Basic Information

<%= form.select :strategy, options_for_select([ ["OpenID Connect", "openid_connect"], ["SAML 2.0", "saml"], ["Google OAuth2", "google_oauth2"], ["GitHub", "github"] ], sso_provider.strategy), { label: "Strategy" }, { data: { action: "change->admin-sso-form#toggleFields" } } %> <%= form.text_field :name, label: "Name", placeholder: "e.g., keycloak, authentik", required: true, data: { action: "input->admin-sso-form#updateCallbackUrl" } %>

Unique identifier (lowercase, numbers, underscores only)

<%= form.text_field :label, label: "Button Label", placeholder: "e.g., Sign in with Keycloak", required: true %>

<%= form.text_field :icon, label: "Icon (optional)", placeholder: "e.g., key, shield" %>

Lucide icon name for the login button

<%= t("admin.sso_providers.form.enabled_label") %>

<%= t("admin.sso_providers.form.enabled_help") %>

<%= form.toggle :enabled %>

OAuth/OIDC Configuration

"> <%= form.text_field :issuer, label: "Issuer URL", placeholder: "https://your-idp.example.com/realms/your-realm", data: { action: "blur->admin-sso-form#validateIssuer" } %>

OIDC issuer URL (validates .well-known/openid-configuration)

<%= form.text_field :client_id, label: "Client ID", placeholder: "your-client-id", required: true %> <%= form.password_field :client_secret, label: "Client Secret", placeholder: sso_provider.persisted? ? "••••••••" : "your-client-secret", required: !sso_provider.persisted? %> <% if sso_provider.persisted? %>

Leave blank to keep existing secret

<% end %>

"> Callback URL

<%= "#{request.base_url}/auth/#{sso_provider.name.presence || 'PROVIDER_NAME'}/callback" %>

Configure this URL in your identity provider

<%= t("admin.sso_providers.form.saml_configuration") %>

<%= t("admin.sso_providers.form.idp_metadata_url") %> " class="w-full px-3 py-2 border border-primary rounded-lg text-sm" placeholder="https://idp.example.com/metadata" autocomplete="off">

<%= t("admin.sso_providers.form.idp_metadata_url_help") %>

<%= t("admin.sso_providers.form.manual_saml_config") %>

<%= t("admin.sso_providers.form.manual_saml_help") %>

<%= t("admin.sso_providers.form.idp_sso_url") %> " class="w-full px-3 py-2 border border-primary rounded-lg text-sm" placeholder="https://idp.example.com/sso" autocomplete="off">

<%= t("admin.sso_providers.form.idp_slo_url") %> " class="w-full px-3 py-2 border border-primary rounded-lg text-sm" placeholder="https://idp.example.com/slo (optional)" autocomplete="off">

<%= t("admin.sso_providers.form.idp_certificate") %>

<%= t("admin.sso_providers.form.idp_certificate_help") %>

<%= t("admin.sso_providers.form.idp_cert_fingerprint") %> " class="w-full px-3 py-2 border border-primary rounded-lg text-sm font-mono" placeholder="AB:CD:EF:..." autocomplete="off">

<%= t("admin.sso_providers.form.name_id_format") %>

SP Callback URL (ACS URL)

<%= "#{request.base_url}/auth/#{sso_provider.name.presence || 'PROVIDER_NAME'}/callback" %>

Configure this URL as the Assertion Consumer Service URL in your IdP

<%= t("admin.sso_providers.form.provisioning_title") %>

<%= form.select "settings[default_role]", options_for_select([ [t("admin.sso_providers.form.role_guest", default: "Guest"), "guest"], [t("admin.sso_providers.form.role_member"), "member"], [t("admin.sso_providers.form.role_admin"), "admin"], [t("admin.sso_providers.form.role_super_admin"), "super_admin"] ], sso_provider.settings&.dig("default_role").to_s.presence || "member"), { label: t("admin.sso_providers.form.default_role_label"), include_blank: false } %>

<%= t("admin.sso_providers.form.default_role_help") %>

<%= t("admin.sso_providers.form.role_mapping_title") %>

<%= t("admin.sso_providers.form.role_mapping_help") %>

<%= t("admin.sso_providers.form.super_admin_groups") %> " class="w-full px-3 py-2 border border-primary rounded-lg text-sm" placeholder="Platform-Admins, IdP-Superusers" autocomplete="off">

<%= t("admin.sso_providers.form.groups_help") %>

<%= t("admin.sso_providers.form.admin_groups") %> " class="w-full px-3 py-2 border border-primary rounded-lg text-sm" placeholder="Team-Leads, Managers" autocomplete="off">

<%= t("admin.sso_providers.form.member_groups") %> " class="w-full px-3 py-2 border border-primary rounded-lg text-sm" placeholder="* (all groups)" autocomplete="off">

<%= t("admin.sso_providers.form.guest_groups", default: "Guest Groups") %> " class="w-full px-3 py-2 border border-primary rounded-lg text-sm" placeholder="Early-Access-Guests" autocomplete="off">

<%= t("admin.sso_providers.form.advanced_title") %>

<%= form.text_field "settings[scopes]", label: t("admin.sso_providers.form.scopes_label"), value: sso_provider.settings&.dig("scopes"), placeholder: "openid email profile groups" %>

<%= t("admin.sso_providers.form.scopes_help") %>

<%= form.select "settings[prompt]", options_for_select([ [t("admin.sso_providers.form.prompt_default"), ""], [t("admin.sso_providers.form.prompt_login"), "login"], [t("admin.sso_providers.form.prompt_consent"), "consent"], [t("admin.sso_providers.form.prompt_select_account"), "select_account"], [t("admin.sso_providers.form.prompt_none"), "none"] ], sso_provider.settings&.dig("prompt")), { label: t("admin.sso_providers.form.prompt_label"), include_blank: false } %>

<%= t("admin.sso_providers.form.prompt_help") %>

<% if sso_provider.persisted? %> <% end %>

<%= link_to "Cancel", admin_sso_providers_path, class: "px-4 py-2 text-sm font-medium text-secondary hover:text-primary" %> <%= form.submit sso_provider.persisted? ? "Update Provider" : "Create Provider", class: "px-4 py-2 bg-primary text-inverse rounded-lg text-sm font-medium hover:bg-primary/90" %>