Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi,

We've ran into a bit of an issue with SSO when registration is disabled

We can create an identity programmatically with the API, but when the user tries to login via SSO, they get the error message "Registration is not allowed because it was disabled."

I see there is this documentation. But it requires asking for the user's subject from their IdP in advance, which isn't really a scalable solution
<https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#social-sign-in-connections>

Ideally, Ory wouldn't consider adding an SSO provider on a pre-existing identity to be a registration in the context of the "Enable registration" setting, or there would be a separate setting for this

I don't really see a clean way to work around this since the before registration hook doesn't fire if registration is disabled

This seems like it would be a common use case for B2B applications