Switch which source is used based on email address
You can use an expression policy to route users to different sources based on the email address they enter.
This is useful when different email domains should authenticate against different upstream identity providers.
Create the policy
Create an expression policy that:
- maps email domains to source slugs
- reads the identifier collected earlier in the flow
- redirects the user to the matching source when a mapping exists
Where to bind it
Bind the expression policy to the stage binding immediately after the Identification stage (policies on a binding are evaluated before that stage runs, so the identifier is already in the context), or after whichever stage first collects the identifier you want to inspect.
For more background on binding policies to stages, see Policy bindings and evaluation.
Example expression
```python
# Map email domains (lower-case) to source slugs.
source_email_map = {
    "foo.bar.com": "entra-foo",
    "bar.baz.com": "entra-bar",
}

# Identifier collected by the Identification stage; it may be absent, or a bare username with no domain.
user_email = request.context.get("pending_user_identifier", "")
_username, _, domain = user_email.partition("@")

# Domains are case-insensitive; normalise so "Foo.Bar.Com" matches the mapping too.
source = source_email_map.get(domain.lower())
if not source:
    # Unmapped domain (or no email at all): continue the flow and authenticate locally.
    return True

plan = request.context.get("flow_plan")
if not plan:
    return False

# Redirect to the matching source. Use the path for your source type:
# For OIDC
# plan.redirect(f"/source/oauth/login/{source}/")
# For SAML
plan.redirect(f"/source/saml/{source}")
# Stop this path; the user continues at the external source.
return False
```
How it works
- The policy reads pending_user_identifier, the identifier gathered earlier in the flow. With the Identification stage this is whatever the user typed, so it may be a username rather than an email address.
- If the email domain is not in the mapping, the policy returns True and flow execution continues normally.
- If the domain maps to a source, the policy redirects the flow and returns False so the current path does not continue.
Adjust the redirect path for the source type you use. The example above includes both OIDC and SAML patterns.
The identifier is user-supplied and unverified at this point: the policy only decides where to send the user, and the upstream provider still performs the actual authentication.
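The following offline harness is an added example, not authentik's own code. It re-implements the policy body as a plain function so the mapping and its edge cases (mixed-case domain, bare username, missing identifier, missing flow plan) can be exercised without a running authentik instance. FakePlan is an assumed stand-in for the FlowPlan object that authentik exposes as request.context["flow_plan"]; only its redirect() method is modelled, and the redirect paths are taken from the example policy above. The mapping entries are constructed sample data.

```python
"""Offline harness for the email-domain source-routing policy.

Added example, not authentik's own code. FakePlan is an assumed stand-in
for the FlowPlan object found at request.context["flow_plan"]; only its
redirect() method is modelled.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed mapping: email domain (lower-case) -> (source type, source slug).
SOURCE_EMAIL_MAP = {
    "foo.bar.com": ("oauth", "entra-foo"),
    "bar.baz.com": ("saml", "entra-bar"),
}

# Redirect path patterns, taken from the example policy on this page.
REDIRECT_PATHS = {
    "oauth": "/source/oauth/login/{slug}/",
    "saml": "/source/saml/{slug}",
}


@dataclass
class FakePlan:
    """Minimal stand-in for authentik's FlowPlan; records the redirect target."""
    redirected_to: Optional[str] = None

    def redirect(self, path: str) -> None:
        self.redirected_to = path


def extract_domain(identifier: str) -> str:
    """Return the lower-cased domain part of an email-shaped identifier, or ''."""
    _user, at, domain = identifier.strip().partition("@")
    if not at:
        return ""          # plain username: nothing to route on
    return domain.lower()  # domains are case-insensitive; normalise before lookup


def route_by_email(context: dict) -> bool:
    """Policy body: True = continue the flow, False = stop (after a redirect).

    Mirrors what the expression policy does with request.context.
    """
    identifier = context.get("pending_user_identifier")
    if not identifier:
        return True  # nothing collected yet; let the flow continue

    mapping = SOURCE_EMAIL_MAP.get(extract_domain(identifier))
    if mapping is None:
        return True  # unmapped domain: fall through to local authentication

    plan = context.get("flow_plan")
    if plan is None:
        return False  # no plan to redirect with; stop, as the page's policy does

    source_type, slug = mapping
    plan.redirect(REDIRECT_PATHS[source_type].format(slug=slug))
    return False


def simulate(identifier: Optional[str]) -> tuple:
    """Run the policy against a constructed context; return (result, redirect)."""
    plan = FakePlan()
    context = {"flow_plan": plan}
    if identifier is not None:
        context["pending_user_identifier"] = identifier
    return route_by_email(context), plan.redirected_to


if __name__ == "__main__":
    for ident in ["alice@foo.bar.com", "Bob@BAR.BAZ.COM", "carol@example.org",
                  "dave", None]:
        print(f"{ident!r:>22} -> {simulate(ident)}")
```

Run it before deploying a changed mapping: each line shows whether the flow continues (True) or is redirected (False) and to which path. Keys in the mapping must be lower-case, since the harness (like the policy above) lower-cases the domain before lookup.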