Replies: 2 comments
-
Thanks for reaching out @uncvrd, I'll ping you to set up a call.
-
Hi! Recently, Ory Kratos Open Source introduced support for the BoxyHQ SAML Jackson provider. Below are some of the pull requests related to this integration: ory/kratos#4242

I’ve started integrating the BoxyHQ SAML Jackson provider with the latest Ory Kratos code changes in my local deployment for SAML-based SSO login. Unfortunately, I haven’t been able to complete the integration successfully. I believe this might be because the feature has not yet been officially released in the Ory Kratos OSS version, and additional changes might still be required to make it fully functional. I’m interested in contributing to make this work.

In this context, I have the following query: When Ory Kratos calls the BoxyHQ SAML Jackson /api/oauth/authorize endpoint, BoxyHQ SAML Jackson makes a successful SAML SSO login with the IdP (I’m using Okta), then BoxyHQ SAML Jackson redirects to the Ory Kratos redirect_url with code and state parameters. I assume that Ory Kratos would then use the authorization code to obtain an access token and then with that token fetch the user profile (similar to OIDC SSO login). Is this assumption correct for SAML SSO logins as well? If not, how does Ory Kratos retrieve the user profile to create an identity for SAML SSO logins?

I’d appreciate your guidance on this!
-
Hi! I've hit a bit of a wall going through official Ory channels, so I wanted to extend the conversation directly to the BoxyHQ team...
Ory has dropped development support for SAML and is recommending that its users utilize SAML Jackson instead.
ory/kratos#275 (comment)
This is totally fine, but I haven't been able to successfully implement this strategy within Ory since all authentication "sources" must be hardcoded within a configuration file. When talking to Tucker at Ory, he said that this would be possible for Ory Network users but not OSS users. See below:
Since I've asked in that thread (linked above) about how this implementation could be possible without any response, I was hoping to collaborate on the BoxyHQ side to help make this a possibility for OSS users.
I am curious how this implementation can be made to work in Ory Network but not OSS? I'm happy to hop on a call to discuss options as I know many users would like an official guide to solve this.
Thanks a lot for your time regardless, any guidance is super appreciated.