
Identity as a Service:Create a federated credential

Last Updated:Dec 05, 2025

This topic describes how to create and manage three types of federated credentials in Alibaba Cloud IDaaS: PCA, OpenID Connect (OIDC), and PKCS#7. It also explains how to configure parameters and obtain an access token from the authorization server's token endpoint.

Procedure

  1. Log on to the IDaaS console. In the navigation pane on the left, choose EIAM. Select the target IDaaS instance and in the Actions column, click Manage.

  2. Click Application Management > M2M Application > Add Application.

  3. On the General tab, create a federated credential by selecting a Credential Type from the Credential Management section. The options are PCA, OIDC, and PKCS#7.

    Note

    For more information about the features and scenarios of each federated trust source, see Introduction to federated trust sources.

    1. Select the PCA credential and click Add Application Federated Credential. Configure the following parameters and click Confirm.

      Federated Credential Provider: Select a created PCA federated trust source. If you have not created one, see Create a PCA trust source.

      Application Federated Credential Type: PCA

      Application Federated Credential Name: The name of the federated credential cannot be changed once saved, so enter it carefully. Supported characters: lowercase letters, digits, underscores (_), and hyphens (-).

      Verification: The verification mode determines how the verification conditions for the federated credential are generated. Two modes are supported: Certificate and Expression Verification for Client Certificate Field.

      • Certificate: This mode is a shortcut. Select it if you only want to verify the common name (CN) of the client certificate. You only need to enter the CN value of the client certificate; IDaaS automatically generates an expression and fills it into the verification condition field.

      • Expression Verification for Client Certificate Field: This is an advanced mode. You can customize an expression to verify multiple fields of the client certificate.

      Client Certificate Common Name (CN): Required if you select Certificate.

      Verification Expression: Required if you select Expression Verification for Client Certificate Field. This parameter is used to verify the request parameters when a client calls the token endpoint of the M2M authorization server, so that only requests that meet the verification conditions can obtain an access token issued by IDaaS. In a PCA federated credential scenario, this parameter primarily verifies the client certificate content. The trust condition can be up to 10,240 characters in length.

      Note

      During verification, IDaaS first verifies the trust conditions specified for the PCA federated trust source. Only after those trust conditions are met does IDaaS verify the verification conditions specified for the PCA federated credential.

      Description: The purpose of the federated credential. The description can be up to 128 characters in length.

      Attribute Mapping: Attribute mapping is an advanced feature of federated credentials. It is used to customize the `sub` field in the access token. When a custom subject identity is enabled on the resource server, the system replaces the original `sub` field content with the field value expression (unique client identity) configured in the attribute mapping. The format changes from `<clientId>` to `<clientId>:<client:activeSubjectUrn>`. The `<client:activeSubjectUrn>` value is the result calculated from the attribute mapping expression.

    2. Select the OIDC credential and click Add Application Federated Credential. Configure the following parameters and click Confirm.

      Federated Credential Provider: Select a created OIDC federated trust source. If you have not created one, see Create an OIDC trust source.

      Application Federated Credential Type: OIDC

      Application Federated Credential Name: The name of the federated credential cannot be changed once saved, so enter it carefully. Supported characters: lowercase letters, digits, underscores (_), and hyphens (-).

      Verification: The verification mode determines how the verification conditions for the federated credential are generated.

      • Kubernetes: You must specify the Namespace, Service Account, and Principal ID of the Kubernetes cluster.

        The subject identity field is automatically generated by IDaaS in the format `system:serviceaccount:<namespace>:<serviceaccount>`.

      • Principal ID: You must enter the value of the `sub` field from the service account token obtained from the Kubernetes cluster.

      • Expression Verification for Claims Field: This is an advanced mode. You can customize an expression to verify multiple fields in the claims of the service account token.

      Verification Expression: This parameter is used to verify the request parameters when a client calls the token endpoint of the M2M authorization server, so that only requests that pass the verification can obtain an access token issued by IDaaS. In an OIDC federated credential scenario, the verification condition primarily verifies the claims in the service account token passed to the token endpoint. The trust condition can be up to 10,240 characters in length.

      Description: The purpose of the federated credential. The description can be up to 128 characters in length.

      Attribute Mapping: Attribute mapping is an advanced feature of federated credentials. It is used to customize the `sub` field in the access token. When a custom subject identity is enabled on the resource server, the system replaces the original `sub` field content with the field value expression (unique client identity) configured in the attribute mapping. The format changes from `<clientId>` to `<clientId>:<client:activeSubjectUrn>`. The `<client:activeSubjectUrn>` value is the result calculated from the attribute mapping expression.

    3. Select the PKCS#7 credential and click Add Application Federated Credential. Configure the following parameters and click Confirm.

      Federated Credential Provider: Select a created PKCS#7 federated trust source. If you have not created one, see Create a PKCS#7 trust source.

      Application Federated Credential Type: PKCS#7

      Application Federated Credential Name: The name of the federated credential cannot be changed once saved, so enter it carefully. Supported characters: lowercase letters, digits, underscores (_), and hyphens (-).

      Verification: The verification mode determines how the verification conditions for the federated credential are generated.

      • Cloud Server: You only need to enter the instance ID of an Alibaba Cloud ECS or ECI instance, or an Amazon EC2 instance. IDaaS automatically generates the relevant expression.

      • Expression Verification for Signature Value Field: This is an advanced mode. You can customize an expression to verify fields in the PKCS#7 signature.

      Instance ID: Required if you select Cloud Server. Enter the instance ID of the cloud server that you want to verify.

      Verification Expression: This parameter is used to verify the request parameters when a client calls the token endpoint of the M2M authorization server, so that only requests that meet the verification conditions can obtain an access token issued by IDaaS. In a PKCS#7 federated credential scenario, this parameter primarily verifies the signature fields. The trust condition can be up to 10,240 characters in length.

      Description: The purpose of the federated credential. The description can be up to 128 characters in length.

      Attribute Mapping: Attribute mapping is an advanced feature of federated credentials. It is used to customize the `sub` field in the access token. When a custom subject identity is enabled on the resource server, the system replaces the original `sub` field content with the field value expression (unique client identity) configured in the attribute mapping. The format changes from `<clientId>` to `<clientId>:<client:activeSubjectUrn>`. The `<client:activeSubjectUrn>` value is the result calculated from the attribute mapping expression.
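As an added example (not IDaaS code and not from this page), the following Python helpers show what a resource server consuming these tokens has to handle: the mapped `sub` format `<clientId>:<client:activeSubjectUrn>` versus the plain `<clientId>` form, the `system:serviceaccount:<namespace>:<serviceaccount>` subject identity of the OIDC Kubernetes mode, and the credential-name character rule. The client ID `app123`, the namespace/service-account values and the allowlist policy are constructed assumptions.

```python
import re
from typing import Optional, Set, Tuple

# Credential-name rule from the page: lowercase letters, digits, '_' and '-'.
CREDENTIAL_NAME_RE = re.compile(r"^[a-z0-9_-]+$")


def is_valid_credential_name(name: str) -> bool:
    """True if the name uses only the characters IDaaS accepts for a federated credential name."""
    return CREDENTIAL_NAME_RE.fullmatch(name) is not None


def k8s_subject_identity(namespace: str, service_account: str) -> str:
    """Build the subject identity IDaaS derives in the Kubernetes verification mode."""
    if not namespace or not service_account:
        raise ValueError("namespace and service account are required")
    return f"system:serviceaccount:{namespace}:{service_account}"


def parse_subject(sub: str) -> Tuple[str, Optional[str]]:
    """Split an access-token `sub` into (clientId, activeSubjectUrn).

    With attribute mapping enabled the value is <clientId>:<client:activeSubjectUrn>;
    without it the value is just <clientId>. Only the FIRST ':' separates the two parts,
    because the mapped URN (e.g. system:serviceaccount:ns:sa) contains colons itself.
    """
    client_id, sep, urn = sub.partition(":")
    if not client_id:
        raise ValueError("empty clientId in sub")
    return client_id, (urn if sep else None)


def subject_allowed(sub: str, expected_client_id: str, allowed_urns: Set[str]) -> bool:
    """Assumed resource-server policy (not IDaaS behaviour): the token must belong to the
    expected M2M client, and if the server keeps a per-subject allowlist the mapped subject
    must be present and listed. An empty allowlist means the server does not distinguish
    subjects and accepts the bare clientId form."""
    client_id, urn = parse_subject(sub)
    if client_id != expected_client_id:
        return False
    if not allowed_urns:
        return True
    return urn is not None and urn in allowed_urns


if __name__ == "__main__":
    # Constructed sample: the CI service account in the "prod" namespace is the only allowed subject.
    allowed = {k8s_subject_identity("prod", "ci-runner")}
    print(subject_allowed("app123:system:serviceaccount:prod:ci-runner", "app123", allowed))  # True
    print(subject_allowed("app123:system:serviceaccount:dev:ci-runner", "app123", allowed))   # False
```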
