Integrate GoRules BRMS with your identity provider using standard OIDC PKCE authentication.
BRMS supports Single Sign-On (SSO) authentication using the OpenID Connect (OIDC) protocol with PKCE (Proof Key for Code Exchange). This provides a secure, standards-based authentication flow that works with any OIDC-compliant identity provider.
Verified Identity Providers
While BRMS should work with any standards-compliant OIDC provider, it has been verified with:
- Okta
- Microsoft Entra ID (Azure AD)
- Keycloak
- PingID
1. Minimal Configuration
To enable OIDC SSO, configure the following required environment variables:
| BRMS Environment Variable | Description |
|---|---|
SSO_OAUTH2_PROVIDER | Set to oidc |
SSO_OAUTH2_CLIENT_ID | Client ID from your identity provider |
SSO_OAUTH2_ISSUER | Issuer URL from your identity provider |
SSO_OAUTH2_JWKS_URI | JWKS URI for token signature validation |
Example:
SSO_OAUTH2_PROVIDER=oidc
SSO_OAUTH2_CLIENT_ID=your-client-id
SSO_OAUTH2_ISSUER=https://your-idp.example.com
SSO_OAUTH2_JWKS_URI=https://your-idp.example.com/protocol/openid-connect/certsWhen the provider is set to
oidcandSSO_OAUTH2_JWKS_URIis not configured, BRMS will not validate the token signature. ALWAYS set the JWKS URI in production environments. You should only remove this variable if you know what you are doing, for example you are hosting BRMS API behind API Gateway with Authorizers configured.
Upon setting configuration you will need to re-deploy BRMS for changes to take effect.
2. Additional Configuration Options
| BRMS Environment Variable | Description | Default |
|---|---|---|
SSO_OAUTH2_SCOPES | OAuth2 scopes to request | openid email profile |
SSO_OAUTH2_REDIRECT_URI | Callback path for OAuth2 flow | /_callback |
SSO_OAUTH2_AUTHORITY_URL | Authority URL (set only if different from issuer) | - |
SSO_OAUTH2_IDENTITY_TOKEN_SOURCE | Which token to use for identity claims (access_token or id_token) | access_token |
SSO_OAUTH2_CUSTOM_CLAIM_NAME | JWT claim name containing user groups | groups |
You should configure your application to redirect to /_callback as this is the URL that handles callbacks.
3. SSO Permissions and Role Mapping
BRMS supports two levels of permissions with two different mapping approaches:
Permission Levels
-
Global Permissions (Configured via Environment Variables)
admin- Full system access and administrative capabilitiesmember- Standard user access
-
Per Project/Repository Permissions (Configured inside BRMS)
- Fine-grained access control for individual projects and repositories
- Configurable through the BRMS UI with automatic IDP group mapping
Method 1: Global User Type Mapping (Environment Variables)
Automatically map SSO groups/roles to global permission levels using environment variables.
Required Environment Variables
SSO_OAUTH2_CUSTOM_CLAIM_NAME=groups
SSO_OAUTH2_GROUPS_MAPPING=<group-mappings>Configuration Examples
Example 1: Keycloak Role Mapping
For Keycloak, roles are typically nested under resource_access.account.roles. Configure as follows:
SSO_OAUTH2_CUSTOM_CLAIM_NAME=resource_access.account.roles
SSO_OAUTH2_GROUPS_MAPPING=Infra_architect->admin,tech_manager->admin,developers->memberExample 2: Standard Groups Claim
For identity providers that use a simple groups claim:
SSO_OAUTH2_CUSTOM_CLAIM_NAME=groups
SSO_OAUTH2_GROUPS_MAPPING=AdminGroup->admin,ManagerGroup->admin,UserGroup->memberHow Global Mapping Works
- Extract Groups from Token: BRMS reads the claim specified in
SSO_OAUTH2_CUSTOM_CLAIM_NAMEfrom the JWT token - Match Against Mapping: Compares user's groups against the mappings defined in
SSO_OAUTH2_GROUPS_MAPPING - Assign Permission:
- If user belongs to a mapped group → Assign the specified permission (
adminormember) - If user doesn't belong to any mapped group → Assign default
memberpermission
- If user belongs to a mapped group → Assign the specified permission (
Mapping Format
<sso-group-name>->admin,<another-group>->admin,<third-group>->member- Comma-separated list of mappings
- Each mapping:
<SSO_GROUP_NAME>-><PERMISSION_LEVEL> - Permission levels:
adminormember
Method 2: Fine-Grained Per-Project Role Mapping (BRMS UI)
For more granular control, BRMS allows you to define custom roles with specific permissions per project and automatically map them to IDP groups.
Enable Fine-Grained Role Mapping
Add the following environment variable:
SSO_OAUTH2_ROLES_MAPPING_ENABLED=trueConfigure Roles in BRMS
Once enabled, administrators can configure roles through the BRMS interface:
- Navigate to Settings > Users & Roles > Roles
- Create a new role or update an existing one
- Configure the following:
- Role Name: Custom role identifier
- IDP Groups: Tag-based selector to map SSO/IDP groups to this role
- Project Access: Assign access to specific projects
- Permissions: Define granular permissions for this role
How Per-Project Mapping Works
- User logs in with SSO credentials
- BRMS extracts groups from the user's token (using
SSO_OAUTH2_CUSTOM_CLAIM_NAME) - BRMS matches token groups against the
idpGroupsfield in defined roles - User is automatically assigned to matching roles with their configured permissions
- Permissions are applied on a per-project basis
4. Summary
| Feature | Global Mapping (Env Vars) | Per-Project Mapping (BRMS UI) |
|---|---|---|
| Configuration | Environment variables | BRMS Settings UI |
| Granularity | System-wide (admin/member) | Per-project with custom permissions |
| Use Case | Global user type mapping | Complex, multi-project permissions |
| Required Env Var | SSO_OAUTH2_GROUPS_MAPPING | SSO_OAUTH2_ROLES_MAPPING_ENABLED=true |
Best Practice: Use both methods together—environment variable mapping for global admins, and per-project mapping for fine-grained control. Global admins have access to every project.