Which Option Fits Your Environment?
| If your environment… | Use |
|---|---|
| Allows external network connectivity (ingress + egress) | WorkOS |
| Is air-gapped or restricts external connectivity | Ory Polis |
Option 1: WorkOS
For environments with standard network connectivity. Powered by WorkOS.
Network Requirements
Your environment needs both outbound and inbound connectivity:
- Egress: HTTPS (port 443) to Cloudflare IP ranges
- Ingress: HTTPS from WorkOS IP addresses (for webhook events)
What you control
- Configure your IdP connection (Okta, Azure AD, Google Workspace, etc.) through the WorkOS Admin Portal
- Manage SSO settings, user provisioning rules, and directory sync
- Monitor authentication events and audit logs
Option 2: Ory Polis
For air-gapped, on-prem, or data-residency-constrained environments. Powered by Ory Polis.
Network Requirements
None. We deploy Polis within our infrastructure in a configuration that requires no external connectivity from your environment.
What you control
- Configure your IdP connection through the Ory Admin Portal we provision for you
- Manage SSO settings, user provisioning, and access policies
- All authentication data stays within the isolated environment
Supported Identity Providers
Both options work with:
- Okta
- Microsoft Entra ID (Azure AD)
- Google Workspace
- OneLogin
- PingFederate
- Any SAML 2.0 or OIDC-compliant provider
Directory Sync (SCIM)
Automatically sync users and groups from your identity provider:
- Provision users on first login
- Update attributes when they change in your IdP
- Deprovision access when users are removed