<@U04UQ68083H> ory tunnel --dev --project xxx <htt...
# ory-copilot
b
@chilly-king-10285

```
ory tunnel --dev --project xxx http://localhost:3000
Error: No project found with slug or ID xxx. All known slugs: [yyy]
```

project slug xxx does exist in the same workspace as yyy. Where is the list of "known slugs" coming from?
b
A message from kapa.ai
The error message you're seeing indicates that the Ory CLI can't find a project with the slug or ID "xxx" in your list of known projects. The list of "known slugs" comes from the projects that are associated with your current Ory CLI session. When you authenticate with the Ory CLI, it retrieves the projects you have access to in your workspace. The error message is showing that only project "yyy" is known to your current CLI session.

There are a few possible reasons for this issue:

1. You might be logged into a different Ory account or workspace than the one containing project "xxx"
2. The project might exist but your current user doesn't have access to it
3. There might be a typo in the project slug or ID

To resolve this, you can try:

1. Verify the correct project slug by listing all your projects:

```bash
ory list projects
```

2. If you need to switch to a different project, you can use:

```bash
ory use project <project-id-or-slug>
```

This will set the specified project as your default [as documented in the CLI reference](https://www.ory.sh/docs/cli/ory-use-project#ory-use-project).

3. If you're working with multiple workspaces, make sure you're in the correct workspace that contains both projects.

If project "xxx" truly exists in the same workspace as "yyy" but isn't showing up, you might need to log out and log back in to refresh your session, or check your permissions for that project.

Remember that the Ory Tunnel is essential for local development as it allows Ory APIs to be exposed on the same domain as your application, which is necessary for cookie-based authentication to work properly [as explained in the documentation](https://www.ory.sh/docs/getting-started/local-development#local-development).
b
@chilly-king-10285 if a company is using Microsoft Authenticator for SSO, how would I create the integration in Enterprise SSO in Ory?
b
A message from kapa.ai
To integrate Microsoft Authenticator for SSO with Ory's Enterprise SSO, you'll need to set up a SAML or OIDC connection between your Microsoft identity provider and Ory. Here's how to do it:

## Setting up Microsoft SSO in Ory

You can set up Microsoft as a social sign-in provider or as an Enterprise SSO connection in Ory:

### Option 1: Using Microsoft as a Social Sign-In Provider

1. Go to Authentication → Social Sign-In in the [Ory Console](https://console.ory.sh/projects/current/social-signin)
2. Click the switch next to the Microsoft logo to start configuration
3. Copy the Redirect URI from Ory (you'll need this for Azure setup)
4. In the Azure portal:
   - Go to Microsoft Entra ID
   - Register a new application
   - Choose the appropriate account type (for social sign-in: "Accounts in any organizational directory and personal Microsoft accounts")
   - Add the Redirect URI from Ory
   - Copy the Application (client) ID, Directory (tenant) ID, and create a client secret
5. Paste these values into the corresponding fields in Ory Console
6. Add the `email` and `profile` scopes for basic setup
7. Click "Save Configuration"

[Microsoft Social Sign-In Documentation](https://www.ory.sh/docs/kratos/social-signin/microsoft)

### Option 2: Using Enterprise SSO with SAML

If you're specifically looking to use Microsoft Authenticator as part of your enterprise SSO solution, you'll want to set up a SAML connection:

1. Go to Authentication → Enterprise SSO in the [Ory Console](https://console.ory.sh/projects/current/authentication/organizations)
2. Create an organization or select an existing one
3. Select "Add a new Enterprise SAML SSO connection"
4. Fill out the form with:
   - Label: A descriptive name for the SAML connection
   - Data mapping: A mapping from SAML attributes to Ory's identity schema
   - Raw IDP metadata XML: The XML metadata file from your Microsoft SAML Identity Provider

[SAML Documentation](https://www.ory.sh/docs/kratos/organizations#saml)

Alternatively, you can use the API to set up the organization and SAML connection:

```bash
# Create an organization
curl -X POST --location "https://api.console.ory.sh/projects/$PROJECT_ID/organizations" \
  -H "Authorization: Bearer $WORKSPACE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
        "label": "Microsoft SSO organization",
        "domains": ["yourdomain.com"]
      }'

# Enable SAML authentication
curl -X PATCH --location "https://api.console.ory.sh/projects/$PROJECT_ID" \
  -H "Authorization: Bearer $WORKSPACE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '[
        {
          "op": "replace",
          "path": "/services/identity/config/selfservice/methods/saml/enabled",
          "value": true
        }
      ]'
```

Note that SAML is available exclusively on select Enterprise plans, so you may need to [contact Ory](https://www.ory.sh/contact/) if you need SAML support.

### Troubleshooting

If you encounter issues with your Microsoft SSO integration, common problems include:

- Redirect URI mismatch
- Redirect loops during registration
- Domain verification issues

For troubleshooting, refer to the [Social sign-in troubleshooting documentation](https://www.ory.sh/docs/troubleshooting/troubleshooting-social-sign-in).
b
@chilly-king-10285 error on sso login
```json
{
  "id": "93661bdb-d9f2-42c8-a468-a03b9c1218ae",
  "error": {
    "code": 500,
    "message": "oauth2: \"invalid_client\" \"The client secret supplied for a confidential client is invalid.\"",
    "status": "Internal Server Error"
  },
  "created_at": "2025-03-26T20:37:16.082332Z",
  "updated_at": "2025-03-26T20:37:16.082332Z"
}
```
b
A message from kapa.ai
I can see you're encountering an OAuth2 error during SSO login with Ory. This error indicates an issue with client authentication.

## Understanding the Error

The error message `"invalid_client" "The client secret supplied for a confidential client is invalid"` suggests that there's a problem with the client credentials being used during the OAuth2 flow. This typically happens when:

1. The client secret doesn't match what's configured on the server
2. The client authentication method is incorrect
3. The client ID might be wrong or the client doesn't exist

## Troubleshooting Steps

Here are some steps to resolve this issue:

### 1. Verify Client Configuration

Check that your OAuth 2.0 Client has the correct configuration:

```bash
ory get oauth2-client {client.id}
```

This will show you the client configuration (excluding the secret). Make sure the values are correct, especially the `token_endpoint_auth_method` [as documented in the troubleshooting guide](https://www.ory.sh/docs/hydra/debug/token-endpoint-auth-method).

### 2. Check Authentication Method

By default, OAuth 2.0 clients use HTTP Basic Authorization (`client_secret_basic`). If you're trying to authenticate with credentials in the POST body, but your client is configured for basic auth, it will fail. Verify your client's authentication method:

```bash
ory get oauth2-client {client.id}
```

Look for the `token_endpoint_auth_method` field in the response. It should match how you're sending the credentials [as explained in the documentation](https://www.ory.sh/docs/hydra/debug/token-endpoint-auth-method).

### 3. Check for Special Characters in Client Secret

If your client secret contains special characters like hyphens (-) or underscores (_), there might be issues with how they're being encoded. This has been reported as a potential issue in Ory Hydra [as noted in this GitHub issue](https://github.com/ory/hydra/issues/3581).

### 4. Reset Client Secret

If you're certain the client ID is correct but the secret might be wrong, you can update the client with a new secret:

```bash
ory update oauth2-client {client.id} --client-secret {new-secret}
```

### 5. Check for Secret Length Limitations

If you're using BCrypt for hashing (default in Ory), be aware that there's a 72 character limit for BCrypt hashed secrets [as mentioned in the troubleshooting documentation](https://www.ory.sh/docs/troubleshooting/bcrypt-secret-length).

## Common Causes

Based on similar reported issues:

1. The client secret might have been changed or is incorrect
2. The authentication method doesn't match how you're sending credentials
3. There might be encoding issues with special characters in the client secret
4. The client ID might be wrong or the client doesn't exist in your project

If you continue to experience issues after trying these steps, you may need to check your project logs for more detailed error information or contact Ory support with your specific project details.