UI Bakery Docs
Sign InRoadmapRelease notes
Search
K
Links

SSO

SSO with OpenId providers

In your UI Bakery instance, it is possible to configure Single Sign On with a custom OpenID provider that utilizes the Authorization Code Flow.
To set up OAuth2 SSO with UI Bakery, you will need to register the redirect URI in the provider's settings. The redirect URI should be UI_BAKERY_APP_SERVER_NAME/auth/oauth2/callback. In addition, you will need to provide the following variables:
UI_BAKERY_OAUTH_CLIENT_ID=0oa3deycosL4fFEvx5d0
UI_BAKERY_OAUTH_SECRET=sO8BPgTb5MVs9kS37Qoml5sCEK7faFX78VDP2E3q
UI_BAKERY_OAUTH_SCOPE=openid email offline_access profile
UI_BAKERY_OAUTH_AUTH_URL=https://mybakery.okta.com/oauth2/v1/authorize
UI_BAKERY_OAUTH_TOKEN_URL=https://mybakery.okta.com/oauth2/v1/token
UI_BAKERY_OAUTH_TOKEN_URL_ADDITIONAL_PARAMS= {"entity_id": "asd"}
UI_BAKERY_OAUTH_USERINFO_URL=https://mybakery.okta.com/oauth2/v1/userinfo
UI_BAKERY_OAUTH_EMAIL_KEY=email
UI_BAKERY_OAUTH_ID_KEY=sub
The SSO user token that is obtained can be used in the HTTP data source configuration to be included in all requests. The token is available as the UI_BAKERY_SSO_TOKEN placeholder. To use the token, you can set up the Authorization header with the value Bearer UI_BAKERY_SSO_TOKEN in the data source configuration. The placeholder UI_BAKERY_SSO_TOKEN will be replaced with the actual token before the request is sent.
To enable token broadcasting, you need to set the following environment variable:
UI_BAKERY_SSO_BROADCAST_TOKEN=true

SSO token refresh

When the OAuth token expires, UI Bakery will try to refresh it under the following conditions:
  • The variable UI_BAKERY_SSO_BROADCAST_TOKEN must be set to true
  • The refresh_token claim must be present
  • The expires_in claim must also be present
If you don't have expires_in in token, UI Bakery will not be able to refresh the token, and requests will start to fail. In this case, you can set the variable UI_BAKERY_OAUTH_FORCE_TOKEN_REFRESH to true to force OAuth token refresh on every UI Bakery token refresh attempt. If the token cannot be refreshed and the variableUI_BAKERY_OAUTH_SIGN_OUT_WHEN_TOKEN_EXPIRED is set to true, the user will be logged out from UI Bakery. If you have enabled roles synchronization, you can set the variable UI_BAKERY_OAUTH_SYNC_ROLES_ON_TOKEN_REFRESH to true to enable the synchronization on every token refresh.

SAML authentication setup

  1. 1.
    Configure your Identity provider. In identity provider settings, set Sign on URL and Reply URL to https://APP_LOCATION/api/auth/login/saml. Replace APP_LOCATION with UI Bakery instance URL. Configure name and role attributes. You can set claim name in identity provider settings or in UI Bakery env variables UI_BAKERY_SSO_NAME_CLAIM and UI_BAKERY_SSO_ROLE_CLAIM.
  2. 2.
    Provide the URL of your identity provider metadata and entity ID via the following env variables:
    UI_BAKERY_SAML_METADATA_URL=https://your.identityprovider.com/federationmetadata/2007-06/federationmetadata.xml.
    UI_BAKERY_SAML_ENTITY_ID=http://appregestry.com/myapp/primary
  3. 3.
    Set variable UI_BAKERY_SAML_ENABLED=true

SSO roles synchronization

By default, UI Bakery will not sync any roles provided by the Identity Provider.
  1. 1.
    To enable roles synchronization, set the variable UI_BAKERY_SSO_SYNC_ROLES=true. Out of the box, UI Bakery will try to match received roles by names. Roles sync will be done only during the sign up process. If a match is found (e.g. SSO returned a support role and UI Bakery has this role in the workspace), current user roles will be deleted and the matched SSO role(s) will be assigned to the user.
During user sign-up, a default userrole will be assigned unless UI_BAKERY_SSO_HARD_SYNC_ROLES is enabled.
If no match is found, UI Bakery will leave the current user roles. See UI_BAKERY_SSO_HARD_SYNC_ROLES to change this behaviour.
  1. 2.
    Additionally, you can configure a role mapping from identity provider role id/name to a UI Bakery role:
UI_BAKERY_SSO_ROLE_MAPPING=identityRoleName->bakeryRoleName,identityRoleName2->bakeryRoleName2
  1. 3.
    If your setup requires a complete synchronization, when UI Bakery overwrites all roles, removing existing ones and adding new ones received from Identity Provider even if SSO returns no matching roles (e.g. user has no access to the system), use the following variable:
UI_BAKERY_SSO_HARD_SYNC_ROLES=true
Please note, if no roles are found, the user will be removed from the organization and will no longer be able to access it.
  1. 1.
    To sync roles during the login as well, set UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN=true
  2. 2.
    By default, UI Bakery will only sync roles for end-users, leaving the admin and editor roles untouched. To sync roles for all users, set UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN=true.
Please note, that in a case of malformed configuration, admin accounts may lose access to the system

Other authentication settings

  1. 1.
    You can set the variable UI_BAKERY_SSO_LOGIN_AUTO to true to enable automatic login. Any unauthorized user will be redirected to the SSO login flow.
  2. 2.
    You can disable email authentication by providing the environment variable UI_BAKERY_EMAIL_AUTH_ENABLED=false
  3. 3.
    Provide UI_BAKERY_AUTH_RESTRICTED_DOMAIN=domain.com environment variable to restrict Google login only to the specified domain.
On-premise - Previous
SCIM 2.0
Next
Azure AD SSO - OAuth2
Last modified 1mo ago