Privileged Domains¶
Privileged domains let you route users to a specific identity provider and auto-assign them to groups based on their email domain.
Privileged domains are not protected (web) domains
A privileged domain here is an email domain (acme.com) used to route
identity and auto-assign groups. It is unrelated to a
protected domain, which is a DNS/web
domain proven with a DNS-TXT challenge so WeftID can gate HTTP apps behind it
with forward auth. The same string can be registered as both; they are
independent concepts.
Adding a domain¶
- Navigate to Settings > Privileged Domains
- Click Add Domain
- Enter the email domain (e.g.,
acme.com) - Click Add
Binding an IdP¶
Each domain can be bound to one identity provider. When a user with a matching email domain signs in, they are automatically directed to that IdP instead of seeing the IdP selection page.
To bind an IdP, select it from the domain's configuration panel.
Linking groups¶
Link one or more groups to a domain. When a user is created with an email address matching that domain, they are automatically added to the linked groups.
This applies to both manually created users and JIT-provisioned users.
Example¶
- Add the domain
engineering.acme.com - Link it to the "Engineering" group
- When
alice@engineering.acme.comis created, she is automatically added to the Engineering group
Removing a domain¶
Unlink all groups and unbind the IdP before deleting a domain.