The Identifier First Adapter is designed to identify user populations. It supports email addresses natively; it extracts the email address suffix and exposes it downstream through the domain attribute. Additionally, the adapter can leverage datastore queries to fulfill the domain attribute (or other extended attributes) to support identifiers of other kinds.

The Identifier First Adapter is most effective when used in conjunction with authentication policies. Essentially, policy paths are created by having rules matching expected values of the domain attribute (or other extended attributes). Each expected value forms its own policy path, to which a series of authentication sources can be appended to enforce the desired authentication requirements.

For more information and configuration steps, refer to the subsequent sample use case.