# talk-kratos
a
Hey guys, I hope you all are enjoying the quiet time at the end of the year with your family and friends! I've been working on the draft stage of my project and I'm currently in the technology selection, so I hope you may be able to help me out a bit. The application is supposed to be a B2B SaaS that allows customers to use their own SSO providers, so basically a multi-tenant system. I would like to hand the auth concerns off to a hosted solution like Ory, but I'm not sure if it's a good fit. Beyond bringing in customers' SSO providers I also need to be able to customize the non-SSO-related user signup and activation flow. I'm curious, what are your experiences? Given the (admittedly limited) information, do you think Ory would be a good fit? I appreciate your replies!
m
Adding other SSO providers is no problem provided they implement OIDC: https://www.ory.sh/docs/kratos/social-signin/generic. Flows also have options to customize, depending on what you mean by that; for example, you can use hooks to execute webhooks at different stages of flows: https://www.ory.sh/docs/kratos/hooks/configure-hooks, and you have a lot of options in the UI as well. Let me know if that helps.
a
Thank you Vincent! Hooks look like they could be a good fit, I will try to implement a proof of concept with them! Regarding the OIDC compatibility, this should not be an issue. To check if I understand correctly, basically the best way would be to set up the OIDC provider for each tenant? Is there any functionality built into Ory that would allow me to authenticate a specific tenant's users with the appropriate OIDC provider automatically (say x@acme.com wants to sign in -> gets redirected to acme.com's OIDC provider) or is this functionality that is in no way covered by Ory and would require my own customizing?
m
Hey Moritz, it depends a bit on the specifics of your use case. If you use one Ory Network project for all tenants, all identities are saved in the same Ory project and you can add all OIDC providers to that project. If you spin up a project for each tenant (IMO makes sense if the tenants are big enough, say 2k+ daily users), you then add the OIDC providers for just that tenant. To implement an automatic flow - I attached a rough diagram - you can use a custom UI with a lookup or similar that checks what provider to use for a given email. This requires some coding on your part at the moment, but we have it on the roadmap to provide this out of the box soon. The best way to solve this right now would be to use a webhook after registration and store in an extra table in your system what method the user used. Then, in the custom UI, you can look up the method associated with the email and redirect to the correct provider/UI. Let me know if that makes it clearer 🙂
a
Thank you for that clear explanation! I'm excited to see where the Ory project will continue to evolve. Personally, I would prefer to use Ory Network instead of running Ory on my own infra. Based on my previous experiences, daily active users will likely max out at 1k/tenant, so I guess I'll be fine with Ory Network?
m
Sure 🙂 It would be the same principle in Ory Network or in self-hosted Ory. If you have one Ory Network project (aka one Ory Kratos+Keto+Hydra+db instance), you would save all identities and config in this one project. Then you have a login screen for each tenant pointing to that one project. Or you have multiple Ory Network projects (aka multiple Ory Kratos+Keto+Hydra+db instances), so the identities for each tenant are saved in different dbs and you have dedicated config for each tenant. I think multiple projects make sense if you have more than 2k daily users per tenant. If you have something around 1k daily in total, definitely go with one instance for all tenants.