in most cases you dont need explicit permission but you need to sign a CLA (Individual Contributor License Agreement) - which kind of includes permission
Coming from Germany I found it funny how tiny the subway lines are in major cities in the US compared to medium-sized cities here.
I always thought Germany was a country centered a lot around cars but it was so much more extreme in the states; seemed not possible to live in a city(!) without a car.
These are fair concerns, and I want to clarify what's included versus what's paid.
The confusion here is about two different types of SSO:
_Admin SSO (for managing Ory itself)_ - Ory is fundamentally an API. For self-hosted deployments, you control access however you want - through your infrastructure, reverse proxy, or using Ory Polis. This is not gated.
_Organizations SSO (for your end users)_ - This is the paid feature. It allows your B2B customers to bring their own identity provider. If you're building a SaaS product and BigCorp wants their employees to authenticate using Okta or Azure AD, Organizations handles that federation.
The distinction matters because maintaining integrations with enterprise IDPs is continuous work.
For example Google randomly changes their OIDC implementation on a Saturday evening. Someone needs to wake up and fix that. For products serving other businesses at scale, that operational burden is real.
Organizations is one of the few areas where we charge, specifically targeting the B2B SaaS use case. If you're self-hosting for internal use or building a consumer product, you don't need Organizations.
If you're selling to enterprises that require SSO, you're generating revenue to support the cost.
sorry to hear that, hope you have a better experience going forward.
if you feel like it send me some details on what was most painful and we'll fix it.
Another problem is also that "standards" like OAuth2/OIDC are used for a thousand use cases that weren't intended by the authors, so people get really creative with them.
Plus the spec itself is vague on many essential things, for example how logout should work.
Thankfully I never had to implement SAML but I would guess it's even worse there...
You can use other parts of the Ory ecosystem to add these features, such as Ory Polis for SAML/SCIM support: https://github.com/ory/polis
CAPTCHAs aren’t a big help anymore in my personal opinion, but you can easily integrate them on the frontend when using Kratos. The commercial offering just bundles all of this out of the box for you.
If Keycloak fits your needs well and you see no room for improvement, that’s perfectly fine; by all means use what works best for you.
Ory Kratos itself doesn't support SAML that is correct.
However the newest addition to the Ory ecosystem, called Ory Polis (formerly known as BoxyHQ) does close that gap.
It is also Apache2 licensed, do check it out here: https://github.com/ory/polis
i feel you; working with a heavily patched fork of anything can be rough
check out the new version, i'm sure it has improved quite a bit since then.
Of course simpler solutions than Ory Kratos exist, but they often come with other tradeoffs