# Configure IAM Federation

To let the users of your organization log in to the DCD through your own Identity Provider (IDP), follow these steps:

{% stepper %}
{% step %}

### Request Domain Ownership

1\. Using the [<mark style="color:blue;">API</mark>](https://docs.ionos.com/sections-test/guides/set-up-ionos-cloud/management/identity-access-management/iam-federation/api-how-tos/request-domain-ownership), the organization must request domain ownership. This domain ownership establishes a connection between the organization and its IDP. For more information, see [<mark style="color:blue;">Why a domain is required for IAM Federation?</mark>](https://docs.ionos.com/sections-test/guides/set-up-ionos-cloud/management/identity-access-management/iam-federation-faq#why-a-domain-is-required-for-iam-federation).

2\. The organization must [<mark style="color:blue;">Create a TXT Domain Record</mark>](https://docs.ionos.com/sections-test/guides/set-up-ionos-cloud/management/identity-access-management/iam-federation/how-tos/create-txt-domain-record) using the `token` value provided in the [<mark style="color:blue;">Request Domain Ownership API</mark>](https://docs.ionos.com/sections-test/guides/set-up-ionos-cloud/management/identity-access-management/iam-federation/api-how-tos/request-domain-ownership).

{% hint style="info" %}
**Note:** IONOS Cloud performs the verification and approval process after you manually trigger it using the [<mark style="color:blue;">Verify Domain Ownership</mark>](https://docs.ionos.com/sections-test/guides/set-up-ionos-cloud/management/identity-access-management/iam-federation/api-how-tos/verify-domain-ownership) API. Upon successful domain ownership validation, IONOS Cloud will proceed with the IAM Federation configuration for your organization. The duration of this process ranges from a few seconds to up to a week, depending on your domain provider.
{% endhint %}
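Because verification only succeeds once the TXT record is visible in public DNS, a practitioner would normally confirm that before triggering the Verify Domain Ownership API. The following Python pre-check is an added example, not IONOS Cloud's code: `RECORD_NAME` and `EXPECTED_TOKEN` are constructed placeholders (the real record name and token are the ones returned by the Request Domain Ownership API), the sample answer set is constructed, and the live lookup assumes the optional `dnspython` package.

```python
"""Pre-check that the domain-ownership TXT record is visible before calling
the Verify Domain Ownership API.

Added example, not IONOS Cloud's code. RECORD_NAME and EXPECTED_TOKEN are
constructed placeholders; use the record name and token returned by the
Request Domain Ownership API for your organization.
"""

RECORD_NAME = "example.com"                             # constructed placeholder
EXPECTED_TOKEN = "ionos-verification-token-0123456789"  # constructed placeholder


def join_txt_strings(strings):
    """A TXT rdata is a sequence of <=255-byte character-strings; join them.

    DNS providers often split a long token into two quoted chunks, so the
    chunks must be concatenated before comparing with the expected token.
    """
    return b"".join(strings).decode("utf-8", errors="replace")


def txt_token_visible(answers, expected):
    """True if one TXT rdata in `answers` equals `expected` after joining.

    `answers` is a list of tuples of bytes (one tuple per TXT record, the
    shape dnspython's rdata.strings gives). The comparison is exact apart
    from surrounding whitespace, so a truncated or mistyped token, or an
    unrelated record such as SPF, does not pass the pre-check.
    """
    return any(join_txt_strings(s).strip() == expected for s in answers)


def resolve_txt(name):
    """Live lookup of all TXT records at `name` (network access required).

    Assumes the optional dnspython package (pip install dnspython).
    """
    import dns.resolver

    return [tuple(r.strings) for r in dns.resolver.resolve(name, "TXT")]


# Constructed sample answer set: an unrelated SPF record plus the token split
# into two character-strings, as a DNS provider might store it.
SAMPLE_ANSWERS = [
    (b"v=spf1 include:_spf.example.net -all",),
    (b"ionos-verification-token-01234", b"56789"),
]

if __name__ == "__main__":
    try:
        answers = resolve_txt(RECORD_NAME)
    except Exception as exc:  # no network or no dnspython: use the sample
        print(f"live lookup skipped ({exc}); checking the constructed sample")
        answers = SAMPLE_ANSWERS
    if txt_token_visible(answers, EXPECTED_TOKEN):
        print("token visible: Verify Domain Ownership can be triggered")
    else:
        print("token not visible yet: wait for DNS propagation before verifying")
```

Run it against the record name you published; as long as the token is not reported as visible, calling the verification API will only fail, and the wait described in the note above (seconds to days, depending on the DNS provider's propagation) applies.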
{% endstep %}

{% step %}

### Onboard Identity Provider

{% hint style="info" %}
**Prerequisites:**

* The domain ownership must be successfully verified and approved by IONOS Cloud.
* IONOS Cloud accepts SAML 2.0 or OpenID Connect (OIDC) identity providers. Hence, your IDP must be either of these two types.
{% endhint %}

1\. Onboard the organization IDP. To do so, [<mark style="color:blue;">Create Identity Provider</mark>](https://docs.ionos.com/sections-test/guides/set-up-ionos-cloud/management/identity-access-management/iam-federation/api-how-tos/create-identity-provider) using the API.

2\. Depending on the IDP type, you must provide the following details to IONOS Cloud:

{% hint style="info" %}
**Info:** You can find these details in the discovery endpoint. For more information, see [<mark style="color:blue;">Discovery endpoint</mark>](#discovery-endpoint).
{% endhint %}

{% tabs %}
{% tab title="OIDC" %}

* **client\_id:** Your OIDC client ID.
* **client\_secret:** The client secret key.
{% endtab %}

{% tab title="SAML 2.0" %}

* **Secret (SAML 2.0):** `X.509` certificate.
{% endtab %}
{% endtabs %}
{% endstep %}

{% step %}

### Configuration from IONOS Cloud

* Upon receipt of the discovery endpoint from the organization, IONOS Cloud performs the following actions:
  * Verifies the domain ownership.
  * Verifies the discovery endpoint.
  * Creates the IDP using the configuration in the discovery endpoint.
  * Links the IDP to the domain to be used by the user accounts in that domain.

{% hint style="info" %}
**Note:**

In the **Access settings** for OIDC, use the following information:

* **Valid redirect URIs:** `https://iam.ionos.com/realms/cloud/broker/identityProviderId/endpoint`, where `identityProviderId` is replaced by the `id` of your IDP obtained from listing the IDPs.
* **Web origins:** `https://iam.ionos.com`, which is used to map the web origins from the authentication redirect.
{% endhint %}
{% endstep %}
{% endstepper %}

{% hint style="success" %}
**Result:** The organization IDP is successfully onboarded to IONOS Cloud.
{% endhint %}

## Discovery endpoint

{% tabs %}
{% tab title="OIDC Discovery Endpoint" %}
IONOS Cloud uses the following details from the OIDC discovery endpoint to configure the IAM Federation:

* **issuer:** The URL of the OIDC issuer.
* **authorization\_endpoint:** The URL of the authorization endpoint.
* **token\_endpoint:** The URL of the token endpoint.
* **userinfo\_endpoint:** The URL of the user info endpoint.
* **jwks\_uri:** The URL of the JSON Web Key Set (JWKS).
* **client\_id:** The client ID of the OIDC client.
* **client\_secret:** The client secret of the OIDC client.

For more information on the OIDC discovery endpoint, refer to the [<mark style="color:blue;">OpenID Connect 1.0 Documentation</mark>](https://openid.net/specs/openid-connect-core-1_0-final.html).
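The following Python script is an added example, not IONOS Cloud's or any IDP vendor's code. It reads a discovery document, checks that the fields listed above are present and are absolute `https` URLs, checks that the `issuer` value matches the URL the document was fetched from (required by OpenID Connect Discovery 1.0, section 4.3, and the check that stops a document pointing at a different issuer from being accepted), and also builds the redirect URI and web origin from the configuration note in the step above. `SAMPLE_DOC` and `SAMPLE_URL` are a constructed discovery document and its URL; `client_id` and `client_secret` are not in the discovery document but come from the client you register at the IDP, so they are not handled here.

```python
"""Check an OIDC discovery document and pull out the settings IONOS Cloud uses.

Added example, not IONOS Cloud's code. SAMPLE_DOC and SAMPLE_URL are a
constructed discovery document and its URL; the identity_provider_id passed
to ionos_side_settings is the `id` returned when listing IDPs (placeholder).
"""
import json
from urllib.parse import urlsplit

# Fields IONOS Cloud takes from the discovery document. client_id and
# client_secret come from the client registered at the IDP, not from here.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
)
WELL_KNOWN_PATH = "/.well-known/openid-configuration"


def find_problems(document, fetched_from):
    """Return a list of problems; an empty list means the document is usable.

    Checks: every required field is present; every endpoint is an absolute
    https URL; the issuer equals the URL the document was fetched from minus
    the well-known suffix (OpenID Connect Discovery 1.0, section 4.3).
    """
    problems = []
    for field in REQUIRED_FIELDS:
        value = document.get(field)
        if not isinstance(value, str):
            problems.append(f"missing field: {field}")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{field} is not an absolute https URL: {value}")
    if fetched_from.endswith(WELL_KNOWN_PATH):
        expected_issuer = fetched_from[: -len(WELL_KNOWN_PATH)]
        issuer = document.get("issuer") or ""
        if issuer.rstrip("/") != expected_issuer.rstrip("/"):
            problems.append(f"issuer {issuer!r} does not match discovery URL {fetched_from}")
    else:
        problems.append(f"discovery URL does not end with {WELL_KNOWN_PATH}: {fetched_from}")
    return problems


def extract_settings(document):
    """The subset of the discovery document handed to IONOS Cloud."""
    return {field: document[field] for field in REQUIRED_FIELDS}


def fetch_discovery(issuer):
    """Live fetch of the discovery document for `issuer` (network required)."""
    import urllib.request

    url = issuer.rstrip("/") + WELL_KNOWN_PATH
    with urllib.request.urlopen(url, timeout=10) as response:
        return json.load(response), url


def ionos_side_settings(identity_provider_id):
    """Values to enter in the OIDC client's access settings at your IDP,
    as given in the configuration note of the stepper above."""
    return {
        "valid_redirect_uri": f"https://iam.ionos.com/realms/cloud/broker/{identity_provider_id}/endpoint",
        "web_origin": "https://iam.ionos.com",
    }


# Constructed sample: a well-formed discovery document for a fictional issuer.
SAMPLE_URL = "https://login.example.com" + WELL_KNOWN_PATH
SAMPLE_DOC = json.loads("""{
  "issuer": "https://login.example.com",
  "authorization_endpoint": "https://login.example.com/oauth2/authorize",
  "token_endpoint": "https://login.example.com/oauth2/token",
  "userinfo_endpoint": "https://login.example.com/oauth2/userinfo",
  "jwks_uri": "https://login.example.com/oauth2/keys",
  "response_types_supported": ["code"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

if __name__ == "__main__":
    problems = find_problems(SAMPLE_DOC, SAMPLE_URL)
    print("problems:", problems or "none")
    if not problems:
        print(json.dumps(extract_settings(SAMPLE_DOC), indent=2))
    print(json.dumps(ionos_side_settings("<identity-provider-id>"), indent=2))
```

To check your own IDP, replace the sample with `fetch_discovery("https://your-issuer")` and pass both returned values to `find_problems`; the issuer comparison is deliberately strict, since a mismatch there is exactly what you want to catch before handing the endpoints to IONOS Cloud.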
{% endtab %}

{% tab title="SAML 2.0 Discovery Endpoint" %}
IONOS Cloud uses the following details from the SAML 2.0 discovery endpoint (the IDP metadata) to configure the IAM Federation:

* **entityId:** The entity ID of the SAML 2.0 IdP.
* **singleSignOnService:** The URL of the Single Sign-On (SSO) service.
* **x509cert:** The `X.509` certificate of the SAML 2.0 identity provider.
* **signatureAlgorithm:** The signature algorithm used by the SAML 2.0 identity provider.
* **sloBinding:** The binding used for single logout.
* **sloUrl:** The URL of the single logout service.

{% hint style="info" %}
**Note:** SAML 2.0 has no standardized URL-based discovery mechanism comparable to the OIDC Discovery Endpoint, so share the configuration details as a metadata XML file.
{% endhint %}

For more information on the SAML 2.0 discovery endpoint, refer to the [<mark style="color:blue;">SAML 2.0 Documentation</mark>](https://datatracker.ietf.org/doc/html/rfc7522).
{% endtab %}

{% tab title="IONOS Cloud Discovery Endpoint" %}
At your organization IDP, allow IONOS Cloud to link with the following discovery endpoints:

* **OIDC Discovery Endpoint:** `https://iam.ionos.com/realms/cloud/.well-known/openid-configuration`
* **SAML 2.0 Discovery Endpoint:** `https://iam.ionos.com/realms/cloud/protocol/saml/descriptor`
{% endtab %}
{% endtabs %}
