Add a federated credential provider in IDaaS EIAM to let machine-to-machine (M2M) client services obtain access tokens using their existing identity — certificates, OIDC tokens, or cloud instance signatures — instead of long-lived static credentials.
Choose a provider type
IDaaS supports three federated credential provider types. Select the one that matches your client environment.
| Provider type | Best for | Typical environments |
|---|---|---|
| PCA (private certificate authority) | Clients that authenticate with X.509 certificates issued by an internal CA | Personal development machines, devices with a Trusted Platform Module (TPM) |
| OIDC (OpenID Connect) | Clients that already obtain OIDC tokens from an external identity provider (IdP) | Kubernetes pods, GitHub Actions, CI/CD pipelines, Azure virtual machines, Google Cloud Compute Engine |
| PKCS#7 | Clients running on cloud instances that generate signed instance identity documents | Alibaba Cloud ECS, Alibaba Cloud ECI, AWS EC2 |
Prerequisites
Before you begin, ensure that you have:
An IDaaS instance with the EIAM service enabled
The required permissions to manage the IDaaS instance
(OIDC only) The issuer URL of your external IdP, reachable over HTTPS. Verify that {issuer}/.well-known/openid-configuration returns a valid JSON document containing at least the issuer and jwks_uri fields before you proceed; the issuer cannot be changed after the provider is created.
(PKCS#7, Amazon Cloud) The RSA-2048 root certificate for the AWS region where your client service is deployed. Download it from AWS public certificates for instance identity signature.
Add a federated credential provider
Log on to the IDaaS Management Console. In the left navigation pane, select EIAM, choose your IDaaS instance, and click Manage.
Go to Sign-In > Authentication Configuration > Federated Credential Provider Management, and click Add Federated Credential Provider.
Under Select provider type, select PCA, OIDC, or PKCS#7.
For background on how each provider type works, see Federated credential providers overview.
Click Next, configure the parameters for your provider type (see the sections below), and click Confirm.
PCA parameters
A private certificate authority (PCA) provider validates client identity using X.509 certificates issued by your internal CA. The trust condition verifies the certificate content when a client calls the token endpoint.
| Field | Description |
|---|---|
| Federated credential provider | A unique name for this provider. Use lowercase letters, digits, underscores (_), and hyphens (-). Maximum 64 characters. |
| Provider type | PCA |
| Network access endpoint | The endpoint IDaaS uses to fetch the certificate revocation list (CRL) and validate the root certificate. Use the shared endpoint (default, shared public network egress) unless you have purchased a dedicated endpoint. |
| Fill in verification certificate | The root certificate in PEM format. The content must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. Upload up to two root certificates to support certificate rotation. |
| Trust condition | The condition IDaaS evaluates against the client certificate submitted to the token endpoint. Only requests that satisfy the condition receive an access token. Maximum 10,240 characters. |
| Description | (Optional) A note explaining the purpose of this provider. Maximum 128 characters. |
OIDC parameters
An OIDC provider validates client identity using OIDC tokens issued by an external identity provider. IDaaS verifies the token signature and evaluates the trust condition before issuing an access token.
Before you configure the issuer
The issuer cannot be changed after the provider is created. Before entering the issuer URL:
Confirm the URL begins with https://.
Append /.well-known/openid-configuration to the URL and open it in a browser or with curl. Verify the response contains the issuer and jwks_uri fields.
Copy the exact issuer value from the discovery document and use that value in the Issuer field, not the discovery endpoint URL itself.
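The pre-flight checks above can be scripted so they run the same way every time a provider is created. The following is an added example, not part of this documentation or of IDaaS itself: it builds the discovery URL from a candidate issuer, then checks the HTTPS requirement, the 1,024 character limit, the presence of issuer and jwks_uri, and that the issuer in the document matches the value you plan to enter exactly (the most common mistake is entering the host alone when the IdP's issuer carries a path). The IdP host idp.example.com and the two discovery documents are constructed samples.

```python
import json
import urllib.request
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"
REQUIRED_FIELDS = ("issuer", "jwks_uri")
MAX_ISSUER_LENGTH = 1024  # limit stated for the Issuer field


def discovery_url(issuer: str) -> str:
    """Build the discovery URL from the issuer exactly as the console expects."""
    return issuer.rstrip("/") + DISCOVERY_PATH


def check_discovery(issuer: str, document: dict) -> list:
    """Return a list of problems; an empty list means the issuer is safe to enter.

    issuer   - the value you intend to put in the Issuer field
    document - the parsed JSON fetched from discovery_url(issuer)
    """
    problems = []
    if urlparse(issuer).scheme != "https":
        problems.append("issuer must use https://")
    if len(issuer) > MAX_ISSUER_LENGTH:
        problems.append("issuer exceeds the 1,024 character limit")
    for field in REQUIRED_FIELDS:
        if field not in document:
            problems.append(f"discovery document is missing '{field}'")
    # The Issuer field must hold the document's issuer value verbatim; IDaaS
    # validates the token's iss claim against it as a baseline check.
    doc_issuer = document.get("issuer")
    if doc_issuer is not None and doc_issuer != issuer:
        problems.append(
            f"configured issuer {issuer!r} does not match discovery 'issuer' "
            f"{doc_issuer!r}; use the discovery value"
        )
    jwks_uri = document.get("jwks_uri")
    if jwks_uri is not None and urlparse(jwks_uri).scheme != "https":
        problems.append("jwks_uri must use https://")
    return problems


def fetch_and_check(issuer: str, timeout: float = 10.0) -> list:
    """Fetch the discovery document over the network and run the checks."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        document = json.load(resp)
    return check_discovery(issuer, document)


# Constructed sample documents for a hypothetical IdP (not a real endpoint).
GOOD_DOC = {
    "issuer": "https://idp.example.com",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
}
# Same IdP, but its issuer carries a path that an operator might leave out.
MISMATCHED_DOC = {
    "issuer": "https://idp.example.com/oauth2/default",
    "jwks_uri": "https://idp.example.com/oauth2/default/keys",
}

if __name__ == "__main__":
    print(check_discovery("https://idp.example.com", GOOD_DOC))        # []
    print(check_discovery("https://idp.example.com", MISMATCHED_DOC))  # issuer mismatch
    print(check_discovery("http://idp.example.com", {}))               # scheme + missing fields
```

Run fetch_and_check against your real issuer before opening the console; if it returns anything other than an empty list, resolve the problem first, because the Issuer field is locked once the provider exists.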
OIDC configuration fields
| Field | Description |
|---|---|
| Federated credential provider | A unique name for this provider. Use lowercase letters, digits, underscores (_), and hyphens (-). Maximum 64 characters. |
| Provider type | OIDC |
| Network access endpoint | The endpoint IDaaS uses to fetch the JWKS (JSON Web Key Set) and verify token signatures. Use the shared endpoint (default) unless you have purchased a dedicated endpoint. |
| Trust source | How IDaaS obtains the public key to verify OIDC tokens. Three options are available — see Trust source options below. |
| Issuer | The issuer of the OIDC tokens your client submits. Must use HTTPS. Maximum 1,024 characters. Cannot be changed after creation. |
| ResourceServer Identifier | The expected audience (aud) claim in the OIDC token. You can specify up to 5 values, each up to 256 characters. Defaults to the current IDaaS instance domain. If your client sets a different audience, update this field — otherwise token endpoint calls will fail. |
| Verification key | The static public key used to verify token signatures. Required only when Trust source is set to Static configuration. |
| Trust condition | The condition IDaaS evaluates against the OIDC token claims when a client calls the token endpoint. Issuer and audience are always validated as baseline checks. Maximum 10,240 characters. |
| Description | (Optional) A note explaining the purpose of this provider. Maximum 128 characters. |
Trust source options
| Option | What IDaaS does | When to use |
|---|---|---|
| Issuer address parsing (recommended) | Fetches {issuer}/.well-known/openid-configuration, then retrieves the JWKS from the jwks_uri in that document | Your IdP exposes a standard OIDC discovery endpoint |
| Public key address parsing | Fetches the JWKS directly from the URL you provide | Your IdP exposes a JWKS endpoint but not a discovery document |
| Static configuration | Uses the public key you paste into the Verification key field | Your IdP does not expose a network-accessible key endpoint |
PKCS#7 parameters
A PKCS#7 provider validates client identity using signed instance identity documents generated by the cloud platform where your client service runs. Select the trust source that matches your cloud environment.
| Field | Description |
|---|---|
| Federated credential provider | A unique name for this provider. Use lowercase letters, digits, underscores (_), and hyphens (-). Maximum 64 characters. |
| Provider type | PKCS#7 |
| Trust source | Select Alibaba Cloud if your client runs on ECS or ECI. Select Amazon Cloud if your client runs on EC2. |
| Signature validity period | The maximum age of the PKCS#7 signature accepted at the token endpoint. Default: 3,600 seconds for Alibaba Cloud; 30 days for Amazon Cloud. |
| Signature timestamp expression | The path IDaaS uses to extract the signing time from the submitted signature. Read-only — cannot be modified. Alibaba Cloud: pkcs7.payload.jsonData.audience.signingTime. Amazon Cloud: pkcs7.signingTime. |
| Root certificate | The root certificate used to verify the PKCS#7 signature. For Alibaba Cloud, IDaaS pre-fills the global Alibaba Cloud root certificate. For Amazon Cloud, you must use an RSA-2048 type root certificate — other types will not pass verification. Upload the RSA-2048 root certificate for the region where your client is deployed. If your service spans multiple regions, upload a certificate for each. |
| Account ID | The cloud account ID that owns the instance where your client service runs. Maximum 128 characters. |
| Instance ID signature | Defaults to the IDaaS instance ID. |
| Description | (Optional) A note explaining the purpose of this provider. Maximum 128 characters. |
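The Signature validity period and Signature timestamp expression fields together decide whether a submitted instance identity signature is fresh enough to exchange for a token. The following is an added example written for this page, not IDaaS code: it reads the signing time at the read-only path shown for each trust source, applies the default validity period, and rejects signatures that are missing a timestamp, malformed, dated in the future, or older than the limit. The nested documents are constructed so that the keys line up with the two path expressions; they are not real instance identity documents, and the ISO 8601 timestamp format is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Read-only timestamp expressions shown in the console, keyed by trust source.
SIGNING_TIME_PATHS = {
    "Alibaba Cloud": "pkcs7.payload.jsonData.audience.signingTime",
    "Amazon Cloud": "pkcs7.signingTime",
}
# Default validity periods from the console.
DEFAULT_VALIDITY = {
    "Alibaba Cloud": timedelta(seconds=3600),
    "Amazon Cloud": timedelta(days=30),
}


def extract_path(doc: dict, path: str):
    """Walk a dotted path through nested dicts; return None if any key is absent."""
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def parse_signing_time(value: str) -> datetime:
    """Parse an ISO 8601 timestamp (assumed format); naive values are treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def signature_is_fresh(doc: dict, trust_source: str, now: datetime,
                       validity: timedelta = None,
                       clock_skew: timedelta = timedelta(seconds=60)):
    """Return (accepted, reason) for the signing time found in doc."""
    path = SIGNING_TIME_PATHS[trust_source]
    validity = validity or DEFAULT_VALIDITY[trust_source]
    raw = extract_path(doc, path)
    if raw is None:
        return False, f"signing time not found at {path}"
    try:
        signed_at = parse_signing_time(str(raw))
    except ValueError:
        return False, "signing time is not a valid timestamp"
    if signed_at > now + clock_skew:
        return False, "signing time is in the future"
    age = now - signed_at
    if age > validity:
        return False, (f"signature is {int(age.total_seconds())}s old, "
                       f"limit is {int(validity.total_seconds())}s")
    return True, "ok"


# Constructed samples: a fixed "now" and two documents shaped after the path expressions.
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
ALIBABA_DOC = {"pkcs7": {"payload": {"jsonData": {"audience": {
    "signingTime": "2024-06-01T11:30:00Z"}}}}}          # 30 minutes old
AWS_DOC = {"pkcs7": {"signingTime": "2024-05-01T00:00:00Z"}}  # 31.5 days old

if __name__ == "__main__":
    print(signature_is_fresh(ALIBABA_DOC, "Alibaba Cloud", NOW))  # (True, 'ok')
    print(signature_is_fresh(AWS_DOC, "Amazon Cloud", NOW))       # (False, '...30 days limit')
    print(signature_is_fresh({}, "Amazon Cloud", NOW))            # (False, 'signing time not found...')
```

Shortening the validity period below the default narrows the window in which a captured signature remains usable, at the cost of requiring clients to re-generate the document more often; the clock-skew allowance is the only tolerance for clients whose clocks run ahead of the server.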
Manage existing providers
After creating a federated credential provider, manage it from the Federated Credential Provider Management page:
Enable or disable: Toggle the Status switch to activate or deactivate the provider without deleting it.
View details: Click Details to review the provider's current configuration.
Update: Click Modify to change editable fields. Note that the Issuer field in OIDC providers cannot be changed after creation.
What's next
Create federated credentials — associate an application with a federated credential provider
Use federated credential expressions — write trust conditions and map token claims to access policies
Federated credential providers overview — learn how federated authentication works in IDaaS