# general
s
Hi there! I am building a SaaS application where each person gets their own website on either their custom domain or my subdomain. Is it by any chance possible to have login/register forms on that website (which is controlled by me) so they do not need to go through the process of being redirected to my main application? That would help a lot if possible, since with that I can allow my customers to hide the SaaS app branding; without it, they will probably see the domain of the app when redirected for login. I do not need sessions to be shared across all those subdomains/custom domains they assign, so they need to explicitly log in. Can I utilize a reverse proxy to proxy it to the same instance and override cookie names, etc., or use some different approach?
m
Hello @steep-greece-67535. So you have a scenario where your users have their own custom domain and you want to display login/register forms on that website? So they would set up the custom domain before they register? I don't think I fully understand the flow you are proposing; do you have some sort of diagram for it maybe? If you don't need to share sessions across custom domains it makes things a lot easier. Overriding cookie names sounds like a bad idea, but again I am not sure I fully understand what you are looking for.
s
Hi, here is a better explanation so you can better understand my needs. In my SaaS application each customer (e.g., a business owner) gets their own booking website, which can be hosted on:
• A custom domain (e.g., business1.com)
• A subdomain of my platform (e.g., business1.onapp.com)
• Or both, or many custom domains
The setup:
1. Administrator Backoffice: Business owners log into a backoffice (e.g., admin.app.com) to manage their business, set up services, and configure their booking website.
2. Public Booking Websites: Each business has a booking website (e.g., business1.onapp.com or business1.com), where their customers (end-users) can browse services and book appointments.
The login requirement:
• End-users should be able to log in or register directly on the booking website (business1.onapp.com or business1.com) without being redirected to app.com.
• These login forms would authenticate users against the same user database, but each business's booking website would handle authentication independently (i.e., sessions don't need to be shared across different businesses).
• The goal is to allow white-labeling, so the business's customers don't see my SaaS branding in the authentication process.
I hope this helps.
m
I see. Ory does offer a solution for this called "multi-brand" - see the docs here: https://www.ory.sh/docs/kratos/bring-your-own-ui/configure-ory-to-use-your-ui#multiple-custom-domains You can configure multiple custom domains for your project/tenant on Ory Network - then the users can register on any of the domains and use the same credentials across multiple domains. With subdomains only it also works without the multi-brand feature; you only need it if you have multiple different TLDs. As for the exact setup, I would recommend having one project for your Administrator backoffice - I assume this domain is always the same - and one (or several) projects for the end-users. This does mean that all the end-user booking websites would share identities - meaning if I create an account at business1.com I can also authenticate with the same credentials at business2.com - not sure if that is how you would intend it. If they should not share identities then I would recommend a project per booking website (here it depends how many of those you have; technically there are no limits, but it can be a bit confusing to manage if you have e.g. >100). The above is a feature of Ory Network - the managed service.
s
Identities will be shared across all booking websites / domains, so if a user has an account at business1.com they can log in with the same credentials at business2.com or at app.com. I think that simplifies the process a lot because business owners do not have access to or management over their client identities (an owner can just remove a client from that business so they can't access that business, but they still have an account to access any other business they are part of, or create their own business). So for this use case, do I still need to use Ory Network, or can it be achieved on a self-hosted instance via a reverse proxy or something similar? Another approach would be using a unified domain for all authentication like id.app.com and connect.app.com, but that would be my last choice if nothing else is possible.
m
owner can just remove it from that business
How do you imagine this part in practice? If the identities are shared across all domains then how can an owner of one domain remove the identity? I guess you could implement some kind of deny-list on a per-domain basis, but that would require extra code🤔
So for this use case, do I still need to use Ory Network, or it can be achieved on self host instance via Reverse Proxy or something similar?
Well, everything is possible 😉 but Ory Network has this "out-of-the-box". I am not sure how you would do this multi-tenant setup when self-hosting. You can scale Kratos horizontally, but it is recommended not to do this on your own as it gets very complex quickly.
s
How do you imagine this part in practice?
In my API there will be a business-identity relation table; if that identity isn't part of the business we will just prevent login, or allow login and show a message like "not allowed". That is handled outside of Kratos/Hydra.
I am not sure how you would do this multi-tenant setup when self-hosting.
Multi-tenancy is already implemented within my application as identity-business relations. With Kratos we only care about identities and treat them separately, so I just need a way to log in / register a user to one and the same user base, not multiple. And I do not need shared sessions, e.g. a user logged in at business1.com who needs to be logged into business2.com as well; we will just let them log in again, and save those sessions only for that domain. But credentials overall are shared and they should be in one Kratos instance. I hope this helps you better understand my situation.
but Ory Network has this "out-of-the-box".
I have that in mind for the future if and when my application grows. Right now it's still in development and a very small startup, so we're focused on keeping costs low. That feature is part of Ory Kratos' Enterprise plan, which we don't really need at the beginning.
m
Oh, I see, now I understand why you were proposing the proxy rewrite 🤔 I am not really sure how that would work in practice though, to be honest. You could maybe do something with Ory Oathkeeper; here are some example snippets for it: https://github.com/ory/awesome-ory/tree/master/oathkeeper (+ docs)
s
Okay, I will explore and try to do something with it. Appreciate your help!
s
In general this sounds very much like an OAuth2/OIDC use-case. See this post for details on where it makes sense: https://www.ory.sh/blog/oauth2-openid-connect-do-you-need-use-cases-examples
As a user, I'd be confused and would not trust to use the same credentials on different (seemingly unrelated) domains. Also, stuff like webauthn/passkeys/social credentials get super tricky. I know because we had to make it work for Ory Network 😅
Also, from experience with what we heard from other similar customers, you should probably use separate user pools from the get-go. Eventually, you will have a customer who wants to use a specific SSO provider, SCIM, manage all their users, or some other complex requirement that will be a nightmare to implement in a single system.
My recommendation:
• one Kratos instance (or Ory Network project) per customer: this has all the user info and provides sessions, as well as running on the customer CNAME or subdomain
• one Hydra+Kratos combo (or Ory Network project) for your centralized federated "default" user pool
s
As a user, I'd be confused and would not trust to use the same credentials on different (seemingly unrelated) domains. Also, stuff like webauthn/passkeys/social credentials get super tricky. I know because we had to make it work for Ory Network
You are right. This is the thing that I never thought of, and it makes so much sense!
Also, from experience with what we heard from other similar customers, you should probably use separate user pools from the get-go. Eventually, you will have a customer who wants to use a specific SSO provider, SCIM, manage all their users, or some other complex requirement that will be a nightmare to implement in a single system.
I am thinking about that now after you opened my eyes to those issues. But here is the problem: since my niche is salon booking and scheduling, I might need a centralized shared user base. If a salon client books appointments at multiple salons (for nails, hair, etc.), it would be easier for them to use shared credentials rather than remembering different login details for each salon. On the other hand, salon owners may explicitly want their clients to be associated only with their salon, or to use a specific SSO provider, as you mentioned. So now I'm stuck on what works best and what should be used in this scenario. If you have any suggestions, I'd love to hear them. However, this issue doesn't seem directly related to Ory, so it feels more like my own problem to solve. Anyway, thanks for the help, guys. Without it, I would probably have gone the wrong way.
s
Sounds like you want to use the centralized "My salon-booking.com account" approach I outlined above, using OIDC to sign into the salon booking app with the same account. So the same way you can use Google to sign into other apps, but for you as the user it is clear that your Google account is different.
s
Yes, I will go with that approach initially and then switch to multiple instances or multi-tenancy on Ory Network if needed. Thanks Patrik!