# ory-network
b
Currently getting this error even though the identity in ORY with which I'm trying to sign-in does not have OIDC enabled. What's going on?
b
Do you have b2b sso/organizations defined?
b
Yes, I have a B2B SSO org setup though it is not connected to any accounts yet.
b
The organizations work by matching against the identity's email address. So if you define an org with the domain example.com, all accounts with an email address @example.com will be managed by the organization.
b
So, for context, I have a B2B SSO org that matches against the following domains (used example.com here instead of the actual domain for privacy/security):
• @mail.example.com
Let's call the problem account mark@example.com. As part of some testing, I registered this account using the B2B SSO config. I did this by typing mark@mail.example.com into the sign-up form, but then when signing in with my 3rd party IdP, I used mark@example.com. I saw the screenshotted error above when trying to access the settings page. So then I removed the OIDC authentication methods for this account using the /admin/identities API:
curl -X DELETE "${ORY_SDK_URL}/admin/identities/{identity-id}/credentials/oidc?identifier={oidc-credential-id}" \
  -H "Authorization: bearer ${ORY_API_KEY}"
However, when I try to access the settings page, I still see the error above. The strange thing is that when I try to log in with a different account that has never used the B2B SSO login flow (e.g. mark+temp@example.com), I am able to log in and access the settings page successfully. So it looks like there is some stale data introducing corruption and preventing login.
Turns out that the issue was that even when the OIDC connection is deleted, the organization_id field in the identity object is still non-null. Identity retrieved using:
curl -X GET "${ORY_SDK_URL}/admin/identities/{id}" \
  -H "Authorization: bearer ${ORY_API_KEY}" | jq -r
Replacing the organization ID with null solves the problem. This looks like a bug to me. If an Enterprise SSO OIDC connection is disconnected from an identity, the organization ID should also be deleted from the identity metadata, correct?
Also, it would be very helpful if the documentation could be updated with the details of this bug/behaviour.
b
Thanks for the detailed write-up. And yes, I think this is a bug, and the documentation is probably lacking the details here. Sorry about that. cc @narrow-van-43826 @magnificent-energy-493
r
It is not entirely obvious to me that this is a bug. If you delete the OIDC connection, do you expect the users who have signed up with B2B SSO to simply be released into the "normal"/"public" user pool? That seems to me like it would have a bunch of weird implications.
m
So the scenarios are a) user mistypes their email b) delete organisations? We can add a guide on how to handle these. I agree that you probably don't want to add them to normal users when you delete the org. But then again I haven't seen this yet before.
b
> If you delete the OIDC connection, do you expect the users who have signed up with B2B SSO to simply be released into the "normal"/"public" user pool? That seems to me would have a bunch of weird implications.
Yes, we would not want such users to be released into the public pool in our use case. The situation above was encountered because I was trying to test out the Enterprise SSO registration flow for only 1 of N users in the organisation, before releasing it to all users. So I had to use the hack of a "mis-typed" email domain - mail.example.com instead of example.com. A better solution could come through the ability to enable Enterprise SSO for individual email addresses within a given domain. This would simplify testing before full roll-out.