- AUTHOR: Ory Team
Ory Network Domain Migration: Please Review SAML and Network Allowlist Configurations
As part of our ongoing migration from the ory.sh domain to ory.com, authentication flows may increasingly use ory.com endpoints in addition to existing ory.sh endpoints.
At this time, no immediate action is required and existing ory.sh endpoints continue to be supported. However, we recommend that customers begin updating their configurations to use the ory.com endpoints where possible.
If your organization uses domain or URL allowlists/whitelists for SAML, SSO, firewalls, proxies, or other network security controls, please ensure that ory.com domains are permitted. We have seen cases where authentication flows were blocked because only ory.sh domains had been allowlisted.
For example, SAML authentication flows will redirect from https://api.console.ory.sh/saml/api/oauth/saml to https://api.console.ory.com/saml/api/oauth/saml.
If your SAML ACS URL is already on the project slug domain (https://<slug>.projects.oryapis.com/self-service/methods/saml/organizations/<org_id>) then no action is necessary.
Recommended actions:
- Review any allowlists, firewall rules, proxy rules, or identity provider configurations that reference ory.sh and add the corresponding ory.com domains.
- If possible, allow both domains during the migration period to ensure a smooth transition.
- Update SAML configurations and integrations to reference the ory.com ACS URL where applicable.
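One way to run the allowlist review described above, as an added example that is not Ory's own tooling: it lists the ory.com entries an allowlist still lacks for each ory.sh entry it contains. The one-to-one host mapping (same labels, suffix swapped), the wildcard semantics, and every sample entry other than the api.console.ory.sh URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OLD, NEW = "ory.sh", "ory.com"  # the two domains named in the notice

def host_of(entry):
    """Lowercase hostname from a URL, host:port, or wildcard allowlist entry."""
    entry = entry.strip().lower()
    if "://" not in entry:
        entry = "//" + entry  # make urlsplit treat the text as a network location
    netloc = urlsplit(entry).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].rstrip(".")

def in_domain(host, domain):
    """Match on a DNS label boundary only, so 'notory.sh' is not treated as ory.sh."""
    bare = host[2:] if host.startswith("*.") else host
    return bare == domain or bare.endswith("." + domain)

def counterpart(host):
    """Assumed mapping: identical host labels with the ory.sh suffix swapped."""
    return host[: -len(OLD)] + NEW

def covered(host, hosts):
    """Assumption: '*.x' permits any subdomain of x; confirm your product's rules."""
    bare = host[2:] if host.startswith("*.") else host
    labels = bare.split(".")
    parents = (".".join(labels[i:]) for i in range(1, len(labels)))
    return host in hosts or any("*." + p in hosts for p in parents)

def missing_counterparts(entries):
    """Return ory.com hosts that should be added, skipping blanks and # comments."""
    hosts = {host_of(e) for e in entries
             if e.strip() and not e.lstrip().startswith("#")}
    return sorted(counterpart(h) for h in hosts
                  if in_domain(h, OLD) and not covered(counterpart(h), hosts))

# Constructed sample allowlist; only the first URL appears in the notice.
SAMPLE = [
    "https://api.console.ory.sh/saml/api/oauth/saml",
    "*.ory.sh",
    "notory.sh",               # lookalike, must not be migrated
    "ory.sh.example.net",      # ory.sh is not the registrable suffix here
    "*.projects.oryapis.com",  # slug domain, unaffected by the migration
]

if __name__ == "__main__":
    for host in missing_counterparts(SAMPLE):
        print("add to allowlist:", host)
```

Keep the existing ory.sh entries in place while adding the reported ones, since both domains are in use during the migration period.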
We will communicate timelines and any future changes to endpoint support well in advance.
If you have any questions or would like assistance validating your configuration, please contact Ory Support.