values are 1 to 720 hours.
  Session lifetime can also be set on the Keycloak side (SSO Session Max or Assertion Lifespan). If a lifetime is set both in the federation settings and in Keycloak, the lower of the two values applies.
- Optional: to have authentication requests signed, check the Sign authentication requests checkbox.
- Optional: to require users to authenticate at the identity provider every time they log in, check the Forced authentication in IdP checkbox. If it is unchecked, a user who still has a valid identity provider session cookie is signed in without entering credentials again.
- Click Create Federation. You will be redirected to the Add Certificate page.
- Enter the name of the certificate.
- Paste the certificate issued on the identity provider side. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- Click Add Certificate → Finish adding the federation.
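The following script is an added example, not the control panel's or either identity provider's own code. It pre-checks the values entered in the steps above before you submit the form: the IdP Issuer and SSO URL formats for AD FS and Keycloak (including the http-only AD FS issuer), the PEM framing of the certificate, the 1 to 720 hour lifetime range together with the "lower value wins" rule when Keycloak also sets SSO Session Max, and it builds the SAML 2.0 AuthnRequest that the service sends to the SSO URL so you can see what the Forced authentication checkbox (ForceAuthn) adds on the wire. The function names, host names, service provider entity ID and ACS URL are assumptions for illustration; the sample certificate is a constructed minimal DER value, not a real certificate.

```python
"""Pre-flight checks for SAML federation settings (added example, not the
control panel's code). Host names, SP entity ID and ACS URL are assumed."""
import base64
import datetime as dt
import re
import uuid
from typing import Optional, Tuple
from xml.etree import ElementTree as ET

# Identifier formats stated on the page; <idp_url> is the IdP host name.
ISSUER_PATTERNS = {
    "adfs": re.compile(r"http://[^/\s]+/adfs/services/trust"),       # http, not https
    "keycloak": re.compile(r"https://[^/\s]+/realms/[^/\s]+"),        # master or another realm
}
SSO_PATTERNS = {
    "adfs": re.compile(r"https://[^/\s]+/adfs/ls"),
    "keycloak": re.compile(r"https://[^/\s]+/realms/[^/\s]+/protocol/saml"),
}


def check_idp_issuer(provider: str, issuer: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the IdP Issuer field."""
    if provider == "adfs" and issuer.startswith("https://"):
        return False, "AD FS issuer must use http://; an https:// identifier is not accepted"
    if not ISSUER_PATTERNS[provider].fullmatch(issuer):
        return False, f"issuer does not match the {provider} format"
    return True, ""


def check_sso_url(provider: str, url: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the SSO login-page link."""
    if not SSO_PATTERNS[provider].fullmatch(url):
        return False, f"SSO URL does not match the {provider} format"
    return True, ""


def check_certificate(pem: str) -> Tuple[bool, str]:
    """Check PEM framing and that the body decodes to a DER SEQUENCE, the outer
    tag of every X.509 certificate. This does not validate the chain or expiry."""
    lines = pem.strip().splitlines()
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return False, "certificate must start with BEGIN CERTIFICATE and end with END CERTIFICATE"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False, "certificate body is not valid base64"
    if not der or der[0] != 0x30:
        return False, "decoded body is not a DER SEQUENCE, so not an X.509 certificate"
    return True, ""


def effective_session_hours(panel_hours: int, keycloak_sso_max_hours: Optional[int] = None) -> int:
    """Lifetime that actually applies: the panel value must be within 1..720, and
    when Keycloak also sets SSO Session Max the lower of the two wins."""
    if not 1 <= panel_hours <= 720:
        raise ValueError("session lifetime must be between 1 and 720 hours")
    if keycloak_sso_max_hours is None:
        return panel_hours
    return min(panel_hours, keycloak_sso_max_hours)


def build_authn_request(sso_url: str, sp_entity_id: str, acs_url: str, force_authn: bool) -> str:
    """SAML 2.0 AuthnRequest sent to the SSO URL. 'Forced authentication in IdP'
    corresponds to ForceAuthn="true"; 'Sign authentication requests' would add an
    XML signature over this element (signing itself is omitted here)."""
    root = ET.Element("samlp:AuthnRequest", {
        "xmlns:samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
        "xmlns:saml": "urn:oasis:names:tc:SAML:2.0:assertion",
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    if force_authn:
        root.set("ForceAuthn", "true")
    ET.SubElement(root, "saml:Issuer").text = sp_entity_id
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a minimal DER SEQUENCE wrapped in PEM, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
              + "\n-----END CERTIFICATE-----")

if __name__ == "__main__":
    # Hypothetical host names; replace with your own <idp_url>.
    cases = [
        ("adfs", "http://sts.example.com/adfs/services/trust", "https://sts.example.com/adfs/ls"),
        ("keycloak", "https://kc.example.com/realms/master", "https://kc.example.com/realms/master/protocol/saml"),
    ]
    for provider, issuer, sso in cases:
        print(provider, check_idp_issuer(provider, issuer), check_sso_url(provider, sso))
    print("https AD FS issuer:", check_idp_issuer("adfs", "https://sts.example.com/adfs/services/trust"))
    print("certificate:", check_certificate(SAMPLE_PEM))
    print("effective lifetime (panel 24 h, Keycloak 10 h):", effective_session_hours(24, 10))
    print(build_authn_request("https://sts.example.com/adfs/ls", "https://sp.example.com/saml/metadata",
                              "https://sp.example.com/saml/acs", force_authn=True))
```

Run the script with your real issuer, SSO URL and the PEM you are about to paste; a failed check points at the field that the panel (or the IdP) will reject. The certificate check only confirms that the pasted text is a well-formed PEM-encoded X.509 structure, which catches the common copy-paste mistakes (missing header line, a private key pasted instead of the certificate, stray characters); it does not verify who issued it.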
3. Add a federated user
- In the control panel, on the top menu, click Account.
- Go to the Users section.
- Click Add User.
- In the User Data block:
  4.1 In the Authentication field, select Federation (Federation Name).
  4.2 In the External ID field, enter the user's identifier on the identity provider side. The format of the identifier depends on the provider (UPN, email or other). The External ID cannot be changed once the user is created; to change it, create a new user.
  4.3 Enter an e-mail address in the Mail field.
- In the Account Access block:
  5.1 Select the user role. To add a user with the Account Administrator or Project Administrator role, the account balance must be at least 100 ₽.
  5.2 If you selected the Project Administrator or Project Supervisor role, check the desired projects.
  5.3 Optional: to assign another role to the user, click Add Role and select the desired role.
  5.4 Optional: select a group for the user.
- Click Add User. The user is added to the list on the Users page. To show only the users of a specific federation, select it in the Authentication types field.
- An authentication link is emailed to the user.
4. Configure the federation on the identity provider side
Configure the following settings on your identity provider side: