Role synchronization

Role synchronization allows automatic role assignment to users based on their identity provider.

Enable role synchronization

By default, UI Bakery does not sync any roles provided by the Identity Provider. To enable role synchronization, set the following environment variables:

UI_BAKERY_SSO_SYNC_ROLES=true
UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN=true

Out of the box, UI Bakery will attempt to match received roles by name. UI Bakery will try to retrieve the role name(s) from a claim (attribute) named role. If a match is found (e.g., the SSO returned a role=support claim, and UI Bakery has a support role in the workspace), the user's current roles will be replaced with the matched SSO role(s).

Advanced settings

You can fine-tune role synchronization with the variables below.

UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN

By default, it is set to false, and roles are synchronized only during sign-up. If set to true, roles are synchronized on every login as well as during sign-up. For OpenID providers, it is also possible to sync roles with every token refresh.


UI_BAKERY_SSO_ROLE_MAPPING

Set up a mapping between SSO provider roles/groups and UI Bakery roles when they aren't matched by name, e.g.:

UI_BAKERY_SSO_ROLE_MAPPING=identityRoleName->bakeryRoleName,identityRoleName2->bakeryRoleName2

UI_BAKERY_SSO_SYNC_ROLES_BY_NAME

By default, it is set to true. You can set it to false to control role syncing exclusively through the UI_BAKERY_SSO_ROLE_MAPPING variable.


UI_BAKERY_SSO_HARD_SYNC_ROLES

By default, it's false. When set to true, UI Bakery overwrites all roles, removing existing ones and adding new ones received from the Identity Provider even if there are no roles provided.

Please note that if no roles are matched, the user will be removed from the organization and will no longer be able to access it.


UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN

By default, UI Bakery syncs roles only for end-users, leaving admin and editor roles untouched. Set it to true to sync roles for all users.

Please note that in the case of a malformed configuration, admin accounts may lose access to the system.


UI_BAKERY_SSO_ROLE_CLAIM

By default, it is set to role. You can change this variable to configure which claim is used as the source for roles.
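
A pre-deployment dry run for the settings above, as an added example rather than UI Bakery's own code: it models the documented matching rules to list mapping targets that do not exist in the workspace and users who would match no role. The function names, sample users and role names are constructed, and trying the mapping before a by-name match for each received role is an assumption.

```python
def flag(env, name, default):
    """Read a boolean setting, falling back to the documented default."""
    return env.get(name, default).strip().lower() == "true"

def parse_mapping(value):
    """Parse 'idpRole->bakeryRole,idpRole2->bakeryRole2' into a dict."""
    mapping = {}
    for pair in filter(None, (p.strip() for p in value.split(","))):
        src, sep, dst = (part.strip() for part in pair.partition("->"))
        if not (sep and src and dst):
            raise ValueError(f"malformed mapping entry: {pair!r}")
        mapping[src] = dst
    return mapping

def matched_roles(env, claims, workspace_roles):
    """Assumed model: try the mapping first, then a by-name match if enabled."""
    received = claims.get(env.get("UI_BAKERY_SSO_ROLE_CLAIM", "role"), [])
    received = [received] if isinstance(received, str) else list(received)
    mapping = parse_mapping(env.get("UI_BAKERY_SSO_ROLE_MAPPING", ""))
    by_name = flag(env, "UI_BAKERY_SSO_SYNC_ROLES_BY_NAME", "true")
    result = set()
    for role in received:
        if mapping.get(role) in workspace_roles:
            result.add(mapping[role])
        elif by_name and role in workspace_roles:
            result.add(role)
    return result

def dry_run(env, users, workspace_roles):
    """List mapping targets missing from the workspace and users matching no role."""
    warnings = []
    for src, dst in parse_mapping(env.get("UI_BAKERY_SSO_ROLE_MAPPING", "")).items():
        if dst not in workspace_roles:
            warnings.append(f"mapping {src}->{dst}: no such workspace role")
    hard = flag(env, "UI_BAKERY_SSO_HARD_SYNC_ROLES", "false")
    for user, claims in users.items():
        if not matched_roles(env, claims, workspace_roles):
            # Without hard sync, leaving roles unchanged is an assumption.
            effect = "removed from organization" if hard else "roles left unchanged"
            warnings.append(f"{user}: no role matched, {effect}")
    return warnings

# Constructed sample data: workspace roles, IdP claims and a config with a typo.
ROLES = {"support", "operator"}
USERS = {"alice": {"role": "idp-support"}, "bob": {"role": ["idp-ops"]}, "carol": {"role": "support"}}
ENV = {"UI_BAKERY_SSO_HARD_SYNC_ROLES": "true", "UI_BAKERY_SSO_SYNC_ROLES_BY_NAME": "false",
       "UI_BAKERY_SSO_ROLE_MAPPING": "idp-support->support,idp-ops->opperator"}
if __name__ == "__main__":
    print("\n".join(dry_run(ENV, USERS, ROLES)))
```

To check a real deployment, pass `dict(os.environ)` as `env` together with the workspace's actual role names and a sample of claims exported from the identity provider.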
