docs: add primary domain scope section to identity brokering guide (#2972)

* docs: add primary domain scope section to identity brokering guide

* Update docs/docs/guides/authentication/identity-brokering.md

Co-authored-by: mffap <mpa@caos.ch>

Co-authored-by: mffap <mpa@caos.ch>
Fabi 2022-01-12 09:28:35 +01:00 committed by GitHub
parent 68827dfdcd
commit ac7a26b9df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -87,6 +87,33 @@ Google Example:
![Configure identity provider](/img/console_org_identity_provider.gif)
### 4.Send the primary domain scope on the authorization request
ZITADEL will show a set of identity providers by default. This configuration can be changed by users with the [manager role] (https://docs.zitadel.ch/docs/concepts/zitadel/objects/managers) `IAM_OWNER`.
An organization's login settings will be shown
- as soon as the user has entered the loginname and ZITADEL can identitfy to which organization he belongs; or
- by sending a primary domain scope.
To get your own configuration you will have to send the [primary domain scope](https://docs.zitadel.ch/docs/apis/openidoauth/scopes#reserved-scopes) in your [authorization request](https://docs.zitadel.ch/docs/guides/authentication/login-users/#auth-request) .
The primary domain scope will restrict the login to your organization, so only users of your own organization will be able to login, also your branding and policies will trigger.
See the following link as an example. Users will be able to register and login to the organization that verified the @caos.ch domain only.
```
https://accounts.zitadel.ch/oauth/v2/authorize?client_id=69234247558357051%40zitadel&scope=openid%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Adomain%3Aprimary%3Acaos.ch&redirect_uri=https%3A%2F%2Fconsole.zitadel.ch%2Fauth%2Fcallback&state=testd&response_type=code&nonce=test&code_challenge=UY30LKMy4bZFwF7Oyk6BpJemzVblLRf0qmFT8rskUW0
```
:::info
Make sure to replace the domain `caos.ch` with your own domain to trigger the correct branding.
:::
:::caution
This example uses the ZITADEL Cloud Application for demonstration. You need to create your own auth request with your applications parameters. Please see the docs to construct an [Auth Request](https://docs.zitadel.ch/docs/guides/authentication/login-users/#auth-request).
:::
Your user will now be able to choose Google for login instead of username/password or mfa.
## Knowledge Check
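Review bot: the example authorization request in the fenced block uses fixed `state=testd`, `nonce=test` and a hard-coded `code_challenge`; since the caution block tells readers to build their own request from it, the text should state that `state` and `nonce` must be fresh, unguessable values generated per request and that `code_challenge` must be derived from the app's own `code_verifier`, otherwise a copied request has no CSRF or replay protection. Three smaller points in the same hunk: `[manager role] (https://docs.zitadel.ch/...)` has a space before the parenthesis and will not render as a Markdown link; "ZITADEL can identitfy" should read "identify"; and `### 4.Send the primary domain scope` needs a space after "4." to match the other step headings.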