# Multiple SSO

UI Bakery supports configuring more than one SSO provider. You can achieve this by modifying the following environment variables:

```
UI_BAKERY_SSO_CONFIGURATION='[ { SSO_CONFIG }, { SSO_CONFIG }, { SSO_CONFIG }]'
UI_BAKERY_SSO_CONFIGURATION_ENABLED=true
```

The `UI_BAKERY_SSO_CONFIGURATION` variable accepts a JSON array of configuration objects. Each object represents one SSO connection, whether it's OAuth or SAML.

Optionally, you can define a unique role mapping for each provider. If a configuration object lacks role syncing settings, the values from the corresponding environment variable will be used.

## Disabling MFA from UI Bakery

UI Bakery allows you to enable MFA on the *UI Bakery level*. When enabled, it is required for:

* users signing in with **email/password**
* users signing in via **SSO (OpenID, SAML, etc.)**

Some SSO providers also enforce their own MFA, in which case users have to complete *two MFA prompts*: one from the SSO provider and one from UI Bakery.

To avoid this and let users complete only their SSO MFA, set `"disableMfa": true` in that provider's SSO configuration object.\
This setting is applied **per SSO provider**. You can disable UI Bakery MFA for one provider while keeping it enabled for another.

With this setting set to *true*:

* **SSO users** will only complete MFA handled by the SSO providers
* **Email/password users** will complete MFA handled by UI Bakery

## Configuration for OAuth provider

```javascript
{
  "type": "oauth2",
  "name": "okta_login",

  // required, equivalent to UI_BAKERY_OAUTH_CLIENT_ID env variable
  "oauthClientId": "",
  // required, equivalent to UI_BAKERY_OAUTH_SECRET env variable
  "oauthClientSecret": "",
  // required, equivalent to UI_BAKERY_OAUTH_AUTH_URL env variable
  "oauthAuthorizationUrl": "",
  // required, equivalent to UI_BAKERY_OAUTH_TOKEN_URL env variable
  "oauthTokenUrl": "",
  // required if "oauthGetClaimsFromToken" is false,
  // equivalent to UI_BAKERY_OAUTH_USERINFO_URL env variable
  "oauthUserInfoUrl": "",
  // equivalent to UI_BAKERY_OAUTH_GET_CLAIMS_FROM_TOKEN env variable
  "oauthGetClaimsFromToken": false,
  // required, equivalent to UI_BAKERY_OAUTH_SCOPE env variable
  "oauthScope": "profile email openid",
  // equivalent to UI_BAKERY_OAUTH_EMAIL_KEY env variable
  "oauthEmailKey": "email",
  // equivalent to UI_BAKERY_OAUTH_ID_KEY env variable
  "oauthIdKey": "sub",
  // equivalent to UI_BAKERY_OAUTH_TOKEN_URL_ADDITIONAL_PARAMS env variable
  "oauthTokenUrlAdditionalParams": { "param": "value" },
  // equivalent to UI_BAKERY_OAUTH_SIGN_OUT_WHEN_TOKEN_EXPIRED env variable
  "oauthSignOutWhenTokenExpired": false,
  // equivalent to UI_BAKERY_OAUTH_FORCE_TOKEN_REFRESH env variable
  "oauthForceTokenRefresh": false,
  // equivalent to UI_BAKERY_OAUTH_SYNC_ROLES_ON_TOKEN_REFRESH env variable
  "oauthSyncRolesOnTokenRefresh": false,
  // equivalent to UI_BAKERY_AUTH_RESTRICTED_DOMAIN env variable
  "restrictedDomain": "example.com",
  // equivalent to UI_BAKERY_LOGOUT_REDIRECT env variable
  "logoutRedirect": "https://example.com/logout"
}
```

***

## Configuration for SAML provider

{% hint style="warning" %}
For SAML providers, when registering SSO integration with JSON, the Sign-On URL should match: **`https://YOUR_INSTANCE/api/auth/login/{samlSSO}`**, where **`{samlSSO}`** is the name provided in the UI Bakery configuration.
{% endhint %}

```javascript
{
  "type": "saml",
  "name": "samlSSO",

  // required, equivalent to UI_BAKERY_SAML_ENTITY_ID env variable
  "samlEntityId": "string",

  // required if "samlMetadataXML" is not provided,
  // equivalent to UI_BAKERY_SAML_METADATA_URL env variable
  "samlMetadataURL": "https://provider/metadata.xml",

  // required if "samlMetadataURL" is not provided
  "samlMetadataXML": "<xml ..."
}
```

***

## Common settings for OAuth and SAML integrations

```javascript
{
  // required, can be "oauth2" or "saml"
  "type": "oauth2",
  // required, unique name, can contain words, digits, "_" or "-"
  "name": "ssoName",

  // whether role syncing is enabled for the described configuration,
  // equivalent to UI_BAKERY_SSO_SYNC_ROLES env variable
  "syncRoles": false,
  // equivalent to UI_BAKERY_SSO_SYNC_ROLES_BY_NAME env variable
  "syncRolesByName": false,
  // equivalent to UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN env variable
  "syncRolesOnLogin": false,
  // equivalent to UI_BAKERY_SSO_HARD_SYNC_ROLES env variable
  "hardRoleSync": false,
  // equivalent to UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN env variable
  "syncRoleForEditorAndAdmin": false,
  // equivalent to UI_BAKERY_ROLE_MAPPING env variable
  "roleMapping": "role1->editor,role2->admin",
  // equivalent to UI_BAKERY_SSO_ROLE_CLAIM env variable
  "roleClaim": "role",
  // equivalent to UI_BAKERY_SSO_NAME_CLAIM env variable
  "nameClaim": "name",
  // equivalent to UI_BAKERY_LOGOUT_REDIRECT env variable,
  // requires UI_BAKERY_SSO_BROADCAST_TOKEN=true
  "logoutRedirect": "https://example.com/logout",

  // equivalent to UI_BAKERY_BRANDING_AUTH_SSO_BTN_TEXT env variable
  "buttonText": "Login with SSO",
  // equivalent to UI_BAKERY_BRANDING_AUTH_SSO_BTN_STYLES env variable
  "buttonStyles": "height: 16px; color: red;",
  // equivalent to UI_BAKERY_BRANDING_AUTH_SSO_BTN_ICON env variable
  "buttonIcon": "ICON URL",
  // equivalent to UI_BAKERY_BRANDING_AUTH_SSO_BTN_ICON_STYLES env variable
  "buttonIconStyles": "height: 16px; width: 16px"
}
```
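
A pre-deployment check for the value of `UI_BAKERY_SSO_CONFIGURATION`, added here as an example and not part of UI Bakery: it applies the required-field and naming rules from the templates above, lists the Sign-On URL to register for each SAML provider, and flags every provider that sets `"disableMfa": true`. The function name, the `instance` parameter, the name pattern and the sample values are assumptions.

```python
import json
import re

# Assumption: "words, digits, _ or -" is read as this character class.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
OAUTH_REQUIRED = ("oauthClientId", "oauthClientSecret", "oauthAuthorizationUrl",
                  "oauthTokenUrl", "oauthScope")

def lint_sso_configuration(raw, instance="YOUR_INSTANCE"):
    """Return (errors, notes) for a UI_BAKERY_SSO_CONFIGURATION value."""
    errors, notes, seen = [], [], set()
    try:
        providers = json.loads(raw)  # strict parse: // template comments fail here
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], notes
    if not isinstance(providers, list):
        return ["top level must be a JSON array"], notes
    for i, p in enumerate(providers):
        p = p if isinstance(p, dict) else {}  # non-objects fail the checks below
        name, kind, missing = p.get("name"), p.get("type"), []
        label = name if isinstance(name, str) and name else f"#{i}"
        if not isinstance(name, str) or not NAME_RE.fullmatch(name) or name in seen:
            errors.append(f"{label}: name is missing, malformed or duplicated")
        seen.add(label)
        if kind == "oauth2":
            missing = [k for k in OAUTH_REQUIRED if not p.get(k)]
            if not p.get("oauthGetClaimsFromToken") and not p.get("oauthUserInfoUrl"):
                missing.append("oauthUserInfoUrl")
        elif kind == "saml":
            missing = [] if p.get("samlEntityId") else ["samlEntityId"]
            if not (p.get("samlMetadataURL") or p.get("samlMetadataXML")):
                missing.append("samlMetadataURL or samlMetadataXML")
            notes.append(f"{label}: Sign-On URL https://{instance}/api/auth/login/{label}")
        else:
            errors.append(f'{label}: type must be "oauth2" or "saml"')
        errors += [f"{label}: missing {k}" for k in missing]
        if p.get("disableMfa") is True:
            notes.append(f"{label}: UI Bakery MFA skipped, only the provider's MFA applies")
    return errors, notes

# Constructed sample value: two providers, UI Bakery MFA disabled only for the first.
SAMPLE = json.dumps([
    {"type": "oauth2", "name": "okta_login", "disableMfa": True,
     "oauthClientId": "placeholder", "oauthClientSecret": "placeholder",
     "oauthAuthorizationUrl": "https://idp.example.com/authorize",
     "oauthTokenUrl": "https://idp.example.com/token",
     "oauthGetClaimsFromToken": True, "oauthScope": "profile email openid"},
    {"type": "saml", "name": "samlSSO", "samlEntityId": "string",
     "samlMetadataURL": "https://provider/metadata.xml"}])
```

Review the notes as well as the errors: every provider listed as skipping UI Bakery MFA relies entirely on the MFA policy configured at that SSO provider.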


