In our case, each email domain will only map to one Organization, and each Organization will only have one SSO provider I'm creating a settings flow like this:

ory
	.createBrowserSettingsFlow({
		returnTo: returnTo,
	})

Then I update the settings flow like this:

const body: UpdateSettingsFlowBody = {
	method: "oidc",
	link: "SSO_PROVIDER_FOR_ORG_HERE",
};
ory
	.updateSettingsFlow({
		flow: String(flow.id),
		updateSettingsFlowBody: body,
	})
	.then(({ data }) => {
		setFlow(data);
		if (returnTo) {
			router.push(returnTo || window.location.origin);
		}
	})
	.catch((err: unknown) => {
		if (err instanceof AxiosError && err.response?.status === 422) {
			const errorData = err.response.data;
			if (errorData.redirect_browser_to) {
				router.push(errorData.redirect_browser_to as string);
			}
		} else {
			setLoading(false);
		}
	});

That returns a 422 response that contains a

redirect_browser_to

field with a URL from my SSO provider. If I redirect the browser to the URL, it successfully links the SSO account, but then the user gets sent to an error page with this message:

An error occurred with the following message: The settings flow is disabled for this organization

How else am I supposed to link an SSO provider without a settings flow? It seems like the settings flow half-way works, since it does link the SSO provider to the identity. I just need to redirect back to my application after the SSO provider is linked instead of going to that error page I did try setting

After OIDC Redirect URL

to our application URL, no luck there

Yep, that works and is a lot simpler. I remember provisioning SSO users was a pain point we identified when we first evaluated Ory, so this is a great update 👍