SAML 2.0 federation guide

Set up SAML federation with STACKIT IdP by following these steps. The STACKIT IdP acts as the Relying Party (RP), and your organization’s system acts as the Identity Provider (IdP).

Open a support ticket with the following information:

General information

  • Federation type: SAML 2.0
  • Reason for integration: Brief explanation (for example, “Enable SSO for enterprise users”)
  • Email domains: All email domains your employees use for login (for example, @example.org and @foobar.com)

SAML-specific information

  • IdP metadata URL: Publicly accessible URL to your IdP’s metadata file. Our system uses this URL to automatically retrieve configuration details (endpoints, certificates, etc.).

Ensure the following user attributes are present in your IdP metadata:

  • id: Unique identifier for the user
  • preferredName: User’s preferred display name
  • email: User’s email address

If your metadata doesn’t contain these attributes, specify how they’re named in your system. For example: “The id attribute in your system corresponds to our uid attribute.”
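Before opening the ticket, you can check your own metadata against the list above. The following is an added example, not STACKIT tooling: it parses a constructed sample metadata document, reports which of the three attribute names are not declared (optionally through a name mapping such as id → uid), and also counts signing certificates and flags non-HTTPS sign-on endpoints. The function name, report keys and sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = ("id", "preferredName", "email")  # attribute names listed in this guide

# Constructed sample metadata; the certificate body is a placeholder, not a real key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.org/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <saml:Attribute Name="uid"/>
    <saml:Attribute Name="preferredName"/>
    <saml:Attribute Name="email"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_metadata(xml_text, mapping=None):
    """Report what a relying party could not resolve from this IdP metadata.

    mapping: required name -> name used by your IdP, e.g. {"id": "uid"}.
    """
    mapping = mapping or {}
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    declared = set()
    for attr in idp.findall("saml:Attribute", NS):
        declared.update(n for n in (attr.get("Name"), attr.get("FriendlyName")) if n)
    missing = [r for r in REQUIRED if mapping.get(r, r) not in declared]
    endpoints = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)]
    signing_certs = [k for k in idp.findall("md:KeyDescriptor", NS)
                     if k.get("use") in (None, "signing")
                     and k.find(".//ds:X509Certificate", NS) is not None]
    return {"missing_attributes": missing,
            "mapping_to_report": {r: mapping[r] for r in REQUIRED if r in mapping},
            "non_https_endpoints": [e for e in endpoints if not e.startswith("https://")],
            "has_sso_endpoint": bool(endpoints),
            "signing_cert_count": len(signing_certs)}

if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA))                 # "id" is reported missing
    print(check_metadata(SAMPLE_METADATA, {"id": "uid"}))  # nothing missing
```

Anything left in `missing_attributes` needs a mapping sentence in the ticket; `mapping_to_report` lists the mappings you supplied so they can be stated there.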

After you provide the required information, our support team configures the federation. We then provide you with a unique SAML metadata URL for the STACKIT IdP:

https://accounts.stackit.cloud/idps/FEDERATION_ID_HERE/saml/metadata

Add this URL to your organization’s IdP to establish the trust relationship.

Confirm the federation works and report the results or any problems you face.

If you have an existing OIDC federation and switch to SAML, the transition is seamless. As long as email addresses remain the same, users won’t lose access or data. User accounts are tied to email addresses, not federation methods.