Skip to content

Privileged Domains

Privileged domains let you route users to a specific identity provider and auto-assign them to groups based on their email domain.

Privileged domains are not protected (web) domains

A privileged domain here is an email domain (acme.com) used to route identity and auto-assign groups. It is unrelated to a protected domain, which is a DNS/web domain proven with a DNS-TXT challenge so WeftID can gate HTTP apps behind it with forward auth. The same string can be registered as both; they are independent concepts.

Adding a domain

  1. Navigate to Settings > Privileged Domains
  2. Click Add Domain
  3. Enter the email domain (e.g., acme.com)
  4. Click Add

Binding an IdP

Each domain can be bound to one identity provider. When a user with a matching email domain signs in, they are automatically directed to that IdP instead of seeing the IdP selection page.

To bind an IdP, select it from the domain's configuration panel.

Linking groups

Link one or more groups to a domain. When a user is created with an email address matching that domain, they are automatically added to the linked groups.

This applies to both manually created users and JIT-provisioned users.

Example

  1. Add the domain engineering.acme.com
  2. Link it to the "Engineering" group
  3. When alice@engineering.acme.com is created, she is automatically added to the Engineering group

Removing a domain

Unlink all groups and unbind the IdP before deleting a domain.