Add a federated credential to a Machine-to-Machine (M2M) application so that an external workload can exchange its native identity proof (a client certificate issued by a private CA, a Kubernetes service account token, or the PKCS#7-signed identity of a cloud server instance) for an IDaaS access token, without a long-lived static secret being stored in the workload.
IDaaS supports three credential types:
| Credential type | Use when |
|---|---|
| PCA (Private Certificate Authority) | Your workload authenticates with a client certificate issued by a private CA |
| OIDC (OpenID Connect) | Your workload runs as a Kubernetes service account and presents a service account token |
| PKCS#7 | Your workload runs on an Alibaba Cloud ECS/ECI instance or an Amazon EC2 instance |
Before you begin
Make sure that you have:
- An M2M application in your IDaaS EIAM instance. If you don't have one, create it first.
- A federated credential provider of the matching type (PCA, OIDC, or PKCS#7). See Manage federated trust sources for instructions.
- (Optional) Background on how each credential type works: Introduction to federated credential providers
Constraints
Review these constraints before you start; some cannot be undone after saving:
- Credential names are permanent. A federated credential name cannot be changed after it is saved. Supported characters: lowercase letters, digits, underscores (_), and hyphens (-).
- The Description field accepts up to 128 characters.
- The Verification expression field accepts up to 10,240 characters.
Create a federated credential
1. Log in to the IDaaS console. In the left navigation pane, click EIAM, select your IDaaS instance, and in the Actions column, click Manage.
2. Go to Application Management > M2M Application and open the M2M application to which you want to add the credential.
3. On the General tab, scroll to the Credential Management section. Select a Credential Type and click Add Application Federated Credential.
4. Configure the parameters for your credential type, as described in the tables below, and click Confirm.
PCA credential parameters
IDaaS verifies trust conditions on the PCA federated credential provider first, then verifies the verification conditions on the PCA federated credential. Both must pass before an access token is issued.
| Parameter | Description |
|---|---|
| Federated credential provider | Select a PCA federated credential provider. If none exists, create one. |
| Application federated credential type | PCA (fixed) |
| Application federated credential name | A unique name for this credential. Cannot be changed after saving. |
| Verification | Choose how verification conditions are generated. See the table below. |
| Client certificate common name (CN) | Required when Certificate mode is selected. Enter the CN value of the client certificate. |
| Verification expression | Required when Expression verification for client certificate field mode is selected. The expression verifies client certificate fields when the workload calls the token endpoint. Up to 10,240 characters. |
| Description | Optional description of the credential's purpose. Up to 128 characters. |
| Attribute mapping | Advanced. Customizes the sub field in the issued access token. See Attribute mapping. |
Verification modes for PCA:
| Mode | When to use |
|---|---|
| Certificate | You only need to verify the client certificate's common name (CN). Enter the CN value; IDaaS generates the expression automatically. |
| Expression verification for client certificate field | You need to verify multiple certificate fields (for example, CN and OU together). Write a custom expression. For expression syntax, see Use federated credential expressions. |
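The two-stage check described above (the provider's trust condition first, then the credential's verification condition on the CN alone or on CN plus OU), shown as an added Go example. This is illustrative code written for this page, not IDaaS code or an IDaaS SDK: it builds a throwaway private CA and client certificate with the standard crypto/x509 package and then applies the two checks in order. The CA name, the subject values CN=payments-worker and OU=platform, and the CredentialRule struct are assumptions made for the example; the real expression syntax is described in Use federated credential expressions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CredentialRule mirrors the two PCA verification modes: Certificate mode
// checks only the CN; expression mode here also requires an OU. Empty = not checked.
type CredentialRule struct {
	CN string
	OU string
}

// issueCert creates a P-256 key and a certificate for tmpl; with parent == nil
// it is self-signed. It panics on failure because it only builds example data.
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewFixture returns the trusted private CA as a root pool, a client certificate
// it issued (CN=payments-worker, OU=platform), and a look-alike with the same
// subject and the same issuer name but signed by a different, untrusted key.
func NewFixture() (roots *x509.CertPool, client, rogue *x509.Certificate) {
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey := issueCert(caTmpl, nil, nil)
	rogueCA, rogueKey := issueCert(caTmpl, nil, nil) // same name, different key
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "payments-worker", OrganizationalUnit: []string{"platform"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client, _ = issueCert(clientTmpl, ca, caKey)
	rogue, _ = issueCert(clientTmpl, rogueCA, rogueKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return roots, client, rogue
}

// VerifyClientCert applies the two stages in the page's order: the provider's
// trust condition (chain to the private CA, validity, client-auth EKU), then
// the credential's verification condition on subject fields.
func VerifyClientCert(client *x509.Certificate, roots *x509.CertPool, rule CredentialRule) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("trust condition failed: %w", err)
	}
	if rule.CN != "" && client.Subject.CommonName != rule.CN {
		return fmt.Errorf("verification condition failed: CN %q, want %q", client.Subject.CommonName, rule.CN)
	}
	if rule.OU == "" {
		return nil
	}
	for _, ou := range client.Subject.OrganizationalUnit {
		if ou == rule.OU {
			return nil
		}
	}
	return fmt.Errorf("verification condition failed: OU %q not present", rule.OU)
}

func main() {
	roots, client, rogue := NewFixture()
	fmt.Println("trusted CA, CN+OU match:", VerifyClientCert(client, roots, CredentialRule{CN: "payments-worker", OU: "platform"}))
	fmt.Println("untrusted CA, CN match: ", VerifyClientCert(rogue, roots, CredentialRule{CN: "payments-worker"}))
}
```

The second call in main is the reason the trust condition runs first: the rogue certificate carries the configured CN and even the same issuer name, but its chain does not end at the private CA registered on the provider, so it is rejected before the CN is examined. Certificate mode matches the CN exactly; if several workloads share a CN, use expression mode and add an OU or another field so that the credential identifies exactly one workload.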
OIDC credential parameters
| Parameter | Description |
|---|---|
| Federated credential provider | Select an OIDC federated credential provider. If none exists, create one. |
| Application federated credential type | OIDC (fixed) |
| Application federated credential name | A unique name for this credential. Cannot be changed after saving. |
| Verification | Choose how verification conditions are generated. See the table below. |
| Verification expression | Required when Expression verification for claims field mode is selected. The expression verifies claims in the service account token passed to the token endpoint. Up to 10,240 characters. |
| Description | Optional description of the credential's purpose. Up to 128 characters. |
| Attribute mapping | Advanced. Customizes the sub field in the issued access token. See Attribute mapping. |
Verification modes for OIDC:
| Mode | When to use |
|---|---|
| Kubernetes | Your workload is a Kubernetes service account. Specify the Namespace and Service Account; IDaaS derives the Principal ID (the expected sub claim of the service account token) in the format system:serviceaccount:<namespace>:<serviceaccount>. For example, a service account named myapp in the production namespace produces system:serviceaccount:production:myapp. |
| Principal ID | You have the sub field value from the service account token and want to match it directly. Enter the value. |
| Expression verification for claims field | You need to verify multiple claims fields in the service account token. Write a custom expression. For expression syntax, see Use federated credential expressions. |
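How the three OIDC modes reduce to checks on the service account token, as an added Go example that is not IDaaS code. It mints a token with HS256 and a constructed key as a stand-in for the cluster's RS256 signing key (which IDaaS would fetch through the provider's OIDC discovery document); the claim checks are the same either way. PrincipalID reproduces the subject format that Kubernetes mode generates, and VerifyToken checks the provider's trust conditions (alg, signature, iss, aud, exp) before the credential's condition on sub. The issuer URL, the audience value idaas, and the namespace and service account names are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// SAClaims is the subset of a Kubernetes projected service account token's
// claims that the checks below use (a constructed model; real tokens carry more).
type SAClaims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// OIDCRule pins issuer and audience (provider trust condition) and the expected sub (credential).
type OIDCRule struct {
	Issuer   string
	Audience string
	Subject  string
}

// PrincipalID reproduces the subject identity that Kubernetes mode generates.
func PrincipalID(namespace, serviceAccount string) string {
	return "system:serviceaccount:" + namespace + ":" + serviceAccount
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignToken mints an HS256 JWT with a constructed key, standing in for the
// cluster's RS256 key that IDaaS would fetch via the provider's discovery URL.
func SignToken(c SAClaims, key []byte) string {
	payload, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return signingInput + "." + b64(hs256(signingInput, key))
}

// VerifyToken checks alg and signature, then iss, aud and exp (trust conditions),
// then sub (the credential's verification condition), and returns the claims.
func VerifyToken(token string, key []byte, rule OIDCRule, now time.Time) (*SAClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected or unreadable alg header") // also blocks alg=none
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return nil, errors.New("signature invalid")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c SAClaims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, err
	}
	if c.Iss != rule.Issuer {
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == rule.Audience
	}
	if !audOK {
		return nil, fmt.Errorf("audience %v does not include %q", c.Aud, rule.Audience)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	if c.Sub != rule.Subject {
		return nil, fmt.Errorf("sub %q does not match expected principal %q", c.Sub, rule.Subject)
	}
	return &c, nil
}

func main() {
	key := []byte("constructed-example-key")
	rule := OIDCRule{Issuer: "https://kubernetes.default.svc.cluster.local", Audience: "idaas", Subject: PrincipalID("production", "myapp")}
	tok := SignToken(SAClaims{Iss: rule.Issuer, Sub: rule.Subject, Aud: []string{"idaas"}, Exp: time.Now().Add(10 * time.Minute).Unix()}, key)
	claims, err := VerifyToken(tok, key, rule, time.Now())
	fmt.Println(claims.Sub, err)
}
```

Two points the modes table does not spell out: the sub comparison is exact, so a token for system:serviceaccount:staging:myapp is rejected by a credential pinned to the production namespace, and the audience must be the value configured on the provider, so a service account token projected for another audience (for example the API server's own) cannot be replayed against the IDaaS token endpoint. Kubernetes emits aud as a JSON array in projected tokens, which is what SAClaims assumes; a token that carries aud as a bare string would fail to decode here and needs a more lenient type.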
PKCS#7 credential parameters
| Parameter | Description |
|---|---|
| Federated credential provider | Select a PKCS#7 federated credential provider. If none exists, create one. |
| Application federated credential type | PKCS#7 (fixed) |
| Application federated credential name | A unique name for this credential. Cannot be changed after saving. |
| Verification | Choose how verification conditions are generated. See the table below. |
| Instance ID | Required when Cloud server mode is selected. Enter the instance ID of the cloud server to verify. |
| Verification expression | Required when Expression verification for signature value field mode is selected. The expression verifies PKCS#7 signature fields when the workload calls the token endpoint. Up to 10,240 characters. |
| Description | Optional description of the credential's purpose. Up to 128 characters. |
| Attribute mapping | Advanced. Customizes the sub field in the issued access token. See Attribute mapping. |
Verification modes for PKCS#7:
| Mode | When to use |
|---|---|
| Cloud server | Your workload runs on a specific Alibaba Cloud ECS or ECI instance, or an Amazon EC2 instance. Enter the instance ID; IDaaS generates the verification expression automatically. |
| Expression verification for signature value field | You need to verify specific fields in the PKCS#7 signature. Write a custom expression. For expression syntax, see Use federated credential expressions. |
Attribute mapping
Attribute mapping is an optional advanced feature available for all three credential types. It customizes the sub field in the access token that IDaaS issues to the workload.
By default, the sub field contains only the client ID:
<clientId>
When a custom subject identity is enabled on the resource server and attribute mapping is configured, the sub field is extended to include the workload's unique identity:
<clientId>:<client:activeSubjectUrn>
The <client:activeSubjectUrn> value is computed from the attribute mapping expression you define.
What's next
Test token acquisition: M2M client token call examples
Learn expression syntax: Use federated credential expressions
Manage federated credential providers: Manage federated trust sources