
Home realm or IdP discovery

Home realm discovery (HRD) provides a seamless sign-in experience for your enterprise auth users. When HRD is configured and a user signs in, Kinde checks which IdP or connection group the user belongs to before authenticating them. It is also known as Identity Provider or IdP discovery.

When HRD is set up in Kinde, users are authenticated based on the Home Realm Domain (email domain) that is entered.

HRD is usually applied where your identity provider (IdP) is a third party, such as Microsoft Entra ID, Google, or Cloudflare, and you are using an enterprise or SAML auth setup.

By default, Kinde provides a universal login page where users of any enterprise connection can sign in. They are then silently routed and verified via the relevant IdP.

How does Home Realm Discovery work at Kinde?


When you set up a Microsoft Entra ID or custom SAML connection, you’ll configure the home realm (or domains) to be recognized during authentication. All home realm domains must be unique across all connections in the environment.

If HRD is not in place, the end user must select the relevant login button to be taken through to the right authentication URL.

When you apply HRD in Kinde, the end-user is recognized and authenticated based on their email domain, without having to select or click anything.

For example, you could configure two different connections as follows:

  • Email addresses ending with enterpriseA.com use SAML connection A
  • Email addresses ending with enterpriseB.com use Entra ID connection B

In the back end, the end-user is linked to the correct identity provider via the connection, and they are silently authenticated.

So when Jude Watson arrives at the sign-in window and enters judewatson@enterpriseA.com, they are routed to the IdP for SAML connection A and authenticated.

How to show or hide the sign-in buttons?


Even if you have set up HRD, you can choose to show an SSO sign-in button so the user has to click to proceed. Learn more here.

Does HRD affect organization selection and default org settings?


Yes. When home realm discovery is active, enterprise users are routed directly to their identity provider based on their email domain — before any organization selection takes place. This has a few important implications:

  • The organization selector is bypassed — HRD takes precedence over any org selection screen. The user is authenticated into the organization associated with their enterprise connection without being prompted to choose.
  • The last-used organization setting is bypassed — The “remember last org” behavior does not apply to users authenticating via HRD. Their session is always tied to the organization configured for their enterprise connection.
  • Setting a default organization for enterprise users via org_code is not supported under HRD — Because HRD routes users before org selection occurs, passing org_code to override the destination organization is not supported for enterprise connections using home realm discovery. The user will always land in the organization linked to the matching enterprise connection.
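The routing rules above (email domain to connection, and connection to organization regardless of any org_code passed) can be modelled in a few lines. The following is an added example written for this page, not Kinde's own code or API: the connection names, home realm domains and org codes are constructed, and the handling of unmatched domains (hand the sign-in back to the universal login page, with any requested org_code passed through) is an assumption about the non-HRD flow rather than something the page specifies. It enforces the rule that a home realm domain may belong to only one connection in an environment, matches the full email domain exactly (a suffix test of "ends with enterprisea.com" would also accept lookalike domains such as notenterprisea.com), and ignores org_code for users routed by HRD.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Hypothetical model of an enterprise connection. Names, domains and org codes
# are constructed for this example and are not Kinde identifiers.
@dataclass(frozen=True)
class EnterpriseConnection:
    name: str                            # e.g. "SAML connection A"
    kind: str                            # "saml" or "entra_id"
    home_realm_domains: Tuple[str, ...]  # email domains that route here
    org_code: str                        # organization linked to the connection


CONNECTIONS: List[EnterpriseConnection] = [
    EnterpriseConnection("SAML connection A", "saml", ("enterprisea.com",), "org_a"),
    EnterpriseConnection("Entra ID connection B", "entra_id",
                         ("enterpriseb.com", "corp.enterpriseb.com"), "org_b"),
]


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and drop surrounding whitespace and a trailing dot."""
    return domain.strip().lower().rstrip(".")


def find_duplicate_domains(connections: List[EnterpriseConnection]) -> List[str]:
    """Return every home realm domain claimed by more than one connection."""
    seen, dups = set(), set()
    for conn in connections:
        for domain in conn.home_realm_domains:
            key = normalize_domain(domain)
            (dups if key in seen else seen).add(key)
    return sorted(dups)


def build_hrd_table(connections: List[EnterpriseConnection]) -> Dict[str, EnterpriseConnection]:
    """Map each home realm domain to exactly one connection.

    A duplicate domain is rejected at configuration time rather than silently
    resolving to whichever connection happened to be registered first.
    """
    dups = find_duplicate_domains(connections)
    if dups:
        raise ValueError(f"home realm domains used by more than one connection: {dups}")
    return {normalize_domain(d): c for c in connections for d in c.home_realm_domains}


def email_domain(email: str) -> Optional[str]:
    """Return the normalized domain part of an email address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return normalize_domain(domain)


def discover_connection(email: str, table: Dict[str, EnterpriseConnection]) -> Optional[EnterpriseConnection]:
    """HRD step: pick the connection whose home realm equals the email domain.

    Exact match on the whole domain, not a suffix test. None means no connection
    claims the domain, i.e. the universal login page keeps the user.
    """
    domain = email_domain(email)
    return table.get(domain) if domain is not None else None


def resolve_sign_in(email: str, table: Dict[str, EnterpriseConnection],
                    requested_org_code: Optional[str] = None) -> dict:
    """Decide where a sign-in attempt goes.

    Under HRD the destination org is always the one linked to the matching
    connection; a requested org_code is ignored for those users. For unmatched
    domains the request is handed to the universal flow with org_code untouched
    (an assumption of this example, not a rule the page states).
    """
    conn = discover_connection(email, table)
    if conn is None:
        return {"route": "universal", "connection": None, "org_code": requested_org_code}
    return {"route": "hrd", "connection": conn.name, "org_code": conn.org_code}


if __name__ == "__main__":
    hrd = build_hrd_table(CONNECTIONS)
    # The page's example user, with an org_code that HRD must ignore.
    print(resolve_sign_in("judewatson@enterpriseA.com", hrd, requested_org_code="org_b"))
    print(resolve_sign_in("someone@notenterprisea.com", hrd))
```

A practical check when adding a connection is to run find_duplicate_domains over the full environment first; the uniqueness rule is what makes the email domain a safe routing key, because a domain claimed twice would leave the destination IdP ambiguous.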