# ory-network
c
Hi, I was wondering if there's a way we could implement an invite-only flow but force the user to use SSO to log in rather than reset a password. Basically what I want to do is:
• Invite user and create the shadow account in Ory
• Trigger the recovery flow
• Then when the user clicks the link, I want to force them to use the SSO provider associated with the email rather than have them set a password
b
A couple of us had the same question: https://ory-community.slack.com/archives/C02MR4DEEGH/p1725274868511209
The correct approach here isn't clear. For now we're just having SSO users set a password.
c
I managed to hack something, maybe it helps people out:
1. We create the account and trigger the recovery flow as described in their docs for invite
2. When the user clicks the link sent to them they are in an elevated session
3. Instead of making them set a password we redirect to linking the desired SSO provider (Google in our case)
It worked with registration disabled for us, but it's not ideal; theoretically the password flow is still active. I assume I can use a post login hook to block authentication if people use a password 🤷‍♀️
b
> Instead of making them set a password we redirect to linking the desired SSO provider
Where are you doing that redirect? Do you have a custom UI?
c
Yes
b
Ah ok. I think we'll eventually end up with a custom UI so we should be able to do that then. Thanks!
c
No worries