What Is It?
IAM Federation enables organizations to authenticate IONOS Cloud users with credentials from an external Identity Provider (IDP) instead of managing separate IONOS-specific passwords. Each user links their existing IONOS Cloud account to the IdP, then signs in through their corporate IDP to access IONOS services (Data Center Designer, Reseller Portal, Control Panel) using SAML 2.0 or OpenID Connect (OIDC). Federation is authentication-only: it does not create or provision IONOS Cloud accounts. The domain portion of a user's email address links the IONOS organization to the external IDP, and domain ownership must be verified via a TXT DNS record before federation activates.
Quick Facts
| Aspect | Details |
|---|---|
| Type | Identity federation service (Single Sign-On) |
| Protocols | SAML 2.0, OpenID Connect (OIDC) |
| Domain Requirement | Verified domain ownership via TXT DNS record |
| User Eligibility | Existing IONOS Cloud accounts only |
| SSO Scope | Interactive login to DCD, Reseller Portal, Control Panel (API/SDK access still uses Token Manager tokens, not SSO) |
Configuration Steps
| Step | Action | Details |
|---|---|---|
| 1. Request domain ownership | POST /federation/domains |
Returns one-time token (shown only once) |
| 2. Create TXT record | DNS configuration | Create a TXT record with the Name field left empty and the Content field set to the raw one-time token value returned in Step 1 (no prefix or key=value formatting) |
| 3. Verify domain | PUT /federation/domains/{domainId}/verify |
IONOS validates TXT record (seconds to 1 week) |
| 4. Onboard IDP | POST /federation/identityproviders |
Configure SAML or OIDC with discovery metadata |
| 5. Users link accounts | DCD UI | IAM Federation > Managed Linked Accounts > Link |
| 6. SSO login | DCD login page | "Sign in with a linked account" option |
Prerequisites:
- Contract administrator, owner, or user with
accessAndManageIamResourcesprivilege - Domain matching user email addresses
- SAML 2.0 or OIDC compliant IDP with discovery endpoint
What You Can Do
Single Sign-On Across IONOS Services
Users authenticate once with their corporate IDP and access all IONOS Cloud services without multiple logins. After linking their account, they select "Sign in with a linked account" on the DCD login page and are redirected to their IDP for authentication.
Domain-Based Authentication Routing
The domain portion of a user's email determines which IDP handles authentication. Users must already have an IONOS Cloud account and link it to the matching IdP. Federation handles authentication only; it does not grant cross-organization resource access or create accounts on demand.
Centralized Authentication Management
The external IdP manages authentication (credentials, MFA, conditional access, and session policy). Federation is authentication-only and does not provision, deprovision, or role-manage IONOS Cloud accounts (no just-in-time provisioning); IONOS accounts and privileges are still managed in IONOS IAM. Disabling a user in the IdP prevents that user from signing in.
Note: User linking happens per individual. Each user must manually link their existing IONOS account to the federated IDP through the DCD UI.
Enforce Corporate Security Policies
Leverage your IDP's existing multi-factor authentication, password policies, conditional access rules, and session management. All authentication security is delegated to the external IDP, reducing phishing and credential-theft risk.
Programmatic IDP Onboarding
Automate the entire federation setup (request domain, verify TXT record, create IDP) via REST APIs. The link objects returned by the /federation/links endpoint include creation and modification metadata for audit trails.
Link and Unlink Accounts
Users link their IONOS account to the IDP through the DCD interface. They can unlink at any time, reverting to native IONOS Cloud credentials for authentication.
Best For
| Scenario | Why It Fits |
|---|---|
| Enterprise SSO | Eliminates password fatigue and leverages existing corporate IDP infrastructure |
| Multi-organization projects | Partners authenticate with their own IDP while accessing shared IONOS resources |
| Compliance and audit | Centralizes identity management, reduces credential sprawl, provides audit-ready link metadata |
| Centralized sign-in | Delegates authentication to the corporate IdP so users reuse existing credentials; IONOS accounts are still managed in IONOS IAM |
| Security-focused environments | Enforces stronger authentication (SAML/OIDC) and delegates MFA to trusted IDP |
Consider Alternatives If
| If You Need... | Consider | Why |
|---|---|---|
| Simple local user management without SSO | User & Groups (native IAM) | Better for small teams without a corporate IDP |
| API/SDK programmatic access for automation | Token Manager | Generates API tokens for CI/CD pipelines without exposing passwords |
| Password complexity enforcement on local accounts | Password Policy Manager | Enforces password rules for native IONOS accounts |
Key Considerations
Billing & Costs
- Main billing: No additional charge for IAM Federation
- Included in: Standard IONOS Cloud contract
- Additional costs: None specific to federation (underlying IDP costs are external)
Limitations
- Only SAML 2.0 and OpenID Connect (OIDC) IDPs are supported
- Only existing IONOS Cloud users can link accounts (new users must create an IONOS account first)
- User's email domain must match a verified domain associated with the IDP
- Domain verification requires DNS TXT record (verification can take seconds to up to a week)
- Only contract administrators, owners, or users with
accessAndManageIamResourcesprivilege can manage domains and IDPs - Only IDPs that match the user's email domain appear in the DCD linking UI
Management Options
- REST API for domain ownership, IDP onboarding, and link retrieval
- Data Center Designer (DCD) UI for user account linking
- No SDK provided (wrap REST API calls in custom client)