'\" t
.\" Title: sssd-idp
.\" Author: The SSSD upstream - https://github.com/SSSD/sssd/
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 06/15/2025
.\" Manual: File Formats and Conventions
.\" Source: SSSD
.\" Language: English
.\"
.TH "SSSD\-IDP" "5" "06/15/2025" "SSSD" "File Formats and Conventions"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
sssd-idp \- SSSD IdP provider
.SH "DESCRIPTION"
.PP
This manual page describes the configuration of the IdP provider for
\fBsssd\fR(8)\&. For a detailed syntax reference, refer to the \(lqFILE FORMAT\(rq section of the
\fBsssd.conf\fR(5)
manual page\&.
.PP
The IdP provider is a back end used to connect to an OAuth 2\&.0 and REST based identity provider (IdP)\&. Since each product may implement its own REST API for looking up user and group attributes, product\-specific code may be required; see the \(lqidp_type\(rq option for details\&.
.PP
IdPs typically do not provide POSIX attributes such as the user ID (UID) or the home directory\&. SSSD\*(Aqs IdP provider autogenerates the needed attributes\&.
The default algorithm to generate user IDs (UIDs) and group IDs (GIDs) aims to create reproducible IDs on different systems\&. As a drawback, the algorithm might assign the same ID to different objects; in that case only the first object requested via SSSD will be available\&.
.SH "CONFIGURATION OPTIONS"
.PP
Refer to the section \(lqDOMAIN SECTIONS\(rq of the
\fBsssd.conf\fR(5)
manual page for details on the configuration of an SSSD domain\&.
.PP
idp_type (string)
.RS 4
Required option that specifies the IdP product\&. Currently Entra ID (entra_id) and Keycloak (keycloak) are supported\&.
.sp
Depending on the IdP product, additional platform\-specific options might follow the name, separated by a colon (:)\&. E\&.g\&. for Keycloak the base URI for the user and group REST API must be given\&. For Entra ID this is not needed because there is a generic endpoint for all tenants\&.
.sp
Default: Not set (Required)
.RE
.PP
idp_client_id (string)
.RS 4
ID of the IdP client used by SSSD to authenticate users and to look up user and group attributes\&. This client must offer device authorization according to RFC\-8628 and must have permissions to search and read user and group attributes\&.
.sp
Default: Not set (Required)
.RE
.PP
idp_client_secret (string)
.RS 4
Password of the IdP client\&. The password is required for the id_provider\&. If the IdP provider is only used as auth_provider, whether the password is required depends on the server\-side configuration\&.
.sp
Default: Not set
.RE
.PP
idp_token_endpoint (string)
.RS 4
IdP endpoint for requesting access tokens\&.
.sp
Default: Not set (Required)
.RE
.PP
idp_device_auth_endpoint (string)
.RS 4
IdP endpoint for device authorization according to RFC\-8628\&. This is required for user authentication\&.
.sp
Default: Not set
.RE
.PP
idp_userinfo_endpoint (string)
.RS 4
IdP userinfo endpoint to request user attributes after a successful authentication of the user\&. Required for authentication\&.
.sp
Default: Not set
.RE
.PP
idp_id_scope (string)
.RS 4
Scope required for looking up user and group attributes with the REST API\&. The scopes are used by the server to determine which attributes/claims are returned to the caller\&.
.sp
Default: Not set
.RE
.PP
idp_auth_scope (string)
.RS 4
Scope required during authentication\&. The scopes are used by the server to determine which attributes/claims are returned to the caller\&.
.sp
Currently the tokens returned during user authentication are not used for other purposes, hence the only important claim is the subject identifier \*(Aqsub\*(Aq, which is used to check that the authenticated user is the one trying to log in\&. This might change in the future\&.
.sp
Default: Not set
.RE
.PP
idp_request_timeout (integer)
.RS 4
Timeout in seconds for an individual request to the IdP\&.
.sp
Default: 10
.RE
.PP
idmap_range_min (integer)
.RS 4
Specifies the lower (inclusive) bound of the range of POSIX IDs to use for mapping IdP users and groups to POSIX IDs\&. It is the first POSIX ID which can be used for the mapping\&.
.sp
The interval between \(lqidmap_range_min\(rq and \(lqidmap_range_max\(rq will be split into smaller ranges of size \(lqidmap_range_size\(rq, each of which will be used by an individual IdP domain\&.
.sp
Default: 200000
.RE
.PP
idmap_range_max (integer)
.RS 4
Specifies the upper (exclusive) bound of the range of POSIX IDs to use for mapping IdP users and groups to POSIX IDs\&. It is the first POSIX ID which will not be used for POSIX ID\-mapping anymore\&.
.sp
Default: 2000200000
.RE
.PP
idmap_range_size (integer)
.RS 4
Specifies the number of POSIX IDs available for a single IdP domain\&.
.sp
Default: 200000
.RE
.SH "EXAMPLE"
.PP
.if n \{\
.RS 4
.\}
.nf
[domain/entra_id]
id_provider = idp
idp_type = entra_id
idp_client_id = 12345678\-abcd\-0101\-efef\-ba9876543210
idp_client_secret = YOUR\-CLIENT\-SECRET
idp_token_endpoint = https://login\&.microsoftonline\&.com/TENANT\-ID/oauth2/v2\&.0/token
idp_userinfo_endpoint = https://graph\&.microsoft\&.com/v1\&.0/me
idp_device_auth_endpoint = https://login\&.microsoftonline\&.com/TENANT\-ID/oauth2/v2\&.0/devicecode
idp_id_scope = https%3A%2F%2Fgraph\&.microsoft\&.com%2F\&.default
idp_auth_scope = openid profile email
.fi
.if n \{\
.RE
.\}
.sp
.sp
.if n \{\
.RS 4
.\}
.nf
[domain/keycloak]
idp_type = keycloak:https://master\&.keycloak\&.test:8443/auth/admin/realms/master/
id_provider = idp
idp_client_id = myclient
idp_client_secret = YOUR\-CLIENT\-SECRET
idp_token_endpoint = https://master\&.keycloak\&.test:8443/auth/realms/master/protocol/openid\-connect/token
idp_userinfo_endpoint = https://master\&.keycloak\&.test:8443/auth/realms/master/protocol/openid\-connect/userinfo
idp_device_auth_endpoint = https://master\&.keycloak\&.test:8443/auth/realms/master/protocol/openid\-connect/auth/device
idp_id_scope = profile
idp_auth_scope = openid profile email
.fi
.if n \{\
.RE
.\}
.sp
.SH "SEE ALSO"
.PP
\fBsssd\fR(8),
\fBsssd.conf\fR(5),
\fBsssd-ldap\fR(5),
\fBsssd-ldap-attributes\fR(5),
\fBsssd-krb5\fR(5),
\fBsssd-simple\fR(5),
\fBsssd-ipa\fR(5),
\fBsssd-ad\fR(5),
\fBsssd-idp\fR(5),
\fBsssd-sudo\fR(5),
\fBsssd-session-recording\fR(5),
\fBsss_cache\fR(8),
\fBsss_debuglevel\fR(8),
\fBsss_obfuscate\fR(8),
\fBsss_seed\fR(8),
\fBsssd_krb5_locator_plugin\fR(8),
\fBsss_ssh_authorizedkeys\fR(1),
\fBsss_ssh_knownhosts\fR(1),
\fBsssd-ifp\fR(5),
\fBpam_sss\fR(8),
\fBsss_rpcidmapd\fR(5)\&.
.SH "AUTHORS"
.PP
\fBThe SSSD upstream \- https://github\&.com/SSSD/sssd/\fR
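The following Python script is an added example, not part of SSSD or of this manual page. It lints the `[domain/...]` sections of an sssd.conf-style file against the rules stated under CONFIGURATION OPTIONS above: `idp_type` must name a supported product and, for Keycloak, carry the REST base URI after the colon; `idp_client_id` and `idp_token_endpoint` are always required; `idp_client_secret` is required when the provider is the `id_provider`; `idp_device_auth_endpoint` and `idp_userinfo_endpoint` are required for authentication; and `idmap_range_min`, `idmap_range_max` and `idmap_range_size` must leave room for at least one per-domain slice. The sample configuration, the `idp.example.test` host names and the helper names (`lint`, `check_idp_domain`, `idmap_slots`, `parse_idp_type`) are constructed for the example; the fallback of `auth_provider` to `id_provider` is taken from sssd.conf(5), and the https check is an added hardening choice, not a requirement of the manual page.

```python
"""Lint the IdP provider domain section(s) of an sssd.conf-style file.

Added example; not SSSD project code. Encodes the requirements stated in
sssd-idp(5) for the idp_* and idmap_range_* options. Sample input below
is constructed.
"""
import configparser

SUPPORTED_IDP_TYPES = {"entra_id", "keycloak"}

# Defaults as documented in sssd-idp(5).
DEFAULT_RANGE_MIN = 200000
DEFAULT_RANGE_MAX = 2000200000
DEFAULT_RANGE_SIZE = 200000
DEFAULT_REQUEST_TIMEOUT = 10

# Constructed sample sssd.conf: one correct Keycloak domain, one with mistakes.
SAMPLE_CONF = """
[sssd]
domains = keycloak, broken

[domain/keycloak]
id_provider = idp
idp_type = keycloak:https://idp.example.test:8443/auth/admin/realms/master/
idp_client_id = myclient
idp_client_secret = CLIENT-SECRET-PLACEHOLDER
idp_token_endpoint = https://idp.example.test:8443/auth/realms/master/protocol/openid-connect/token
idp_userinfo_endpoint = https://idp.example.test:8443/auth/realms/master/protocol/openid-connect/userinfo
idp_device_auth_endpoint = https://idp.example.test:8443/auth/realms/master/protocol/openid-connect/auth/device
idp_id_scope = profile
idp_auth_scope = openid profile email

[domain/broken]
id_provider = idp
idp_type = keycloak
idp_client_id = myclient
idp_token_endpoint = http://idp.example.test/token
idmap_range_min = 500000
idmap_range_max = 400000
idp_request_timeout = 0
"""


def parse_idp_type(value):
    """Split 'product[:options]' into (product, options_or_None)."""
    product, sep, rest = value.partition(":")
    return product.strip(), (rest.strip() if sep else None)


def idmap_slots(range_min, range_max, range_size):
    """Number of whole idmap_range_size slices that fit in [min, max)."""
    if range_size <= 0 or range_max <= range_min:
        return 0
    return (range_max - range_min) // range_size


def check_idp_domain(section):
    """Return a list of problem strings for one [domain/...] section."""
    problems = []
    get = section.get
    id_prov = get("id_provider", "")
    # sssd.conf(5): auth_provider falls back to id_provider when unset.
    auth_prov = get("auth_provider", id_prov)
    if "idp" not in (id_prov, auth_prov):
        return problems  # not an IdP domain; nothing to check

    idp_type = get("idp_type")
    if not idp_type:
        problems.append("idp_type is required")
    else:
        product, opts = parse_idp_type(idp_type)
        if product not in SUPPORTED_IDP_TYPES:
            problems.append(f"unsupported idp_type {product!r}")
        elif product == "keycloak" and not opts:
            problems.append("keycloak idp_type needs the REST base URI after ':'")

    for opt in ("idp_client_id", "idp_token_endpoint"):
        if not get(opt):
            problems.append(f"{opt} is required")

    if id_prov == "idp" and not get("idp_client_secret"):
        problems.append("idp_client_secret is required when id_provider = idp")

    if auth_prov == "idp":
        for opt in ("idp_device_auth_endpoint", "idp_userinfo_endpoint"):
            if not get(opt):
                problems.append(f"{opt} is required for authentication")

    # Added hardening check: these endpoints carry the client secret and
    # tokens, so insist on TLS.
    for opt in ("idp_token_endpoint", "idp_userinfo_endpoint",
                "idp_device_auth_endpoint"):
        url = get(opt)
        if url and not url.startswith("https://"):
            problems.append(f"{opt} does not use https")

    timeout = section.getint("idp_request_timeout",
                             fallback=DEFAULT_REQUEST_TIMEOUT)
    if timeout <= 0:
        problems.append("idp_request_timeout must be a positive number of seconds")

    rmin = section.getint("idmap_range_min", fallback=DEFAULT_RANGE_MIN)
    rmax = section.getint("idmap_range_max", fallback=DEFAULT_RANGE_MAX)
    rsize = section.getint("idmap_range_size", fallback=DEFAULT_RANGE_SIZE)
    if idmap_slots(rmin, rmax, rsize) == 0:
        problems.append("idmap_range_min/max/size leave no room for a domain slice")
    return problems


def lint(conf_text):
    """Map each [domain/...] section name to its list of problems."""
    # interpolation=None: percent-encoded scopes such as the Entra ID
    # https%3A%2F%2F... value must not be treated as '%' interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    return {name: check_idp_domain(cp[name])
            for name in cp.sections() if name.startswith("domain/")}


if __name__ == "__main__":
    for name, problems in lint(SAMPLE_CONF).items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

With the documented defaults, `idmap_slots(200000, 2000200000, 200000)` is 10000, i.e. the default interval holds ten thousand per-domain ranges of 200000 IDs each; the `[domain/broken]` section in the sample trips every check except the always-required options.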