Federation at the Tapestry boundary

Last reviewed: 2026-04-27 · Owner: Product & Engineering

Goal

Know which federation settings are owned by Tapestry configuration versus your IdP/realm operators, so callbacks and trust align with SPEC-011.

Prerequisites

  • Partner detail loaded for a synthetic pair such as tenant_alpha + textmetrics.
  • Access to your IdP team for client secrets, redirect URIs, and certificate rotation.

Steps

  1. Open Partner detail (/console/partner-detail) and review governance.federation summaries (posture is operator-controlled; ADR-028).
  2. Map OIDC/OAuth callback URLs from Tapestry docs to your IdP client configuration—do not invent endpoints.
  3. Coordinate state/nonce and claim expectations with your IdP admins; Tapestry enforces the inbound broker boundary fail-closed.

Verify

  • Test sign-on flows in the sandbox match the documented redirect and issuer values.
  • Claim gaps are visible in verification jobs or logs without exposing client secrets in help tickets.
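
One way to script the two checks above against a captured sandbox sign-on. This is an added example, not Tapestry code. The hostnames, client id, and required-claim list are constructed placeholders, and the token payload is decoded for diagnostics only, without signature verification.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Constructed placeholders: take the real values from the Tapestry docs and your IdP.
EXPECTED = {
    "issuer": "https://idp.example.test/realms/sandbox",
    "redirect_uri": "https://broker.example.test/callback",
    "client_id": "sandbox-client",
    "required_claims": ("sub", "email", "tenant"),  # hypothetical claim contract
}

def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed, unsigned sandbox token for the demo."""
    return ".".join([b64url({"alg": "none"}), b64url(claims), ""])

def decode_claims(id_token):
    """Read the JWT payload for diagnostics only; the signature is NOT verified here."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_flow(authz_url, id_token, sent_nonce, expected=EXPECTED):
    """Return ticket-safe findings: names and public values only, never secrets."""
    findings = []
    query = parse_qs(urlsplit(authz_url).query)
    redirect = query.get("redirect_uri", [""])[0]
    if redirect != expected["redirect_uri"]:  # exact match, no prefix or wildcard
        findings.append(f"redirect_uri mismatch: {redirect!r}")
    if not query.get("state"):
        findings.append("state missing from authorization request")
    claims = decode_claims(id_token)
    if claims.get("iss") != expected["issuer"]:
        findings.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud", [])
    if expected["client_id"] not in ([aud] if isinstance(aud, str) else aud):
        findings.append("aud does not include the expected client_id")
    if not sent_nonce or claims.get("nonce") != sent_nonce:
        findings.append("nonce missing or not the value sent")
    gaps = [c for c in expected["required_claims"] if c not in claims]
    if gaps:
        findings.append("claim gap: " + ", ".join(gaps))
    return findings
```

The returned findings contain claim names and public URLs only, so they can go into a ticket alongside the correlation id.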

If it fails

Use federation verification runbooks under 08_Docs_Playbooks; avoid pasting live client secrets into chat. Escalate with correlation ids only.

Further reading

  • SPEC-011 Inbound Federation and Identity Broker Boundary.
  • ADR-028 bootstrap strategy (Keycloak on Elestio with adapter readiness).
  • Operator playbooks in the repository (not duplicated here).