# Configure IAM Federation

As an organization, to begin using an Identity Provider (IDP) to log in to the DCD, follow these steps:

{% stepper %}
{% step %}

### Request Domain Ownership

1\. Using the [<mark style="color:blue;">API</mark>](/cloud/set-up-ionos-cloud/management/identity-access-management/iam-federation/api-how-tos/request-domain-ownership.md), the organization must request domain ownership. This domain ownership establishes a connection between the organization and its IDP. For more information, see [<mark style="color:blue;">Why a domain is required for IAM Federation?</mark>](/cloud/set-up-ionos-cloud/management/identity-access-management/iam-federation/iam-federation-faq.md#why-a-domain-is-required-for-iam-federation).

2\. The organization must [<mark style="color:blue;">Create a TXT Domain Record</mark>](/cloud/set-up-ionos-cloud/management/identity-access-management/iam-federation/how-tos/create-txt-domain-record.md) using the `token` value provided in the [<mark style="color:blue;">Request Domain Ownership API</mark>](/cloud/set-up-ionos-cloud/management/identity-access-management/iam-federation/api-how-tos/request-domain-ownership.md).

{% hint style="info" %}
**Note:** IONOS Cloud performs the verification and approval process after you manually trigger it using the [<mark style="color:blue;">Verify Domain Ownership</mark>](/cloud/set-up-ionos-cloud/management/identity-access-management/iam-federation/api-how-tos/verify-domain-ownership.md) API. Upon successful domain ownership validation, IONOS Cloud will proceed with the IAM Federation configuration for your organization. The duration of this process ranges from a few seconds to up to a week, depending on your domain provider.
{% endhint %}
{% endstep %}

{% step %}

### Onboard Identity Provider

{% hint style="info" %}
**Prerequisites:**

* The domain ownership must be successfully verified and approved by IONOS Cloud.
* IONOS Cloud accepts SAML 2.0 or OpenID Connect (OIDC) identity providers. Hence, your IDP must be one of these two types.
{% endhint %}

1\. Onboard the organization IDP. To do so, [<mark style="color:blue;">Create Identity Provider</mark>](/cloud/set-up-ionos-cloud/management/identity-access-management/iam-federation/api-how-tos/create-identity-provider.md) using the API.

2\. Depending on the IDP type, you must provide the following details to IONOS Cloud:

{% hint style="info" %}
**Info:** You can find these details in the discovery endpoint. For more information, see [<mark style="color:blue;">Discovery endpoint</mark>](#discovery-endpoint).
{% endhint %}

{% tabs %}
{% tab title="OIDC" %}

* **client\_id:** Your OIDC client ID.
* **client\_secret:** The client secret key.
{% endtab %}

{% tab title="SAML 2.0" %}

* **Secret (SAML 2.0):** `X.509` certificate.
{% endtab %}
{% endtabs %}
{% endstep %}

{% step %}

### Configuration from IONOS Cloud

* Upon receipt of the discovery endpoint from the organization, IONOS Cloud performs the following actions:
  * Verifies the domain ownership.
  * Verifies the discovery endpoint.
  * Creates the IDP using the configuration in the discovery endpoint.
  * Links the IDP to the domain to be used by the user accounts in that domain.

{% hint style="info" %}
**Note:**

In the **Access settings** for OIDC, use the following information:

* **Valid redirect URIs:** `https://iam.ionos.com/realms/cloud/broker/identityProviderId/endpoint`, where `identityProviderId` is the `id` obtained from listing the IDPs.
* **Web origins:** `https://iam.ionos.com`, which is used to map the web origins from the authentication redirect.
{% endhint %}
{% endstep %}
{% endstepper %}

{% hint style="success" %}
**Result:** The organization IDP is successfully onboarded to IONOS Cloud.
{% endhint %}

## Discovery endpoint

{% tabs %}
{% tab title="OIDC Discovery Endpoint" %}
IONOS Cloud uses the following details from the OIDC discovery endpoint to configure the IAM Federation:

* **issuer:** The URL of the OIDC issuer.
* **authorization\_endpoint:** The URL of the authorization endpoint.
* **token\_endpoint:** The URL of the token endpoint.
* **userinfo\_endpoint:** The URL of the user info endpoint.
* **jwks\_uri:** The URL of the JSON Web Key Set (JWKS).
* **client\_id:** The client ID of the OIDC client.
* **client\_secret:** The client secret of the OIDC client.

For more information on the OIDC discovery endpoint, refer to the [<mark style="color:blue;">OpenID Connect 1.0 Documentation</mark>](https://openid.net/specs/openid-connect-core-1_0-final.html).
{% endtab %}

{% tab title="SAML 2.0 Discovery Endpoint" %}
IONOS Cloud uses the following details from the SAML 2.0 discovery endpoint to configure the IAM Federation:

* **entityId:** The entity ID of the SAML 2.0 IdP.
* **singleSignOnService:** The URL of the Single Sign-On (SSO) service.
* **x509cert:** The `X.509` certificate of the SAML 2.0 identity provider.
* **signatureAlgorithm:** The signature algorithm used by the SAML 2.0 identity provider.
* **sloBinding:** The binding used for single logout.
* **sloUrl:** The URL of the single logout service.

{% hint style="info" %}
**Note:** Use metadata XML files to share configuration details since there are no standardized URL-based discovery mechanisms like in the OIDC Discovery Endpoint.
{% endhint %}

For more information on the SAML 2.0 discovery endpoint, refer to the [<mark style="color:blue;">SAML 2.0 Documentation</mark>](https://datatracker.ietf.org/doc/html/rfc7522).
{% endtab %}

{% tab title="IONOS Cloud Discovery Endpoint" %}
At your organization's IDP, allow IONOS Cloud to link with the following discovery endpoints:

* **OIDC Discovery Endpoint:** `https://iam.ionos.com/realms/cloud/.well-known/openid-configuration`
* **SAML 2.0 Discovery Endpoint:** `https://iam.ionos.com/realms/cloud/protocol/saml/descriptor`
{% endtab %}
{% endtabs %}
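The following script is an added example, not IONOS Cloud's own code: it reads an OIDC discovery document, picks out the fields listed above, and applies the sanity checks an administrator would want before submitting the details (every endpoint and the JWKS URI must be an absolute `https` URL, and the IdP should not advertise unsigned ID tokens). It also builds the broker redirect URI from the template given earlier on this page. The discovery document and the IdP host `idp.example.org` are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# The discovery-document fields this page says IONOS Cloud reads (client_id and
# client_secret are supplied by the organization, not read from the discovery document).
FEDERATION_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                     "userinfo_endpoint", "jwks_uri")

# Constructed sample discovery document for a hypothetical IdP at idp.example.org.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.org/realms/corp",
    "authorization_endpoint": "https://idp.example.org/realms/corp/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.org/realms/corp/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.org/realms/corp/protocol/openid-connect/userinfo",
    "jwks_uri": "https://idp.example.org/realms/corp/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def extract_federation_fields(doc_text):
    """Pick out only the fields IONOS Cloud uses; None marks a missing field."""
    doc = json.loads(doc_text)
    return {name: doc.get(name) for name in FEDERATION_FIELDS}


def check_discovery(doc_text):
    """Return a list of findings; an empty list means the document passed."""
    doc = json.loads(doc_text)
    findings = [f"missing field: {name}" for name in FEDERATION_FIELDS if name not in doc]
    if findings:
        return findings
    for name in FEDERATION_FIELDS:
        url = urlparse(doc[name])
        # Every endpoint the broker calls, and the JWKS it trusts, must be absolute https.
        if url.scheme != "https" or not url.hostname:
            findings.append(f"{name} must be an absolute https URL")
        if url.fragment:
            findings.append(f"{name} must not carry a fragment")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("IdP advertises unsigned (alg=none) ID tokens")
    return findings


def broker_redirect_uri(identity_provider_id):
    """Redirect URI to register at the IdP, built from the template on this page."""
    return f"https://iam.ionos.com/realms/cloud/broker/{identity_provider_id}/endpoint"
```

Run `check_discovery` on the JSON fetched from your IdP's `.well-known/openid-configuration` and fix any findings before creating the identity provider.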

