# ory-network
a
We are adding Enterprise SSO to our SPA, and I am unsure how Enterprise SSO will affect our current invite flow. We do not have registration; you have to be invited by email. When someone invites another user we create an Ory identity for that user and send a recovery link by email. Is this approach still the way to go for SSO users? The recovery link will give them a session without requiring them to log in at the external login page, is this ok? Also, these users should not have to set an Ory password. How can the SSO id and the Ory identity be linked without the user having to explicitly do the linking (i.e. click a link button etc.)? Should I for instance redirect the user to the external login page when they access the recovery link, and then link the identities in the background when the user returns? Not sure what the recommended approach is, hopefully this has been solved before 🙂 Thanks for any advice!
Also, we are using Ory Elements. Is the `UserAuthCard` supposed to detect when the domain has an SSO provider associated with it? That happens on the OOB UI, but not when I use Ory Elements in my SPA, is this expected?
Figured it out. I have to set `organization` on the login flow.
b
I also had some questions about SSO when self-registration is disabled: https://ory-community.slack.com/archives/C02MR4DEEGH/p1724697900268399 I'm interested to see what the response is here
a
Seems our use cases are the same. The way I understand it now, if the linking needs to happen by entering their SSO credentials, while also having an Ory session in advance (to not be considered a new registration), doing it when they access a recovery link (not sure if you use that) could be an approach. But that relies on them completing the linking the first time they use that link, so it's not going to be great (i.e. they access the link, get a session, but then don't log in with the external IdP to complete the linking). The link is now expired, and the only way to recover is to receive a new recovery link by email. Have you tried something like that?
b
That does work. It does feel pretty janky though. Also, if the user doesn't set a password when they follow the recovery link, then when they try to log in, they get this confusing page where there's no password entry box.
Actually, after clearing cookies and then trying to log in again, I still get the `Registration is not allowed because it was disabled.` error. So that doesn't work.
What we decided to do is enable self-registration but point the "Sign up" link to a contact page instead of the default registration form. However, I do also have the same question Sverre did about SSO users having to set a password. Based on this, it sounds like there's no way for users in an Enterprise SSO Organization to link an SSO account without first setting a password? https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#security-considerations
a
We will also enable self-registration. My understanding is that it's not possible to link an account without setting the password, so we will have to continue to support recovery for these users after SSO is enabled for their domain. Since the recovery flow is disabled for domains connected to an organization, this will have to be through the admin API, which is a bit annoying. What are your thoughts on this?
b
Hmm yes, it's not ideal that on one hand Enterprise SSO accounts require a password but on the other hand some of their password functionality is disabled.