docs: document update identity on login for SAML connections #2659

Open: jonas-jonas wants to merge 1 commit into master from jonas-jonas/saml-update-identity-on-login

@jonas-jonas

Add an "Update identity on login" subsection to the SAML section of the Organizations guide. It mirrors the existing OIDC data-mapping option: setting update_identity_on_login to automatic re-runs the connection's Jsonnet data mapper on every SAML login and refreshes the identity's traits and metadata, including the metadata_public group claims used for just-in-time provisioning.

Covers Console and API configuration, accessing the current identity via std.extVar('identity') in the mapper, and the write/preservation and schema-validation behavior.

Related Issue or Design Document

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact security@ory.com) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

Add an "Update identity on login" subsection to the SAML section of the
Organizations guide. It mirrors the existing OIDC data-mapping option:
setting update_identity_on_login to automatic re-runs the connection's
Jsonnet data mapper on every SAML login and refreshes the identity's
traits and metadata, including the metadata_public group claims used for
just-in-time provisioning.

Covers Console and API configuration, accessing the current identity via
std.extVar('identity') in the mapper, and the write/preservation and
schema-validation behavior.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 2, 2026 13:34

Copilot AI left a comment

Pull request overview

This PR extends the Kratos Organizations “SAML” documentation by adding guidance for keeping identities synchronized with an upstream SAML Identity Provider via update_identity_on_login=automatic, including Console and API configuration details and Jsonnet mapper behavior notes.

Changes:

  • Adds an “Update identity on login” subsection to the SAML data-mapping documentation in the Organizations guide.
  • Documents Console + API configuration and how to access the current identity via std.extVar('identity').
  • Describes preservation/clearing semantics for metadata, schema validation behavior, and what is not updated.

Comment thread docs/kratos/organizations/organizations.mdx
@jonas-jonas changed the title from "docs(kratos): document update identity on login for SAML connections" to "docs: document update identity on login for SAML connections" on Jul 2, 2026