SSO authentication

First authentication

If the user was added manually, after being invited to the account, they will receive an email with a link for SSO authorization and the federation ID.

If automatic user creation was enabled when creating the federation on the Selectel side, the link for first authentication is provided by the Account Owner or a user with the iam_admin role.

  1. In the email, click Log in via SSO.
  2. Enter the federation ID.
  3. Optional: to avoid entering the federation ID every time you log in, select the Save federation checkbox.
  4. Click Log in via SSO. You will be redirected to the authorization page at the identity provider.
  5. Authorize with the identity provider. After authorization, you will be redirected to the login page in the Control panel.
  6. If your full name is not specified, enter it.
  7. Click Log in via SSO.

Authentication at each login

  1. In the Control panel on the login page, click Log in via SSO.
  2. Enter the federation ID or select a saved federation. You can find the federation ID in the invitation email or request it from the Account Owner or a user with the iam.admin role.
  3. Optional: to avoid entering the federation ID every time you log in, select the Save federation checkbox.
  4. Click Log in via SSO. You will be redirected to the authorization page at the identity provider.
  5. Authorize with the identity provider.

Authentication errors

Via SAML protocol

If the SAML protocol federation was configured incorrectly, errors may occur during federated user authentication. Error groups:

  • SAML001 – SAML099: federation configuration errors on the Selectel side;
  • SAML100 – SAML199: validation errors on the identity provider side (SAML Response);
  • SAML200 – SAML299: other errors.

Each error below is listed with its cause and solution.

SAML001 – SAML099: configuration errors on the Selectel side

SAML001: saml_idp_is_not_configured
  Cause: a SAML-compatible provider was not added on the Selectel side.
  Solution: check the federation settings on the Selectel side.

SAML002: saml_idp_certs_not_configured
  Cause: the federation in Selectel is missing a certificate.
  Solution: for the federation, add a certificate issued by the identity provider.

SAML100 – SAML199: SAML Response validation errors

SAML100: saml_response_invalid_request_id
  Cause: incorrect SAML request identifier. Possible causes:
    • repeated authentication attempt within a single request (SAML Response);
    • the authentication time limit has expired: after navigating to the authentication page, the user entered credentials 10 or more minutes later.
  Solution: navigate to the authentication page from the Selectel Control panel again and authorize.

SAML101: saml_response_invalid_destination
  Cause: the Destination parameter in the SAML Response is set incorrectly.
  Solution: set the correct URL for the SAML Assertion Consumer Service on the identity provider side:

SAML102: saml_response_invalid_in_response_to
  Cause: the SAML Response was created for an authentication request with a different identifier.
  Solution: navigate to the authentication page from the Selectel Control panel again and authorize.

SAML103: saml_response_invalid_issuer
  Cause: an incorrect value was specified for the IdP Issuer field when creating the federation on the Selectel side.
  Solution: in the federation settings in Selectel, set the correct value in the IdP Issuer field.

SAML104: saml_response_invalid_signature
  Cause: the signature of the received SAML Response is set incorrectly. Possible causes:
    • the identity provider returned an incorrect SAML Response. You can check the correctness of the SAML Response using third-party utilities (for example, Onelogin);
    • an incorrect certificate is added for the federation in Selectel.
  Solution:
    • for an incorrect SAML Response: check the federation settings on the identity provider side;
    • for an incorrect certificate: add the correct certificate.

SAML105: saml_response_subject_not_found
  Cause: the Subject section is missing from the received SAML Response.
  Solution: configure the federation on the identity provider side so that the Subject section is included in the SAML Response.

SAML106: saml_response_name_id_not_found
  Cause: the NameID parameter is missing from the received SAML Response.
  Solution: configure the federation on the identity provider side so that the NameID parameter is included in the SAML Response:

SAML107: saml_response_user_not_found
  Cause: the user does not exist in Selectel.
  Solution: add a user with the login method set to Federation. If the user is already added, ensure that the value of the ExternalID field for the created user matches the user identifier on the identity provider side.

SAML108: saml_response_invalid_assertion_xml
  Cause: incorrect SAML Response format. You can check the SAML Response using third-party utilities (for example, Onelogin).
  Solution:
    • re-authenticate;
    • check the federation settings on the identity provider side.

SAML109: saml_response_invalid_assertion
  Cause: incorrect SAML Response.
  Solution: check the federation settings on the identity provider side. You can check the SAML Response using third-party utilities (for example, Onelogin).

SAML200 – SAML299: other errors

SAML200: saml_internal_error
  Cause: requires clarification.
  Solution: create a ticket.

SAML201: saml_malformed_request
  Cause: incorrect request parameters from the identity provider to Selectel after authorization on the provider side.
  Solution: check the federation settings on the identity provider side.
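The checks behind the SAML100 to SAML107 errors above (Destination, InResponseTo, IdP Issuer, Subject, NameID and the ExternalID match), as an added example that is not Selectel's own code: a stdlib-only Python validator that runs those checks over a SAML Response and returns the matching error codes. The ACS URL, request ID, IdP Issuer, user directory and the XML itself are constructed sample values. The XML signature check (SAML104) is deliberately left out, because it needs an XML-DSig library and the IdP certificate; a real service provider must perform it before trusting anything else in the response.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespaces of the SAML 2.0 protocol (samlp) and assertion (saml) elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass(frozen=True)
class Expected:
    """What the service-provider side knows before the SAML Response arrives."""
    acs_url: str     # our Assertion Consumer Service URL; Destination must equal it
    request_id: str  # ID of the AuthnRequest we sent; InResponseTo must equal it
    idp_issuer: str  # IdP Issuer value stored in the federation settings


def validate_saml_response(xml_text: str, expected: Expected,
                           users_by_external_id: dict[str, str]) -> list[str]:
    """Return the error codes raised by the checks; an empty list means all passed.

    The signature check (SAML104) is not implemented here: it needs an XML-DSig
    library and the IdP certificate, which this stdlib-only example omits.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["SAML108: saml_response_invalid_assertion_xml"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["SAML108: saml_response_invalid_assertion_xml"]

    errors: list[str] = []
    if root.get("Destination") != expected.acs_url:
        errors.append("SAML101: saml_response_invalid_destination")
    if root.get("InResponseTo") != expected.request_id:
        errors.append("SAML102: saml_response_invalid_in_response_to")
    if root.findtext("saml:Issuer", namespaces=NS) != expected.idp_issuer:
        errors.append("SAML103: saml_response_invalid_issuer")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        errors.append("SAML109: saml_response_invalid_assertion")
        return errors
    subject = assertion.find("saml:Subject", NS)
    if subject is None:
        errors.append("SAML105: saml_response_subject_not_found")
        return errors
    name_id = (subject.findtext("saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        errors.append("SAML106: saml_response_name_id_not_found")
        return errors
    # The NameID must match the ExternalID of a user who already exists.
    if name_id not in users_by_external_id:
        errors.append("SAML107: saml_response_user_not_found")
    return errors


# Constructed sample values (hypothetical URLs and IDs, not Selectel's).
EXPECTED = Expected(
    acs_url="https://sso.example.test/saml/acs",
    request_id="_req_abc123",
    idp_issuer="https://idp.example.test/metadata",
)
USERS = {"user-42": "alice@example.test"}  # ExternalID -> login
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sso.example.test/saml/acs"
    InResponseTo="_req_abc123">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>user-42</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validate_saml_response(GOOD_RESPONSE, EXPECTED, USERS))  # []
    stale = GOOD_RESPONSE.replace('InResponseTo="_req_abc123"', 'InResponseTo="_req_other"')
    print(validate_saml_response(stale, EXPECTED, USERS))  # ['SAML102: saml_response_invalid_in_response_to']
```

The order of the checks mirrors the table: a response that is not well-formed XML is rejected before any field is read, and the user lookup (SAML107) only runs once a NameID has been found, which is why a missing NameID and an unknown user produce different codes.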

Via OIDC protocol

If the OIDC protocol federation was configured incorrectly, errors may occur during federated user authentication. Error groups:

  • OIDC001 – OIDC099: federation configuration errors on the Selectel side;
  • OIDC100 – OIDC199: OIDC protocol validation errors on the identity provider side;
  • OIDC200 – OIDC299: other errors.

Each error below is listed with its cause and solution.

OIDC001 – OIDC099: federation configuration errors on the Selectel side

OIDC001: oidc_idp_not_configured
  Cause: an OIDC-compatible provider was not added on the Selectel side.
  Solution: check the federation settings on the Selectel side.

OIDC002: oidc_jwks_uri_not_configured
  Cause: the JWKS URI for verifying token signatures is not added to the federation in Selectel.
  Solution: specify the JWKS URI in the federation settings. You can obtain the JWKS URI from the identity provider's Discovery Document, which is available at https://<idp_url>/.well-known/openid-configuration, where <idp_url> is your identity provider URL.

OIDC100 – OIDC199: OIDC protocol validation errors on the identity provider side

OIDC100: oidc_authorization_error
  Cause: the identity provider returned an error during authorization. Possible causes:
    • the user rejected the authorization request;
    • the client is not authorized for this type of authorization;
    • the requested Permitted scope is not supported;
    • internal error on the identity provider side.
  Solution: check the client settings at the identity provider and ensure that:
    • the selected Grant Type is Authorization Code;
    • the correct Permitted scope is specified (at least openid);
    • the user has access to the application.

OIDC101: oidc_state_mismatch
  Cause: the state parameter does not match the value sent in the authentication request. Possible causes:
    • repeated authentication attempt within a single request;
    • the authentication time limit has expired.
  Solution: navigate to the authentication page from the Selectel Control panel again and authorize.

OIDC102: oidc_token_request_failed
  Cause: error while exchanging the authorization code for tokens. Possible causes:
    • incorrect values for the Client ID or Client Secret fields;
    • the authorization code expired or was used repeatedly.
  Solution: check the values of the Client ID and Client Secret fields in the federation settings on the Selectel side and ensure they match those registered at the identity provider.

OIDC103: oidc_invalid_signature
  Cause: the signature of the ID Token is set incorrectly. Possible causes:
    • the identity provider returned an incorrect ID Token value;
    • an incorrect JWKS URI is specified for the federation in Selectel;
    • the public key with the specified ID was not found in the JWKS.
  Solution:
    • for an incorrect JWKS URI: specify the correct JWKS URI in the federation settings;
    • for key rotation: ensure that old keys are available in the JWKS during the transition period.

OIDC104: oidc_invalid_token_format
  Cause: incorrect ID Token format. The identity provider returned a response that does not comply with the JWT format.
  Solution: check the federation settings on the identity provider side.

OIDC105: oidc_token_expired
  Cause: the ID Token has expired.
  Solution: navigate to the authentication page from the Selectel Control panel again and authorize.

OIDC106: oidc_invalid_audience
  Cause: the audience (aud claim) in the ID Token does not contain the Client ID value.
  Solution:
    • check the client settings at the identity provider;
    • ensure that the token was issued for the Client ID specified in the federation settings in Selectel.

OIDC107: oidc_subject_not_found
  Cause: the subject identifier (sub claim) is missing or empty in the ID Token.
  Solution: configure the identity provider to include the subject identifier in the ID Token.

OIDC108: oidc_nonce_mismatch
  Cause: the nonce value in the ID Token does not match the one sent in the authorization request.
  Solution:
    • navigate to the authentication page from the Selectel Control panel again and authorize;
    • check the browser cookie settings.

OIDC109: oidc_user_not_found
  Cause: the user does not exist in Selectel.
  Solution: add a user. If the user is already added, ensure that the value of the ExternalID field for the user matches the sub claim from the ID Token.

OIDC200 – OIDC299: other errors

OIDC200: oidc_internal_error
  Cause: unknown error.
  Solution: create a ticket.

OIDC201: oidc_malformed_response
  Cause: incorrect format of the response from the identity provider to Selectel after authentication on the provider side.
  Solution:
    • check the federation settings on the identity provider side;
    • ensure that the response complies with the OIDC specification.
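The ID Token checks behind the OIDC101 to OIDC108 errors above (state, JWT format, key lookup by kid in the JWKS, signature, exp, aud, sub and nonce) plus reading jwks_uri from the discovery document, as an added example that is not Selectel's own code: a stdlib-only Python validator that returns the matching error codes. The IdP, client ID, nonce, key and discovery document are constructed demo values. To stay self-contained it signs and verifies with HS256 and a symmetric JWK (kty "oct"); production ID Tokens are normally RS256-signed and verified with a JOSE library against the public keys at the JWKS URI, but the claim checks are the same.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256_token(header: dict, claims: dict, key: bytes) -> str:
    """Build a signed JWT; used only to produce demo tokens for the checks below."""
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def jwks_uri_from_discovery(discovery_doc: dict) -> str | None:
    """jwks_uri is read from the IdP's /.well-known/openid-configuration document."""
    return discovery_doc.get("jwks_uri")


def check_state(returned_state: str, stored_state: str | None) -> list[str]:
    """OIDC101: the state on the callback must equal the one saved for this login."""
    if stored_state is None or not hmac.compare_digest(returned_state, stored_state):
        return ["OIDC101: oidc_state_mismatch"]
    return []


def validate_id_token(token: str, jwks: dict, client_id: str,
                      expected_nonce: str, now: int) -> list[str]:
    """Return the error codes raised by the checks; an empty list means all passed."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["OIDC104: oidc_invalid_token_format"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["OIDC104: oidc_invalid_token_format"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["OIDC104: oidc_invalid_token_format"]

    errors: list[str] = []
    # OIDC103: the key is chosen by kid from the JWKS, and the alg is pinned to the
    # one we expect instead of trusting the token header, so a token cannot pick it.
    jwk = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if jwk is None or header.get("alg") != "HS256" or jwk.get("kty") != "oct":
        errors.append("OIDC103: oidc_invalid_signature")
    else:
        expected_sig = hmac.new(b64url_decode(jwk["k"]),
                                f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, signature):
            errors.append("OIDC103: oidc_invalid_signature")
    # OIDC105: exp must still be in the future.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        errors.append("OIDC105: oidc_token_expired")
    # OIDC106: aud (a string or a list) must contain our Client ID.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        errors.append("OIDC106: oidc_invalid_audience")
    # OIDC107: sub must be present and non-empty (it is matched against ExternalID).
    if not claims.get("sub"):
        errors.append("OIDC107: oidc_subject_not_found")
    # OIDC108: nonce must equal the one sent in the authorization request.
    if claims.get("nonce") != expected_nonce:
        errors.append("OIDC108: oidc_nonce_mismatch")
    return errors


# Constructed demo values (hypothetical IdP, client and key, not Selectel's).
NOW = 1_700_000_000  # fixed clock so the demo is reproducible
CLIENT_ID = "client-abc"
NONCE = "n-123"
DEMO_KEY = b"constructed-demo-secret-key"
DEMO_JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "k": b64url_encode(DEMO_KEY)}]}
DEMO_HEADER = {"alg": "HS256", "typ": "JWT", "kid": "demo-key-1"}
DEMO_CLAIMS = {"iss": "https://idp.example.test", "sub": "user-42", "aud": CLIENT_ID,
               "iat": NOW, "exp": NOW + 300, "nonce": NONCE}
DEMO_TOKEN = mint_hs256_token(DEMO_HEADER, DEMO_CLAIMS, DEMO_KEY)
DISCOVERY_DOC = {"issuer": "https://idp.example.test",
                 "jwks_uri": "https://idp.example.test/.well-known/jwks.json"}

if __name__ == "__main__":
    print(jwks_uri_from_discovery(DISCOVERY_DOC))
    print(validate_id_token(DEMO_TOKEN, DEMO_JWKS, CLIENT_ID, NONCE, NOW))  # []
```

A token signed with a key whose kid is absent from the JWKS fails with OIDC103 even if the signature itself is valid, which is the key-rotation case in the table: when the IdP rotates keys, the old kid must remain published in the JWKS until tokens signed with it have expired.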