chore: saml idp docs #2233

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
192 changes: 192 additions & 0 deletions docs/kratos/applications/applications.mdx
@@ -0,0 +1,192 @@
---
id: applications
title: Manage SAML 2.0 Applications
sidebar_label: SAML Applications
---

:::info

SAML applications are only available in Ory Network and are not supported in self-hosted Ory Kratos. If you have any questions, or
if you would like more information about transitioning to Ory Network, please don't hesitate to
[reach out](https://www.ory.sh/contact/).

:::

Ory is now a SAML 2.0 Identity Provider, enabling you to connect your Ory-managed identities to third-party SAML-compatible
applications.

**Key Capabilities**

- Configure Ory as a SAML IdP to external applications (SPs)
- Configure SAML applications with ACS URLs and Entity IDs
- Support for SP-initiated login flows
- Attribute mapping from Ory identities to SAML assertions (NameID, email, roles, etc.)
- Metadata endpoint to allow easy SP registration

**Example Use Cases**

- Enable SSO into your internal tools using Ory as the identity source
- Connect to enterprise SaaS apps that support SAML (e.g., Salesforce, Zendesk, GitLab)
- Allow federated login across business units or customer organizations

This documentation article explains how to manage SAML applications clients using the Ory Console, Ory SDK, Ory CLI, and Ory REST
APIs.

## Create SAML application

To create a new SAML application, use the following methods:

````mdx-code-block
import Tabs from '@theme/Tabs'
import TabItem from '@theme/TabItem'

<Tabs>
<TabItem value="console" label="Ory Console" default>

The Ory Console is a web-based user interface that allows you to manage SAML applications. To create a new application:

1. Go to <ConsoleLink route="project.authentication.applications" />
2. Click **Add new SAML application** and complete the form.

</TabItem>
<TabItem value="cli" label="Ory CLI">

```shell
ory create oauth2-client \
--grant-type authorization_code --grant-type refresh_token --grant-type client_credentials \
--response-type code \
--scope openid --scope offline_access \
--token-endpoint-auth-method client_secret_post \
--redirect-uri https://my-app.com/callback --redirect-uri http://my-other-app.com/callback
```

</TabItem>
<TabItem value="sdk" label="Ory SDK">

```mdx-code-block
import CodeBlock from '@theme/CodeBlock'
import createTs from '!!raw-loader!../../../code-examples/sdk/typescript/src/oauth2/client-create.ts'

<CodeBlock language="tsx">{createTs}</CodeBlock>
```

</TabItem>
<TabItem value="rest" label="REST API">

See [API documentation](../../reference/api#tag/oAuth2/operation/createOAuth2Client).

</TabItem>
</Tabs>
````

## Update SAML application

To update an existing SAML application, use the following methods:

````mdx-code-block
<Tabs>
<TabItem value="console" label="Ory Console" default>

1. Go to <ConsoleLink route="project.authentication.applications" />.
2. Locate the application you want to update.
3. Click on the **pen symbol** to update the application's configuration.
3. When you are finished, scroll to the top and click **Save**.

</TabItem>
<TabItem value="cli" label="Ory CLI">

```
ory update oauth2-client --project <project-id> --workspace <workspace-id> {client.id} \
--grant-type authorization_code --grant-type refresh_token --grant-type client_credentials \
--response-type code \
--scope openid --scope offline_access \
--token-endpoint-auth-method client_secret_post \
--redirect-uri https://a-new-callback
```

</TabItem>
<TabItem value="sdk" label="Ory SDK">

```mdx-code-block
import updateTs from '!!raw-loader!../../../code-examples/sdk/typescript/src/oauth2/client-update.ts'

<CodeBlock language="tsx">{updateTs}</CodeBlock>
```

</TabItem>
<TabItem value="rest" label="REST API">

See [API documentation](../../reference/api#tag/oAuth2/operation/setOAuth2Client).

</TabItem>
</Tabs>
````

## Patch SAML application

To partially update an existing SAML application, use the following methods:

````mdx-code-block
<Tabs>
<TabItem value="console" label="Ory Console" default>

1. Go to <ConsoleLink route="project.authentication.applications" />.
2. Locate the application you want to update.
3. Click on the **pen symbol** to update the application's configuration.
3. When you are finished, scroll to the top and click **Save**.

</TabItem>
<TabItem value="sdk" label="Ory SDK">

```mdx-code-block
import patchTs from '!!raw-loader!../../../code-examples/sdk/typescript/src/oauth2/client-patch.ts'

<CodeBlock language="tsx">{patchTs}</CodeBlock>
```

</TabItem>
<TabItem value="rest" label="REST API">

See [API documentation](../../reference/api#tag/oAuth2/operation/patchOAuth2Client).

</TabItem>
</Tabs>
````

## Delete SAML application

To delete an existing SAML application, use the following methods:

````mdx-code-block
<Tabs>
<TabItem value="console" label="Ory Console" default>

1. Go to <ConsoleLink route="project.authentication.applications" />.
2. Locate the application you want to update.
3. Click on **trash bin symbol** to update the application's configuration.
3. Confirm the dialog to complete the deletion.

</TabItem>
<TabItem value="cli" label="Ory CLI">

```
ory delete oauth2-client {client.id}
```

</TabItem>
<TabItem value="sdk" label="Ory SDK">

```mdx-code-block
import clientDeleteTs from '!!raw-loader!../../../code-examples/sdk/typescript/src/oauth2/client-delete.ts'

<CodeBlock language="tsx">{clientDeleteTs}</CodeBlock>
```

</TabItem>
<TabItem value="rest" label="REST API">

See [API documentation](../../reference/api#tag/oAuth2/operation/deleteOAuth2Client).

</TabItem>
</Tabs>
````
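Review bot: the CLI, SDK and REST tabs in every section still operate on OAuth2 clients rather than SAML applications: `ory create oauth2-client` with `--grant-type`, `--scope` and `--redirect-uri` flags, the `oauth2/client-create.ts` SDK sample, and the `createOAuth2Client` API link (and likewise `setOAuth2Client`, `patchOAuth2Client`, `deleteOAuth2Client` for update, patch and delete). A reader following the "Create SAML application" heading would register an OAuth2 client, not a SAML service provider with an ACS URL and Entity ID as the capabilities list describes; either replace these with the SAML equivalents or remove the tabs until they exist. Smaller issues in the same hunk: the update and patch console steps number two items `3.`, the patch section repeats the update console steps verbatim and has no CLI tab, the delete steps read "Locate the application you want to update" and "Click on **trash bin symbol** to update the application's configuration" where "delete" is meant, the update and delete CLI fences lack the `shell` language tag the create fence has, and "manage SAML applications clients" in the intro should be "manage SAML applications". The capabilities list names ACS URLs and Entity IDs but the body never says where these values come from; a sentence noting that the SP supplies them would help readers fill in the Console form.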
4 changes: 4 additions & 0 deletions src/components/ConsoleLink/console-nav-data.ts
Expand Up @@ -92,6 +92,10 @@ export const authenticationPaths: Path[] = [
title: "Enterprise SSO",
href: routes.project.authentication.organizations.route,
},
{
title: "SAML Applications",
href: routes.project.authentication.applications.route,
},
{
title: "Account recovery",
href: routes.project.recovery.route,
5 changes: 5 additions & 0 deletions src/components/ConsoleLink/console-routes.ts
Expand Up @@ -234,6 +234,11 @@ export const routes = {
`/projects/${project}/authentication/organizations/${id}`,
},
},
applications: {
route: "/projects/[project]/authentication/applications",
href: (project: string) =>
`/projects/${project}/authentication/applications`,
},
},
hostedUI: {
registration: (base: string) => `${base}/registration`,
1 change: 1 addition & 0 deletions src/sidebar.ts
Expand Up @@ -313,6 +313,7 @@ const kratos: SidebarItemsConfig = [
"kratos/passwordless/one-time-code",
"kratos/passwordless/passkeys",
"kratos/organizations/organizations",
"kratos/applications/applications",
"kratos/emails-sms/custom-email-templates",
],
},
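Review bot: the new `kratos/applications/applications` entry goes into the `kratos` sidebar group, yet the page's own info admonition states that SAML applications are only available in Ory Network and not supported in self-hosted Ory Kratos. Consider whether the Ory Network section of the sidebar is the better home, or at least make sure the sidebar label does not suggest the feature ships with self-hosted Kratos.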