Product reference pages are available in English only.
Management

IAM Federation

What Is It?

IAM Federation enables organizations to authenticate IONOS Cloud users with credentials from an external Identity Provider (IDP) instead of managing separate IONOS-specific passwords. Each user links their existing IONOS Cloud account to the IdP, then signs in through their corporate IDP to access IONOS services (Data Center Designer, Reseller Portal, Control Panel) using SAML 2.0 or OpenID Connect (OIDC). Federation is authentication-only: it does not create or provision IONOS Cloud accounts. The domain portion of a user's email address links the IONOS organization to the external IDP, and domain ownership must be verified via a TXT DNS record before federation activates.

Quick Facts

Aspect Details
Type Identity federation service (Single Sign-On)
Protocols SAML 2.0, OpenID Connect (OIDC)
Domain Requirement Verified domain ownership via TXT DNS record
User Eligibility Existing IONOS Cloud accounts only
SSO Scope Interactive login to DCD, Reseller Portal, Control Panel (API/SDK access still uses Token Manager tokens, not SSO)

Configuration Steps

Step Action Details
1. Request domain ownership POST /federation/domains Returns one-time token (shown only once)
2. Create TXT record DNS configuration Create a TXT record with the Name field left empty and the Content field set to the raw one-time token value returned in Step 1 (no prefix or key=value formatting)
3. Verify domain PUT /federation/domains/{domainId}/verify IONOS validates TXT record (seconds to 1 week)
4. Onboard IDP POST /federation/identityproviders Configure SAML or OIDC with discovery metadata
5. Users link accounts DCD UI IAM Federation > Managed Linked Accounts > Link
6. SSO login DCD login page "Sign in with a linked account" option

Prerequisites:

  • Contract administrator, owner, or user with accessAndManageIamResources privilege
  • Domain matching user email addresses
  • SAML 2.0 or OIDC compliant IDP with discovery endpoint

What You Can Do

Single Sign-On Across IONOS Services

Users authenticate once with their corporate IDP and access all IONOS Cloud services without multiple logins. After linking their account, they select "Sign in with a linked account" on the DCD login page and are redirected to their IDP for authentication.

Domain-Based Authentication Routing

The domain portion of a user's email determines which IDP handles authentication. Users must already have an IONOS Cloud account and link it to the matching IdP. Federation handles authentication only; it does not grant cross-organization resource access or create accounts on demand.

Centralized Authentication Management

The external IdP manages authentication (credentials, MFA, conditional access, and session policy). Federation is authentication-only and does not provision, deprovision, or role-manage IONOS Cloud accounts (no just-in-time provisioning); IONOS accounts and privileges are still managed in IONOS IAM. Disabling a user in the IdP prevents that user from signing in.

Note: User linking happens per individual. Each user must manually link their existing IONOS account to the federated IDP through the DCD UI.

Enforce Corporate Security Policies

Leverage your IDP's existing multi-factor authentication, password policies, conditional access rules, and session management. All authentication security is delegated to the external IDP, reducing phishing and credential-theft risk.

Programmatic IDP Onboarding

Automate the entire federation setup (request domain, verify TXT record, create IDP) via REST APIs. The link objects returned by the /federation/links endpoint include creation and modification metadata for audit trails.

Users link their IONOS account to the IDP through the DCD interface. They can unlink at any time, reverting to native IONOS Cloud credentials for authentication.

Best For

Scenario Why It Fits
Enterprise SSO Eliminates password fatigue and leverages existing corporate IDP infrastructure
Multi-organization projects Partners authenticate with their own IDP while accessing shared IONOS resources
Compliance and audit Centralizes identity management, reduces credential sprawl, provides audit-ready link metadata
Centralized sign-in Delegates authentication to the corporate IdP so users reuse existing credentials; IONOS accounts are still managed in IONOS IAM
Security-focused environments Enforces stronger authentication (SAML/OIDC) and delegates MFA to trusted IDP

Consider Alternatives If

If You Need... Consider Why
Simple local user management without SSO User & Groups (native IAM) Better for small teams without a corporate IDP
API/SDK programmatic access for automation Token Manager Generates API tokens for CI/CD pipelines without exposing passwords
Password complexity enforcement on local accounts Password Policy Manager Enforces password rules for native IONOS accounts

Key Considerations

Billing & Costs

  • Main billing: No additional charge for IAM Federation
  • Included in: Standard IONOS Cloud contract
  • Additional costs: None specific to federation (underlying IDP costs are external)

Limitations

  • Only SAML 2.0 and OpenID Connect (OIDC) IDPs are supported
  • Only existing IONOS Cloud users can link accounts (new users must create an IONOS account first)
  • User's email domain must match a verified domain associated with the IDP
  • Domain verification requires DNS TXT record (verification can take seconds to up to a week)
  • Only contract administrators, owners, or users with accessAndManageIamResources privilege can manage domains and IDPs
  • Only IDPs that match the user's email domain appear in the DCD linking UI

Management Options

  • REST API for domain ownership, IDP onboarding, and link retrieval
  • Data Center Designer (DCD) UI for user account linking
  • No SDK provided (wrap REST API calls in custom client)