Create a federation of credentials

  1. If you do not have a certificate issued by your credential provider, issue one.
  2. Create a federation.
  3. Add federated users.
  4. Configure federation on the credential provider side.

Issue a certificate

Issue a certificate from your credential provider. For details, see the Certificates instructions.

You can create a federation without a certificate and add it later, but the federation will not work without a certificate.

Create a federation of credentials

An Account Owner or User Administrator can create a federation in the Control Panel.

  1. In the control panel, go to Access control → Federations.

  2. Click Add a federation.

  3. Enter the name of the federation.

  4. Optional: enter a description of the federation.

  5. In the IdP Issuer field, enter the ID of the credential provider:

    • AD FS: http://<idp_url>/adfs/services/trust. You cannot specify an identifier with HTTPS protocol;
    • Keycloak: https://<idp_url>/realms/master

    Replace <idp_url> with your URL from the credential provider.

  6. Specify a link to the credential provider login page where users will be redirected to authenticate through SSO:

    • AD FS: https://<idp_url>/adfs/ls
    • Keycloak: https://<idp_url>/realms/master/protocol/saml
  7. Change the session lifetime for which the user will be authorized without having to re-authenticate, or leave the default value (24 hours). You can specify a value from 1 to 720 hours.
    The session lifetime can also be set on the side of the Keycloak provider in the parameter SSO Session Max or Assertion Lifespan. If the session lifetime is set in both the federation settings and Keycloak, the lowest value will be applied.

  8. Optional: to have authentication requests signed, select the Sign authentication requests checkbox.

  9. Optional: to require users to authenticate via SSO each time they log in, select the Forced authentication in IdP checkbox. If the checkbox is cleared, authentication will not be required as long as cookies are active.

  10. Click Create a federation. You will be redirected to the Add Certificate page.

  11. Enter the name of the certificate.

  12. Paste the certificate that you issued on the credential provider side. It should start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  13. Click Add a certificate. Complete the addition of the federation.
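
A pre-flight check for the certificate text in step 12, written here as an added example and not the control panel's own validation: it confirms the BEGIN/END CERTIFICATE framing, rejects private key material, and returns a SHA-256 fingerprint to compare with the one your credential provider shows. The function name and the single-certificate rule are assumptions; the sample bytes are constructed placeholders, not a real certificate.

```python
import base64
import binascii
import hashlib
import re
import ssl

# Matches any PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample: placeholder DER-like bytes, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(256)) + bytes(10)
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def check_pasted_certificate(text):
    """Return (problems, sha256_hex) for text meant for the certificate field."""
    problems, fingerprint = [], None
    body = text.strip()
    # A key exported next to the certificate must never leave the provider.
    if "PRIVATE KEY" in body:
        problems.append("contains private key material; paste only the certificate")
    if not (body.startswith("-----BEGIN CERTIFICATE-----")
            and body.endswith("-----END CERTIFICATE-----")):
        problems.append("must start with BEGIN CERTIFICATE and end with END CERTIFICATE")
    certs = [data for label, data in PEM_BLOCK.findall(body) if label == "CERTIFICATE"]
    # Assumption: the field takes one certificate, so a pasted chain is flagged.
    if len(certs) != 1:
        problems.append(f"expected 1 certificate block, found {len(certs)}")
        return problems, fingerprint
    try:
        der = base64.b64decode("".join(certs[0].split()), validate=True)
    except binascii.Error:
        problems.append("certificate body is not valid base64")
        return problems, fingerprint
    if der.startswith(b"\x30"):  # X.509 DER begins with an ASN.1 SEQUENCE tag
        # Compare this value with the fingerprint shown on the provider side.
        fingerprint = hashlib.sha256(der).hexdigest()
    else:
        problems.append("decoded data is not an ASN.1 SEQUENCE")
    return problems, fingerprint


if __name__ == "__main__":
    print(check_pasted_certificate(SAMPLE_PEM))
```

The check covers framing and encoding only; it does not parse the X.509 fields or verify expiry.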

Add a federated user

  1. In the control panel, go to Access control → User management.
  2. Click Add user.
  3. On the Control panel user tab, select the authentication type Federation (Name of Federation).
  4. In the External ID field, enter the user ID on your credential provider's side. The format of the ID depends on the provider: UPN, email or other. Once the user is created, you cannot change the External ID; you must create a new user.
  5. In the User mail field, enter the user's e-mail address.
  6. Select the user role. To add users with the Account Administrator or Project Administrator role, the account balance must be at least 100 ₽.
  7. If you have selected the Project administrator or Project viewer role, check the desired projects.
  8. Optional: to assign another role to the user, press Add a role and select the one you want.
  9. Optional: select a group for the user.
  10. Optional: select the notification categories that will be sent to the user.
  11. Click Add user. The user will be added to the list on the tab Control panel users. To see only users of a specific federation in the list, select it in the field with authentication types.
  12. An authentication link will be sent to the user's e-mail.

Configure federation on the credential provider side

Make the settings on the side of your credential provider: