Based on the available knowledge sources, when you enable SAML SSO for an organization's domain (e.g.,

<http://acme.com|acme.com>

) in Ory Network, all registrations and logins for email addresses matching that domain are routed through the organization's SSO connections. Specifically, the documentation states: > Registrations for email addresses with a domain that belongs to an organization must go through one of the organization's OIDC SSO connections. > All members of an organization must use one of the organization's OIDC SSO connections to log in. > An organization can have multiple domains. > ...Organizations require identifier-first authentication and two-step registration when using Account Experience 2.x or Ory Elements 1.x. [Ory Kratos B2B SSO & SAML](https://www.ory.sh/docs/kratos/organizations) There is no mention in the documentation of a configuration option to allow users with a managed domain (e.g.,

@acme.com

) to bypass SAML SSO and use other sign-in or sign-up methods (such as password or social login) once SAML SSO is enabled for that domain. The flow is designed to enforce SSO for all users matching the organization's domains. Therefore, based on the current documentation, it is not possible to allow users with a managed domain to sign in or sign up using other methods if SAML SSO is enabled for that domain. All such users are required to use SAML SSO for authentication. If you require more flexibility, you may need to contact Ory support to discuss potential workarounds or feature requests, as the knowledge sources do not describe such an option.