docs: document update identity on login for SAML connections #2659
Open
jonas-jonas wants to merge 1 commit into
Add an "Update identity on login" subsection to the SAML section of the
Organizations guide. It mirrors the existing OIDC data-mapping option:
setting update_identity_on_login to automatic re-runs the connection's
Jsonnet data mapper on every SAML login and refreshes the identity's
traits and metadata, including the metadata_public group claims used for
just-in-time provisioning.
Covers Console and API configuration, accessing the current identity via
std.extVar('identity') in the mapper, and the write/preservation and
schema-validation behavior.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR extends the Kratos Organizations “SAML” documentation by adding guidance for keeping identities synchronized with an upstream SAML Identity Provider via update_identity_on_login=automatic, including Console and API configuration details and Jsonnet mapper behavior notes.
Changes:
- Adds an “Update identity on login” subsection to the SAML data-mapping documentation in the Organizations guide.
- Documents Console + API configuration and how to access the current identity via std.extVar('identity').
- Describes preservation/clearing semantics for metadata, schema validation behavior, and what is not updated.
Related Issue or Design Document
Checklist
If this pull request addresses a security vulnerability,
I confirm that I got approval (please contact security@ory.com) from the maintainers to push the changes.
Further comments