Identifier-based routing

Identifier-based routing provides an easy way to get your users to the correct sign-in journey of their organization. Users only have to enter their identifier to access their organization immediately. It requires base organization configuration for clients and identifier uniqueness across the selected base organization’s root-descendant hierarchy.

Identifier uniqueness

Identifier-based routing builds on identifier uniqueness across an organization hierarchy. Identifier uniqueness is the basis for routing users to their exact organization within a specific organizational tree without manual input and without passing the route information through, for example, a login hint.

Combined with base organization configuration for clients, identifier uniqueness will ensure that users are automatically routed to their exact organization once they’ve provided their identifier.

📘

Identifier-based routing works similarly to domain-based routing. However, in this case, usernames can also be used alongside email addresses if the identifier type is supported in the identity store.

Setting up identifier uniqueness

Identifier uniqueness is set when you create a new organization. Under 'Identifier uniqueness', select the option that makes identifiers unique to the current organization and its descendants:

❗️

The state of identifier uniqueness can’t be modified once an organization is saved and created.

Identifier uniqueness enabled

📘

If an identifier is NOT unique to the organizational hierarchy (option on the left in the above image), then the same identifier can be used in multiple organizations within that organizational structure. In that case, automatic routing won’t apply upon login, even if the organization is set as a base organization.

Organization types

The organization where identifier uniqueness is set will become the 'root' organization that represents the top level of the hierarchy. You can create further organizations that will become the root organization's 'descendants'.

Impacts

Identifier uniqueness changes how organizations of the hierarchy work in some aspects and imposes certain limitations:

| Root organization | Descendant organizations |
| --- | --- |
| Only this type can be set as a base organization. | Can't be set as a base organization. |
| Defines identifier uniqueness for the descendant organizations. | Inherits the root organization's identifier uniqueness. Descendant organizations have to support identifier uniqueness. |
| Can't take existing organizations as descendants. Descendant organizations have to be newly created. | Allowed to have further descendants, but also can't take existing organizations as descendants. |
| Switches that allow self-service registration and self-service child organization creation are active. | Switches that allow self-service registration and self-service child organization creation are NOT available. |
| Self-service registration is only available for this type. | Self-service registration is not available on this level. |
| Login provider settings in 'Organization policies' are only available for the root organization. | Login providers cannot be customized. Descendant organizations inherit the login provider of the root org. |
| Branding can only be applied to this type. | Inherits the branding of the root organization. Customization for this type is not available. |

User registration

Accounts signed up to an identifier uniqueness hierarchy are placed into the root organization. Self-service registration is not available for descendant organizations of an identifier uniqueness hierarchy.

New users can be added via invitation, or they can be created. You will be warned if someone with the same identifier already exists in the hierarchy.

📘

You can also apply a 'Before registration' hook to register new accounts into descendant organizations.

Creating a descendant

When a new descendant organization is created, identifier uniqueness options will be disabled once a root organization is selected as the parent:

Adding a descendant organization

Cross-organization grants

Organizations of an identifier uniqueness hierarchy behave the same as the rest when it comes to cross-organization permissions: org admins get access to every descendant of the organization they're assigned to.

🚧

Org admins need to be members of the root organization in order to access the organization management portal. The root organization is the base organization of the organization portal, and this restricts access to the portal.

📘

The org administration portal displays every account available in the identifier uniqueness hierarchy, regardless of which organization is selected for viewing, since identifiers are unique across the organizations.

Org admins can also find any account in the hierarchy with a single search.

Setting up identifier-based routing

The last step of setting up identifier-based routing is to configure the root identifier uniqueness organization as a base for a client of your choice.

As with organizations that don't use identifier uniqueness, only users of the organizational tree can log in with the client, but users will be routed to their correct sign-in experience immediately.
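
The routing rule described on this page can be modeled in a few lines. The following is an added example, not the product's code or API: the names Org, Directory, add, route and build_sample are hypothetical, the sample accounts are constructed, and case-insensitive identifier comparison is an assumption of the model.

```python
class Org:
    def __init__(self, name, parent=None, unique_in_hierarchy=False):
        self.name, self.parent = name, parent
        # Descendants inherit the root's setting, which is fixed at creation.
        self.unique = parent.unique if parent else unique_in_hierarchy

    @property
    def root(self):
        return self if self.parent is None else self.parent.root


class Directory:
    def __init__(self):
        self.accounts = []  # (normalized identifier, Org) pairs

    @staticmethod
    def norm(identifier):
        # Assumption of this model: identifiers compare case-insensitively.
        return identifier.strip().casefold()

    def add(self, identifier, org):
        ident = self.norm(identifier)
        clash = any(i == ident and o.root is org.root for i, o in self.accounts)
        if org.root.unique and clash:
            raise ValueError(f"{identifier!r} already exists under {org.root.name!r}")
        self.accounts.append((ident, org))

    def route(self, identifier, base_org):
        """Org whose sign-in journey applies, or None (no automatic routing)."""
        if base_org.unique and base_org.parent is not None:
            raise ValueError("a descendant cannot be a base organization")
        ident = self.norm(identifier)
        hits = [o for i, o in self.accounts if i == ident and o.root is base_org.root]
        return hits[0] if base_org.unique and len(hits) == 1 else None


def build_sample():
    """Constructed sample data: one unique hierarchy and one non-unique tree."""
    d = Directory()
    acme = Org("acme", unique_in_hierarchy=True)
    eu, us = Org("acme-eu", acme), Org("acme-us", acme)
    legacy = Org("legacy")
    la, lb = Org("legacy-a", legacy), Org("legacy-b", legacy)
    d.add("alice@example.com", eu)   # email identifier
    d.add("bob", us)                 # username identifier
    d.add("carol", la)
    d.add("carol", lb)               # allowed: uniqueness is off in this tree
    return d, acme, eu, us, legacy
```

With this data, route resolves "alice@example.com" and "bob" to their descendant organizations when "acme" is the base, and returns None for "carol" under "legacy" because the identifier is not unique there.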