SSSD-IDP(5)

NAME
       sssd-idp - IdP SSSD

DESCRIPTION
       IdP sssd(8). , << >> sssd.conf(5).

       (IdP) - , ' (IdP) OAuth 2.0 REST. REST , , . "idp_type".

       (IdP) POSIX, (UID) . IdP SSSD . (UID) (GID) . , ', , SSSD.

CONFIGURATION OPTIONS
       << >> (man) sssd.conf(5), SSSD.

       idp_type ()
           ' , IdP. Entra ID (entra_id) Keycloak (keycloak).

           Depending on the IdP product, additional platform-specific options might follow the name, separated by a colon (:). E.g. for Keycloak the base URI for the user and group REST API must be given. For Entra ID the base URI for the Microsoft Graph API can be given to use sovereign or government cloud endpoints instead of the default (https://graph.microsoft.com/v1.0). E.g. "entra_id:https://graph.microsoft.us/v1.0" for the US government cloud (GCC High).

           : (')

       idp_client_id ()
           IdP, SSSD . RFC-8628 .

           : (')

       idp_client_secret ()
           IdP. id_provider. , , auth_provider, .

           :

       idp_token_endpoint ()
           IdP .

           : (')

       idp_device_auth_endpoint ()
           IdP RFC-8628. .

           :

       idp_userinfo_endpoint ()
           IdP userinfo . ' .

           :

       idp_id_scope ()
           , REST. , / , .

           Note: In previous versions of SSSD, this option was expected to already be URL-encoded.

           :

       idp_auth_scope ()
           , . , / , . , , , <>, , , . .

           :

       idp_request_timeout ( )
           IdP.

           Default: 10

       idp_auto_refresh (boolean)
           Refresh tokens automatically, after they have reached about half their lifetime.

           Note: Scheduled token refreshes are not preserved across restarts of SSSD.

           Default: false

       idmap_range_min ( )
           () POSIX, ID POSIX IdP. POSIX, '.

           The interval between "idmap_range_min" and "idmap_range_max" will be split into smaller ranges of size "idmap_range_size" which will be used by an individual IdP domain.

           Default: 200000

       idmap_range_max ( )
           () POSIX, ID POSIX IdP. POSIX, ' ID POSIX.

           Default: 2000200000

       idmap_range_size ( )
           POSIX, IdP.

           Default: 200000

EXAMPLE
           [domain/entra_id]
           id_provider = idp
           idp_type = entra_id
           idp_client_id = 12345678-abcd-0101-efef-ba9876543210
           idp_client_secret = YOUR-CLIENT-SCERET
           idp_token_endpoint = https://login.microsoftonline.com/TENNANT-ID/oauth2/v2.0/token
           idp_userinfo_endpoint = https://graph.microsoft.com/v1.0/me
           idp_device_auth_endpoint = https://login.microsoftonline.com/TENNANT-ID/oauth2/v2.0/devicecode
           idp_id_scope = https://graph.microsoft.com/.default
           idp_auth_scope = openid profile email

           [domain/keycloak]
           idp_type = keycloak:https://master.keycloak.test:8443/auth/admin/realms/master/
           id_provider = idp
           idp_client_id = myclient
           idp_client_secret = YOUR-CLIENT-SCERET
           idp_token_endpoint = https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/token
           idp_userinfo_endpoint = https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/userinfo
           idp_device_auth_endpoint = https://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/auth/device
           idp_id_scope = profile
           idp_auth_scope = openid profile email

SEE ALSO
       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-idp(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(1), sss_ssh_knownhosts(1), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)

AUTHORS
       SSSD -- https://pagure.io/SSSD/sssd/

SSSD                              04/27/2026                       SSSD-IDP(5)
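
A lint pass over the options documented above, as an added example that is not part of the SSSD manual page or of SSSD's code. It checks the idp_type syntax the page describes (product name, optional colon and base URI, required for Keycloak), flags endpoints that are not https, and counts how many idmap_range_size slices the ID interval yields. The function names, the https rule and the sample section are assumptions made for this illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample (not from the man page): keycloak without its base URI,
# and a plain-http token endpoint.
SAMPLE = """
[domain/keycloak]
id_provider = idp
idp_type = keycloak
idp_client_id = myclient
idp_token_endpoint = http://master.keycloak.test:8443/auth/realms/master/protocol/openid-connect/token
"""

KNOWN_TYPES = {"entra_id", "keycloak"}  # products named on the page
ENDPOINTS = ("idp_token_endpoint", "idp_device_auth_endpoint", "idp_userinfo_endpoint")
# Defaults as listed on the page.
RANGE = {"idmap_range_min": 200000, "idmap_range_max": 2000200000, "idmap_range_size": 200000}

def lint_idp_domain(section):
    """Return (findings, slices) for one domain section (dict-like)."""
    findings = []
    name, _, base = section.get("idp_type", "").partition(":")
    if name not in KNOWN_TYPES:
        findings.append(f"idp_type: unknown product {name!r}")
    if name == "keycloak" and not base:
        findings.append("idp_type: keycloak needs ':<base URI>' for the REST API")
    urls = {k: section[k] for k in ENDPOINTS if k in section}
    if base:
        urls["idp_type base URI"] = base
    for key, url in urls.items():
        parsed = urlparse(url)
        # Assumption of this example: anything but https is a finding, because
        # the client secret and tokens are sent to these endpoints.
        if parsed.scheme != "https" or not parsed.hostname:
            findings.append(f"{key}: not an https URL")
    lo, hi, size = (int(section.get(k, d)) for k, d in RANGE.items())
    if size <= 0 or hi <= lo:
        findings.append("idmap range: empty or inverted")
        return findings, 0
    return findings, (hi - lo) // size  # whole slices available to IdP domains

def lint_text(text):
    """Lint every section of an sssd.conf-style text that uses id_provider = idp."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: lint_idp_domain(cp[s]) for s in cp.sections()
            if cp[s].get("id_provider") == "idp"}
```

With the default range values, `lint_text(SAMPLE)` reports two findings for the constructed section and 10000 available slices.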