Portal SSO
Last updated
Was this helpful?
Last updated
Was this helpful?
After deploying the environment and enabling the , also referred to as the Form.io Developer Portal, your next objective might be to utilize Single Sign-On (SSO) to authenticate the environment users into the deployed Developer Portal interface.
This is done by setting up a SAML or OIDC authentication application and integrating the provider into your
There are two primary SSO authentication methods for accessing the Developer Portal. Visit one of the Provider documentation links below for details on application setup and integration with the Form.io Project.
SSO
SSO
Modify the Portal Base User Login form to enable SSO authentication for SAML users accessing the Developer Portal. Before this workflow can be established, ensure you have your properly configured within the Portal Base Project.
Ensure a has been properly configured within the Portal Base Project.
Navigate to the OAuth settings of your Portal Base Project and ensure the provider credentials have been properly configured Settings > Authorization > Oauth
Ensure the correct SAML Roles are properly mapped to the correct Form.io Role
Follow the steps below to achieve SAML SSO authentication using a Form.io Login form.
Edit the authentication Form embedded within your application
Drag and drop a Button component
Modify the Label to reflect SAML authentication
Click the Action dropdown and select Custom
Copy the following code and paste it into the Button Custom Logic code block
Add a Hidden component
Click the Data tab and open the Custom Default Value tab
Add the following JavaScript within the code block
Save the Settings and Form
Navigate to the Form.io deployed environment Authentication page
Click the SSO with SAML button
The SAML Provider authentication page should display
Enter the OIDC User credentials
The SAML User should authenticate into the deployed portal environment with their assigned Form.io Role.
The Automatic Login authentication method will perform a login via SAML SSO as soon as the SAML User navigates to the authentication page of the Deployed Portal. This relieves the user from having to interface with the Login form and click additional buttons to authenticate into the Portal.
To enable Automatic SSO login to your developer portal, you will need to first ensure your SAML SSO Provider Integration settings have been configured within the Portal Base Project. The User Login Form within the Portal Base Project will then be modified to support the automatic SAML login integration.
Navigate to the User Login Form within the Portal Base project
Drag a Hidden component to the form
Configure the Label (for ex. samlAutoLogin)
Go to the Data tab and under Persistent configuration choose 'None'
Scroll down to the Custom Default Value section and insert this code:
Save the component and the form
Navigate to your environment endpoint. If you have already authenticated into your SAML provider, you should automatically log in to the environment. If you have not yet authenticated, you should be prompted to enter your SAML credentials and then authenticate. When logging out, the SAML user should be redirected to the SAML provider authentication page.
Since Automatic SSO Authentication bypasses the Login form, you will be unable to log in as the Super Admin for the environment. This is necessary when needing to make modifications to the Portal Base Project.
To temporarily bypass the authentication method, pass the disableAutoLogin=true URL query parameter within your browser.
Alternatively, if you're already authenticated into the environment, set Formio.disableAutoLogin=true from within the DevTools console
Edit the User Login form
Add a Button component called SSO with OIDC and configure the following settings
Set the Action to OAuth
Set the OAuth Provider to OpenID
Click the Actions tab and add the OAuth action
Within the OAuth action, configure the following settings
Set OAuth Provider to OpenID
Set Action to Remote Authentication
Set Sign-In With OAuth Button to the SSO Button - SSO with OIDC
If you are not delegating OIDC Roles, leave the Claim and Value setting blank and select a Form.io role you want to assign the user. The following configuration will delegate every OIDC user logging in to carry the Form.io Authenticated role.
Optional - If you are delegating Claims, ensure you set the Claim and related Value within your Project settings and OAuth action. In the example below, the OIDC provider utilizes the 'groups' claim (found within the support scopes). The Value is the OIDC Role name the OIDC User is associated with. You can then map these OIDC roles to a Form.io role enabling granular permissions.
Your Login form should look something like this
Navigate to your Applications authentication page and click the SSO with OIDC button. You should be prompted to enter your OIDC credentials
The authenticated OIDC user should carry the OIDC Group Role (Member) as well as the correct Form.io Role ID (Authenticated 65de..) within the metadata of the user object. This was accomplished in the previous step by mapping the OIDC group role to the Form.io Role configured within the OAuth action.
SSO Teams relieve the need to manually add individual SSO Users to a Team. Instead, during the SSO authentication process, OIDC groups associated with OIDC users are automatically linked to a Team if the Form.io Team name matches the OIDC Group name.
Depending on the SSO Provider, it may be necessary to configure the Group 'Claim' parameter within the provider's configuration. This will ensure the SAML Role associated with the authenticating SAML user is returned to Form.io so it can be mapped to a Form.io role.
After enabling the variable
Create a new Form.io Team from the Developer Portal
Check the new SSO Team setting checkbox: This setting will communicate to the API server this should be an SSO Team.
The Team Name should match the Group associated with the SAML User
Next, you will need to assign that Team to the projects you wish to allow SSO users to have access to within the Form.io developer portal interface.
Navigate to the project you wish to provide access to
Click the Teams within the Projects navigation bar
Select the role you wish that team to have within the given Project.
After this is set up, anyone with a SAML or OIDC Role/Group name matching the Team's name will be automatically assigned to that team and granted access to the project
These Users will have access and permissions to Project(s) the SSO Team has been assigned to.
Important: Make sure that you configure a separate SSO application within your SAML provider to use the correct project URLs instead of using the same SAML configuration provided in the previous step.
After you do that, you will now need to provide the SSO configuration within your project's Public Configuration section.
Aside from SSO, OIDC can also link or create user within a Form.io Resource. Below are additional OIDC authentication methods for deployed portal users:
Each of these methods can be used to establish a variety of authentication strategies within the Form.io platform. To achieve this within Form.io, an OIDC provider must be established first. Once OIDC has been set up, credentials generated from the provider will be integrated into the Form.io project. Modifications of your Form.io authentication forms will be necessary to establish the final connection between your forms and the OIDC provider.
Preconditions for the authentication method examples:
Ensure the Project is configured to support your OIDC Provider
The following default forms that are created with a Form.io project are being utilized: User Login Form User Registration Form
The Registration and Login Forms are being mapped to the default User Resource
The OIDC User Registration method allows OIDC Users to register their accounts using Form.io, saving their OIDC User record within a Form.io Resource. Most Form.io Projects come with a User Register form by default which will be modified in this example to support OIDC registration.
In this example, the User Registration form is embedded within my application to enable SSO registration that will save to the User Resource within my project.
To get started, navigate to your Project and edit the User Registration Form.
Add a Hidden field called Email and a Hidden field called Name
Add a Button called Register with OIDC and modify the following settings
Set a Label for the button like Register with OIDC
Set the Action to OAuth
Set the OAuth Provider to OpenID
This action will integrate the OIDC Provider and map the provider claims to the User Resource within the Form.io Project.
Set OAuth Provider to OpenID
Set Action to Register New Resource
Set Resource to User
Set Sign-in with OAuth Button to Register With OIDC
Set the OAuth Callback URL to your application Domain
These settings will dictate what information from the OIDC User scope should be saved with the Registration record. Since the data input will be done on the OIDC authentication page, no physical fields on the form are needed. The hidden email and name field will be used to map the email and name from the OIDC User scope to the submission object.
Set the Claim to email and select the Email field
Set the Claim to name and select the Name field
Save the Action
Now that the OAuth settings have been mapped to the User Resource, a Save Submission action will be added to ensure the data submitted against the Registration form is stored within the User Resource.
Add a Save Submission Action and configure the following settings
Set the Save Submission To field to the User Resource
Map the Name and Email field on the form to the corresponding fields on the User Resource
After saving the Action, our Registration form should look like this
With the Registration form modified, we are now ready to test the workflow.
Navigate to your application's registration page
Click the Register with OIDC button and enter the OIDC User credentials
Navigate to the User Resource Data tab within the Project and ensure a User record was generated based on OIDC User registration.
Once these conditions have been met, the User Login form can be configured to authenticate the OIDC User against the User Resource within the project.
Edit the User Login form within your Project
Add a Button component called Login with OIDC and configure the following settings
Set a Label for the button like Login with OIDC
Set the Action to OAuth
Set the OAuth Provider to OpenID
Set OAuth Provider to OpenID
Set Action to Register New Resource
Set Resource to User
Set Sign-in with OAuth Button to Register With OIDC
Now click Save and our form is now configured for Login using OIDC!
With the Registration form modified, we are now ready to test the workflow.
Navigate to your application's login page
Click the Login with OIDC button and enter the OIDC User credentials
This authentication method will "link" an external OIDC user entity with an existing Form.io user record. This method requires custom code within your application to properly link the user records with the OIDC user.
Create a Form called Link User
Edit the Submit Button and modify the following settings:
Set the Action to OAuth and the Provider to OIDC
Embed the form somewhere in your application where only authenticated users can access it, like a user settings page.
Navigate to the
Modify the Portal Base User Login form to enable SSO authentication for SAML users accessing the Developer Portal. Before this workflow can be established, ensure you have your properly configured within the Portal Base Project.
Ensure your is properly configured within the Portal Base Project.
As an environment Admin, navigate to the
See or examples for more information
Before an SSO Team can be created, the feature will need to be enabled for your environment. To do so, add the following within your deployment API server .
about Teams and different permission settings that can be granted
To enable the with SAML SSO authentication, you will need to first navigate to your project, and just like you did for the Portal Base project above, configure this project with the same SAML configuration.
For a description of all Configurations available go to the documentation.
- Creates a new user record within a Form.io Resource by utilizing the user credentials from the OAuth provider.
- Utilizes the remote OIDC User authentication to locate a Form.io user record within a resource to establish authentication.
- This will "link" an external OIDC user entity with an existing Form.io user record.
It's important to note that this workflow does not register a user with an OIDC provider, but rather registers an OIDC user within the Form.io Project. This registration can be applied to the within your deployed environment or for a connected application.
Add an to the Registration form and modify the following settings
This Authentication method will utilize OIDC User credentials to log in a User that has been saved within the User Resource of the Form.io Project. The OIDC User and Form.io User record must be '' or '' using the OIDC methods detailed within this documentation to establish a proper connection.
Add an to the Registration form and modify the following settings
The same user created using the method is now authenticated into the application.
Add custom logic within the Application to hide the form for users who have already logged in. Specifically, check if the user has an externalIds entry for your provider. Here is some sample code that will check if the user has been linked with GitHub using the library:
