Skip to main content

Documentation Index

Fetch the complete documentation index at: https://conductorone-docs-ad-account-provisioning-setup.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the C1 Support team if you’d like to try it out or share feedback.
This guide walks through the C1 federation wizard to create a provider and trust. Before starting, you need a service principal — if you don’t have one yet, follow Step 1 of the client credentials quick start. You don’t need to create a credential; federation replaces credentials with OIDC tokens.

Create a federation trust

1
On the service principal detail page, select the Federation tab.
2
Click Set up federation.
3
Choose a provider. Select an existing provider, or create a new one. C1 includes presets for common platforms:
ProviderIssuer URLNotes
GitHub Actionshttps://token.actions.githubusercontent.comFixed issuer URL
GitLab CI/CDhttps://gitlab.com (or self-managed URL)Editable issuer URL
HCP Terraformhttps://app.terraform.io (or custom hostname)Editable issuer URL
AWS IAM OutboundAccount-specific issuer URLEditable issuer URL
Custom OIDCAny HTTPS issuer URLFor other OIDC-capable platforms
4
Configure the trust. The wizard generates a CEL expression based on your inputs (organization, repository, branch, environment, and so on). You can switch to manual mode to write your own CEL expression.Optional. Add IP restrictions and scoped roles for additional security. See security controls for details.
5
Click Create to finish.
6
Copy the client ID — you’ll need it in your CI/CD configuration.

Test your token

Before deploying to production, test the federation trust to make sure your CEL expression matches the expected JWT claims.
1
Click the trust in the Federation tab to open its detail drawer, then click Test.
2
Paste a sample JWT from your CI/CD platform, or provide claims as JSON.
3
The test runner validates each step:
StepWhat it checks
JWT decodeToken is valid JWT format
Issuer matchToken issuer matches the provider
Signature validationToken signature is valid via JWKS
Audience validationToken audience matches your tenant
Token freshnessToken was issued within the last 10 minutes
CEL evaluationYour condition expression returns true
IP address checkSource IP is in the allowlist (if configured)
You can also use the Test CEL tool at Settings > Workload Federation to test expressions against sample claims without a real JWT. This is useful for iterating on your CEL expression before creating a trust.

Platform-specific guides

Once your trust is created, follow the integration guide for your CI/CD platform:
  • GitHub Actions — recommended for GitHub-based workflows
  • GitLab CI — uses GitLab’s built-in id_tokens
  • HCP Terraform — auto-detected from workspace identity tokens
  • AWS IAM — outbound identity federation from any AWS workload
  • Custom OIDC — any platform with OIDC support