Another problem is also that "standards" like OAuth2/OIDC are used for a thousand use cases that weren't intended by the authors, so people get really creative with them.
Plus the spec itself is vague on many essential things, for example how logout should work.
Thankfully I never had to implement SAML but I would guess it's even worse there...
Ory Polis also sounds great, but also suffers from:
> Organizations that require advanced features, enhanced security, and enterprise-grade support for Ory's identity and access management solutions benefit from the Ory Enterprise License (OEL) as a self-hosted, premium offering including: Additional features not available in the open-source version, Regular releases that address CVEs and security vulnerabilities, with strict SLAs for patching based on severity, Support for advanced scaling and multi-tenancy features.
You can use other parts of the Ory ecosystem to add these features, such as Ory Polis for SAML/SCIM support: https://github.com/ory/polis
CAPTCHAs aren’t a big help anymore in my personal opinion, but you can easily integrate them on the frontend when using Kratos. The commercial offering just bundles all of this out of the box for you.
If Keycloak fits your needs well and you see no room for improvement, that’s perfectly fine; by all means use what works best for you.
This is a nightmare for security for companies that aren't big enough to pay the tax - which is most companies.
Every product, every fucking product, if it does anything, should have RBAC and SSO. These are the bare minimum. You want to hold off on SCIM for large customers, fine. Do that.
These are fair concerns, and I want to clarify what's included versus what's paid.
The confusion here is about two different types of SSO:
_Admin SSO (for managing Ory itself)_ - Ory is fundamentally an API. For self-hosted deployments, you control access however you want - through your infrastructure, reverse proxy, or using Ory Polis. This is not gated.
_Organizations SSO (for your end users)_ - This is the paid feature. It allows your B2B customers to bring their own identity provider. If you're building a SaaS product and BigCorp wants their employees to authenticate using Okta or Azure AD, Organizations handles that federation.
The distinction matters because maintaining integrations with enterprise IDPs is continuous work.
For example Google randomly changes their OIDC implementation on a Saturday evening. Someone needs to wake up and fix that. For products serving other businesses at scale, that operational burden is real.
Organizations is one of the few areas where we charge, specifically targeting the B2B SaaS use case. If you're self-hosting for internal use or building a consumer product, you don't need Organizations.
If you're selling to enterprises that require SSO, you're generating revenue to support the cost.
If every plan is not getting access to at least SSO / RBAC, you are contributing to a weaker security ecosystem that disproportionately impacts non-Enterprise organizations (most organizations).
Ory Kratos itself doesn't support SAML that is correct.
However the newest addition to the Ory ecosystem, called Ory Polis (formerly known as BoxyHQ) does close that gap.
It is also Apache2 licensed, do check it out here: https://github.com/ory/polis
i feel you; working with a heavily patched fork of anything can be rough
check out the new version, i'm sure it has improved quite a bit since then.
Of course simpler solutions than Ory Kratos exist, but they often come with other tradeoffs
You can convert an issue to a discussion and vice versa, so no duplication is needed and your notification should be preserved.
Or do you mean something else?
reply