# feedback
h
Hey @crooked-jelly-294 thank you for the valuable feedback! Would you mind sharing what your desired flow looks like? We already had some discussions going on and I'm sure we can figure out a way to make your case work.
c
Thanks for the response. Our apps are invite only, and we are looking for multi-tenant federated IDP support (many different customers using their own Okta OIDC, for example, to log in to our apps). In short, here is our current desired invite flow: An admin from our company will pre-register a user (in Ory), setting any custom attributes (info relative to our system), provision them for specific apps, and onboard them into our internal systems so their data can be managed via our internal tools. The admin will then initiate an invite to a user via email with the list of websites they can log in to. The user clicks on a website from the email, and is automatically signed in to that site via their IDP, or lands on the Ory login page if not signed in. If not signed in, the user provides their email address, and Ory either requires a password or automatically redirects to the appropriate IDP login based on that email address. After successful login from their external IDP, the user's claims (first/last name, etc.) update in Ory, and the user begins using the app immediately. Some customers will not have an external IDP, and their users will log in with a password, but follow a similar invite flow. These apps are all web-based (browser apps).
h
Thanks @crooked-jelly-294, I think you could solve this with login codes:
1. Set up the user in Ory using the admin endpoint
2. Enable email code login, and enable “allow email code as fallback”
3. Send the user an email (need to do this yourself - “You have been invited …”) where you link to the login screen
4. User tries to log in with their email, receives a code
5. Enters code
6. User is signed in
@magnificent-energy-493 maybe we need to extend this in the docs for the invite flow?
c
Sorry, just saw your response. I will give it a try.
Unfortunately, enabling one-time code did not work as expected. After enabling the one-time code option, the Ory login form no longer sends my social sign-in user to the external IDP (Okta) if I opt not to use the code.
h
Maybe I misunderstood. Are you looking for this? https://www.ory.sh/docs/kratos/organizations
c
I know of the organizations. The main issue we're stuck on is automatically linking an external IDP OIDC user with a pre-registered user in Ory without needing to involve an Ory password. We met with Vincent a while back and he mentioned they would work on making it a button click or something else.
h
I see, it would probably make sense to pair you with product management to understand the requirement better and see what we can do. Why don't you reach out to aeneas@ory.sh and we set something up for next week?
@crooked-jelly-294 just following up on this 🙂
c
We met with Jonathan Clark and Vincent Kraus a couple of weeks ago and discussed things with them. I think they have it covered.
h
OK