Configure IAM Federation

As an organization, to begin using Identity Provider (IDP) to log in to the DCD, follow these steps:

Request Domain Ownership

Using the API, the organization must request domain ownership. This domain ownership establishes a connection between the organization and its IDP.

Note: IONOS Cloud performs the verification and approval process on receiving the domain ownership request. On successful domain ownership validation, IONOS Cloud proceeds with IAM Federation configuration for your organization. This process takes up to a week, approximately.

Onboard Identity Provider

Prerequisites:

The domain ownership must be successfully verified and approved by IONOS Cloud.
IONOS Cloud accepts SAML 2.0 or OpenID Connect (OIDC) identity providers. Hence, your IDP must be either of these two types.

1. Onboard the organization IDP. To do so, Create Identity Provider using the API.

2. Depending on the IDP type, you must provide the following details to IONOS Cloud:

Info: You can find these details in the discovery endpoint. For more information, see Discovery endpoint.

client_id: Your OIDC client ID.
client_secret: The client secret key.

Secret (SAML 2.0): X.509 certificate.

Configuration from IONOS Cloud

Upon receipt of the discovery endpoint from the organization, IONOS Cloud performs the following actions:
- Verifies the domain ownership.
- Verifies the discovery endpoint.
- Creates the IDP using the configuration in the discovery endpoint.
- Links the IDP to the domain to be used by the user accounts in that domain.

Result: The organization IDP is successfully onboarded to IONOS Cloud.

Discovery endpoint

From the OIDC discovery endpoint, the following details are considered to configure the IAM Federation by IONOS Cloud:

issuer: The URL of the OIDC issuer.
authorization_endpoint: The URL of the authorization endpoint.
token_endpoint: The URL of the token endpoint.
userinfo_endpoint: The URL of the user info endpoint.
jwks_uri: The URL of the JSON Web Key Set (JWKS).
client_id: The client ID of the OIDC client.
client_secret: The client secret of the OIDC client.

For more information on the OIDC discovery endpoint, refer to the OpenID Connect 1.0 Documentation.

From the SAML 2.0 discovery endpoint, the following details are considered to configure the IAM Federation by IONOS Cloud:

entityId: The entity ID of the SAML 2.0 IdP.
singleSignOnService: The URL of the Single Sign-On (SSO) service.
x509cert: The X.509 certificate of the SAML 2.0 identity provider.
signatureAlgorithm: The signature algorithm used by the SAML 2.0 identity provider.
sloBinding: The binding used for single logout.
sloUrl: The URL of the single logout service.

Note: Use metadata XML files to share configuration details since there are no standardized URL-based discovery mechanisms like in the OIDC Discovery Endpoint.

For more information on the SAML 2.0 discovery endpoint, refer to the SAML 2.0 Documentation.

At your organization IDP, allow IONOS Cloud to link with the following discovery endpoints:

OIDC Discovery Endpoint: https://iam.ionos.com/realms/cloud/.well-known/openid-configuration
SAML 2.0 Discovery Endpoint: https://iam.ionos.com/realms/cloud/protocol/saml/descriptor

PreviousSet User Privileges NextManage User Account in IAM Federation

Last updated 1 day ago

Was this helpful?