The Identifier First Adapter works best in conjunction with authentication policies and setting expected attribute values to enforce authentication requirements.
The Identifier First Adapter is designed to identify user populations. It supports email addresses natively: it extracts the email address suffix and exposes it downstream through the domain attribute. Additionally, the adapter can leverage datastore queries to fulfill the domain attribute or other extended attributes to support identifiers of other kinds.
The Identifier First Adapter is most effective when used in conjunction with authentication policies. The policy paths are created by having rules matching expected values of the domain attribute or other extended attribute. Each expected value forms its own policy path, to which a series of authentication sources can be appended to enforce the desired authentication requirements.
For more information and configuration steps, see the subsequent sample use case.