<@U04UQ68083H> how to get the sso providers of a g...
# ory-copilot
b
@chilly-king-10285 how to get the sso providers of a given enterprise sso organization
b
A message from kapa.ai
To get the SSO providers of a given Enterprise SSO organization in Ory, you can use either the Ory Console or the API.

### Using the API

You can retrieve the SSO connections (providers) for an organization by getting the project configuration and filtering for the providers that have the specific organization ID. Here's how to do it:

```bash
curl -X GET --location "https://api.console.ory.sh/projects/$PROJECT_ID" \
     -H "Authorization: Bearer $WORKSPACE_API_KEY" \
   | jq ".services.identity.config.selfservice.methods.oidc.config.providers | map(select(.organization_id == \"$ORGANIZATION_ID\"))"
```

This command:

1. Gets the project configuration
2. Uses `jq` to filter the OIDC providers that belong to the specific organization ID

### Using the Ory Console

You can also view the SSO connections for an organization through the Ory Console:

1. Go to Authentication → Enterprise SSO in the [Ory Console](https://console.ory.sh/projects/current/authentication/organizations)
2. Find and select the organization you're interested in
3. The SSO connections for that organization will be displayed

### Getting Organization ID

If you need to first get the organization ID, you can list all organizations in your project:
```bash
curl -X GET --location "https://api.console.ory.sh/projects/$PROJECT_ID/organizations" \
     -H "Authorization: Bearer $WORKSPACE_API_KEY"
```
Or get a specific organization by ID:
```bash
curl -X GET --location "https://api.console.ory.sh/projects/$PROJECT_ID/organizations/$ORGANIZATION_ID" \
     -H "Authorization: Bearer $WORKSPACE_API_KEY"
```
You can also filter organizations by domain:
```bash
curl -X GET --location "https://api.console.ory.sh/projects/$PROJECT_ID/organizations?domain=example.com" \
     -H "Authorization: Bearer $WORKSPACE_API_KEY"
```
[Ory API Reference](https://www.ory.sh/docs/reference/api) provides more details on these API endpoints. [Create SSO connections for an organization](https://www.ory.sh/docs/kratos/organizations#create-sso-connections-for-an-organization) has additional information about managing SSO connections.
b
@chilly-king-10285 can ory act as an idp in an SSO scenario
b
A message from kapa.ai
Yes, Ory can act as an Identity Provider (IdP) in a Single Sign-On (SSO) scenario through Ory OAuth2 and OpenID Connect. This functionality allows you to become a federated identity provider, similar to Google, Facebook, or GitHub.

### Ory as an SSO Provider

Ory OAuth2 and OpenID Connect, built on the open-source [Ory Hydra Federation Server](https://www.ory.sh/docs/oauth2-oidc), enables you to:

1. Create a "Sign in with $YourBrand" service
2. Authenticate users across multiple applications with a single set of credentials
3. Provide identity federation for third-party applications

As stated in the documentation:

> Ory OAuth2 and OpenID Connect is the perfect solution for securely connecting users, applications, and services. Whether you need single sign-on (SSO), mobile and third-party application authorization, API access management, server-to-server communication, or federated identity, you can find a solution based on Ory OAuth2 and OpenID Connect.

[Introduction to OAuth2 and OpenID Connect](https://www.ory.sh/docs/oauth2-oidc)

### Setting Up Ory as an IdP

To set up Ory as an IdP, you would:

1. Create an Ory Network project to serve as the SSO provider
2. Create OAuth2 clients for the applications that will use this SSO provider
3. Configure the appropriate scopes and redirect URIs

Here's a code snippet showing how to create an OAuth2 client using the Ory CLI:
```bash
ory create oauth2-client --project "$PROJECT_ID" \
  --name "Example Corp" \
  --grant-type authorization_code,refresh_token \
  --response-type code \
  --scope openid,offline_access,email \
  --redirect-uri https://your-project-slug.projects.oryapis.com/self-service/methods/oidc/callback/H1o_k--i
```
[Ory as a Social Sign-in Provider](https://www.ory.sh/docs/kratos/social-signin/ory) provides detailed instructions on this setup.

### Key Benefits

- Certified Implementation: Ory is a [Certified OpenID Connect Implementation](https://www.ory.sh/docs/oauth2-oidc) meeting all requirements set by the OpenID Foundation
- Flexible Integration: Can connect with existing user management systems
- Global Deployment: Available in data centers worldwide for low-latency access
- Security-First Architecture: Designed to neutralize common attack vectors

Ory can also support enterprise SSO scenarios with SAML connections for B2B use cases on Enterprise plans, as described in the [SAML via Ory Network](https://www.ory.sh/docs/kratos/organizations#saml-via-ory-network) documentation.
b
@chilly-king-10285 is there any way to audit who changed relationships in Ory network and what change was made?
b
A message from kapa.ai
Yes, Ory Network provides several ways to audit relationship changes in the permissions system. Here are the available options:

## Live Event Streams

Ory Network offers live event streams that capture permission-related activities in real-time. These events include:

- RelationtuplesCreated: When new relationships are created
- RelationtuplesDeleted: When relationships are removed
- RelationtuplesChanged: When relationships are modified
- PermissionsChecked: When permission checks are performed
- PermissionsExpanded: When permissions are expanded

As noted in the documentation, "Live event streams are available for Ory Network enterprise contracts" and allow you to "stream events in real-time, live as they happen in your Ory Network project, to your own infrastructure." [Live event streams](https://www.ory.sh/docs/actions/live-events)

## GitOps for Auditing Changes

You can implement a GitOps approach to track changes to your Ory Network configuration, including permission relationships:

1. Store your permission configurations in Git
2. Use GitHub Actions (or similar CI/CD) to update configurations
3. Track changes through Git history and pull requests

This approach provides an audit trail of who made what changes and when, as all changes go through version control. [Manage Ory Network configuration in git](https://www.ory.sh/docs/guides/gitops)

## API-Based Auditing

You can use the Ory Permissions API to:

1. List relationships to see current state
2. Compare with previous states to identify changes

The List API allows you to "audit permissions in the system" by querying relationships. [API overview](https://www.ory.sh/docs/keto/concepts/api-overview)

## Security Measures

Ory implements several security measures that support auditing:

- Logging and audit trail: "Ory uses logging in its cloud network, enabling forensic analysis of potential incidents." [Protection against data breaches](https://www.ory.sh/docs/security-compliance/gdpr#protection-against-data-breaches)

## Enterprise Features

There appears to be ongoing development for more comprehensive auditing features. A closed GitHub issue mentions plans for:

- Activity logs for various actions including privileged operations
- Logs carrying timestamp, identity, device, and IP information
- Logs separated by tenant and accessible to admins only
- Retention policies for audit data

[GitHub Issue #118](https://github.com/ory/network/issues/118)

For the most comprehensive auditing capabilities, I recommend reaching out to Ory directly about enterprise features, as some advanced auditing capabilities may be part of enterprise contracts.

Would you like more specific information about implementing any of these auditing approaches?