# ory-copilot
@chilly-king-10285 how to link an SSO account using Ory network with a custom UI
A message from kapa.ai
To link an SSO account using Ory Network with a custom UI, you need to implement the account linking functionality in your custom user interface. Here's a brief overview of how to achieve this:

1. First, ensure that you have configured at least two sign-up methods in your Ory project, including a social sign-in provider.
2. Implement a settings page in your custom UI where users can manage their account settings, including social sign-in options.
3. In the social sign-in section of your settings page, provide buttons or options for users to link available social sign-in providers.
4. When a user clicks on a button to link a social sign-in provider, you'll need to initiate the OAuth2 flow for that provider.
5. After successful authentication with the social sign-in provider, you'll need to send the obtained token to Ory Network to complete the account linking process.

To implement this in your custom UI, you'll need to use the Ory API endpoints for managing social sign-in providers and account linking. Unfortunately, the provided knowledge sources don't contain specific API details for implementing this functionality in a custom UI. For more detailed information on implementing a custom UI with Ory, you can refer to the following resources:

1. [Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration)
2. [Configure Ory to use your UI](https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui)

These resources provide general guidance on integrating a custom UI with Ory, but they don't specifically cover the account linking process. For detailed API information and specific steps to implement account linking in your custom UI, you may need to consult the Ory API documentation or reach out to Ory support for more specific guidance.
@chilly-king-10285 How does one link the SSO provider for a user under an Enterprise SSO Organization? In our case, each email domain will only map to one Organization, and each Organization will only have one SSO provider. I'm creating a settings flow like this:

```typescript
// Start a browser-based settings flow for the currently logged-in user
ory
	.createBrowserSettingsFlow({
		returnTo: returnTo,
	});
```
Then I update the settings flow like this:
```typescript
import { AxiosError } from "axios";
import type { UpdateSettingsFlowBody } from "@ory/client";

// Ask the settings flow to link the organization's OIDC provider
const body: UpdateSettingsFlowBody = {
	method: "oidc",
	link: "SSO_PROVIDER_FOR_ORG_HERE",
};

ory
	.updateSettingsFlow({
		flow: String(flow.id),
		updateSettingsFlowBody: body,
	})
	.then(({ data }) => {
		setFlow(data);
		if (returnTo) {
			router.push(returnTo || window.location.origin);
		}
	})
	.catch((err: unknown) => {
		// Linking an OIDC provider answers 422 with a redirect_browser_to URL
		if (err instanceof AxiosError && err.response?.status === 422) {
			const errorData = err.response.data;
			if (errorData.redirect_browser_to) {
				console.log(errorData.redirect_browser_to as string);
			}
		} else {
			setLoading(false);
		}
	});
```
That returns a 422 response that contains a `redirect_browser_to` field with a URL from my SSO provider. If I redirect the browser to the URL, it successfully links the SSO account, but then the user gets sent to an error page:

`An error occurred with the following message: The settings flow is disabled for this organization`

How else am I supposed to link an SSO provider without a settings flow? It seems like the settings flow half-way works, since it does link the SSO account. Am I approaching this the wrong way? I did try setting "After OIDC Redirect URL" to our application URL, no luck there.
A message from kapa.ai
Based on the information provided in the knowledge sources, I don't have enough specific details to fully address your question about linking an SSO provider for a user under an Enterprise SSO Organization using a custom UI. However, I can provide some insights and suggestions based on the available information.

1. Enterprise SSO Organizations: The concept of Enterprise SSO Organizations is mentioned in the [B2B Single Sign-On & SAML documentation](https://www.ory.sh/docs/kratos/organizations). It states that organizations contain multiple OIDC SSO connections, and all members of an organization must use one of the organization's OIDC SSO connections to log in.
2. Settings Flow for Organizations: There seems to be a limitation with the settings flow for organizations. The error message you're receiving ("The settings flow is disabled for this organization") suggests that the standard settings flow might not be the correct approach for Enterprise SSO Organizations.
3. Account Linking: The [User account linking documentation](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account) describes how users can link their accounts to social sign-in providers after they've signed up. However, this documentation seems to be focused on the Ory Account Experience rather than a custom UI.
4. SSO Connections for Organizations: The [Create SSO connections for an organization documentation](https://www.ory.sh/docs/kratos/organizations#create-sso-connections-for-an-organization) provides information on how to add SSO OIDC connections to an organization. This is done at the organization level, not the individual user level.

Given these points, it appears that the approach for Enterprise SSO Organizations might be different from the standard account linking process. Here are some suggestions:

1. Instead of using the settings flow, you might need to use a different API endpoint specifically for Enterprise SSO Organizations. Unfortunately, the knowledge sources don't provide information about such an endpoint.
2. The SSO connection might need to be set up at the organization level rather than the individual user level. You may need to check if the SSO provider is already configured for the organization and simply associate the user with it.
3. The redirect URL you're receiving (`redirect_browser_to`) seems to be the correct way to initiate the SSO linking process. The fact that it successfully links the account suggests this part is working as intended.
4. The error you're encountering after the successful link might be due to the settings flow being disabled for organizations. You might need to handle this redirect differently for Enterprise SSO Organizations.

Unfortunately, the provided knowledge sources don't contain enough information to give a definitive solution to your specific use case. It seems that handling Enterprise SSO Organizations with a custom UI might require a different approach than the standard settings flow. I would recommend reaching out to Ory support for more specific guidance on how to handle SSO linking for Enterprise SSO Organizations using a custom UI. They should be able to provide you with the correct API endpoints and workflow for your specific use case.
@chilly-king-10285 how to query for SSO providers. In particular, how to find the SSO provider of a given B2B org
A message from kapa.ai
To query for SSO providers, particularly to find the SSO provider of a given B2B organization, you can use the Ory API. Here's how you can do it:

1. First, you need to list the organizations in your project. You can do this using the following API endpoint:

```
GET /projects/{project_id}/organizations
```

This endpoint is described in the [Ory API Reference](https://www.ory.sh/docs/reference/api). You'll need to authenticate your request using your workspace API key.

2. Once you have the organization ID, you can get the details of the specific organization using:

```
GET /projects/{project_id}/organizations/{organization_id}
```

This endpoint is also described in the [Ory API Reference](https://www.ory.sh/docs/reference/api).

3. To get the SSO providers (OIDC connections) for the organization, you need to query the project configuration. You can use this curl command:

```bash
curl -X GET --location "https://api.console.ory.sh/projects/$PROJECT_ID" \
  -H "Authorization: Bearer $WORKSPACE_API_KEY" \
  | jq ".services.identity.config.selfservice.methods.oidc.config.providers"
```

This command is provided in the [Create SSO connections for an organization documentation](https://www.ory.sh/docs/kratos/organizations#create-sso-connections-for-an-organization). The response will include all SSO providers configured for your project. Each provider object in the response will include an `organization_id` field. You can filter the results to find the provider(s) associated with your specific organization. Here's an example of what a provider object in the response might look like:

```json
{
  "client_id": "...",
  "client_secret": "...",
  "id": "ory-GPx1yPH4",
  "issuer_url": "https://example.org",
  "label": "My OIDC provider",
  "mapper_url": "https://storage.googleapis.com/bac-gcs-production/94292215dbabe405bebff988b5356663fcf5cba35b10fc6ca2cfea7bc7049e906e01d271a3daeb844203efdfbf2cff356274daa63d5afc2a379bbe93b8b40e63.jsonnet",
  "organization_id": "6bb1c7d1-3b3e-4995-9e09-35649dc45a2b",
  "provider": "generic",
  "scope": ["openid", "offline_access", "email"]
}
```

You can match the `organization_id` in this response with the ID of the organization you're interested in. Remember to replace `$PROJECT_ID` and `$WORKSPACE_API_KEY` with your actual project ID and workspace API key when making these requests.