# Multiple SSO

UI Bakery supports configuring more than one SSO provider. You can achieve this by modifying the following environment variables:

```
UI_BAKERY_SSO_CONFIGURATION='[ { SSO_CONFIG }, { SSO_CONFIG }, { SSO_CONFIG }]'
UI_BAKERY_SSO_CONFIGURATION_ENABLED=true
```

The `UI_BAKERY_SSO_CONFIGURATION` variable accepts a JSON array of configuration objects. Each object represents one SSO connection, whether it's OAuth or SAML.

Optionally, you can define a unique role mapping for each provider. If a configuration object lacks role syncing settings, the values from the corresponding environment variable will be used.

## Disabling MFA from UI Bakery

UI Bakery allows you to enable MFA on the *UI Bakery level*. When enabled, it is required for:

* users signing in with **email/password**
* users signing in via **SSO (OpenID, SAML, etc.)**

But some SSO providers may also enforce their own MFA, so users will have to complete *two MFA prompts*: from the SSO provider and from UI Bakery.

To avoid this and let users complete only their SSO MFA, you need to configure the following variable in your SSO configuration: `"disableMfa": true`.\
This setting is applied **per SSO provider**. You can disable UI Bakery MFA for one provider while keeping it enabled for another.

With this variable set to *true:*

* **SSO users** will only complete MFA handled by the SSO providers
* **Email/password users** will complete MFA handled by UI Bakery

## Configuration for OAuth provider

```javascript
{
  "type": "oauth2",
  "name": "okta_login",

  // required, equivalent to UI_BAKERY_OAUTH_CLIENT_ID env variable
  "oauthClientId": "",
  // required, equivalent to UI_BAKERY_OAUTH_SECRET env variable
  "oauthClientSecret": "",
  // required, equivalent to UI_BAKERY_OAUTH_AUTH_URL env variable
  "oauthAuthorizationUrl": "",
  // required, equivalent to UI_BAKERY_OAUTH_TOKEN_URL env variable
  "oauthTokenUrl": "",
  // required if "oauthGetClaimsFromToken" is false,
  // equivalent to UI_BAKERY_OAUTH_USERINFO_URL env variable
  "oauthUserInfoUrl": "",
  // equivalent to UI_BAKERY_OAUTH_GET_CLAIMS_FROM_TOKEN env variable
  "oauthGetClaimsFromToken": false,
  // required, equivalent to UI_BAKERY_OAUTH_SCOPE env variable
  "oauthScope": "profile email openid",
  // equivalent to UI_BAKERY_OAUTH_EMAIL_KEY env variable
  "oauthEmailKey": "email",
  // equivalent to UI_BAKERY_OAUTH_ID_KEY env variable
  "oauthIdKey": "sub",
  // equivalent to UI_BAKERY_OAUTH_TOKEN_URL_ADDITIONAL_PARAMS env variable
  "oauthTokenUrlAdditionalParams": { "param": "value" },
  // equivalent to UI_BAKERY_OAUTH_SIGN_OUT_WHEN_TOKEN_EXPIRED env variable
  "oauthSignOutWhenTokenExpired": false,
  // equivalent to UI_BAKERY_OAUTH_FORCE_TOKEN_REFRESH env variable
  "oauthForceTokenRefresh": false,
  // equivalent to UI_BAKERY_OAUTH_SYNC_ROLES_ON_TOKEN_REFRESH env variable
  "oauthSyncRolesOnTokenRefresh": false,
  // equivalent to UI_BAKERY_AUTH_RESTRICTED_DOMAIN env variable
  "restrictedDomain": "example.com",
  // equivalent to UI_BAKERY_LOGOUT_REDIRECT env variable
  "logoutRedirect": "https://example.com/logout"
}
```

***

## Configuration for SAML provider

{% hint style="warning" %}
For SAML providers, when registering SSO integration with JSON, the Sign-On URL should match: **`https://YOUR_INSTANCE/api/auth/login/{samlSSO}`**, where **`{samlSSO}`** is the name provided in the UI Bakery configuration.
{% endhint %}

```javascript
{
  "type": "saml",
  "name": "samlSSO",

  // required, equivalent to UI_BAKERY_SAML_ENTITY_ID env variable
  "samlEntityId": "string",

  // required if "samlMetadataXML" is not provided,
  // equivalent to UI_BAKERY_SAML_METADATA_URL env variable
  "samlMetadataURL": "https://provider/metadata.xml",

  // required if "samlMetadataURL" is not provided
  "samlMetadataXML": "<xml ..."
}
```

***

## Common settings for OAuth and SAML integrations

```javascript
{
  // required, can be "oauth2" or "saml"
  "type": "oauth2",
  // required, unique name, can contain words, digits, "_" or "-"
  "name": "ssoName",

  // whether role syncing is enabled for the described configuration,
  // equivalent to UI_BAKERY_SSO_SYNC_ROLES env variable
  "syncRoles": false,
  // equivalent to UI_BAKERY_SSO_SYNC_ROLES_BY_NAME env variable
  "syncRolesByName": false,
  // equivalent to UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN env variable
  "syncRolesOnLogin": false,
  // equivalent to UI_BAKERY_SSO_HARD_SYNC_ROLES env variable
  "hardRoleSync": false,
  // equivalent to UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN env variable
  "syncRoleForEditorAndAdmin": false,
  // equivalent to UI_BAKERY_ROLE_MAPPING env variable
  "roleMapping": "role1->editor,role2->admin",
  // equivalent to UI_BAKERY_SSO_ROLE_CLAIM env variable
  "roleClaim": "role",
  // equivalent to UI_BAKERY_SSO_NAME_CLAIM env variable
  "nameClaim": "name",
  // equivalent to UI_BAKERY_LOGOUT_REDIRECT env variable,
  // requires UI_BAKERY_SSO_BROADCAST_TOKEN=true
  "logoutRedirect": "https://example.com/logout",

  // equivalent to UI_BAKERY_BRANDING_AUTH_SSO_BTN_TEXT env variable
  "buttonText": "Login with SSO",
  // equivalent to UI_BAKERY_BRANDING_AUTH_SSO_BTN_STYLES env variable
  "buttonStyles": "height: 16px; color: red;",
  // equivalent to UI_BAKERY_BRANDING_AUTH_SSO_BTN_ICON env variable
  "buttonIcon": "ICON URL",
  // equivalent to UI_BAKERY_BRANDING_AUTH_SSO_BTN_ICON_STYLES env variable
  "buttonIconStyles": "height: 16px; width: 16px"
}
```
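To check a `UI_BAKERY_SSO_CONFIGURATION` value before deploying it, the following added example (not UI Bakery's own code) parses the array, verifies the per-type required keys and the name rules from the sections above, computes the effective settings after the env-variable fallback for role syncing, and derives the SAML Sign-On URL from the provider name. It assumes `https://YOUR_INSTANCE` as a placeholder instance URL, that a provider's own keys take precedence over the env fallback, and that `disableMfa` defaults to `false` when omitted.

```python
import json
import re

# Role-sync keys and the env variable each falls back to when a provider omits it (pairs from the page).
ROLE_SYNC_ENV = {
    "syncRoles": "UI_BAKERY_SSO_SYNC_ROLES", "roleMapping": "UI_BAKERY_ROLE_MAPPING",
    "syncRolesByName": "UI_BAKERY_SSO_SYNC_ROLES_BY_NAME", "roleClaim": "UI_BAKERY_SSO_ROLE_CLAIM",
    "syncRolesOnLogin": "UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN", "hardRoleSync": "UI_BAKERY_SSO_HARD_SYNC_ROLES",
}
OAUTH_REQUIRED = ("oauthClientId", "oauthClientSecret", "oauthAuthorizationUrl", "oauthTokenUrl", "oauthScope")
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # name may contain words, digits, "_" or "-"

# Constructed sample: an OAuth provider that reads claims from the token and skips UI Bakery MFA,
# plus a SAML provider that inherits its role-sync settings from the env variables.
SAMPLE_CONFIG = json.dumps([
    {"type": "oauth2", "name": "okta_login", "oauthClientId": "id", "oauthClientSecret": "secret",
     "oauthAuthorizationUrl": "https://idp/auth", "oauthTokenUrl": "https://idp/token",
     "oauthScope": "profile email openid", "oauthGetClaimsFromToken": True,
     "disableMfa": True, "roleMapping": "okta-admins->admin"},
    {"type": "saml", "name": "samlSSO", "samlEntityId": "uibakery",
     "samlMetadataURL": "https://provider/metadata.xml"},
])
SAMPLE_ENV = {"UI_BAKERY_SSO_SYNC_ROLES": "true", "UI_BAKERY_ROLE_MAPPING": "role1->editor,role2->admin"}

def check_sso_configuration(raw, env, instance="https://YOUR_INSTANCE"):
    """Validate UI_BAKERY_SSO_CONFIGURATION; return (errors, effective per-provider settings)."""
    errors, effective, seen = [], [], set()
    for p in json.loads(raw):
        name, kind = str(p.get("name", "")), p.get("type")
        if not NAME_RE.match(name) or name in seen:
            errors.append(f"{name!r}: provider name must be unique and match {NAME_RE.pattern}")
        seen.add(name)
        if kind == "oauth2":
            missing = [k for k in OAUTH_REQUIRED if not p.get(k)]
            if not p.get("oauthGetClaimsFromToken") and not p.get("oauthUserInfoUrl"):
                missing.append("oauthUserInfoUrl")   # needed to fetch claims from the IdP
            errors += [f"{name}: missing {k}" for k in missing]
        elif kind == "saml":
            if not p.get("samlEntityId"):
                errors.append(f"{name}: missing samlEntityId")
            if not (p.get("samlMetadataURL") or p.get("samlMetadataXML")):
                errors.append(f"{name}: needs samlMetadataURL or samlMetadataXML")
        else:
            errors.append(f"{name}: type must be 'oauth2' or 'saml'")
        merged = {key: env[var] for key, var in ROLE_SYNC_ENV.items() if var in env}
        merged.update(p)                        # assumption: per-provider keys win over env fallbacks
        merged.setdefault("disableMfa", False)  # assumed default: UI Bakery MFA stays on
        if kind == "saml":                      # Sign-On URL to register at the IdP (from the hint above)
            merged["signOnUrl"] = f"{instance}/api/auth/login/{name}"
        effective.append(merged)
    return errors, effective
```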
