Organization discovery
B2B applications need seamless login experiences. Asgardeo supports organization discovery to route users directly to their organizational login pages.
This guide explains available discovery types and shows how to integrate them into your applications.
Available discovery methods
Asgardeo supports the following organization discovery methods:
| Discovery Type | Use Case |
|---|---|
| Organization Name-Based | Route users using the organization name. |
| Organization ID-Based | Route users using the organization ID. Suitable for server-side integrations. |
| Email Domain-Based | Automatically identify organizations from email domains. Ideal for corporate email addresses. |
How organization discovery works
Organization discovery routes users directly to their organization's login page. This bypasses the "Sign in with Single Sign-On (SSO)" selection screen.
Use one of these two methods:
- Direct routing with query parameters: Add the fidp=OrganizationSSO parameter along with the organization discovery parameters to your authentication requests. This routes users directly to their organization login page.
- Conditional authentication script: Use a conditional authentication script to automatically select the SSO authenticator based on organization parameters.
Organization name-based discovery
Use the organization's name to route users to their login page.
Add the org parameter with the organization name to your authentication request.
For OIDC applications:

```
https://api.asgardeo.io/t/<root_organization_name>/oauth2/authorize?
client_id=<client_id>
&redirect_uri=<redirect_url>
&scope=<scopes>
&response_type=code
&org=<organization_name>
&fidp=OrganizationSSO
```

For SAML applications:

```
https://api.asgardeo.io/t/<root_organization_name>/samlsso?
spEntityID=<app_entity_id>
&org=<organization_name>
&fidp=OrganizationSSO
```
Example: For an organization named "ABC Builders", add org=ABC+Builders to the request.
Organization identifier-based discovery
Use the organization's unique ID to route users to their login page.
Add the orgId parameter with the organization ID to your authentication request.
For OIDC applications:

```
https://api.asgardeo.io/t/<root_organization_name>/oauth2/authorize?
client_id=<client_id>
&redirect_uri=<redirect_url>
&scope=<scopes>
&response_type=code
&orgId=<organization_id>
&fidp=OrganizationSSO
```

For SAML applications:

```
https://api.asgardeo.io/t/<root_organization_name>/samlsso?
spEntityID=<app_entity_id>
&orgId=<organization_id>
&fidp=OrganizationSSO
```
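As an added example (not part of the Asgardeo documentation or any Asgardeo SDK), the following JavaScript builds the OIDC authorization request for either the org or the orgId parameter. The function name buildOrgLoginUrl and its option names are assumptions; it uses URLSearchParams so that an organization name taken from user input is encoded as a single value (a space becomes +, as in org=ABC+Builders) and cannot add or override other query parameters.

```javascript
// Added example: names below are illustrative, not an Asgardeo API.
const ASGARDEO_HOST = "https://api.asgardeo.io";

function buildOrgLoginUrl({ rootOrg, clientId, redirectUri, scopes, org, orgId }) {
  // Exactly one discovery parameter: org (name) or orgId (ID).
  if (Boolean(org) === Boolean(orgId)) {
    throw new Error("Provide exactly one of org or orgId");
  }
  for (const [name, value] of Object.entries({ rootOrg, clientId, redirectUri })) {
    if (typeof value !== "string" || value.length === 0) {
      throw new Error(`Missing required value: ${name}`);
    }
  }
  if (!Array.isArray(scopes) || scopes.length === 0) {
    throw new Error("scopes must be a non-empty array");
  }

  // Encode the root organization as one path segment and confirm that URL
  // normalization (for example of "..") did not change the path.
  const path = `/t/${encodeURIComponent(rootOrg)}/oauth2/authorize`;
  const url = new URL(path, ASGARDEO_HOST);
  if (url.pathname !== path) {
    throw new Error("Invalid root organization name");
  }

  // URLSearchParams form-encodes every value, so "&", "=" or "#" inside an
  // organization name stay part of that value.
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(" "),
    response_type: "code",
  });
  params.set(org ? "org" : "orgId", org || orgId);
  params.set("fidp", "OrganizationSSO");
  url.search = params.toString();
  return url.toString();
}

// Constructed sample values.
console.log(buildOrgLoginUrl({
  rootOrg: "rootorg",
  clientId: "abc123",
  redirectUri: "https://app.example.com/callback",
  scopes: ["openid", "profile"],
  org: "ABC Builders",
}));
```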
Alternative: Use conditional authentication
Instead of using the fidp=OrganizationSSO parameter, you can use a conditional authentication script to automatically route users.
Add this script to your application's authentication flow:
```javascript
var onLoginRequest = function(context) {
    executeStep(1, {
        authenticationOptions: [{
            // Select the SSO authenticator when orgId is present and no IdP is chosen yet.
            idp: (context.request.params.orgId && !context.steps[1].idp) ? "SSO" : context.steps[1].idp
        }]
    }, {
        onSuccess: function(context) {
            Log.info("User successfully completed initial authentication with IDP: " + context.steps[1].idp);
        }
    });
};
```
How this works: The script checks for the orgId parameter and automatically selects the SSO authenticator.
For organization names: Change the script to check for the org parameter instead:
```javascript
var onLoginRequest = function(context) {
    executeStep(1, {
        authenticationOptions: [{
            // Select the SSO authenticator when org is present and no IdP is chosen yet.
            idp: (context.request.params.org && !context.steps[1].idp) ? "SSO" : context.steps[1].idp
        }]
    }, {
        onSuccess: function(context) {
            Log.info("User successfully completed initial authentication with IDP: " + context.steps[1].idp);
        }
    });
};
```
Email domain-based discovery
Automatically identify organizations based on user email domains. This method routes users to their organization's login page without requiring them to specify the organization name or ID.
How it works: Asgardeo extracts the domain from the user's email address. Then it matches the domain to a configured organization.
How to configure email domain discovery: Email Domain-Based Discovery