Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the ConductorOne Support team if you’d like to try it out or share feedback.
This guide walks through the ConductorOne federation wizard to create a provider and trust. Before starting, you need a service principal — if you don’t have one yet, follow Step 1 of the client credentials quick start. You don’t need to create a credential; federation replaces credentials with OIDC tokens.

Create a federation trust

1. On the service principal detail page, select the Federation tab.
2. Click Set up federation.
3. Choose a provider. Select an existing provider, or create a new one. ConductorOne includes presets for common platforms:

| Provider | Issuer URL | Notes |
| --- | --- | --- |
| GitHub Actions | https://token.actions.githubusercontent.com | Fixed issuer URL |
| GitLab CI/CD | https://gitlab.com (or self-managed URL) | Editable issuer URL |
| HCP Terraform | https://app.terraform.io (or custom hostname) | Editable issuer URL |
| AWS IAM Outbound | Account-specific issuer URL | Editable issuer URL |
| Custom OIDC | Any HTTPS issuer URL | For other OIDC-capable platforms |

4. Configure the trust. The wizard generates a CEL expression based on your inputs (organization, repository, branch, environment, and so on). You can switch to manual mode to write your own CEL expression.
   Optional. Add IP restrictions and scoped roles for additional security. See security controls for details.
5. Click Create to finish.
6. Copy the client ID — you’ll need it in your CI/CD configuration.

Test your token

Before deploying to production, test the federation trust to make sure your CEL expression matches the expected JWT claims.
1. Click the trust in the Federation tab to open its detail drawer, then click Test.
2. Paste a sample JWT from your CI/CD platform, or provide claims as JSON.
3. The test runner validates each step:

| Step | What it checks |
| --- | --- |
| JWT decode | Token is valid JWT format |
| Issuer match | Token issuer matches the provider |
| Signature validation | Token signature is valid via JWKS |
| Audience validation | Token audience matches your tenant |
| Token freshness | Token was issued within the last 10 minutes |
| CEL evaluation | Your condition expression returns true |
| IP address check | Source IP is in the allowlist (if configured) |

You can also use the Test CEL tool at Settings > Workload Federation to test expressions against sample claims without a real JWT. This is useful for iterating on your CEL expression before creating a trust.
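The steps in the table above can be approximated locally before you paste a token into the test runner. This is an added example, not ConductorOne code: it mirrors the decode, issuer, audience, freshness and IP steps, skips signature validation (which needs the provider's JWKS), and uses a Python predicate as a stand-in for the trust's CEL expression. The audience value, repository name and sample token are constructed placeholders.

```python
import base64
import ipaddress
import json
import time

MAX_AGE_SECONDS = 600  # the page's freshness window: issued within the last 10 minutes
# Constructed sample claims; the audience is a placeholder, not a real tenant value.
SAMPLE_CLAIMS = {"iss": "https://token.actions.githubusercontent.com",
                 "aud": "https://tenant.example.invalid", "iat": 1_700_000_000,
                 "repository": "example-org/example-repo", "ref": "refs/heads/main"}

def _b64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_claims(token):
    """JWT decode step: three base64url parts with a JSON object payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def preflight(token, issuer, audience, condition, source_ip=None, allowlist=(), now=None):
    """Return [(step, passed)] in the runner's order; signature validation is not done.
    A missing, non-numeric or future iat counts as not fresh in this local check."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(token)
    except ValueError:  # covers bad base64, bad JSON and bad structure
        return [("JWT decode", False)]
    aud, iat = claims.get("aud"), claims.get("iat")
    results = [
        ("JWT decode", True),
        ("Issuer match", claims.get("iss") == issuer),
        ("Audience validation", audience in (aud if isinstance(aud, list) else [aud])),
        ("Token freshness", isinstance(iat, (int, float)) and 0 <= now - iat <= MAX_AGE_SECONDS),
        ("CEL evaluation", bool(condition(claims))),  # Python stand-in for the CEL expression
    ]
    if allowlist:  # the IP step only applies when an allowlist is configured
        ip = ipaddress.ip_address(source_ip)
        results.append(("IP address check", any(ip in ipaddress.ip_network(n) for n in allowlist)))
    return results

def sample_token(claims):
    """Constructed, unsigned sample token for offline runs (placeholder signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

A token that fails the freshness step here will also be too old for the runner's 10-minute window, so request a new one from the CI/CD job before testing.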

Platform-specific guides

Once your trust is created, follow the integration guide for your CI/CD platform: