From 9a48c6e63123fa14a3ac09115361b25fb1a7f2c1 Mon Sep 17 00:00:00 2001 From: jhickmanit Date: Mon, 7 Apr 2025 08:20:15 -0700 Subject: [PATCH 1/3] Added note regarding: ORY-04-001 WP2 and informing users of the behavior of unverified email domains. --- docs/kratos/organizations/organizations.mdx | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/kratos/organizations/organizations.mdx b/docs/kratos/organizations/organizations.mdx index 8011d8226..1e708121b 100644 --- a/docs/kratos/organizations/organizations.mdx +++ b/docs/kratos/organizations/organizations.mdx @@ -258,6 +258,16 @@ the identity, or by updating the identity's data using the Ory APIs. SAML (Security Assertion Markup Language) is an XML-based open standard used for exchanging authentication and authorization data between parties. The SAML integration in Ory Network uses the B2B Organization feature. +:::note + +Some SAML identity providers do not validate email domain ownership. This can lead to situations where Enterprise SSO with Organizations +is configured for a specified domain (eg @ory.sh), but due to this lack of this email domain ownership validation by the identity provider, +a users with other email domains (eg @gmail.com) can still authenticate successfully via the identity provider. + +This will end up with the user being part of the configured organizaiton in your Ory project, even if the domain does not match the one(s) configured. + +::: + ### SAML via Ory Network This guide will walk you through the steps required to set up SAML Single Sign-On (SSO) with Ory Network. From cda45f04167b623ba9550d0806ba027c1e4e5ee7 Mon Sep 17 00:00:00 2001 From: jhickmanit Date: Tue, 8 Apr 2025 13:26:37 -0700 Subject: [PATCH 2/3] removed note format and formatting fixes. --- docs/kratos/organizations/organizations.mdx | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) 
diff --git a/docs/kratos/organizations/organizations.mdx b/docs/kratos/organizations/organizations.mdx index c2fd1933c..30e686f25 100644 --- a/docs/kratos/organizations/organizations.mdx +++ b/docs/kratos/organizations/organizations.mdx @@ -258,15 +258,13 @@ the identity, or by updating the identity's data using the Ory APIs. SAML (Security Assertion Markup Language) is an XML-based open standard used for exchanging authentication and authorization data between parties. The SAML integration in Ory Network uses the B2B Organization feature. -:::note - -Some SAML identity providers do not validate email domain ownership. This can lead to situations where Enterprise SSO with Organizations -is configured for a specified domain (eg @ory.sh), but due to this lack of this email domain ownership validation by the identity provider, -a users with other email domains (eg @gmail.com) can still authenticate successfully via the identity provider. +Some SAML identity providers do not validate email domain ownership. This can lead to situations where Enterprise SSO with +Organizations is configured for a specified domain such as `@example.com`, but due to this lack of this email domain ownership +validation by the identity provider, a users with other email domains such as `@gmail.com` can still authenticate successfully via +the identity provider. -This will end up with the user being part of the configured organizaiton in your Ory project, even if the domain does not match the one(s) configured. - -::: +This will end up with the user being part of the configured organization in your Ory project, even if the domain does not match +any of the configured domains. ### SAML via Ory Network From d47853b8d748ed067f2e03f66e1e930f64f4a4b4 Mon Sep 17 00:00:00 2001 
From: jhickmanit Date: Thu, 10 Apr 2025 11:57:28 -0700 Subject: [PATCH 3/3] moved to Organizations block as this impacts both SAML and OIDC. Removed SAML reference. --- docs/kratos/organizations/organizations.mdx | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/kratos/organizations/organizations.mdx b/docs/kratos/organizations/organizations.mdx index 30e686f25..35f148a1c 100644 --- a/docs/kratos/organizations/organizations.mdx +++ b/docs/kratos/organizations/organizations.mdx @@ -31,6 +31,14 @@ members of an organization must use one of the organization's OIDC SSO connectio An organization can have multiple domains. Registrations for email addresses with a domain that belongs to an organization must go through one of the organization's OIDC SSO connections. +Some identity providers do not validate email domain ownership. This can lead to situations where Enterprise SSO with +Organizations is configured for a specified domain such as `@example.com`, but due to this lack of this email domain ownership +validation by the identity provider, a users with other email domains such as `@gmail.com` can still authenticate successfully via +the identity provider. + +This will end up with the user being part of the configured organization in your Ory project, even if the domain does not match +any of the configured domains. + ```mdx-code-block
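Review bot: In PATCH 1/3 the added `:::note` block names a real domain, `@ory.sh`, as the "configured" example; use a reserved documentation domain such as `example.com` so readers do not copy a live domain into their own configuration (PATCH 2/3 makes this change, so it should be squashed into this commit). The same paragraph has several grammar slips that survive into the later patches: "a users with other email domains" should read "users with other email domains", "due to this lack of this email domain ownership validation" doubles "this", and "organizaiton" is misspelled. Placing the note under the SAML heading also scopes the problem too narrowly; the behavior is a property of the identity provider, not of SAML, which PATCH 3/3 corrects by moving it to the Organizations section.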
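Review bot: In PATCH 2/3 the `:::note` admonition is dropped, but the paragraph that replaces it is the one security caveat on the page and is now indistinguishable from the surrounding descriptive text; keep the admonition (or a heading the page already uses) so the warning stands out. The rewritten sentence still reads "due to this lack of this email domain ownership validation by the identity provider, a users with other email domains ... can still authenticate"; suggest "because the identity provider does not validate email domain ownership, users with other email domains such as `@gmail.com` can still authenticate successfully through it."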
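Review bot: PATCH 3/3 describes the failure mode (a user with a non-matching email domain ends up a member of the organization) but gives the reader nothing to do about it; the paragraph should close with the expected mitigation, for example that the identity provider must be configured to only assert accounts from the organization's domains, and that the email domain reported by the provider must not be treated as proof of organization membership on its own. The sentence "Organizations is configured for a specified domain such as `@example.com`" conflates the organization domain (`example.com`) with the email-address form; the surrounding context lines speak of "domains" that "belong to an organization", so say "configured for a domain such as `example.com`". The grammar errors noted on the earlier hunks ("a users", "this lack of this") are still present here and should be fixed before merge.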