diff --git a/src/README.md b/src/README.md
index a12acd8..52627e6 100644
--- a/src/README.md
+++ b/src/README.md
@@ -4,7 +4,7 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10 |
-| <a name="requirement_stackit"></a> [stackit](#requirement\_stackit) | 0.96.0 |
+| <a name="requirement_stackit"></a> [stackit](#requirement\_stackit) | 0.98.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | 0.14.0 |
 | <a name="requirement_vault"></a> [vault](#requirement\_vault) | 5.9.0 |
 
@@ -35,6 +35,7 @@ No resources.
 | <a name="input_company_name"></a> [company\_name](#input\_company\_name) | Name of the company. | `string` | n/a | yes |
 | <a name="input_connectivity"></a> [connectivity](#input\_connectivity) | Connectivity configuration including DNS zones, network area, and firewall. Set firewall/network\_area to null to skip deployment. | <pre>object({<br/>    dns_zones = optional(map(object({<br/>      dns_name      = string<br/>      name          = optional(string, null)<br/>      contact_email = optional(string, null)<br/>      type          = optional(string, "primary")<br/>      acl           = optional(string, null)<br/>      description   = optional(string, null)<br/>      default_ttl   = optional(number, 3600)<br/>    })), {})<br/>    network_area = optional(object({<br/>      ranges                = list(string)<br/>      transfer_network      = string<br/>      min_prefix_length     = optional(number, 24)<br/>      max_prefix_length     = optional(number, 28)<br/>      default_prefix_length = optional(number, 28)<br/>    }), null)<br/>    firewall = optional(object({<br/>      zone                     = string<br/>      flavor                   = string<br/>      name                     = string<br/>      volume_performance_class = optional(string, "storage_premium_perf4")<br/>      volume_size              = optional(number, 16)<br/>      lan_network_range        = string<br/>      wan_network_range        = string<br/>      lan_ip                   = optional(string, null)<br/>      wan_ip                   = optional(string, null)<br/>    }), null)<br/>  })</pre> | `null` | no |
 | <a name="input_devops"></a> [devops](#input\_devops) | DevOps module configuration. Set to null to skip deployment. | <pre>object({<br/>    git_flavor             = optional(string, null)<br/>    allowed_network_ranges = optional(list(string), ["0.0.0.0/0"])<br/>  })</pre> | `null` | no |
+| <a name="input_federated_identity_providers"></a> [federated\_identity\_providers](#input\_federated\_identity\_providers) | List of federated identity providers to configure for the management service account. | <pre>list(object({<br/>    name   = string<br/>    issuer = string<br/>    assertions = list(object({<br/>      item     = string<br/>      operator = string<br/>      value    = string<br/>    }))<br/>  }))</pre> | `[]` | no |
 | <a name="input_labels"></a> [labels](#input\_labels) | Additional labels to apply to all resources. | `map(string)` | `{}` | no |
 | <a name="input_landing_zones"></a> [landing\_zones](#input\_landing\_zones) | Map of landing zones to create. Set corporate = true for network area connectivity, false for public. | <pre>map(object({<br/>    project_name = string<br/>    project_code = string<br/>    owner_email  = string<br/>    # Set to true for corporate landing zones (connected to network area), false for public<br/>    corporate = optional(bool, true)<br/>    env       = optional(string, "dev")<br/>    role_assignments = optional(list(object({<br/>      role    = string<br/>      subject = string<br/>    })), [])<br/>    network_prefix_length = optional(number, null)<br/>    custom_roles = optional(list(object({<br/>      name        = string<br/>      description = string<br/>      permissions = list(string)<br/>    })), [])<br/>  }))</pre> | `{}` | no |
 | <a name="input_observability"></a> [observability](#input\_observability) | Observability instance configuration for the management module. Set to null to skip observability deployment. | <pre>object({<br/>    plan_name                              = optional(string, "Observability-Starter-EU01")<br/>    acl                                    = optional(list(string), [])<br/>    logs_retention_days                    = optional(number, 30)<br/>    traces_retention_days                  = optional(number, 30)<br/>    metrics_retention_days                 = optional(number, 90)<br/>    metrics_retention_days_5m_downsampling = optional(number, 90)<br/>    metrics_retention_days_1h_downsampling = optional(number, 90)<br/>  })</pre> | `null` | no |
diff --git a/src/modules/connectivity/4-internal-network.tf b/src/modules/connectivity/4-internal-network.tf
index 18718a7..cceebd6 100644
--- a/src/modules/connectivity/4-internal-network.tf
+++ b/src/modules/connectivity/4-internal-network.tf
@@ -6,7 +6,7 @@ resource "stackit_network" "lan" {
   count = var.firewall != null ? 1 : 0
 
   project_id  = stackit_resourcemanager_project.this.project_id
-  name        = "lan_network"
+  name        = "lan"
   ipv4_prefix = var.firewall.lan_network_range
   routed      = true
 }
diff --git a/src/modules/connectivity/README.md b/src/modules/connectivity/README.md
index f7fa98b..0b8bcc6 100644
--- a/src/modules/connectivity/README.md
+++ b/src/modules/connectivity/README.md
@@ -62,7 +62,7 @@ No modules.
 |------|-------------|
 | <a name="output_dns_zone_dns_names"></a> [dns\_zone\_dns\_names](#output\_dns\_zone\_dns\_names) | Map of DNS zone keys to their DNS names |
 | <a name="output_dns_zone_ids"></a> [dns\_zone\_ids](#output\_dns\_zone\_ids) | Map of DNS zone keys to their zone IDs |
-| <a name="output_firewall_next_hop_ip"></a> [firewall\_next\_hop\_ip](#output\_firewall\_next\_hop\_ip) | The IP address to be used as next hop for the default route in the landing zones (firewall WAN IP). |
+| <a name="output_firewall_next_hop_ip"></a> [firewall\_next\_hop\_ip](#output\_firewall\_next\_hop\_ip) | The IP address to be used as next hop for the default route in the landing zones (firewall LAN IP). |
 | <a name="output_firewall_public_ip"></a> [firewall\_public\_ip](#output\_firewall\_public\_ip) | The public IP address of the firewall WAN interface. |
 | <a name="output_network_area_id"></a> [network\_area\_id](#output\_network\_area\_id) | The ID of the created network area. |
 | <a name="output_project_container_id"></a> [project\_container\_id](#output\_project\_container\_id) | The container ID of the created STACKIT project. |
diff --git a/src/modules/connectivity/outputs.tf b/src/modules/connectivity/outputs.tf
index 025db01..2d1c1ad 100644
--- a/src/modules/connectivity/outputs.tf
+++ b/src/modules/connectivity/outputs.tf
@@ -9,7 +9,7 @@ output "dns_zone_ids" {
 }
 
 output "firewall_next_hop_ip" {
-  description = "The IP address to be used as next hop for the default route in the landing zones (firewall WAN IP)."
+  description = "The IP address to be used as next hop for the default route in the landing zones (firewall LAN IP)."
   value       = var.firewall != null ? stackit_network_interface.lan[0].ipv4 : null
 }
 
diff --git a/src/modules/management/README.md b/src/modules/management/README.md
index f26de67..b5c9b49 100644
--- a/src/modules/management/README.md
+++ b/src/modules/management/README.md
@@ -36,6 +36,7 @@ No modules.
 | [stackit_secretsmanager_instance.this](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/resources/secretsmanager_instance) | resource |
 | [stackit_secretsmanager_user.default](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/resources/secretsmanager_user) | resource |
 | [stackit_service_account.automation](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/resources/service_account) | resource |
+| [stackit_service_account_federated_identity_provider.this](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/resources/service_account_federated_identity_provider) | resource |
 | [stackit_service_account_key.automation](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/resources/service_account_key) | resource |
 | [time_rotating.key_rotate](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
 | [vault_kv_secret_v2.object_storage_credentials](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/kv_secret_v2) | resource |
@@ -46,6 +47,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_federated_identity_providers"></a> [federated\_identity\_providers](#input\_federated\_identity\_providers) | List of federated identity providers to configure for the management service account. | <pre>list(object({<br/>    name   = string<br/>    issuer = string<br/>    assertions = list(object({<br/>      item     = string<br/>      operator = string<br/>      value    = string<br/>    }))<br/>  }))</pre> | `[]` | no |
 | <a name="input_labels"></a> [labels](#input\_labels) | Additional labels to apply to all folders. | `map(string)` | `{}` | no |
 | <a name="input_naming_pattern"></a> [naming\_pattern](#input\_naming\_pattern) | Naming prefix for all resources in this module, e.g. "myco-pltfm-hub-prod". | `string` | n/a | yes |
 | <a name="input_observability"></a> [observability](#input\_observability) | Observability instance configuration. Set to null to skip observability deployment. | <pre>object({<br/>    plan_name                              = optional(string, "Observability-Starter-EU01")<br/>    acl                                    = optional(list(string), [])<br/>    logs_retention_days                    = optional(number, 30)<br/>    traces_retention_days                  = optional(number, 30)<br/>    metrics_retention_days                 = optional(number, 90)<br/>    metrics_retention_days_5m_downsampling = optional(number, 90)<br/>    metrics_retention_days_1h_downsampling = optional(number, 90)<br/>  })</pre> | `null` | no |