# ory-selfhosting
Hi everyone, I’m working on a multi-tenant SaaS application and I’d like to use the self-hosted Ory stack (Kratos, Keto, Oathkeeper, and Polis). My requirements are:

- Each tenant (organization) in the app should be able to add their own identity provider (e.g. Azure AD / Entra ID, Okta, Google, etc.).
- Once configured, users from that IdP should be able to log in via SSO (SAML/OIDC) without creating a separate password in my app.
- Ideally, tenants should be able to manage their own IdP configuration in a self-service way (not something I configure globally for all tenants).
- Optional: user provisioning via SCIM or JIT creation on first login.

My questions are:

a. Is it possible to build this scenario with the self-hosted Ory stack today, or do some of these features only exist in Ory Cloud / Enterprise (e.g. Polis)?
b. If it is possible, what would the recommended architecture look like (Kratos + Oathkeeper + Keto + Polis)?
c. Is there any guidance, examples, or best practices for implementing tenant-specific IdP onboarding on top of Ory?

Thanks a lot for your help — I want to make sure I’m choosing the right approach before investing deeply in this stack.
It is possible but requires you to build some small features that are already part of the Ory Enterprise License. The details on what you actually need and the architecture depend a lot on your requirements, so I can't say much about that. Multi-tenancy (tenant isolation) can be achieved with open-source by running one instance per tenant against separated databases, but that does not scale well.
So I basically need to create:

- Multi-tenancy, while using only one Kratos instance, since multiple will not scale well. The whole multi-tenancy logic has to be done in my backend via e.g. an x-tenant-id header.
- Invitation flows for tenants.
- IdP linking logic (SAML/OIDC).

Seems more than just some small features :/
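Two of the pieces listed above, tenant-scoped IdP onboarding and backend-enforced tenant isolation keyed on an x-tenant-id header, can be sketched in a few dozen lines. The following is an added illustration written for this thread, not code from Ory or from the original poster. It assumes a backend tenant registry, renders per-tenant entries in the shape Kratos reads under `selfservice.methods.oidc.config.providers` (the `id`, `provider`, `client_id`, `client_secret`, `issuer_url`, `microsoft_tenant`, `mapper_url` and `scope` keys are Kratos' own; the per-tenant mapper file path and the `tenant_id` identity trait are assumptions), and checks a Kratos whoami session against the tenant header so a session from tenant A can never act inside tenant B.

```python
"""Tenant-scoped OIDC provider entries for self-hosted Kratos plus a backend
tenant-isolation check. Illustrative code for this thread, not Ory's own.

Assumptions (not from the thread):
  * the identity schema has a `tenant_id` trait, written at JIT creation by a
    per-tenant Jsonnet mapper;
  * mappers live under /etc/config/kratos/mappers/<tenant_id>.jsonnet
    (hypothetical path);
  * the backend reads an `X-Tenant-ID` request header.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

TENANT_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")


@dataclass
class TenantIdp:
    tenant_id: str
    provider: str                # Kratos provider type: "generic" or "microsoft" handled here
    client_id: str
    client_secret: str
    issuer_url: str = ""         # required for the "generic" provider
    microsoft_tenant: str = ""   # required for the "microsoft" provider
    scope: list = field(default_factory=lambda: ["openid", "email", "profile"])


def validate_idp(idp: TenantIdp) -> None:
    """Checks a self-service IdP form should enforce before anything is saved."""
    if not TENANT_ID_RE.match(idp.tenant_id):
        raise ValueError("tenant_id must be lowercase alphanumeric/hyphen (it becomes part of the provider id)")
    if not idp.client_id or not idp.client_secret:
        raise ValueError("client_id and client_secret are required")
    if idp.provider == "generic":
        u = urlparse(idp.issuer_url)
        if u.scheme != "https" or not u.netloc:
            raise ValueError("issuer_url must be an absolute https URL")
    elif idp.provider == "microsoft":
        if not idp.microsoft_tenant:
            raise ValueError("microsoft_tenant is required for the microsoft provider")
    else:
        raise ValueError(f"unsupported provider type: {idp.provider}")


def provider_entry(idp: TenantIdp) -> dict:
    """Render one entry for selfservice.methods.oidc.config.providers.

    The provider id is prefixed with the tenant id, so two tenants that both
    onboard e.g. Entra ID get distinct ids and one tenant's IdP can never be
    selected on another tenant's login flow.
    """
    validate_idp(idp)
    entry = {
        "id": f"{idp.tenant_id}-{idp.provider}",
        "provider": idp.provider,
        "client_id": idp.client_id,
        "client_secret": idp.client_secret,
        # hypothetical per-tenant mapper path; the mapper stamps tenant_id into traits
        "mapper_url": f"file:///etc/config/kratos/mappers/{idp.tenant_id}.jsonnet",
        "scope": list(idp.scope),
    }
    if idp.provider == "generic":
        entry["issuer_url"] = idp.issuer_url
    else:
        entry["microsoft_tenant"] = idp.microsoft_tenant
    return entry


def mapper_jsonnet(tenant_id: str) -> str:
    """Jsonnet data mapper for JIT creation: copies the IdP email claim and
    hard-codes the tenant the provider belongs to, so the trait cannot be
    chosen by the IdP or the user."""
    if not TENANT_ID_RE.match(tenant_id):
        raise ValueError("invalid tenant_id")
    return (
        "local claims = std.extVar('claims');\n"
        "{\n"
        "  identity: {\n"
        "    traits: {\n"
        "      email: claims.email,\n"
        f"      tenant_id: '{tenant_id}',\n"
        "    },\n"
        "  },\n"
        "}\n"
    )


def session_belongs_to_tenant(session: dict, x_tenant_id: str) -> bool:
    """Backend isolation check: the session identity's tenant_id trait must
    equal the X-Tenant-ID header. A missing trait or empty header is a denial.
    `session` is the JSON body returned by Kratos' whoami endpoint."""
    traits = session.get("identity", {}).get("traits", {})
    return bool(x_tenant_id) and traits.get("tenant_id") == x_tenant_id
```

The important design choice is that the tenant binding is fixed at configuration time (in the mapper and in the provider id) rather than taken from the IdP's claims or the client's request, so a tenant admin who misconfigures or controls their own IdP still cannot mint identities in someone else's tenant; the header is only used to select which tenant a request targets, never to assert membership.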