Skip to content
Products
Platform
Developer Tools
Portal

Generic OIDC 2.0 federation guide

Set up OpenID Connect (OIDC) federation with STACKIT IdP. The STACKIT IdP acts as the Relying Party (RP), and your organization’s system acts as the Identity Provider (IdP).

Step 0: Create an application on your IdP

Section titled “Step 0: Create an application on your IdP”

To configure this federation with your Generic OIDC Provider, complete the following steps.

  1. Create Application: You must create the application on your external identity provider to get the credentials needed to configure the federation. When creating the client, use the following address as the redirect URL: 
    https://accounts.stackit.cloud/ui/login/login/externalidp/callback
  2. Token claims: In “Token configuration” configure the token with the following claims:
    • Token type: ID
    • Claims checked:
      • email
      • family_name
      • given_name
      • preferred_username

Step 1: Open a support ticket

Section titled “Step 1: Open a support ticket”

Open a support ticket with the following information:

General information

  • Federation type: OpenID Connect (OIDC)
  • Reason for integration: Brief explanation (for example, “Enable SSO for enterprise users”)
  • Email domains: All email domains your employees use for login (for example, @example.org and @foobar.com)

OIDC-specific information

Required fieldDescriptionExample input
IssuerIssuer identifier URL for your OIDC providerhttps://idp.example.com/
Client IDID assigned to our application by your IdP in Step 08012345a-b67c-890d-ef12-3456789012
Client secretSecret key associated with the Client IDProvide securely
ScopesRequired permissions (at least openid required)openid profile email
Display name (optional)Internal name for this federation (use snake_case)acme_corp_oidc

Claims mapping

You can specify how claims (attributes) from your OIDC provider map to our user fields:

STACKIT IdP fieldYour OIDC claim nameNotes
Unique user IDfor example: sub, oidClaim used as unique identifier
Email addressfor example: emailClaim containing user’s primary email
Preferred namefor example: name, preferred_usernameClaim containing user’s display name
First namefor example: given_nameOptional but recommended
Last namefor example: family_nameOptional but recommended

Step 2: Verification

Section titled “Step 2: Verification”

Confirm the federation works and report the results or any problems you face.

Changing from SAML to OIDC

Section titled “Changing from SAML to OIDC”

If you have an existing SAML federation and switch to OIDC, the transition is seamless. As long as email addresses remain the same, users won’t lose access or data. User accounts are tied to email addresses, not federation methods.