Manage SAML 2.0 Applications
SAML applications are only available in Ory Network and are not supported in self-hosted Ory Kratos. If you have any questions, or if you would like more information about transitioning to Ory Network, please don't hesitate to reach out.
Ory is now a SAML 2.0 Identity Provider, enabling you to connect your Ory-managed identities to third-party SAML-compatible applications.
Key Capabilities
- Configure Ory as a SAML IdP to external applications (SPs)
- Configure SAML applications with ACS URLs and Entity IDs
- Support for SP-initiated login flows
- Attribute mapping from Ory identities to SAML assertions (NameID, email, roles, etc.)
- Metadata endpoint to allow easy SP registration
Example Use Cases
- Enable SSO into your internal tools using Ory as the identity source
- Connect to enterprise SaaS apps that support SAML (e.g., Salesforce, Zendesk, GitLab)
- Allow federated login across business units or customer organizations
This documentation article explains how to manage SAML applications using the Ory Console, Ory SDK, Ory CLI, and Ory REST APIs.
Create SAML application
To create a new SAML application, use the following methods:
- Ory Console
- Ory CLI
- Ory SDK
- REST API
The Ory Console is a web-based user interface that allows you to manage SAML applications. To create a new application:
- Go to Authentication → SAML Applications in the Ory Console
- Click Add new SAML application and complete the form.
```shell
ory create oauth2-client \
  --grant-type authorization_code --grant-type refresh_token --grant-type client_credentials \
  --response-type code \
  --scope openid --scope offline_access \
  --token-endpoint-auth-method client_secret_post \
  --redirect-uri https://my-app.com/callback --redirect-uri http://my-other-app.com/callback
```
```ts
import { Configuration, OAuth2Api } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function createOAuth2Client() {
  await ory.createOAuth2Client({
    oAuth2Client: {
      grant_types: ["authorization_code", "refresh_token"],
      redirect_uris: ["https://example.com"],
      scope: "offline openid",
      token_endpoint_auth_method: "client_secret_post",
    },
  })
}
```
See API documentation.
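Whichever method you use, the values you register for a SAML application (its Entity ID and ACS URLs) decide where signed assertions will be posted. The following is an added example, not code from the Ory documentation or SDK, that checks those values before you submit them; the field names `entityId` and `acsUrls` are assumed for illustration.

```typescript
// Added example (not Ory's own code): sanity-check a SAML application's
// registration values before creating or updating it. `entityId` and
// `acsUrls` are assumed field names for illustration.
export interface SamlAppInput {
  entityId: string
  acsUrls: string[]
}

export interface ValidationResult {
  ok: boolean
  errors: string[]
}

// Entity IDs are URIs in SAML 2.0. ACS URLs receive signed assertions via a
// browser POST, so each one must be an absolute https URL without a fragment
// or wildcard, and the list must not contain duplicates.
export function validateSamlAppInput(input: SamlAppInput): ValidationResult {
  const errors: string[] = []
  if (!/^[a-z][a-z0-9+.-]*:/i.test(input.entityId)) {
    errors.push(`entityId "${input.entityId}" is not a URI`)
  }
  if (input.acsUrls.length === 0) {
    errors.push("at least one ACS URL is required")
  }
  const seen = new Set<string>()
  for (const raw of input.acsUrls) {
    // Reject wildcards before parsing: a wildcard host would let any matching
    // origin receive assertions.
    if (raw.includes("*")) {
      errors.push(`ACS URL "${raw}" must not contain a wildcard`)
      continue
    }
    let url: URL
    try {
      url = new URL(raw)
    } catch {
      errors.push(`ACS URL "${raw}" is not an absolute URL`)
      continue
    }
    if (url.protocol !== "https:") errors.push(`ACS URL "${raw}" must use https`)
    if (url.hash) errors.push(`ACS URL "${raw}" must not contain a fragment`)
    if (seen.has(url.href)) errors.push(`ACS URL "${raw}" is listed more than once`)
    seen.add(url.href)
  }
  return { ok: errors.length === 0, errors }
}
```

Run it on the form values (or the request body) before calling the create or update endpoint and refuse to submit when `ok` is false.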
Update SAML application
To update an existing SAML application, use the following methods:
- Ory Console
- Ory CLI
- Ory SDK
- REST API
- Go to Authentication → SAML Applications in the Ory Console.
- Locate the application you want to update.
- Click on the pen symbol to update the application's configuration.
- When you are finished, scroll to the top and click Save.
```shell
ory update oauth2-client --project <project-id> --workspace <workspace-id> {client.id} \
  --grant-type authorization_code --grant-type refresh_token --grant-type client_credentials \
  --response-type code \
  --scope openid --scope offline_access \
  --token-endpoint-auth-method client_secret_post \
  --redirect-uri https://a-new-callback
```
```ts
import { Configuration, OAuth2Api, OAuth2Client } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function updateOAuth2Client(
  id: string,
  update: Partial<OAuth2Client>,
) {
  // setOAuth2Client replaces all values (empty ones too),
  // which is why we include the original client.
  const { data: original } = await ory.getOAuth2Client({ id })
  await ory.setOAuth2Client({
    id,
    oAuth2Client: {
      ...original,
      ...update,
    },
  })
}
```
See API documentation.
Patch SAML application
To partially update an existing SAML application, use the following methods:
- Ory Console
- Ory SDK
- REST API
- Go to Authentication → SAML Applications in the Ory Console.
- Locate the application you want to update.
- Click on the pen symbol to update the application's configuration.
- When you are finished, scroll to the top and click Save.
```ts
import { Configuration, JsonPatch, OAuth2Api } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function patchOAuth2Client(id: string, patches: JsonPatch[]) {
  await ory.patchOAuth2Client({
    id,
    jsonPatch: [
      ...patches,
      {
        op: "replace",
        // JSON Patch (RFC 6902) paths are JSON Pointers and start with "/".
        path: "/owner",
        value: "New owner",
      },
    ],
  })
}
```
See API documentation.
Delete SAML application
To delete an existing SAML application, use the following methods:
- Ory Console
- Ory CLI
- Ory SDK
- REST API
- Go to Authentication → SAML Applications in the Ory Console.
- Locate the application you want to delete.
- Click on the trash bin symbol to delete the application.
- Confirm the dialog to complete the deletion.

```shell
ory delete oauth2-client {client.id}
```
```ts
import { Configuration, OAuth2Api } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function deleteOAuth2Client(id: string) {
  await ory.deleteOAuth2Client({ id })
}
```
See API documentation.