# ory-copilot
@chilly-king-10285 I want to use Ory Network instead of Okta for SSO. My expectation is that User A authenticates to Ory via SAML integration with Google Workspace and is then redirected to AWS via SAML integration with Ory. Could you please guide me through this workflow?
A message from kapa.ai
Your scenario involves two SAML integrations:

1. Ory Network as a SAML Service Provider (SP) authenticating users via Google Workspace (which acts as the SAML Identity Provider, IdP).
2. Ory Network as a SAML Identity Provider (IdP) for AWS, so users authenticated in Ory can access AWS via SAML SSO.

### 1. Ory Network as SAML SP (Google Workspace as IdP)

Ory Network supports SAML SSO, allowing you to configure Google Workspace as the SAML IdP. Here's how you can set this up:

- In the Ory Console, go to Authentication → Enterprise SSO and add a new SAML connection.
- Provide the required metadata from Google Workspace (IdP metadata XML).
- Map SAML attributes from Google to your Ory identity schema using Jsonnet.
- The SAML callback URL for Ory is: https://api.console.ory.sh/saml/api/oauth/saml
- Enable SAML authentication in your Ory project configuration. Example API call to enable SAML and add a provider (replace placeholders with your actual values):

```bash
# Enable the SAML self-service method on the project.
curl -X PATCH --location "https://api.console.ory.sh/projects/$PROJECT_ID" \
  -H "Authorization: Bearer $WORKSPACE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '[
        {
          "op": "replace",
          "path": "/services/identity/config/selfservice/methods/saml/enabled",
          "value": true
        }
      ]'
```

```bash
# Add Google Workspace as a SAML provider. $ORGANIZATION_ID is spliced into
# the single-quoted JSON so the shell actually expands it; the base64://
# values are placeholders for your Jsonnet mapper and the IdP metadata XML.
curl -X PATCH --location "https://api.console.ory.sh/projects/$PROJECT_ID" \
  -H "Authorization: Bearer $WORKSPACE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '[
        {
          "op": "add",
          "path": "/services/identity/config/selfservice/methods/saml/config/providers/-",
          "value": {
            "id": "google-workspace",
            "label": "Google Workspace",
            "mapper_url": "base64://...",
            "raw_idp_metadata_xml": "base64://...",
            "organization_id": "'"$ORGANIZATION_ID"'"
          }
        }
      ]'
```

For attribute mapping, see the [SAML data mapping example](https://www.ory.sh/docs/kratos/organizations#saml-via-ory-network) in the docs.

References: [SAML via Ory Network](https://www.ory.sh/docs/kratos/organizations#saml-via-ory-network)

---

### 2. Ory Network as SAML IdP (AWS as SP)

The knowledge sources do not explicitly document Ory Network acting as a SAML Identity Provider (IdP) for downstream applications like AWS. The available documentation focuses on Ory as a SAML Service Provider (SP), integrating with upstream IdPs (such as Google Workspace) to authenticate users, not as an IdP for other services.

Summary:

- You can use Ory Network to authenticate users via SAML with Google Workspace as the IdP.
- The documentation does not provide information on configuring Ory Network as a SAML IdP for AWS or other SPs.

If you require Ory to act as a SAML IdP for AWS, I recommend reaching out to [Ory Support](mailto:support@ory.sh) or your Ory account representative to confirm if this feature is available or planned, as it is not covered in the current documentation.

References: [SAML via Ory Network](https://www.ory.sh/docs/kratos/organizations#saml-via-ory-network), [SAML Overview](https://www.ory.sh/docs/kratos/organizations#saml)

---

In summary:

- Ory Network can replace Okta for SSO as a SAML SP (authenticating users via Google Workspace).
- There is no documented support for Ory Network acting as a SAML IdP for AWS. Please contact Ory for further guidance.
@chilly-king-10285 How about OIDC instead of SAML for AWS?
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain information about using Ory Network as an OpenID Connect (OIDC) Identity Provider (IdP) for AWS. The available documentation covers Ory Network acting as an OIDC provider for social sign-in and SSO scenarios, and as a SAML Service Provider (SP) for upstream IdPs like Google Workspace, but does not mention configuring Ory as an OIDC IdP for AWS or similar service providers. If you need this specific functionality, I recommend reaching out to Ory Support for clarification or feature requests, as it is not covered in the current documentation or knowledge sources provided. See [Docs > Kratos > Social-signin > Ory](https://www.ory.sh/docs/kratos/social-signin/ory) and [SAML via Ory Network](https://www.ory.sh/docs/kratos/organizations#saml-via-ory-network).
@chilly-king-10285 How do I get the SAML metadata XML from Ory?
A message from kapa.ai
I'm sorry, but the knowledge sources do not contain information on how to obtain the SAML metadata XML from Ory Network. The documentation describes how to configure Ory as a SAML Service Provider (SP) by uploading the IdP metadata XML from your SAML Identity Provider (such as Google Workspace), but it does not mention how to retrieve Ory's own SAML metadata XML for use as an Identity Provider (IdP) with other services [SAML via Ory Network](https://www.ory.sh/docs/kratos/organizations#saml-via-ory-network). If you need to obtain SAML metadata XML from Ory, I recommend contacting Ory Support for further guidance, as this is not covered in the current documentation.