SSO
In your UI Bakery instance, it is possible to configure Single Sign-On with a custom OpenID provider that uses the Authorization Code Flow.

To set up OAuth2 SSO with UI Bakery, you will need to register the redirect URI in the provider's settings. The redirect URI should be `UI_BAKERY_APP_SERVER_NAME/auth/oauth2/callback`. In addition, you will need to provide the following variables:

```
UI_BAKERY_OAUTH_CLIENT_ID=0oa3deycosL4fFEvx5d0
UI_BAKERY_OAUTH_SECRET=sO8BPgTb5MVs9kS37Qoml5sCEK7faFX78VDP2E3q
UI_BAKERY_OAUTH_SCOPE=openid email offline_access profile
UI_BAKERY_OAUTH_AUTH_URL=https://mybakery.okta.com/oauth2/v1/authorize
UI_BAKERY_OAUTH_TOKEN_URL=https://mybakery.okta.com/oauth2/v1/token
UI_BAKERY_OAUTH_TOKEN_URL_ADDITIONAL_PARAMS={"entity_id": "asd"}
UI_BAKERY_OAUTH_USERINFO_URL=https://mybakery.okta.com/oauth2/v1/userinfo
UI_BAKERY_OAUTH_EMAIL_KEY=email
UI_BAKERY_OAUTH_ID_KEY=sub
```

The SSO user token that is obtained can be used in the HTTP data source configuration to be included in all requests. The token is available as the `UI_BAKERY_SSO_TOKEN` placeholder. To use the token, set up the `Authorization` header with the value `Bearer UI_BAKERY_SSO_TOKEN` in the data source configuration. The placeholder `UI_BAKERY_SSO_TOKEN` will be replaced with the actual token before the request is sent.

To enable token broadcasting, set the following environment variable:

```
UI_BAKERY_SSO_BROADCAST_TOKEN=true
```
When the OAuth token expires, UI Bakery will try to refresh it under the following conditions:

- The variable `UI_BAKERY_SSO_BROADCAST_TOKEN` must be set to `true`
- The `refresh_token` claim must be present
- The `expires_in` claim must also be present

If the token does not contain `expires_in`, UI Bakery will not be able to refresh it, and requests will start to fail. In this case, you can set the variable `UI_BAKERY_OAUTH_FORCE_TOKEN_REFRESH` to `true` to force an OAuth token refresh on every UI Bakery token refresh attempt. If the token cannot be refreshed and the variable `UI_BAKERY_OAUTH_SIGN_OUT_WHEN_TOKEN_EXPIRED` is set to `true`, the user will be logged out from UI Bakery. If you have enabled roles synchronization, you can set the variable `UI_BAKERY_OAUTH_SYNC_ROLES_ON_TOKEN_REFRESH` to `true` to enable the synchronization on every token refresh.

To configure SAML SSO:

1. Configure your Identity Provider. In the identity provider settings, set the Sign on URL and Reply URL to `https://APP_LOCATION/api/auth/login/saml`. Replace `APP_LOCATION` with your UI Bakery instance URL. Configure the name and role attributes. You can set the claim names in the identity provider settings or in the UI Bakery env variables `UI_BAKERY_SSO_NAME_CLAIM` and `UI_BAKERY_SSO_ROLE_CLAIM`.
2. Provide the URL of your identity provider metadata and the entity ID via the following env variables:
   ```
   UI_BAKERY_SAML_METADATA_URL=https://your.identityprovider.com/federationmetadata/2007-06/federationmetadata.xml
   UI_BAKERY_SAML_ENTITY_ID=http://appregestry.com/myapp/primary
   ```
3. Set the variable `UI_BAKERY_SAML_ENABLED=true`.
By default, UI Bakery will not sync any roles provided by the Identity Provider.

1. To enable roles synchronization, set the variable `UI_BAKERY_SSO_SYNC_ROLES=true`. Out of the box, UI Bakery will try to match the received roles by name. Roles sync will be done only during the sign-up process. If a match is found (e.g. SSO returned a `support` role and UI Bakery has this role in the workspace), the current user roles will be deleted and the matched SSO role(s) will be assigned to the user. During user sign-up, a default `user` role will be assigned unless `UI_BAKERY_SSO_HARD_SYNC_ROLES` is enabled. If no match is found, UI Bakery will leave the current user roles. See `UI_BAKERY_SSO_HARD_SYNC_ROLES` to change this behaviour.
2. Additionally, you can configure a role mapping from an identity provider role id/name to a UI Bakery role:
   ```
   UI_BAKERY_SSO_ROLE_MAPPING=identityRoleName->bakeryRoleName,identityRoleName2->bakeryRoleName2
   ```
3. If your setup requires a complete synchronization, where UI Bakery overwrites all roles, removing the existing ones and adding those received from the Identity Provider even if SSO returns no matching roles (e.g. the user has no access to the system), use the following variable:
   ```
   UI_BAKERY_SSO_HARD_SYNC_ROLES=true
   ```
   Please note that if no roles are found, the user will be removed from the organization and will no longer be able to access it.
1. To sync roles during login as well, set `UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN=true`.
2. By default, UI Bakery will only sync roles for end-users, leaving the `admin` and `editor` roles untouched. To sync roles for all users, set `UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN=true`. Please note that in case of a malformed configuration, admin accounts may lose access to the system.
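The role-sync rules from the steps above (name matching, `UI_BAKERY_SSO_ROLE_MAPPING`, soft versus hard sync) together with the admin/editor setting, modelled in Python as an added example; this is not UI Bakery's own code. The env variable names are the page's; `parse_role_mapping`, `sync_roles`, the workspace role list and the sample identity roles are constructed here, and the admin/editor rule is assumed to mean that users holding either role are skipped unless `UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN` is `true`.

```python
"""Model of UI Bakery's SSO role synchronization as described on this page.

Added example, not UI Bakery code. The env var names are the page's; the
function names, the workspace role set and the sample identity roles are
constructed. The admin/editor rule is modelled as skipping users who hold
either role unless UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN is true
(an assumption about the page's "left untouched" wording).
"""

PROTECTED_ROLES = {"admin", "editor"}


def parse_role_mapping(raw: str) -> dict[str, str]:
    """Parse UI_BAKERY_SSO_ROLE_MAPPING: idpRole->bakeryRole,idpRole2->bakeryRole2."""
    mapping: dict[str, str] = {}
    for pair in filter(None, (p.strip() for p in raw.split(","))):
        if "->" not in pair:
            # A malformed mapping is the kind of misconfiguration that can
            # strip roles; fail loudly instead of silently ignoring the entry.
            raise ValueError(f"malformed mapping entry: {pair!r}")
        src, dst = (s.strip() for s in pair.split("->", 1))
        mapping[src] = dst
    return mapping


def sync_roles(current, received, workspace_roles, env) -> list[str]:
    """Return the user's roles after one sync; [] means removal from the organization."""
    if env.get("UI_BAKERY_SSO_SYNC_ROLES") != "true":
        return list(current)  # sync disabled: nothing changes
    if (set(current) & PROTECTED_ROLES
            and env.get("UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN") != "true"):
        return list(current)  # end-users only by default
    mapping = parse_role_mapping(env.get("UI_BAKERY_SSO_ROLE_MAPPING", ""))
    # Apply the mapping, then keep only roles that exist in the workspace (match by name).
    matched = sorted({mapping.get(r, r) for r in received} & set(workspace_roles))
    hard = env.get("UI_BAKERY_SSO_HARD_SYNC_ROLES") == "true"
    if matched:
        return matched  # current roles are deleted, matched SSO roles assigned
    # No match: soft sync keeps the existing roles, hard sync removes them all.
    return [] if hard else list(current)
```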
1. You can set the variable `UI_BAKERY_SSO_LOGIN_AUTO` to `true` to enable automatic login. Any unauthorized user will be redirected to the SSO login flow.
2. You can disable email authentication by providing the environment variable `UI_BAKERY_EMAIL_AUTH_ENABLED=false`.
3. Provide the `UI_BAKERY_AUTH_RESTRICTED_DOMAIN=domain.com` environment variable to restrict Google login to the specified domain only.