# ory-copilot
@chilly-king-10285 example for how to handle enterprise SSO in custom ui with react/next.js
A message from kapa.ai
I apologize, but I couldn't find specific information about handling enterprise SSO in a custom UI with React/Next.js in the provided knowledge sources. The documents mainly focus on basic authentication flows and custom UI integration with Ory, but they don't contain details about enterprise SSO implementation. However, I can provide some general guidance based on the available information:

1. Ory provides SDKs and integration examples for React and Next.js applications. You can start by setting up a basic custom UI using these tools.
2. The custom UI examples typically use the Ory SDK to interact with Ory's authentication APIs. You would likely need to extend this to handle enterprise SSO flows.
3. You might need to configure your Ory project to support the specific enterprise SSO providers you want to use.
4. In your React/Next.js application, you would probably need to add UI elements and logic to initiate the SSO flow and handle the response.

For more specific guidance on implementing enterprise SSO with a custom UI in React/Next.js, I recommend checking the official Ory documentation or reaching out to Ory support. The knowledge sources provided don't contain enough detailed information to give a comprehensive answer to your question.

If you're looking for basic custom UI integration examples with React or Next.js (without enterprise SSO), you can refer to these resources:

1. [Custom UI examples](https://www.ory.sh/docs/getting-started/custom-ui)
2. [Integrate authentication into Next.js](https://www.ory.sh/docs/getting-started/integrate-auth/nextjs)

These examples might provide a starting point for building your custom UI, which you could then extend to support enterprise SSO.
@chilly-king-10285 I'm getting a 404 here $mycustomdomain/projects/$myprojectid/organizations
A message from kapa.ai
Based on the information provided in the knowledge sources, I can offer some insights into why you might be encountering a 404 error when trying to access organizations for your project. The endpoint you're trying to access seems to be incorrect. According to the Ory API Reference, the correct endpoint for listing organizations should be:

```
GET https://api.console.ory.sh/projects/{project_id}/organizations
```

Here are a few points to consider:

1. Endpoint: Make sure you're using the correct base URL. Instead of `$mycustomdomain`, you should be using `https://api.console.ory.sh`.
2. Project ID: Ensure that `$myprojectid` is correctly replaced with your actual project ID.
3. Authentication: This endpoint requires authentication. Make sure you're including a valid authorization header with your request. As per the documentation, you should use a workspace API key:

```
-H "Authorization: Bearer $WORKSPACE_API_KEY"
```

4. Permissions: Ensure that you have the necessary permissions to access this endpoint. A 403 Forbidden error in the response would indicate a permissions issue.
5. API Availability: Organizations are only available in Ory Network and are not supported in self-hosted Ory Kratos. Make sure you're using Ory Network for this feature.

Here's an example of how to correctly make this request using curl:

```bash
export PROJECT_ID="your_project_id"
export WORKSPACE_API_KEY="your_workspace_api_key"

curl -X GET --location "https://api.console.ory.sh/projects/$PROJECT_ID/organizations" \
     -H "Authorization: Bearer $WORKSPACE_API_KEY"
```

If you're still encountering issues after verifying these points, you may want to check the [Ory API Reference](https://www.ory.sh/docs/reference/api) for any updates or changes to the API endpoints. If the problem persists, consider reaching out to Ory support for further assistance.
@chilly-king-10285 is there any way to get the organizations with a regular project key?
A message from kapa.ai
Based on the information provided in the knowledge sources, I'm afraid there isn't a way to get the organizations with a regular project API key. The documentation is quite clear on this point. Let me explain why:

1. Authentication requirement: According to the [Ory API Reference](https://www.ory.sh/docs/reference/api), the `listOrganizations` endpoint specifically requires authentication using a workspace API key (`oryWorkspaceApiKey`).
2. Workspace vs Project API keys: The [Ory Network API Keys documentation](https://www.ory.sh/docs/concepts/personal-access-token#workspace-api-keys-vs-project-api-keys) provides a clear distinction between what operations can be performed with Workspace API keys versus Project API keys. It states that only Workspace API keys can be used for "CRUD B2B SSO organizations" (Create, Read, Update, Delete operations on organizations).
3. Base URL difference: The documentation also notes that Workspace API keys use the base URL `api.console.ory.sh`, while Project API keys use `$PROJECT_SLUG.projects.oryapis.com`. The organizations endpoint is part of the Workspace API.
4. Explicit mention: The [B2B Single Sign-On & SAML documentation](https://www.ory.sh/docs/kratos/organizations) specifically mentions that to manage organizations via the API, you need to "create a workspace API key".

Given these points, it's clear that you cannot use a regular project API key to get the organizations. You must use a workspace API key for this operation. If you need to perform this operation and only have a project API key, you would need to create a workspace API key in the Ory Console. The process for creating a workspace API key is described in the [Authorizing Ory Network Workspace Admin APIs](https://www.ory.sh/docs/concepts/personal-access-token#authorizing-ory-network-workspace-admin-apis) section of the documentation.

Remember, workspace API keys have broader permissions, so they should be handled with extra care and security considerations.
@chilly-king-10285 Please retry the flow and optionally clear your cookies. The request was rejected to protect you from Cross-Site-Request-Forgery (CSRF) which could cause account takeover, leaking personal information, and other serious security issues.
```typescript
import { Configuration, FrontendApi } from "@ory/client";

declare global {
	// Exposed on the global object in development so the client can be inspected from devtools
	var _oryClient: FrontendApi;
}

class Ory extends FrontendApi {
	private static _instance: Ory;

	private client: FrontendApi;

	constructor() {
		super();
		// withCredentials: true makes the browser send the Ory session and CSRF cookies on cross-origin requests.
		// Note: in Next.js only NEXT_PUBLIC_-prefixed variables are inlined into browser bundles,
		// so ORY_API_URL is only defined when this module runs server-side.
		this.client = new FrontendApi(
			new Configuration({
				basePath: process.env.ORY_API_URL,
				baseOptions: {
					withCredentials: true,
				},
			})
		);

		if (process.env.NODE_ENV === "development") {
			global._oryClient = this.client;
		}
	}

	public static get instance() {
		// eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
		if (!this._instance) {
			this._instance = new Ory();
		}
		return this._instance.client;
	}
}

const client = Ory.instance;

export default client;
```

```typescript
// Excerpt from the login component: `ory` is the client exported above,
// `searchParams`, `setFlow`, `flow` and `body` come from the surrounding component.

// Start (or refresh) a browser login flow and keep the returned flow in state
ory
	.createBrowserLoginFlow({
		returnTo: searchParams.get("return_to") || process.env.NEXT_PUBLIC_ORY_CALLBACK_URL,
		refresh: true,
	})
	.then(({ data: oryFlow }) => {
		setFlow(oryFlow);
	});

// On submit: send the form body for the flow that was started above
await ory
	.updateLoginFlow({
		flow: flow.id,
		updateLoginFlowBody: body,
	});
```
A message from kapa.ai
The error message you're encountering is related to Cross-Site Request Forgery (CSRF) protection in Ory. This is a security feature to prevent unauthorized actions on behalf of authenticated users. Let's analyze the issue based on the provided code and the knowledge sources:

1. CSRF Protection: Ory implements CSRF protection for all flows, including login. As mentioned in the [Integration basics documentation](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#debug), you must send a CSRF token in the body and CSRF cookie back when submitting a flow.
2. Cookie Handling: Your code sets `withCredentials: true` in the configuration, which is correct. This ensures that cookies are sent with cross-origin requests.
3. CSRF Token: The error suggests that the CSRF token is missing or incorrect. In your `updateLoginFlow` call, you're not explicitly including the CSRF token.

To resolve this issue, try the following:

1. Ensure you're mapping the CSRF token from the login flow UI nodes. Look for an input field with the name `csrf_token` and the `hidden` attribute.
2. Include the CSRF token in your `updateLoginFlowBody`. Here's an example of how to do this:

```typescript
import type { UiNodeInputAttributes } from "@ory/client";

// UiNode.attributes is a union type; narrow to input attributes before reading name/value
const csrfToken = flow.ui.nodes
  .map((node) => node.attributes)
  .filter((attrs): attrs is UiNodeInputAttributes => attrs.node_type === "input")
  .find((attrs) => attrs.name === "csrf_token")?.value;

// The token must be submitted in the body alongside the form data;
// the matching CSRF cookie is sent automatically because withCredentials is true
const body = {
  ...formData,
  csrf_token: csrfToken,
};

await ory.updateLoginFlow({
  flow: flow.id,
  updateLoginFlowBody: body,
});
```

3. If the issue persists, try clearing your browser cookies and cache, then restart the flow.
4. Ensure you're using the latest version of the `@ory/client` package, as older versions might have issues with CSRF handling.
5. Double-check that your Ory project is correctly configured for CORS if you're making cross-origin requests. You may need to [add your domain](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration#debug) to the Ory Project settings.

If you continue to face issues after implementing these changes, you might want to check the network tab in your browser's developer tools to ensure the CSRF cookie is being set and sent correctly with your requests. For more detailed information on handling CSRF in Ory, refer to the [CSRF troubleshooting documentation](https://www.ory.sh/docs/troubleshooting/csrf).

Remember, it's crucial to handle CSRF correctly to maintain the security of your application. If you're still encountering problems after trying these solutions, you may need to reach out to Ory support for more specific assistance with your configuration.
@chilly-king-10285 can you have multiple identities associated with the same email address?
A message from kapa.ai
Based on the knowledge sources provided, it appears that Ory Identities (Kratos) does not support having multiple identities associated with the same email address by default. Here's why:

1. Unique Identifiers: According to the [Ory Identities documentation](https://www.ory.sh/docs/kratos/concepts/credentials), each credential - regardless of its type - has one or more identifiers attached to it, and each identifier is universally unique. This means that if you try to create or update an identity with an email address that's already associated with another identity, the system will reject the request with a 409 Conflict state.
2. Credential Types: While it's possible to have the same identifier (like an email address) across different credential types (e.g., password and OIDC), it's not possible to have multiple separate identities with the same email address for the same credential type.
3. Account Linking: Ory does support [automatic account linking](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#automatic-account-linking) for social sign-in accounts. However, this feature links different authentication methods to the same identity, rather than creating multiple separate identities.
4. Security Considerations: The uniqueness of email addresses is a security feature. As mentioned in the [documentation about choosing between username, email, and phone number](https://www.ory.sh/docs/kratos/manage-identities/customize-identity-schema#choosing-between-username-email-and-phone-number), using email as a unique identifier helps prevent certain types of attacks and confusion.

However, there is one scenario where you might encounter what appears to be multiple identities with the same email:

5. Different Credential Types: As stated in the [credentials documentation](https://www.ory.sh/docs/kratos/concepts/credentials), "While credentials must be unique per type, there can be duplicates amongst multiple types."

This means you could have one identity using an email for password login and another identity using the same email for OIDC login. But these would still be treated as separate identities by the system. If you need to associate multiple accounts or roles with a single email address, you might need to consider alternative approaches, such as using a different unique identifier or implementing a custom solution on top of Ory's identity management. For more detailed information on identity management in Ory, you can refer to the [Identity Model documentation](https://www.ory.sh/docs/kratos/manage-identities/overview).