Generic OIDC 2.0 federation guide
Set up OpenID Connect (OIDC) federation with STACKIT IdP. The STACKIT IdP acts as the Relying Party (RP), and your organization’s system acts as the Identity Provider (IdP).
Step 0: Create an application on your IdP
Section titled “Step 0: Create an application on your IdP”To configure this federation with your Generic OIDC Provider, complete the following steps.
- Create Application: You must create the application on your external identity provider to get the credentials needed to configure the federation. When creating the client, use the following address as the redirect URL:
https://accounts.stackit.cloud/ui/login/login/externalidp/callback
- Token claims: In “Token configuration” configure the token with the following claims:
- Token type: ID
- Claims checked:
- family_name
- given_name
- preferred_username
Step 1: Open a support ticket
Section titled “Step 1: Open a support ticket”Open a support ticket with the following information:
General information
- Federation type: OpenID Connect (OIDC)
- Reason for integration: Brief explanation (for example, “Enable SSO for enterprise users”)
- Email domains: All email domains your employees use for login (for example,
@example.organd@foobar.com)
OIDC-specific information
| Required field | Description | Example input |
|---|---|---|
| Issuer | Issuer identifier URL for your OIDC provider | https://idp.example.com/ |
| Client ID | ID assigned to our application by your IdP in Step 0 | 8012345a-b67c-890d-ef12-3456789012 |
| Client secret | Secret key associated with the Client ID | Provide securely; secrets expire after 2 years |
| Scopes | Required permissions (at least openid required) | openid profile email |
| Display name (optional) | Internal name for this federation (use snake_case) | acme_corp_oidc |
Claims mapping
You can specify how claims (attributes) from your OIDC provider map to our user fields:
| STACKIT IdP field | Your OIDC claim name | Notes |
|---|---|---|
| Unique user ID | for example: sub, oid | Claim used as unique identifier |
| Email address | for example: email | Claim containing user’s primary email |
| Preferred name | for example: name, preferred_username | Claim containing user’s display name |
| First name | for example: given_name | Optional but recommended |
| Last name | for example: family_name | Optional but recommended |
Step 2: Verification
Section titled “Step 2: Verification”Confirm the federation works and report the results or any problems you face.
Changing from SAML to OIDC
Section titled “Changing from SAML to OIDC”If you have an existing SAML federation and switch to OIDC, the transition is seamless. As long as email addresses remain the same, users won’t lose access or data. User accounts are tied to email addresses, not federation methods.