// the find
ory/polis
Streamline your web application's authentication with Polis, an SSO service supporting SAML and OpenID Connect protocols. Beyond enterprise-grade Single Sign-On, it also supports Directory Sync via the SCIM 2.0 protocol for automatic user and group provisioning/de-provisioning.
Ory Polis (formerly BoxyHQ Jackson) is a SAML/OIDC-to-OAuth2 bridge service — it sits in front of your app and translates enterprise SSO protocols into a standard OAuth 2.0 flow your app already knows how to speak. It's aimed at SaaS builders who need to ship enterprise SSO and directory sync without becoming SAML experts themselves.
The OAuth2 abstraction layer is the real value: you write one OAuth2 integration and get SAML 2.0, OIDC, and SCIM for free behind it. The 'bring your own database' model (Postgres, MySQL, Mongo, Redis, DynamoDB) means you're not locked into a separate persistence layer. The setup link flow — where you generate a tenant-specific link that walks IT admins through IdP configuration step-by-step — is a genuinely good UX decision that most auth libraries completely ignore. The E2E test suite covers SAML, OIDC, SCIM, and federation flows at the API level, which is reassuring for a security-sensitive component.
The enterprise feature split is a real trap: identity federation, branding, and product-level isolation live under `ee/` with a separate commercial license, so the open-source version is meaningfully incomplete for multi-tenant SaaS use cases — you find this out after you've already integrated. The repo was renamed from BoxyHQ Jackson to Ory Polis after Ory acquired it, which means a lot of the community knowledge, Stack Overflow answers, and third-party blog posts still reference the old name and may not reflect current API shape. Running this as a separate service (the recommended path) adds an auth proxy hop to every login flow with no obvious high-availability story in the self-hosted docs.