Multiple SSO

How to connect more that one SSO provider in UI Bakery

UI Bakery supports configuring more than one SSO provider. You can achieve this by modifying the following environment variables:

UI_BAKERY_SSO_CONFIGURATION='[ { SSO_CONFIG }, { SSO_CONFIG }, { SSO_CONFIG }]'
UI_BAKERY_SSO_CONFIGURATION_ENABLED=true

UI_BAKERY_SSO_CONFIGURATION variable accepts a JSON array of configuration objects. Each object represents one SSO connection, whether it's OAuth or SAML.

Optionally, you can define a unique role mapping for each provider. If a configuration object lacks role syncing settings, the values from the corresponding environment variable will be used.

Disabling MFA from UI Bakery

UI Bakery allows you to enable MFA on the UI Bakery level. When enabled, it is required for:

users signing in with email/password
users signing in via SSO (OpenID, SAML, etc.)

But some SSO providers may also enforce their own MFA, so users will have to complete two MFA prompts: from the SSO provider and from UI Bakery.

To avoid this and let users complete only their SSO MFA, you need to configure the following variable in your SSO configuration: "disableMfa": true. This setting is applied per SSO provider. You can disable UI Bakery MFA for one provider while keeping it enabled for another.

With this variable set to true:

SSO users will only complete MFA handled by the SSO providers
Email/password users will complete MFA handled by UI Bakery

Configuration for OAuth provider

{
  "type": "oauth2",
  "name": "okta_login",
  
  // required, equilient to UI_BAKERY_OAUTH_CLIENT_ID env variable
  "oauthClientId": "",
  // required, equilient to UI_BAKERY_OAUTH_SECRET env variable
  "oauthClientSecret": "",
  // required, equilient to UI_BAKERY_OAUTH_AUTH_URL env variable
  "oauthAuthorizationUrl":  "",
  // required, equilient to UI_BAKERY_OAUTH_TOKEN_URL env variable
  "oauthTokenUrl": "",
  // required if "oauthGetClaimsFromToken" is false,
  // equilient to UI_BAKERY_OAUTH_USERINFO_URL env variable
  "oauthUserInfoUrl":  "",
  // equilient to UI_BAKERY_OAUTH_GET_CLAIMS_FROM_TOKEN env variable
  "oauthGetClaimsFromToken":  false,
  // required, equilient to UI_BAKERY_OAUTH_SCOPE env variable
  "oauthScope": "profile email openid",
  // equilient to UI_BAKERY_OAUTH_EMAIL_KEY env variable
  "oauthEmailKey":  "email",
  // equilient to UI_BAKERY_OAUTH_ID_KEY env variable
  "oauthIdKey": "sub",
  // equilient to UI_BAKERY_OAUTH_TOKEN_URL_ADDITIONAL_PARAMS env variable
  "oauthTokenUrlAdditionalParams":  { "param": "value"},
  // equilient to UI_BAKERY_OAUTH_SIGN_OUT_WHEN_TOKEN_EXPIRED env variable
  "oauthSignOutWhenTokenExpired": false,
  // equilient to UI_BAKERY_OAUTH_FORCE_TOKEN_REFRESH env variable
  "oauthForceTokenRefresh":  false,
  // equilient to UI_BAKERY_OAUTH_SYNC_ROLES_ON_TOKEN_REFRESH env variable
  "oauthSyncRolesOnTokenRefresh": false,
  // equilient to UI_BAKERY_AUTH_RESTRICTED_DOMAIN env variable
  "restrictedDomain": "example.com",
  // equilient to UI_BAKERY_LOGOUT_REDIRECT
  "logoutRedirect": "https://example.com/logout" 
}

Configuration for SAML provider

For SAML providers, when registering SSO integration with JSON, the Sign-On URL should match: https://YOUR_INSTANCE/api/auth/login/{samlSSO}, where {samlSSO} is the name provided in the UI Bakery configuration.

{
  "type": "saml",
  "name": "samlSSO",
  
   // required, equilient to UI_BAKERY_SAML_ENTITY_ID env variable
   "samlEntityId":  "string",  
   
   // required required if "metadataXML" is not provided,
   // equilient to UI_BAKERY_SAML_METADATA_URL env variable  
   "samlMetadataURL":  "https://provider/metadata.xml",
   
   // required if "metadataURL" is not provided 
   "samlMetadataXML":  "<xml ..."
}

Common settings for OAuth and SAML integrations

{
  // required, can be "oauth2" or "saml"
  "type": "oauth2",
  // required, unique name, can contain words, digits, "_" or "-"
  "name": "ssoName",
  
  // is sync roles enabled for the described configuration
  // equilient to UI_BAKERY_SSO_SYNC_ROLES env variable 
  "syncRoles": false,
  // equilient to UI_BAKERY_SSO_SYNC_ROLES_BY_NAME env variable 
  "syncRolesByName": false,
  // equilient to UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN env variable 
  "syncRolesOnLogin":  false,
  // equilient to UI_BAKERY_SSO_HARD_SYNC_ROLES env variable 
  "hardRoleSync": false,
  // equilient to UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN env variable 
  "syncRoleForEditorAndAdmin":  false,
  // equilient to UI_BAKERY_ROLE_MAPPING env variable 
  "roleMapping": "role1->editor,role2->admin",
  // equilient to UI_BAKERY_SSO_ROLE_CLAIM env variable 
  "roleClaim":  "role",
  // equilient to UI_BAKERY_SSO_NAME_CLAIM env variable 
  "nameClaim": "name",
  // equilient to UI_BAKERY_LOGOUT_REDIRECT env variable,
  // requires UI_BAKERY_SSO_BROADCAST_TOKEN=true
  "logoutRedirect": "https://example.com/logout",
  

  // equilient to UI_BAKERY_BRANDING_AUTH_SSO_BTN_TEXT env variable 
  "buttonText":  "Login with SSO",
  // equilient to UI_BAKERY_BRANDING_AUTH_SSO_BTN_STYLES env variable 
  "buttonStyles": "height 16px; color: red;",
  // equilient to UI_BAKERY_BRANDING_AUTH_SSO_BTN_ICON env variable 
  "buttonIcon":  "ICON URL",
  // equilient to UI_BAKERY_BRANDING_AUTH_SSO_BTN_ICON_STYLES env variable 
  "buttonIconStyles": "height 16px; width: 16px"
}

PreviousRole synchronization NextLogout redirect

Last updated 4 months ago

Was this helpful?