IDP discovery in ACP

Get familiar with the IDP discovery feature that comes shipped with Authorization Control Plane (ACP) and allows you to enhance the user experience and improve the login process for your users.

IDP discovery in a nutshell

IDP discovery is one of ACP's features aimed at improving the user experience of the login process. It allows you to configure a set of email domains for an IDP. Based on that list, the user is shown a suggested IDP and optionally redirected to the appropriate authentication endpoint.

[mermaid-begin]
graph LR
  A(User enters their email)
  B(ACP discovers email domain for CIP)
  C(ACP redirects the user to Cloud Identity Plane)
  A-- "johndoe@cloudentity.com" -->B
  B-->C

If no email domain is assigned to an IDP, that IDP is available to every user trying to log in to the application, so it always appears among the suggested IDPs.

A given email domain can be configured for only one identity provider. If a user tries to add a domain that is already defined for a different IDP, a conflict message is displayed stating which IDP the domain is already defined for.

Static IDPs

For static (sandbox) IDPs it is impossible to enable instant redirect. Additionally, for the IDP discovery to work, the username must contain an email domain.
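The rules above (one owner per domain, domain-less IDPs always suggested, no instant redirect for static IDPs, no match without an email domain) can be modelled in a few lines. This is an added illustration, not ACP code: the `IDP` class, the function names, the IDP names and the case-insensitive domain comparison are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class IDP:                      # hypothetical model, not an ACP type
    name: str
    static: bool = False        # static (sandbox) IDP
    instant_redirect: bool = False
    domains: set = field(default_factory=set)  # empty: offered to every user

class DomainConflict(Exception):
    pass

def normalize(domain):
    # Assumption: domains compare case-insensitively, ignoring a trailing dot.
    return domain.strip().lower().rstrip(".")

def add_domain(idps, target, domain):
    """Assign a domain to one IDP; refuse it if another IDP already has it."""
    d = normalize(domain)
    for idp in idps:
        if idp is not target and d in idp.domains:
            raise DomainConflict(f"{d} is already defined for {idp.name}")
    target.domains.add(d)

def set_instant_redirect(idp, enabled):
    if enabled and idp.static:
        raise ValueError("instant redirect is not available for static IDPs")
    idp.instant_redirect = enabled

def discover(idps, username):
    """Return (names of suggested IDPs, instant-redirect target or None)."""
    local, sep, domain = username.rpartition("@")
    domain = normalize(domain) if sep and local else ""  # no domain: no match
    owner = next((i for i in idps if domain and domain in i.domains), None)
    # IDPs with no domains are always suggested; the domain's owner joins them.
    suggested = [i.name for i in idps if not i.domains or i is owner]
    redirect = owner.name if owner and owner.instant_redirect else None
    return suggested, redirect

if __name__ == "__main__":
    # Constructed sample configuration mirroring the page's example domains.
    corp, sandbox = IDP("corporate"), IDP("sandbox", static=True)
    idps = [corp, sandbox]
    for d in ("example.com", "cloudentity.com"):
        add_domain(idps, corp, d)
    set_instant_redirect(corp, True)
    print(discover(idps, "johndoe@cloudentity.com"))
    print(discover(idps, "johndoe"))
```

When reviewing a real configuration, the same checks are worth doing by hand: every IDP left without domains is reachable by any user, and every domain with instant redirect sends its users straight to that IDP's login page.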

Enable IDP discovery

To enable IDP discovery for your IDPs:

  1. Go to Admin Portal > Identities.

  2. Select either Standard Sign in (that allows the users to sign in with any active IDP connections) or Identity Provider (IDP) Discovery.

  3. To enable IDP discovery for a given IDP, go to its settings and select

Configure domains

Once IDP discovery is enabled, you can configure a set of domains for a given IDP connection.

Provide a set of email domains in your IDP settings: Admin Panel > Identities > Your IDP > Configuration.

IDP discovery config

Example

You can see that the IDP from the screenshot has two email domains added: example.com and cloudentity.com.

Instant redirect is enabled. Once the user tries to log in using either of the domains, they are instantly redirected to the login page of this IDP.

Further reading

  • Get familiar with more features that improve the login process user experience by visiting the Smart ACP login portal