Hi, how does one link an SSO provider to a user un...
# ory-network
b
Hi, how does one link an SSO provider to a user under an Enterprise SSO Organization when using a Custom UI? Details in thread
In our case, each email domain will only map to one Organization, and each Organization will only have one SSO provider. I'm creating a settings flow like this:
```ts
ory
	.createBrowserSettingsFlow({
		returnTo: returnTo,
	})
```
Then I update the settings flow like this:
```ts
import { AxiosError } from "axios";
import type { UpdateSettingsFlowBody } from "@ory/client";

// Ask the settings flow to link the organization's OIDC provider.
const body: UpdateSettingsFlowBody = {
	method: "oidc",
	link: "SSO_PROVIDER_FOR_ORG_HERE",
};
ory
	.updateSettingsFlow({
		flow: String(flow.id),
		updateSettingsFlowBody: body,
	})
	.then(({ data }) => {
		setFlow(data);
		if (returnTo) {
			router.push(returnTo || window.location.origin);
		}
	})
	.catch((err: unknown) => {
		// A 422 response carries redirect_browser_to, the URL the browser must visit next.
		if (err instanceof AxiosError && err.response?.status === 422) {
			const errorData = err.response.data;
			if (errorData.redirect_browser_to) {
				router.push(errorData.redirect_browser_to as string);
			}
		} else {
			setLoading(false);
		}
	});
```
That returns a 422 response that contains a `redirect_browser_to` field with a URL from my SSO provider. If I redirect the browser to the URL, it successfully links the SSO account, but then the user gets sent to an error page with this message:
An error occurred with the following message: The settings flow is disabled for this organization
How else am I supposed to link an SSO provider without a settings flow? It seems like the settings flow half-way works, since it does link the SSO provider to the identity. I just need to redirect back to my application after the SSO provider is linked instead of going to that error page. I did try setting `After OIDC Redirect URL` to our application URL, no luck there.
b
In B2B SSO scenarios, you can't use the settings flow, and don't need to link the provider explicitly. We have now also added the option to automatically link pre-provisioned users to an OIDC provider: https://www.ory.sh/docs/kratos/organizations#pre-provisioning-identities-in-an-organization
b
Ah excellent, I'll try that. Thanks
Yep, that works and is a lot simpler. I remember provisioning SSO users was a pain point we identified when we first evaluated Ory, so this is a great update 👍