Overview
OIDC Provider functionality is currently offered under Limited Availability (LA) status. Access is restricted to a controlled set of customers and use cases. Features may be incomplete, subject to change, and could contain defects. Operational safeguards and capacity limits apply. By using this API, you acknowledge that:
- It is intended for early access and feedback purposes only.
- Availability may be limited by region, segment, or capacity constraints.
- Functionality, performance, and stability are not guaranteed at this stage.
- Documentation and support resources may be evolving.
- Feedback provided during this phase will inform improvements prior to General Availability (GA).
Do not deploy these services in production environments without understanding these limitations. Full commercial support and SLAs will be available at GA.
The Equinix Security Token Service (STS) provides a secure identity federation mechanism that enables seamless authentication and authorization across Equinix platforms and services.
This allows you to exchange OpenID Connect (OIDC) ID tokens from trusted identity providers for Equinix access tokens that can be used to access Equinix APIs and services. This eliminates the need to manage separate credentials for Equinix services when you already have an existing identity provider.
Equinix enforces strict verification of OIDC tokens: it validates the issuer and audience claims and verifies the token signature against the provider's JWKS. Access tokens are issued with appropriate scopes based on the identity provider's trust configuration and the principal's group memberships.
Key Features:
- Identity Provider and Trust Relationship Management: Create, update, suspend, resume, and delete trusted OIDC providers to control which identity providers and client IDs are trusted for authentication.
- Group-based Authorization: Map identity provider group claims to Equinix authorization policies.
- Access Control: Support for both Role-based Access Control and Attribute-based Access Control to manage permissions and access to Equinix services.
- Token Exchange: Implement OAuth 2.0 token exchange (RFC 8693) to convert OIDC ID tokens to Equinix access tokens.
Workload Identity Federation
Using an OIDC provider on Equinix provides support for CI/CD automation with identity-based authentication from platforms like GitHub Actions or Terraform Cloud.
To use your own identity provider, do the following:
- From the root project, register the OIDC provider that you use. This operation creates a trust relationship between the root project and the OIDC provider, so that identity tokens from the OIDC provider are accepted for token exchange.
- Grant access to principals from your OIDC provider using roles or access policies (or both).
- Obtain an identity token from your OIDC provider.
- Perform a token exchange to obtain an Equinix API bearer token.
Access Control Scopes
When performing a token exchange, the access token grants permissions according to the specified scope, which is some combination of:
- Roles and role assignments - Grants permissions for all of the principal's assigned roles within an Organization.
- A single named Access Policy - Grants the permissions of that specific access policy.
- All Access Policies granted to the principal in a Project - Grants permissions for all Access Policies granted to the principal in a particular project, either by direct grants to the principal itself or by indirect grants via a federated principal's group memberships.
- All Access Policies granted to the principal in an Organization - Grants permissions for all Access Policies granted to the principal across all the projects in the org tree of a given organization, including that organization's governing project.
The effective permissions granted by the token are the union of the permissions from each scope; an action is allowed if any one of the scopes allows it.
Scopes are checked for validity. The following combinations are valid scopes:
| scope value | Resulting scope type(s) |
|---|---|
| roleassignments:<org-id> | Assigned roles in the organization |
| ern:<access-policy-ern> | Single access policy |
| projectpolicies:<project-id> | One or more access policies in a project |
| orgpolicies:<org-id> | One or more access policies in an organization |
| orgpolicies:<org-id> roleassignments:<org-id> | One or more access policies in an organization + Assigned roles in the organization |
Token Exchange
To exchange OIDC provider tokens for Equinix API bearer tokens, use the /v1/token endpoint. For more information, see OIDC API Authentication.
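The following is an added example, not Equinix's own client code: it checks a requested scope string against the combinations listed in the table above and builds the RFC 8693 token-exchange body for the /v1/token endpoint. The host name, the exact id formats behind <org-id>, <project-id> and <access-policy-ern>, and any parameters beyond the standard RFC 8693 ones are assumptions.

```python
import re
from urllib.parse import urlencode

# Path from the page; the host is a placeholder (assumption).
TOKEN_ENDPOINT = "https://<equinix-api-host>/v1/token"

# One entry per scope value in the table. The id patterns are assumptions.
SCOPE_PATTERNS = {
    "roleassignments": (re.compile(r"^roleassignments:[\w-]+$"), "Assigned roles in the organization"),
    "ern": (re.compile(r"^ern:\S+$"), "Single access policy"),
    "projectpolicies": (re.compile(r"^projectpolicies:[\w-]+$"), "One or more access policies in a project"),
    "orgpolicies": (re.compile(r"^orgpolicies:[\w-]+$"), "One or more access policies in an organization"),
}

# The only combinations the table lists as valid.
ALLOWED_COMBINATIONS = {
    frozenset({"roleassignments"}), frozenset({"ern"}), frozenset({"projectpolicies"}),
    frozenset({"orgpolicies"}), frozenset({"orgpolicies", "roleassignments"}),
}

def resolve_scope(scope: str) -> list[str]:
    """Return the resulting scope type(s) for a space-separated scope string,
    raising ValueError for any combination the table does not permit."""
    tokens = scope.split()
    if not tokens:
        raise ValueError("scope must not be empty")
    kinds, types, ids = [], [], {}
    for tok in tokens:
        kind, _, ident = tok.partition(":")
        entry = SCOPE_PATTERNS.get(kind)
        if entry is None or not entry[0].match(tok):
            raise ValueError(f"unrecognised scope value: {tok!r}")
        kinds.append(kind); types.append(entry[1]); ids[kind] = ident
    if len(set(kinds)) != len(kinds) or frozenset(kinds) not in ALLOWED_COMBINATIONS:
        raise ValueError(f"scope combination not permitted: {scope!r}")
    # The table uses the same <org-id> placeholder for both values of the combined scope.
    if {"orgpolicies", "roleassignments"} <= set(kinds) and ids["orgpolicies"] != ids["roleassignments"]:
        raise ValueError("orgpolicies and roleassignments must name the same organization")
    return types

def build_token_exchange_body(id_token: str, scope: str) -> str:
    """Form-encoded RFC 8693 request body; the scope is checked first so an
    invalid combination is rejected locally instead of being sent to the STS."""
    resolve_scope(scope)
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": id_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "scope": scope,
    })
```

The returned body is what a client POSTs as application/x-www-form-urlencoded to the /v1/token endpoint; the value of access_token in the JSON response is then used as the Bearer token for Equinix APIs.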