The UI_BAKERY_SSO_CONFIGURATION variable accepts a JSON array of configuration objects. Each object describes one SSO connection, either OAuth or SAML.
Optionally, you can define a unique role mapping for each provider. If a configuration object lacks role syncing settings, the values from the corresponding environment variables are used instead.
Configuration for OAuth provider
{
"type": "oauth2",
"name": "okta_login",
// required, equivalent to the UI_BAKERY_OAUTH_CLIENT_ID env variable
"oauthClientId": "",
// required, equivalent to the UI_BAKERY_OAUTH_SECRET env variable
"oauthClientSecret": "",
// required, equivalent to the UI_BAKERY_OAUTH_AUTH_URL env variable
"oauthAuthorizationUrl": "",
// required, equivalent to the UI_BAKERY_OAUTH_TOKEN_URL env variable
"oauthTokenUrl": "",
// required if "oauthGetClaimsFromToken" is false,
// equivalent to the UI_BAKERY_OAUTH_USERINFO_URL env variable
"oauthUserInfoUrl": "",
// equivalent to the UI_BAKERY_OAUTH_GET_CLAIMS_FROM_TOKEN env variable
"oauthGetClaimsFromToken": false,
// required, equivalent to the UI_BAKERY_OAUTH_SCOPE env variable
"oauthScope": "profile email openid",
// equivalent to the UI_BAKERY_OAUTH_EMAIL_KEY env variable
"oauthEmailKey": "email",
// equivalent to the UI_BAKERY_OAUTH_ID_KEY env variable
"oauthIdKey": "sub",
// equivalent to the UI_BAKERY_OAUTH_TOKEN_URL_ADDITIONAL_PARAMS env variable
"oauthTokenUrlAdditionalParams": { "param": "value" },
// equivalent to the UI_BAKERY_OAUTH_SIGN_OUT_WHEN_TOKEN_EXPIRED env variable
"oauthSignOutWhenTokenExpired": false,
// equivalent to the UI_BAKERY_OAUTH_FORCE_TOKEN_REFRESH env variable
"oauthForceTokenRefresh": false,
// equivalent to the UI_BAKERY_OAUTH_SYNC_ROLES_ON_TOKEN_REFRESH env variable
"oauthSyncRolesOnTokenRefresh": false,
// equivalent to the UI_BAKERY_AUTH_RESTRICTED_DOMAIN env variable
"restrictedDomain": "example.com",
// equivalent to the UI_BAKERY_LOGOUT_REDIRECT env variable
"logoutRedirect": "https://example.com/logout"
}
Configuration for SAML provider
For SAML providers configured through this JSON, the Sign-On URL registered with the identity provider must match https://YOUR_INSTANCE/api/auth/login/{samlSSO}, where {samlSSO} is the "name" given in the UI Bakery configuration object.
{
"type": "saml",
"name": "samlSSO",
// required, equivalent to the UI_BAKERY_SAML_ENTITY_ID env variable
"samlEntityId": "string",
// required if "samlMetadataXML" is not provided,
// equivalent to the UI_BAKERY_SAML_METADATA_URL env variable
"samlMetadataURL": "https://provider/metadata.xml",
// required if "samlMetadataURL" is not provided
"samlMetadataXML": "<xml ..."
}
Common settings for OAuth and SAML integrations
{
// required, can be "oauth2" or "saml"
"type": "oauth2",
// required, unique name, can contain words, digits, "_" or "-"
"name": "ssoName",
// whether role syncing is enabled for this configuration,
// equivalent to the UI_BAKERY_SSO_SYNC_ROLES env variable
"syncRoles": false,
// equivalent to the UI_BAKERY_SSO_SYNC_ROLES_BY_NAME env variable
"syncRolesByName": false,
// equivalent to the UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN env variable
"syncRolesOnLogin": false,
// equivalent to the UI_BAKERY_SSO_HARD_SYNC_ROLES env variable
"hardRoleSync": false,
// equivalent to the UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN env variable
"syncRoleForEditorAndAdmin": false,
// equivalent to the UI_BAKERY_ROLE_MAPPING env variable
"roleMapping": "role1->editor,role2->admin",
// equivalent to the UI_BAKERY_SSO_ROLE_CLAIM env variable
"roleClaim": "role",
// equivalent to the UI_BAKERY_SSO_NAME_CLAIM env variable
"nameClaim": "name",
// equivalent to the UI_BAKERY_LOGOUT_REDIRECT env variable,
// requires UI_BAKERY_SSO_BROADCAST_TOKEN=true
"logoutRedirect": "https://example.com/logout",
// equivalent to the UI_BAKERY_BRANDING_AUTH_SSO_BTN_TEXT env variable
"buttonText": "Login with SSO",
// equivalent to the UI_BAKERY_BRANDING_AUTH_SSO_BTN_STYLES env variable
"buttonStyles": "height: 16px; color: red;",
// equivalent to the UI_BAKERY_BRANDING_AUTH_SSO_BTN_ICON env variable
"buttonIcon": "ICON URL",
// equivalent to the UI_BAKERY_BRANDING_AUTH_SSO_BTN_ICON_STYLES env variable
"buttonIconStyles": "height: 16px; width: 16px"
}
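The three blocks above (OAuth provider, SAML provider, common settings) together define what a valid UI_BAKERY_SSO_CONFIGURATION array looks like. The following pre-deployment lint, written for this page and not part of UI Bakery itself, encodes exactly those rules: the required keys per "type", the conditional requirement on "oauthUserInfoUrl" and on the two SAML metadata keys, the "name" character set, the "role->role" syntax of "roleMapping", the fallback of role-sync settings to the listed environment variables, and the SAML Sign-On URL shape. The https requirement on OAuth endpoints and the duplicate-name check are this script's own stricter assumptions; the sample array, the placeholder client id and secret, and the idp.example.com URLs are constructed.

```python
"""Lint a UI_BAKERY_SSO_CONFIGURATION value before it is deployed (added example)."""
import json
import os
import re
from urllib.parse import urlsplit

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # words, digits, "_" or "-"

# Keys the page marks as required for each provider type.
OAUTH_REQUIRED = ("oauthClientId", "oauthClientSecret", "oauthAuthorizationUrl",
                  "oauthTokenUrl", "oauthScope")
SAML_REQUIRED = ("samlEntityId",)

# Role-sync keys and the env variable each one falls back to when absent.
ROLE_SYNC_ENV = {
    "syncRoles": "UI_BAKERY_SSO_SYNC_ROLES",
    "syncRolesByName": "UI_BAKERY_SSO_SYNC_ROLES_BY_NAME",
    "syncRolesOnLogin": "UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN",
    "hardRoleSync": "UI_BAKERY_SSO_HARD_SYNC_ROLES",
    "syncRoleForEditorAndAdmin": "UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN",
    "roleMapping": "UI_BAKERY_ROLE_MAPPING",
    "roleClaim": "UI_BAKERY_SSO_ROLE_CLAIM",
    "nameClaim": "UI_BAKERY_SSO_NAME_CLAIM",
}


def parse_role_mapping(text):
    """Turn "role1->editor,role2->admin" into {"role1": "editor", "role2": "admin"}."""
    mapping = {}
    for pair in filter(None, (p.strip() for p in text.split(","))):
        if "->" not in pair:
            raise ValueError(f"bad roleMapping entry: {pair!r}")
        src, dst = (s.strip() for s in pair.split("->", 1))
        mapping[src] = dst
    return mapping


def _is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def validate_entry(entry, env=None):
    """Return the list of problems for one configuration object (empty list = ok)."""
    env = os.environ if env is None else env
    problems = []
    kind, name = entry.get("type"), entry.get("name", "")
    if kind not in ("oauth2", "saml"):
        problems.append(f"type must be oauth2 or saml, got {kind!r}")
    if not NAME_RE.match(name):
        problems.append(f"name {name!r} must contain only words, digits, _ or -")
    if kind == "oauth2":
        missing = [k for k in OAUTH_REQUIRED if not entry.get(k)]
        # The userinfo endpoint is only required when claims are not read from the token.
        if not entry.get("oauthGetClaimsFromToken") and not entry.get("oauthUserInfoUrl"):
            missing.append("oauthUserInfoUrl")
        problems += [f"missing {k}" for k in missing]
        for k in ("oauthAuthorizationUrl", "oauthTokenUrl", "oauthUserInfoUrl"):
            if entry.get(k) and not _is_https(entry[k]):  # stricter than the page
                problems.append(f"{k} should be an https URL")
    elif kind == "saml":
        problems += [f"missing {k}" for k in SAML_REQUIRED if not entry.get(k)]
        if not (entry.get("samlMetadataURL") or entry.get("samlMetadataXML")):
            problems.append("one of samlMetadataURL or samlMetadataXML is required")
    # Role-sync settings: value from the object, else from the env variable.
    effective = {k: entry.get(k, env.get(v)) for k, v in ROLE_SYNC_ENV.items()}
    if effective["roleMapping"]:
        try:
            parse_role_mapping(str(effective["roleMapping"]))
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def saml_sign_on_url(instance, name):
    """Sign-On URL to register at the IdP for the SAML entry called `name`."""
    return f"https://{instance}/api/auth/login/{name}"


def lint(config_json, env=None):
    """Validate a whole UI_BAKERY_SSO_CONFIGURATION array; return {name: [problems]}."""
    entries = json.loads(config_json)
    if not isinstance(entries, list):
        raise ValueError("UI_BAKERY_SSO_CONFIGURATION must be a JSON array")
    report, seen = {}, set()
    for i, entry in enumerate(entries):
        name = entry.get("name", f"<entry {i}>")
        problems = validate_entry(entry, env)
        if name in seen:
            problems.append(f"duplicate name {name!r}")
        seen.add(name)
        report[name] = problems
    return report


# Constructed sample: a complete OAuth entry and a SAML entry that lacks metadata.
SAMPLE = json.dumps([
    {"type": "oauth2", "name": "okta_login", "oauthClientId": "client-id-placeholder",
     "oauthClientSecret": "secret-placeholder",
     "oauthAuthorizationUrl": "https://idp.example.com/oauth2/v1/authorize",
     "oauthTokenUrl": "https://idp.example.com/oauth2/v1/token",
     "oauthUserInfoUrl": "https://idp.example.com/oauth2/v1/userinfo",
     "oauthScope": "profile email openid", "restrictedDomain": "example.com"},
    {"type": "saml", "name": "samlSSO", "samlEntityId": "urn:example:uibakery"},
])

if __name__ == "__main__":
    for entry_name, found in lint(SAMPLE, env={"UI_BAKERY_ROLE_MAPPING": "ops->editor"}).items():
        print(entry_name, "OK" if not found else found)
    print(saml_sign_on_url("YOUR_INSTANCE", "samlSSO"))
```

Run it against the real variable with lint(os.environ["UI_BAKERY_SSO_CONFIGURATION"]) and the process environment is consulted for any role-sync key an object leaves out, mirroring the fallback the page describes; the sample reports the OAuth entry as OK and flags the SAML entry for its missing metadata.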