This document describes how to configure federated credential providers in the IDaaS Console. It includes parameter descriptions and scenarios for three types of credential providers: PCA, OIDC, and PKCS#7, helping users implement secure federated identity authentication management.
Procedure
Log on to the IDaaS Management Console. In the navigation pane on the left, select EIAM. Select the corresponding IDaaS instance and click Manage in the Actions column.
Click .
On the Add Federated Credential Provider page, under Select provider type, select the credential provider type that you need: PCA, OIDC, or PKCS#7.
Note: For more information, see Introduction to federated credential providers.
After you select the type, click Next and configure the following parameters. After you complete the configuration, click Confirm.
PCA: A Private CA (Private Certificate Authority) is a certificate authority operated internally by an organization or enterprise. It issues and manages digital certificates that are valid only within internal networks or specific trust domains. PCA federated credential providers are primarily suitable for personal development computers or for entities equipped with a Trusted Platform Module (TPM).
Federated Credential Provider: The name can contain lowercase letters, digits, underscores (_), and hyphens (-), and can be up to 64 characters in length.
Provider Type: PCA
Network Access Endpoint: IDaaS uses the network endpoint to retrieve the revocation list of the root certificate and confirm that the root certificate is still valid. The shared endpoint is a shared public network egress. If you have purchased a dedicated endpoint, you can use it instead.
Fill in Verification Certificate: The root certificate content must be in PEM format, starting with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----". You can upload up to two root certificates so that certificates can be rotated later.
Trust Condition: Trust conditions verify the input parameters when a client calls the M2M authorization server Token endpoint, so that only requests that meet the conditions obtain Access Tokens issued by IDaaS. In PCA scenarios, the condition is evaluated against the content of the client certificate. The maximum length is 10,240 characters.
Description: Explains the purpose of the federated credential provider. The description can be up to 128 characters in length.
OIDC: OpenID Connect (OIDC) is an identity authentication protocol based on OAuth 2.0, widely applicable to scenarios requiring federated identity authentication with identity providers. It is particularly suitable for services deployed in Kubernetes pods, GitHub Actions, CI/CD pipelines, Azure virtual machines, and Google Cloud Compute Engine environments.
Federated Credential Provider: The name can contain lowercase letters, digits, underscores (_), and hyphens (-), and can be up to 64 characters in length.
Provider Type: OIDC
Network Access Endpoint: IDaaS uses the network endpoint to access the Issuer address or the JWKS address and resolve it dynamically to obtain the signature verification public key. The shared endpoint is a shared public network egress. If you have purchased a dedicated endpoint, you can use it instead.
Trust Source: The trust source is the method that this OIDC federated credential provider uses to obtain the signature verification public key when it parses the OIDC Token submitted by the client. There are three methods: Static Fill, Issuer Address Resolution, and Public Key Address Resolution.
  Issuer Address Resolution: You only need to enter the Issuer address.
  Public Key Address Resolution: You need to enter the address from which the signature verification public key is obtained (the JWKS address).
  Static Fill: You need to manually enter the public key in the Verification Key field.
Issuer: Enter the Issuer of the OIDC Token that the client submits when it calls the IDaaS authorization server Token endpoint. The Issuer must use the HTTPS protocol and can be up to 1,024 characters in length.
Important: After the Issuer is saved, it cannot be changed. Check it carefully before you confirm.
ResourceServer Identifier: Enter the Audience of the OIDC Token that the client submits when it calls the IDaaS authorization server Token endpoint. You can specify up to 5 audiences, each up to 256 characters in length. The default audience is the domain address of the current IDaaS instance, meaning that the OIDC Token presented by the client is intended for this IDaaS instance. You can delete or modify this value if needed.
Note: If the Audience claim in the OIDC Token submitted to the Token endpoint is not the IDaaS instance domain, modify this value. Otherwise, the Token endpoint call fails.
Verification Key: Required when the trust source is Static Fill.
Trust Condition: Trust conditions verify the input parameters (such as the OIDC Token content) when a client calls the M2M authorization server Token endpoint, so that only requests that meet the conditions obtain Access Tokens issued by IDaaS. Issuer and Audience are required basic fields. The maximum length is 10,240 characters.
Description: Explains the purpose of the federated credential provider. The description can be up to 128 characters in length.
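The following example is added here to show what the required Issuer and Audience checks and the trust-source key lookup amount to when an OIDC Token reaches the Token endpoint; it is illustration code, not IDaaS code. The instance domain, issuer, key id and the `jwks_uri` key are constructed placeholders, and the RS256 signature check is left to a JOSE library.

```python
import base64
import json

# Constructed sample configuration mirroring the OIDC provider form; the instance
# domain, issuer, key id and the "jwks_uri" key are hypothetical placeholders.
IDAAS_INSTANCE_DOMAIN = "example-instance.idaas.example.com"   # default audience
PROVIDER = {
    "issuer": "https://token.actions.githubusercontent.com",
    "audiences": [IDAAS_INSTANCE_DOMAIN],      # at most 5 entries, each up to 256 chars
    "trust_source": "Static Fill",             # or Issuer / Public Key Address Resolution
    "jwks": {"keys": [{"kty": "RSA", "kid": "key-1", "e": "AQAB", "n": "<placeholder>"}]},
}

def _b64url(data):
    # Encode a dict to a base64url JSON segment, or decode a segment to bytes.
    if isinstance(data, dict):
        return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def make_sample_token(claims, kid="key-1"):
    """Build a compact JWT for the demo; the signature segment is a dummy value."""
    return f"{_b64url({'alg': 'RS256', 'kid': kid})}.{_b64url(claims)}.c2ln"

def key_source(provider):
    """Where the signature verification public key comes from for each trust source."""
    mode = provider["trust_source"]
    if mode == "Static Fill":
        return "static"                        # Verification Key field must be filled
    if mode == "Issuer Address Resolution":
        return provider["issuer"].rstrip("/") + "/.well-known/openid-configuration"
    if mode == "Public Key Address Resolution":
        return provider["jwks_uri"]            # the JWKS address entered in the form
    raise ValueError(f"unknown trust source: {mode}")

def check_trust_condition(token, provider, now):
    """Apply the required basic fields (Issuer, Audience), expiry and key lookup.
    The RS256 signature check itself is delegated to a JOSE library (not shown)."""
    header, claims = (json.loads(_b64url(p)) for p in token.split(".")[:2])
    if claims.get("iss") != provider["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud", [])
    audiences = {aud} if isinstance(aud, str) else set(aud)
    if not audiences & set(provider["audiences"]):
        return False, "audience is not this IDaaS instance"   # Token endpoint call fails
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if key_source(provider) == "static":
        if header.get("kid") not in {k["kid"] for k in provider["jwks"]["keys"]}:
            return False, "no static verification key for kid"
    return True, "ok"
```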
PKCS#7: PKCS#7, as a fundamental standard in Public Key Infrastructure (PKI), is widely used in scenarios requiring data integrity and confidentiality. It is particularly suitable for services deployed in cloud provider environments such as Alibaba Cloud ECS, Alibaba Cloud ECI, and AWS EC2.
Federated Credential Provider: The name can contain lowercase letters, digits, underscores (_), and hyphens (-), and can be up to 64 characters in length.
Provider Type: PKCS#7
Trust Source: Select Alibaba Cloud when the client service is deployed on Alibaba Cloud ECS, or Amazon Cloud when it is deployed on Amazon EC2.
Signature Validity Period: The validity period of the PKCS#7 signature that the client submits when it calls the IDaaS authorization server Token endpoint. The default validity period for Alibaba Cloud is 3,600 seconds. The validity period for Amazon Cloud is 30 days.
Signature Timestamp Expression: The expression that IDaaS uses to extract the signing time from the submitted PKCS#7 signature. This field cannot be modified.
  Alibaba Cloud: pkcs7.payload.jsonData.audience.signingTime
  Amazon Cloud: pkcs7.signingTime
Enter the root certificate: Upload the root certificate used to verify the PKCS#7 signature.
  Alibaba Cloud: Alibaba Cloud currently uses the same certificate globally. IDaaS fills in the Alibaba Cloud root certificate by default.
  Amazon Cloud: You must use the RSA-2048 type root certificate. Other certificate types (such as the certificate for the PKCS7 signature type) will not pass verification. Amazon Cloud root certificates differ by region, so select the root certificate for the region where your client service is deployed. If your service is deployed in multiple regions, you can upload multiple root certificates. For more information, see AWS public certificates for instance identity signature.
Account ID: Enter the ID of the cloud account that owns the cloud server on which the client service is deployed. The maximum length is 128 characters.
Instance ID Signature: The default value is the IDaaS instance ID.
Description: Explains the purpose of the federated credential provider. The description can be up to 128 characters in length.
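The following example is added to show how the Signature Timestamp Expression and Signature Validity Period from the table above combine into a validity-window check; it is illustration code, not IDaaS code. The dict layout of the parsed PKCS#7 structure, the two sample documents and the five-minute clock-skew allowance are constructed assumptions; the signature itself and the chain to the uploaded root certificate are assumed to have been verified already.

```python
from datetime import datetime, timedelta

# Settings from the PKCS#7 form above; the dict layout and key names are assumptions.
PROVIDERS = {
    "Alibaba Cloud": {"timestamp_expr": "pkcs7.payload.jsonData.audience.signingTime",
                      "validity": timedelta(seconds=3600)},
    "Amazon Cloud": {"timestamp_expr": "pkcs7.signingTime",
                     "validity": timedelta(days=30)},
}
CLOCK_SKEW = timedelta(minutes=5)   # tolerance for client clocks slightly ahead (assumption)

def resolve_expr(obj, expr):
    """Follow a dotted expression such as pkcs7.signingTime through nested dicts."""
    for part in expr.split("."):
        if not isinstance(obj, dict) or part not in obj:
            raise KeyError(f"{expr}: segment {part!r} not found")
        obj = obj[part]
    return obj

def check_signature_window(parsed, cloud, now):
    """Return (ok, reason) for the signature validity period check.
    `parsed` is the already signature-verified PKCS#7 structure as a dict;
    `now` is an aware datetime or an ISO 8601 string with a UTC offset."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cfg = PROVIDERS[cloud]
    signing_time = datetime.fromisoformat(resolve_expr(parsed, cfg["timestamp_expr"]))
    if signing_time.tzinfo is None:
        return False, "signing time has no timezone"
    if signing_time > now + CLOCK_SKEW:
        return False, "signing time is in the future"
    if now - signing_time > cfg["validity"]:
        return False, f"signature older than {cfg['validity']}"
    return True, "ok"

# Constructed sample documents, shaped to match the two timestamp expressions.
ALIBABA_DOC = {"pkcs7": {"payload": {"jsonData": {"audience": {
    "signingTime": "2024-05-01T10:00:00+00:00"}}}}}
AWS_DOC = {"pkcs7": {"signingTime": "2024-04-10T10:00:00+00:00"}}

if __name__ == "__main__":
    now = "2024-05-01T10:30:00+00:00"
    print(check_signature_window(ALIBABA_DOC, "Alibaba Cloud", now))   # 30 min old, within 3,600 s
    print(check_signature_window(AWS_DOC, "Amazon Cloud", now))        # 21 days old, within 30 days
```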
After you create a federated credential provider, you can manage it by enabling or disabling its Status, viewing Details, or performing Modify operations.