Domain capture is a feature that blocks users in your domain from creating a Read AI account unless they are invited to join your workspace. This helps ensure that everyone in your organization who is using Read AI belongs to your workspace, and as a result, follows the same default settings, permissions, and policies that you've configured for your workspace.
Domain capture is only available to Enterprise+ customers, and can be enabled from your workspace settings.
How domain capture works
There are two different ways that domain capture can be implemented with Read AI. This article describes the more basic method; if you are also using SAML with Read AI, you should read Enforcing SAML for users in your domain. With both methods, you will first need to verify your ownership of the domain(s) you want to capture.
The basic version of domain capture prevents users from creating new accounts unless they've been invited to join your workspace. Once invited, they'll receive an email with a link to create their account, and when they do, they will automatically get added to your workspace.
Without an invitation, anyone whose email domain matches one of your verified domains will receive an error when they try to create an account.
Pre-existing accounts in your domain(s) can continue using Read AI without any impact, unless you enable the Block Non-Workspace Domain Accounts setting (more details below).
Domain capture with SAML
If you have SAML enabled, there's an additional setting you can turn on for a version of domain capture that works with SAML. The setting is called "Enforce SAML on Verified Domains", and you can learn more about it here: Enforcing SAML for users in your domain.
In addition to letting you manage who should and shouldn't be allowed to create a Read AI account, this setting will automatically block pre-existing users in your domain from logging in to Read AI if they aren't authorized via SAML.
How to enable domain capture
Prerequisites
In order to turn on domain capture, you'll need:
- a Read AI workspace with the Enterprise+ subscription
- verified ownership of the domain(s) you want to capture
- someone who is an admin in your workspace
Step-by-step instructions
Have an admin go to Workspace Settings and expand the Advanced (Enterprise+ Plan Required) section.
1. Make sure you have already added and verified all domains that you want to capture users from (based on their email address).
2. Turn on the Domain Capture setting.
(Note: If you also use SAML with Read AI and enable the "Enforce SAML on Verified Domains" setting, that will take precedence over the basic "Enable Domain Capture" setting.)
Auto-join
3. Decide whether you want to enable auto-join. When enabled, this will automatically add users to your workspace when they sign up or log in to Read with an email address matching one of your verified domains. (This setting is only available once domain capture is enabled.)
Block non-workspace accounts
4. Decide whether you want to block non-workspace domain accounts. This effectively applies domain capture retroactively to accounts that were created before you enabled it. (This setting is only available once domain capture is enabled.)
If Block Non-Workspace Domain Accounts is enabled:
- Users with primary emails matching the captured domain can log in only if they are members of that workspace.
- Accounts outside the workspace using the captured domain will be blocked - they won’t be able to log in or use Read AI.
- Blocked users will receive an email notification and, if they try to log in and are unsuccessful, a clear message explaining that they’re blocked and how to get unblocked.
- Users can be unblocked only by receiving a workspace invitation, by successfully logging in to Read (i.e. via SAML SSO), or by the admin turning off the “Block Non-Workspace Domain Accounts” option.
Auto-charge
5. Decide whether you want to enable license auto-charge. If you reach your license cap but new users join the workspace, this will automatically generate an invoice for those new users.