Federation Redirection Workflows
There are two possible redirection workflows for federated identities.
1. Default behavior: Redirect TID users to the appropriate Identity Provider based on their email domain
- The application calls the Trimble Identity /authorize endpoint e.g.,
https://stage.id.trimblecloud.com/oauth/authorize?client_id={client_id}&redirect_uri={callback_url}&response_type=code&scope=openid%20{application_name} - The browser redirects to the standard TID sign-in page.
- The user enters their email address.
- Trimble Identity recognizes the email domain as a claimed domain and redirects to the customer’s Identity Provider.
- The user competes their sign-in in their federated Identity Provider. A Trimble Identity token is returned to the client application.

2. Redirect to a specific federated Identity Provider using the identity_provider url parameter
- The application calls the Trimble Identity /authorize endpoint while specifying the identity_provider url parameter, e.g.
https://stage.id.trimblecloud.com/oauth/authorize?client_id={client_id}&redirect_uri={callback_url}&response_type=code&scope=openid%20{applicaiton_name}&identity_provider={federation_id} - The browser redirects immediately to the federated Identity Provider sign-in page.
- The user competes their sign-in in their federated Identity Provider. A Trimble Identity token is returned to the client application.
