From ac7a26b9df6d1c943af97c66e1b6c3cf743df15b Mon Sep 17 00:00:00 2001 From: Fabi <38692350+fgerschwiler@users.noreply.github.com> Date: Wed, 12 Jan 2022 09:28:35 +0100 Subject: [PATCH] docs: add primary domain scope section to identity brokering guide (#2972) * docs: add primary domain scope section to identity brokering guide * Update docs/docs/guides/authentication/identity-brokering.md Co-authored-by: mffap Co-authored-by: mffap --- .../authentication/identity-brokering.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/docs/guides/authentication/identity-brokering.md b/docs/docs/guides/authentication/identity-brokering.md index 3bf704fa37..aecd5243e8 100644 --- a/docs/docs/guides/authentication/identity-brokering.md +++ b/docs/docs/guides/authentication/identity-brokering.md 
@@ -87,6 +87,33 @@ Google Example: ![Configure identity provider](/img/console_org_identity_provider.gif) +### 4.Send the primary domain scope on the authorization request +ZITADEL will show a set of identity providers by default. This configuration can be changed by users with the [manager role] (https://docs.zitadel.ch/docs/concepts/zitadel/objects/managers) `IAM_OWNER`. + +An organization's login settings will be shown + +- as soon as the user has entered the loginname and ZITADEL can identitfy to which organization he belongs; or +- by sending a primary domain scope. +To get your own configuration you will have to send the [primary domain scope](https://docs.zitadel.ch/docs/apis/openidoauth/scopes#reserved-scopes) in your [authorization request](https://docs.zitadel.ch/docs/guides/authentication/login-users/#auth-request) . +The primary domain scope will restrict the login to your organization, so only users of your own organization will be able to login, also your branding and policies will trigger. + +See the following link as an example. Users will be able to register and login to the organization that verified the @caos.ch domain only. +``` +https://accounts.zitadel.ch/oauth/v2/authorize?client_id=69234247558357051%40zitadel&scope=openid%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Adomain%3Aprimary%3Acaos.ch&redirect_uri=https%3A%2F%2Fconsole.zitadel.ch%2Fauth%2Fcallback&state=testd&response_type=code&nonce=test&code_challenge=UY30LKMy4bZFwF7Oyk6BpJemzVblLRf0qmFT8rskUW0 +``` + +:::info + +Make sure to replace the domain `caos.ch` with your own domain to trigger the correct branding. + +::: + +:::caution + +This example uses the ZITADEL Cloud Application for demonstration. You need to create your own auth request with your applications parameters. Please see the docs to construct an [Auth Request](https://docs.zitadel.ch/docs/guides/authentication/login-users/#auth-request). 
+ +::: + Your user will now be able to choose Google for login instead of username/password or mfa. ## Knowledge Check
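Review bot: the link `[manager role] (https://docs.zitadel.ch/docs/concepts/zitadel/objects/managers)` in the first paragraph of the new section has a space between `]` and `(`, so it will not render as a Markdown link; in the same section the heading `### 4.Send the primary domain scope on the authorization request` is missing a space after `4.`, the first bullet misspells "identitfy", the paragraph beginning `To get your own configuration` follows the bullet list without a blank line (so it may render as part of the last list item), and there is a stray space before the period after the `[authorization request](...)` link. On the example URL: `state=testd` and `nonce=test` are fixed literals and `code_challenge` is given without a `code_challenge_method`; since the caution block already tells readers to construct their own request, consider adding a sentence that `state` and `nonce` must be fresh, unguessable values per request and that the PKCE parameters should follow the linked Auth Request guide, so the static values are not copied into real integrations.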