Create a federation of credentials

  1. If you do not have a certificate issued from your credential provider, issue one.
  2. Create a federation.
  3. Add federation users.
  4. Configure federation on the credential provider side.

1. Issue a certificate

Issue a certificate from your credential provider; see the Certificates instructions for details.

You can create a federation without a certificate and add it later, but the federation will not work without a certificate.

2. Create a federation of credentials

An Account Owner or User Administrator can create a federation in the Control Panel.

  1. From Control Panel, open the menu (account number) in the upper right corner and select Profile & Settings.

  2. Go to Federations.

  3. Click Add Federation.

  4. Enter the name of the federation.

  5. Optional: enter a description of the federation.

  6. In the IdP Issuer field, enter the ID of the credential provider:

    • AD FS: http://<idp_url>/adfs/services/trust (you cannot specify an identifier that uses the HTTPS protocol)
    • Keycloak: https://<idp_url>/realms/master

    Here <idp_url> is the URL of your credential provider.

  7. Specify a link to the credential provider login page where users will be redirected to authenticate through SSO:

    • AD FS: https://<idp_url>/adfs/ls
    • Keycloak: https://<idp_url>/realms/master/protocol/saml

  8. Optional: to have authentication requests signed, select the Sign authentication requests checkbox.

  9. Optional: to require users to authenticate via SSO every time they log in, check the Forced Authentication in IdP checkbox. If the checkbox is unchecked, authentication will not be required as long as cookies are active.

  10. Click Create Federation. You will be redirected to the Add Certificate page.

  11. Enter the name of the certificate.

  12. Insert the certificate that you issued on the provider side. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----

  13. Click Add CertificateComplete Add Federation.
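
A pre-flight check for the values entered in steps 6, 7 and 12, added here as an example (it is not Control Panel code): it validates the IdP Issuer and login page URL shapes listed above and confirms that the pasted text is a single PEM certificate, returning its SHA-256 fingerprint for comparison with the provider's copy. The function names, the one-certificate rule, the private-key check and the shared <idp_url> check are assumptions of this example.

```python
import base64, hashlib, re
from urllib.parse import urlsplit

# (issuer scheme, issuer suffix, login-page suffix) taken from steps 6 and 7.
RULES = {
    "adfs": ("http", "/adfs/services/trust", "/adfs/ls"),
    "keycloak": ("https", "/realms/master", "/realms/master/protocol/saml"),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*"
                    r"-----END CERTIFICATE-----")

def check_urls(provider, issuer, login_url):
    """Return problems found in the IdP Issuer and login page values."""
    scheme, iss_suffix, login_suffix = RULES[provider]
    iss, login = urlsplit(issuer), urlsplit(login_url)
    iss_path, login_path = iss.path.rstrip("/"), login.path.rstrip("/")
    problems = []
    if iss.scheme != scheme:
        problems.append(f"issuer must use {scheme}://")
    if login.scheme != "https":
        problems.append("login page must use https://")
    if not iss_path.endswith(iss_suffix):
        problems.append(f"issuer must end with {iss_suffix}")
    if not login_path.endswith(login_suffix):
        problems.append(f"login page must end with {login_suffix}")
    # Assumption: both values share the same <idp_url> prefix, as on the page.
    if not problems and (iss.netloc + iss_path[:-len(iss_suffix)]
                         != login.netloc + login_path[:-len(login_suffix)]):
        problems.append("issuer and login page use different <idp_url>")
    return problems

def check_certificate(pem):
    """Return (problems, SHA-256 fingerprint of the DER body or None)."""
    text, problems = pem.strip(), []
    if "PRIVATE KEY" in text:
        problems.append("input contains a private key; paste the certificate only")
    if not (text.startswith("-----BEGIN CERTIFICATE-----")
            and text.endswith("-----END CERTIFICATE-----")):
        problems.append("text must begin and end with the CERTIFICATE markers")
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:  # assumption: the field takes one certificate, not a chain
        return problems + [f"expected 1 certificate block, found {len(blocks)}"], None
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:
        return problems + ["certificate body is not valid base64"], None
    if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE (tag 0x30)
        problems.append("decoded body is not a DER SEQUENCE")
    return problems, hashlib.sha256(der).hexdigest()
```

The fingerprint is the SHA-256 hash of the DER encoding, so it matches what `openssl x509 -noout -fingerprint -sha256` prints for the same certificate once colons are removed and the hex is lowercased.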

3. Add a federated user

  1. From Control Panel, open the menu (account number) in the upper right corner and select Profile & Settings.
  2. Go to User Management.
  3. Click Add User.
  4. On the Control Panel User tab, select the Federation (Federation Name) authentication type.
  5. In the External ID field, enter the user's ID on your credential provider's side. The format of the identifier depends on the provider (UPN, email or other). Once a user is created, you cannot change the External ID; you must create a new user.
  6. In the User Mail field, enter your email address.
  7. Select the user role. To add a user with the role of Account Administrator or Project Administrator, the account balance must be at least 100 ₽.
  8. If you have selected the Project Administrator or Project Viewer role, check the desired projects.
  9. Optional: to assign another role to a user, click Add Role and select the desired role. Consider the allowed role combinations.
  10. Optional: select the notification categories to be sent to the user.
  11. Click Add User. The user will be added to the list on the Control Panel Users tab. To see only users of a particular federation in the list, select it in the Authentication types field.
  12. A link for authentication will be emailed to the user.

4. Configure federation on the credential provider side

Make the settings on the side of your credential provider: