SSSD-IDP(5) File Formats and Conventions SSSD-IDP(5)

sssd-idp - SSSD IdP provider

This manual page describes the configuration of the IdP provider for sssd(8). For a detailed syntax reference, refer to the “FILE FORMAT” section of the sssd.conf(5) manual page.

The IdP provider is a back end used to connect to an OAuth 2.0 and REST based identity provider (IdP). Since products might have individual implementation of the REST API for looking up user and group attributes dedicated code might be required, see the “idp_type” option for details.

IdPs typically do not provide POSIX attributes like e.g. user Id (UID) or home directory. SSSD's IdP provider will autogenerate the needed attributes. The default algorithm to generate user IDs (UIDs) and group IDs (GIDs) aims to create reproducible IDs on different systems. As a drawback it might happen that the algorithm assigns the same ID to different objects and only the first one requested via SSSD will be available.

Refer to the section “DOMAIN SECTIONS” of the sssd.conf(5) manual page for details on the configuration of an SSSD domain.

idp_type (string)

Required option that specifies the IdP product. Currently Entra ID (entra_id) and Keycloak (keycloak) are supported.

Depending on the IdP product additional platform specific options might follow the name separated by a colon (:). E.g. for Keycloak the base URI for the user and group REST API must be given. For Entra ID this is not needed because there is a generic endpoint for all tenants.

Default: Not set (Required)

idp_client_id (string)

ID of the IdP client used by SSSD to authenticate users and as a client to lookup user and group attributes. This client must offer device authorization according to RFC-8628 and must have permissions to search and read user and group attributes.

Default: Not set (Required)

idp_client_secret (string)

Password of the IdP client. The password is required for the id_provider. If only used as auth_provider it depends on the server side configuration if it is required or not.

Default: Not set

idp_token_endpoint (string)

IdP endpoint for requesting access tokens.

Default: Not set (Required)

idp_device_auth_endpoint (string)

IdP endpoint for device authorization according to RFC-8628. This is required for user authentication.

Default: Not set

idp_userinfo_endpoint (string)

IdP userinfo endpoint to request user attributes after a successful authentication of the user. Required for authentication.

Default: Not set

idp_id_scope (string)

Scope required for looking up user and group attributes with the REST API. The scopes are used by the server to determine which attributes/claims are returned to the caller.

Default: Not set

idp_auth_scope (string)

Scope required during authentication. The scopes are used by the server to determine which attributes/claims are returned to the caller.

Currently the tokens returned during user authentication are not used for other purposes hence the only important claim is the subject identifier 'sub' which is used to check if the authenticated user is the one trying to log in. This might change in future.

Default: Not set

idp_request_timeout (integer)

Timeout in seconds for an individual request to the IdP.

Default: 10

idmap_range_min (integer)

Specifies the lower (inclusive) bound of the range of POSIX IDs to use for mapping IdP users and group to POSIX IDs. It is the first POSIX ID which can be used for the mapping.

The interval between “idmap_range_min” and “idmap_range_max” will be split into smaller rages of size “idmap_range_size” which will be used by an individual IdP domain.

Default: 200000

idmap_range_max (integer)

Specifies the upper (exclusive) bound of the range of POSIX IDs to use for mapping IdP users and groups to POSIX IDs. It is the first POSIX ID which will not be used for POSIX ID-mapping anymore.

Default: 2000200000

idmap_range_size (integer)

Specifies the number of POSIX IDs available for a single IdP domain.

Default: 200000

[domain/entra_id]
id_provider = idp
idp_type = entra_id
idp_client_id = 12345678-abcd-0101-efef-ba9876543210
idp_client_secret = YOUR-CLIENT-SCERET
idp_token_endpoint = https://login.microsoftonline.com/TENNANT-ID/oauth2/v2.0/token
idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me
idp_device_auth_endpoint = https://login.microsoftonline.com/TENNANT-ID/oauth2/v2.0/devicecode
idp_id_scope = https%3A%2F%2Fgraph.microsoft.com%2F.default
idp_auth_scope = openid profile email
[domain/keycloak]
idp_type = keycloak:https://master.keycloak.test:8443/auth/admin/realms/master/
id_provider = idp
idp_client_id = myclient
idp_client_secret = YOUR-CLIENT-SCERET
idp_token_endpoint = https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/token
idp_userinfo_endpoint = https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/userinfo
idp_device_auth_endpoint = https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/auth/device
idp_id_scope = profile
idp_auth_scope = openid profile email

sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-idp(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(1), sss_ssh_knownhosts(1), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)

The SSSD upstream - https://github.com/SSSD/sssd/

06/15/2025 SSSD