Configure IAM Federation
As an organization, to begin using an Identity Provider (IDP) to log in to the DCD, follow these steps:
Request Domain Ownership
1. Using the API, the organization must request domain ownership. Domain ownership establishes the connection between the organization and its IDP: user accounts in the verified domain are the ones that will be routed to the IDP. For more information, see Why a domain is required for IAM Federation?
2. The organization must Create a TXT Domain Record in the DNS zone of that domain, using the token value returned by the Request Domain Ownership API.
Note: IONOS Cloud performs the verification and approval process only after you manually trigger it using the Verify Domain Ownership API. Upon successful domain ownership validation, IONOS Cloud proceeds with the IAM Federation configuration for your organization. Verification can take from a few seconds up to a week, depending on how quickly your domain provider publishes the TXT record.
Onboard Identity Provider
Prerequisites:
The domain ownership must be successfully verified and approved by IONOS Cloud.
IONOS Cloud accepts SAML 2.0 or OpenID Connect (OIDC) identity providers; your IDP must be one of these two types.
1. Onboard the organization IDP. To do so, Create Identity Provider using the API.
2. Depending on the IDP type, you must provide the following secret to IONOS Cloud:
Secret (OIDC):
client_id: Your OIDC client ID.
client_secret: The client secret key.
Secret (SAML 2.0):
X.509 certificate: The signing certificate of the SAML 2.0 IDP.
Info: The remaining configuration (issuer and endpoint URLs for OIDC; entity ID, SSO URL and certificate for SAML 2.0) is read from the discovery endpoint or metadata. For more information, see Discovery endpoint.
Configuration from IONOS Cloud
Upon receipt of the discovery endpoint from the organization, IONOS Cloud performs the following actions:
Verifies the domain ownership.
Verifies the discovery endpoint.
Creates the IDP using the configuration in the discovery endpoint.
Links the IDP to the domain to be used by the user accounts in that domain.
Note: In the Access settings of the OIDC client at your IDP, use the following information:
Valid redirect URIs: https://iam.ionos.com/realms/cloud/broker/identityProviderId/endpoint, where identityProviderId is the id obtained from listing the IDPs.
Web origins: https://iam.ionos.com, which is used to map the web origins from the authentication redirect.
Result: The organization IDP is successfully onboarded to IONOS Cloud.
Discovery endpoint
From the OIDC discovery endpoint, IONOS Cloud reads the following details to configure the IAM Federation:
issuer: The URL of the OIDC issuer.
authorization_endpoint: The URL of the authorization endpoint.
token_endpoint: The URL of the token endpoint.
userinfo_endpoint: The URL of the user info endpoint.
jwks_uri: The URL of the JSON Web Key Set (JWKS).
In addition, the organization supplies the client credentials, which are not published in the discovery document:
client_id: The client ID of the OIDC client.
client_secret: The client secret of the OIDC client.
For more information on the OIDC discovery endpoint, refer to the OpenID Connect 1.0 Documentation.
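Before handing the discovery endpoint to IONOS Cloud, it is worth checking the document yourself for the fields listed above. The following is an added example (not IONOS code); the IdP issuer, its URLs and the identity provider id are made up, and the check for a leaked client_secret is an extra sanity check of the author's, not something the page says IONOS Cloud performs.

```python
"""Pre-check an OIDC discovery document for the fields IONOS Cloud reads from it.
Added example, not IONOS code; the IdP, URLs and IDP id are invented."""
import json
import urllib.request
from urllib.parse import urlparse

# Fields this page lists as read from the discovery document.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
)

# Constructed sample of what a Keycloak-style IdP serves; the issuer is fictional.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.org/realms/corp",
    "authorization_endpoint": "https://idp.example.org/realms/corp/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.org/realms/corp/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.org/realms/corp/protocol/openid-connect/userinfo",
    "jwks_uri": "https://idp.example.org/realms/corp/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed broken variant: plain-http token endpoint, jwks_uri missing,
# and a client_secret leaked into a document that is served unauthenticated.
SAMPLE_BROKEN = {
    "issuer": "https://idp.example.org/realms/corp",
    "authorization_endpoint": "https://idp.example.org/realms/corp/protocol/openid-connect/auth",
    "token_endpoint": "http://idp.example.org/realms/corp/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.org/realms/corp/protocol/openid-connect/userinfo",
    "client_secret": "s3cr3t",
}


def discovery_url(issuer):
    """OpenID Connect Discovery 1.0: the document lives at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc, expected_issuer):
    """Return a list of problems found; an empty list means the document is usable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing field: {field}")
    # The issuer in the document must be the issuer the document was fetched for;
    # a mismatch means ID tokens will carry an 'iss' the relying party rejects.
    issuer = doc.get("issuer")
    if issuer is not None and issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    # Every endpoint must be https: the token endpoint receives the client secret,
    # and the JWKS is what the relying party uses to verify ID token signatures.
    for field in REQUIRED_FIELDS:
        value = doc.get(field)
        if value is not None and urlparse(value).scheme != "https":
            problems.append(f"{field} is not https: {value}")
    # client_id/client_secret are never part of discovery; they are handed to IONOS
    # Cloud separately. A secret in this public document means something is misconfigured.
    if "client_secret" in doc:
        problems.append("client_secret must not appear in a public discovery document")
    return problems


def fetch_and_check(issuer, timeout=10):
    """Network variant of the check (not exercised offline)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        doc = json.load(resp)
    return check_discovery(doc, issuer)


def ionos_redirect_uri(identity_provider_id):
    """Redirect URI to register at the IdP, built from the template given on this page."""
    return f"https://iam.ionos.com/realms/cloud/broker/{identity_provider_id}/endpoint"


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, "https://idp.example.org/realms/corp"))
    print(check_discovery(SAMPLE_BROKEN, "https://idp.example.org/realms/corp"))
    print(ionos_redirect_uri("idp-12345"))
```

Run `fetch_and_check("https://<your-issuer>")` against the real IdP once the client is created; an empty list is what you want before submitting the endpoint to IONOS Cloud.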
From the SAML 2.0 IDP metadata, IONOS Cloud reads the following details to configure the IAM Federation:
entityId: The entity ID of the SAML 2.0 IdP.
singleSignOnService: The URL of the Single Sign-On (SSO) service.
x509cert: The X.509 certificate of the SAML 2.0 identity provider.
signatureAlgorithm: The signature algorithm used by the SAML 2.0 identity provider.
sloBinding: The binding used for single logout.
sloUrl: The URL of the single logout service.
Note: Use metadata XML files to share configuration details, since SAML 2.0 has no standardized URL-based discovery mechanism like the OIDC Discovery Endpoint.
For more information on SAML 2.0 metadata, refer to the SAML 2.0 Documentation.
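The values above come out of the IdP's metadata XML. The following is an added example (not IONOS code) that parses such a file into the fields named above using only the standard library; the entity ID, URLs and certificate are constructed, and the certificate is a tiny DER placeholder rather than a real X.509 certificate. signatureAlgorithm has no element in core SAML 2.0 metadata, so the parser does not extract it.

```python
"""Parse SAML 2.0 IdP metadata XML into the values IONOS Cloud reads.
Added example, not IONOS code; the IdP entity ID, URLs and certificate are invented."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder "certificate": a 5-byte DER SEQUENCE, enough for the sanity check
# below to pass. A real X509Certificate element holds a full base64 DER certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

# Constructed metadata in the shape IdPs publish; nothing here is a real IdP.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.example.org/saml/slo"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.org/saml/sso"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _pick(services):
    """Prefer HTTP-Redirect, then HTTP-POST, else the first listed endpoint."""
    for wanted in (HTTP_REDIRECT, HTTP_POST):
        for svc in services:
            if svc.get("Binding") == wanted:
                return svc
    return services[0] if services else None


def parse_idp_metadata(xml_text):
    """Return entityId, singleSignOnService, x509cert, sloBinding and sloUrl."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor (is this SP metadata instead of IdP metadata?)")
    sso = _pick(idp.findall("md:SingleSignOnService", NS))
    if sso is None:
        raise ValueError("no SingleSignOnService endpoint")
    slo = _pick(idp.findall("md:SingleLogoutService", NS))
    # Signing certificate: KeyDescriptor with use="signing", or without a use
    # attribute (which means the key serves both signing and encryption).
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            el = kd.find(".//ds:X509Certificate", NS)
            if el is not None and el.text:
                cert = "".join(el.text.split())  # drop PEM-style line breaks and indentation
                break
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(cert, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("X509Certificate is not base64 DER (expected a SEQUENCE tag)")
    return {
        "entityId": root.get("entityID"),
        "singleSignOnService": sso.get("Location"),
        "x509cert": cert,
        "sloBinding": slo.get("Binding") if slo is not None else None,
        "sloUrl": slo.get("Location") if slo is not None else None,
    }


if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
```

The parser deliberately refuses SP metadata and metadata without a signing certificate: both are common mistakes when the wrong file is exported from the IdP, and IONOS Cloud cannot verify SAML responses without the signing certificate.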
At your organization IDP, register IONOS Cloud as a relying party (OIDC) or service provider (SAML 2.0) using the following endpoints:
OIDC Discovery Endpoint: https://iam.ionos.com/realms/cloud/.well-known/openid-configuration
SAML 2.0 Discovery Endpoint (SP metadata): https://iam.ionos.com/realms/cloud/protocol/saml/descriptor