From c0c81a05743d684011dd41d6343fbef5db5ec77b Mon Sep 17 00:00:00 2001
From: Jason Sherman <tools@usingtechnolo.gy>
Date: Thu, 25 Jan 2024 08:26:02 -0800
Subject: [PATCH] Identity Provider from hardcode to config

Signed-off-by: Jason Sherman <tools@usingtechnolo.gy>
---
 .devcontainer/README.md                       |  33 +++++
 .devcontainer/devcontainer.json               |  25 ++++
 .devcontainer/post-install.sh                 |   2 +
 .vscode/launch.json                           |   4 +-
 .vscode/tasks.json                            |   6 +-
 .../src/components/base/BaseSecure.vue        |  14 ++-
 .../src/components/base/BaseStepper.vue       |   9 +-
 .../src/components/bcgov/BCGovNavBar.vue      |   5 +-
 .../src/components/designer/FormsTable.vue    |   5 +-
 .../designer/settings/FormAccessSettings.vue  |  34 ++---
 .../settings/FormFunctionalitySettings.vue    |  10 +-
 .../components/forms/manage/AddTeamMember.vue |  68 +++++-----
 .../forms/manage/TeamManagement.vue           |  21 +---
 .../submission/ManageSubmissionUsers.vue      |  49 ++++----
 app/frontend/src/main.js                      |  26 ++++
 app/frontend/src/router.js                    |  28 +++--
 app/frontend/src/services/rbacService.js      |   8 ++
 app/frontend/src/store/auth.js                |   4 +-
 app/frontend/src/store/identityProviders.js   | 114 +++++++++++++++++
 app/frontend/src/utils/constants.js           |  22 ++--
 app/frontend/src/utils/permissionUtils.js     |  11 +-
 app/frontend/src/views/Admin.vue              |   6 +-
 app/frontend/src/views/Login.vue              |  38 ++----
 app/frontend/src/views/file/Download.vue      |   6 +-
 app/frontend/src/views/form/Create.vue        |   3 +-
 app/frontend/src/views/form/Emails.vue        |   6 +-
 app/frontend/src/views/form/Export.vue        |   6 +-
 app/frontend/src/views/form/Manage.vue        |   6 +-
 app/frontend/src/views/form/Preview.vue       |   6 +-
 app/frontend/src/views/form/Submissions.vue   |   6 +-
 app/frontend/src/views/form/Teams.vue         |   6 +-
 app/frontend/src/views/form/View.vue          |   6 +-
 app/frontend/src/views/user/Submissions.vue   |   6 +-
 ...119172630_identity_provider_permissions.js | 118 ++++++++++++++++++
 app/src/forms/common/constants.js             |  17 +++
 .../common/models/tables/identityProvider.js  |   7 +-
 36 files changed, 534 insertions(+), 207 deletions(-)
 create mode 100644 app/frontend/src/store/identityProviders.js
 create mode 100644 app/src/db/migrations/20240119172630_identity_provider_permissions.js

diff --git a/.devcontainer/README.md b/.devcontainer/README.md
index fc50bfc97..1bc39036b 100644
--- a/.devcontainer/README.md
+++ b/.devcontainer/README.md
@@ -15,6 +15,8 @@ The `.devcontainer` folder contains the `devcontainer.json` file which defines t
 
 In order to run CHEFS you require Keycloak (configured), Postgresql (seeded) and the CHEFS backend/API and frontend/UX. Previously, this was a series of downloads and configuration updates and numerous commands to run. See `.devcontainer/chefs_local` files.
 
+**NODE_CONFIG_DIR** to simplify loading a default configuration to the CHEFS infrastructure (Keycloak, Postgresql, etc), we set an environment variable [`NODE_CONFIG_DIR`](https://github.com/node-config/node-config/wiki/Environment-Variables#node_config_dir). This supercedes the files found under `app/config`. Running node apps and commands (ex. knex, launch configurations) will use this environment variable and load configuration from `.devcontainer/chefs_local`.
+
 Also included are convenient launch tasks to run and debug CHEFS.
 
 ## Open CHEFS in the devcontainer
@@ -65,6 +67,37 @@ When the devcontainer is built, it copies `.devcontainer/chefs_local/local.json.
 ## Formio Components
 If you are developing the formio components, you should build and redeploy them before running your local debug instances of CHEFS. Use tasks `Components build` and `Components Deploy`.
 
+## KNEX - Database tools
+[knex](https://knexjs.org) is installed globally and should be run from the `/app` directory where the knex configuration is located. Use knex to stub out migrations or to rollback migrations as you are developing.
+
+### create a migration file
+This will create a stub file with a timestamp. You will populate the up and down methods to add/update/delete database objects.
+
+```
+cd app
+knex migrate:make my_new_migration_script
+> Created Migration: /workspaces/common-hosted-form-service/app/src/db/migrations/20240119172630_my_new_migration_script.js
+```
+
+### rollback previous migration
+When developing your migrations, you may find it useful to run the migration and roll it back if it isn't exactly what you expect to happen. 
+
+#### run the migration(s)
+```
+cd app
+knex migrate:latest
+> Batch 2 run: 1 migrations
+```
+
+#### rollback the migration(s)
+```
+cd app
+knex migrate:rollback
+> Batch 2 rolled back: 1 migrations
+```
+
+Please review the [knex](https://knexjs.org) for more detail and how to leverage the tool.
+
 ## Troubleshooting
 All development machines are unique and here we will document problems that have been encountered and how to fix them.
 
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 84375ad6d..7d7b8355f 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -10,10 +10,35 @@
         }
     },
 
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "cweijan.vscode-postgresql-client2",
+                "Vue.volar",
+                "esbenp.prettier-vscode"
+            ],
+            "settings": {
+                "database-client.telemetry.usesOnlineServices": false,
+                "editor.defaultFormatter": null,
+                "editor.formatOnSave": false,
+                "[javascript]": {
+                    "editor.defaultFormatter": "esbenp.prettier-vscode",
+                    "editor.formatOnSave": true
+                },
+                "prettier.configPath": "${containerWorkspaceFolder}/app/frontend/.prettierrc", 
+                "prettier.documentSelectors": ["${containerWorkspaceFolder}/app/frontend/**/*.{js,vue}"]
+            }
+        }
+    },
+
     "features": {
 		"ghcr.io/devcontainers/features/docker-in-docker:2": {}
 	},
 
+    "containerEnv": {
+        "NODE_CONFIG_DIR": "${containerWorkspaceFolder}/.devcontainer/chefs_local"
+    },
+    
 	// Use this environment variable if you need to bind mount your local source code into a new container.
 	"remoteEnv": {
 		"LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}"
diff --git a/.devcontainer/post-install.sh b/.devcontainer/post-install.sh
index c6d2ea823..891641159 100644
--- a/.devcontainer/post-install.sh
+++ b/.devcontainer/post-install.sh
@@ -5,6 +5,8 @@ set -ex
 WORKSPACE_DIR=$(pwd)
 CHEFS_LOCAL_DIR=${WORKSPACE_DIR}/.devcontainer/chefs_local
 
+npm install knex -g
+
 # install app libraries, prepare for app development and debugging...
 cd app
 npm install
diff --git a/.vscode/launch.json b/.vscode/launch.json
index 95afba61f..9f576b64a 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -14,9 +14,7 @@
       "runtimeArgs": ["run", "serve"],
       "runtimeExecutable": "npm",
       "type": "node",
-      "env": {
-        "NODE_CONFIG_DIR": "${workspaceFolder}/.devcontainer/chefs_local",
-      }
+      "env": {}
     },
     {
       "cwd": "${workspaceFolder}/app/frontend",
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index 85aa0490c..de14b394e 100644
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -62,14 +62,16 @@
     {
       "label": "chefs_local up",
       "type": "shell",
-      "command": "docker-compose -f ${workspaceFolder}/.devcontainer/chefs_local/docker-compose.yml up -d",
+      "command": "docker-compose",
+      "args": ["-f", "${workspaceFolder}/.devcontainer/chefs_local/docker-compose.yml", "up", "-d"],
       "isBackground": true,
       "problemMatcher": [],
     },
     {
       "label": "chefs_local down",
       "type": "shell",
-      "command": "docker-compose -f ${workspaceFolder}/.devcontainer/chefs_local/docker-compose.yml down",
+      "command": "docker-compose",
+      "args": ["-f", "${workspaceFolder}/.devcontainer/chefs_local/docker-compose.yml", "down"],
       "isBackground": true,
       "problemMatcher": [],
     },
diff --git a/app/frontend/src/components/base/BaseSecure.vue b/app/frontend/src/components/base/BaseSecure.vue
index 0a27df9e3..30da86712 100755
--- a/app/frontend/src/components/base/BaseSecure.vue
+++ b/app/frontend/src/components/base/BaseSecure.vue
@@ -2,6 +2,7 @@
 import { mapActions, mapState } from 'pinia';
 import { useAuthStore } from '~/store/auth';
 import { useFormStore } from '~/store/form';
+import { useIdpStore } from '~/store/identityProviders';
 
 export default {
   props: {
@@ -13,6 +14,10 @@ export default {
       type: Array,
       default: undefined,
     },
+    permission: {
+      type: String,
+      default: undefined,
+    },
   },
   computed: {
     ...mapState(useAuthStore, [
@@ -23,6 +28,7 @@ export default {
       'ready',
     ]),
     ...mapState(useFormStore, ['lang']),
+    ...mapState(useIdpStore, ['hasPermission']),
     mailToLink() {
       return `mailto:${
         import.meta.env.VITE_CONTACT
@@ -34,7 +40,9 @@ export default {
       return import.meta.env.VITE_CONTACT;
     },
   },
-  methods: mapActions(useAuthStore, ['login']),
+  methods: {
+    ...mapActions(useAuthStore, ['login']),
+  },
 };
 </script>
 
@@ -50,7 +58,7 @@ export default {
         </p>
       </div>
       <div
-        v-else-if="idp && idp.length > 0 && !idp.includes(identityProvider)"
+        v-else-if="permission && !hasPermission(identityProvider, permission)"
         class="text-center"
       >
         <h1 class="my-8" :lang="lang">
@@ -59,7 +67,7 @@ export default {
         <p :lang="lang">
           {{
             $t('trans.baseSecure.403ErrorMsg', {
-              idp: idp,
+              idp: permission,
             })
           }}
         </p>
diff --git a/app/frontend/src/components/base/BaseStepper.vue b/app/frontend/src/components/base/BaseStepper.vue
index df720f53c..c50f81251 100644
--- a/app/frontend/src/components/base/BaseStepper.vue
+++ b/app/frontend/src/components/base/BaseStepper.vue
@@ -2,7 +2,7 @@
 import { mapState } from 'pinia';
 import BaseSecure from '~/components/base/BaseSecure.vue';
 import { useFormStore } from '~/store/form';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   name: 'BaseStepper',
@@ -17,7 +17,7 @@ export default {
   },
   computed: {
     ...mapState(useFormStore, ['lang', 'isRTL']),
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
     creatorStep() {
       return this.step;
     },
@@ -26,7 +26,10 @@ export default {
 </script>
 
 <template>
-  <BaseSecure :idp="[IDP.IDIR]" :class="{ 'dir-rtl': isRTL }">
+  <BaseSecure
+    :permission="APP_PERMS.VIEWS_FORM_STEPPER"
+    :class="{ 'dir-rtl': isRTL }"
+  >
     <v-stepper
       v-model="creatorStep"
       alt-labels
diff --git a/app/frontend/src/components/bcgov/BCGovNavBar.vue b/app/frontend/src/components/bcgov/BCGovNavBar.vue
index 9a988fc83..a3a6a30c7 100755
--- a/app/frontend/src/components/bcgov/BCGovNavBar.vue
+++ b/app/frontend/src/components/bcgov/BCGovNavBar.vue
@@ -2,7 +2,7 @@
 import { mapState } from 'pinia';
 import { useAuthStore } from '~/store/auth';
 import { useFormStore } from '~/store/form';
-import { IdentityProviders } from '~/utils/constants';
+import { useIdpStore } from '~/store/identityProviders';
 
 export default {
   data() {
@@ -13,12 +13,13 @@ export default {
   computed: {
     ...mapState(useAuthStore, ['authenticated', 'isAdmin', 'identityProvider']),
     ...mapState(useFormStore, ['lang']),
+    ...mapState(useIdpStore, ['isPrimary']),
     hideNavBar() {
       // hide nav bar if user is on form submitter page
       return this.$route && this.$route.meta && this.$route.meta.formSubmitMode;
     },
     hasPrivileges() {
-      return this.identityProvider === IdentityProviders.IDIR;
+      return this.isPrimary(this.identityProvider);
     },
   },
 };
diff --git a/app/frontend/src/components/designer/FormsTable.vue b/app/frontend/src/components/designer/FormsTable.vue
index 98fb941ea..c55cf7af8 100644
--- a/app/frontend/src/components/designer/FormsTable.vue
+++ b/app/frontend/src/components/designer/FormsTable.vue
@@ -4,8 +4,8 @@ import { mapActions, mapState } from 'pinia';
 import { i18n } from '~/internationalization';
 import { useAuthStore } from '~/store/auth';
 import { useFormStore } from '~/store/form';
+import { useIdpStore } from '~/store/identityProviders';
 import BaseDialog from '~/components/base/BaseDialog.vue';
-import { IdentityProviders } from '~/utils/constants';
 import { checkFormManage, checkSubmissionView } from '~/utils/permissionUtils';
 
 export default {
@@ -25,6 +25,7 @@ export default {
   computed: {
     ...mapState(useFormStore, ['formList', 'isRTL', 'lang']),
     ...mapState(useAuthStore, ['user']),
+    ...mapState(useIdpStore, ['isPrimary']),
     headers() {
       return [
         {
@@ -44,7 +45,7 @@ export default {
       ];
     },
     canCreateForm() {
-      return this.user.idp === IdentityProviders.IDIR;
+      return this.isPrimary(this.user.idp);
     },
     filteredFormList() {
       return this.formList.filter(
diff --git a/app/frontend/src/components/designer/settings/FormAccessSettings.vue b/app/frontend/src/components/designer/settings/FormAccessSettings.vue
index d20c8204d..f89c163aa 100644
--- a/app/frontend/src/components/designer/settings/FormAccessSettings.vue
+++ b/app/frontend/src/components/designer/settings/FormAccessSettings.vue
@@ -4,8 +4,9 @@ import { nextTick } from 'vue';
 
 import BasePanel from '~/components/base/BasePanel.vue';
 import BaseInfoCard from '~/components/base/BaseInfoCard.vue';
-import { IdentityMode, IdentityProviders } from '~/utils/constants';
+import { IdentityMode } from '~/utils/constants';
 import { useFormStore } from '~/store/form';
+import { useIdpStore } from '~/store/identityProviders';
 
 export default {
   components: {
@@ -28,13 +29,11 @@ export default {
   },
   computed: {
     ...mapState(useFormStore, ['isRTL', 'lang']),
+    ...mapState(useIdpStore, ['loginButtons', 'hasFormAccessSettings']),
     ...mapWritableState(useFormStore, ['form']),
     ID_MODE() {
       return IdentityMode;
     },
-    ID_PROVIDERS() {
-      return IdentityProviders;
-    },
   },
   methods: {
     userTypeChanged() {
@@ -128,31 +127,20 @@ export default {
             class="my-0"
             @update:model-value="updateLoginType"
           >
-            <v-radio class="mx-2" :value="ID_PROVIDERS.IDIR">
-              <template #label>
-                <span :class="{ 'mr-2': isRTL }"> IDIR </span>
-              </template>
-            </v-radio>
-            <v-radio class="mx-2" :value="ID_PROVIDERS.BCEIDBASIC">
-              <template #label>
-                <span :class="{ 'mr-2': isRTL }"> Basic BCeID </span>
-              </template>
-            </v-radio>
-            <v-radio class="mx-2" :value="ID_PROVIDERS.BCEIDBUSINESS">
+            <v-radio
+              v-for="button in loginButtons"
+              :key="button.type"
+              :value="button.type"
+              class="mx-2"
+            >
               <template #label>
-                <span :class="{ 'mr-2': isRTL }"> Business BCeID </span>
+                <span :class="{ 'mr-2': isRTL }"> {{ button.label }} </span>
               </template>
             </v-radio>
             <!-- Mandatory BCeID process notification -->
             <v-expand-transition>
               <BaseInfoCard
-                v-if="
-                  idpType &&
-                  [
-                    ID_PROVIDERS.BCEIDBASIC,
-                    ID_PROVIDERS.BCEIDBUSINESS,
-                  ].includes(idpType)
-                "
+                v-if="hasFormAccessSettings(idpType, 'idim')"
                 class="mr-4"
                 :class="{ 'dir-rtl': isRTL }"
               >
diff --git a/app/frontend/src/components/designer/settings/FormFunctionalitySettings.vue b/app/frontend/src/components/designer/settings/FormFunctionalitySettings.vue
index d9b6a98d6..83b7e7575 100644
--- a/app/frontend/src/components/designer/settings/FormFunctionalitySettings.vue
+++ b/app/frontend/src/components/designer/settings/FormFunctionalitySettings.vue
@@ -3,7 +3,8 @@ import { mapState, mapWritableState } from 'pinia';
 import BasePanel from '~/components/base/BasePanel.vue';
 import { useAuthStore } from '~/store/auth';
 import { useFormStore } from '~/store/form';
-import { IdentityMode, IdentityProviders } from '~/utils/constants';
+import { useIdpStore } from '~/store/identityProviders';
+import { IdentityMode } from '~/utils/constants';
 
 export default {
   components: {
@@ -24,12 +25,13 @@ export default {
   computed: {
     ...mapState(useAuthStore, ['identityProvider']),
     ...mapState(useFormStore, ['isFormPublished', 'isRTL', 'lang']),
+    ...mapState(useIdpStore, ['isPrimary']),
     ...mapWritableState(useFormStore, ['form']),
     ID_MODE() {
       return IdentityMode;
     },
-    idirUser() {
-      return this.identityProvider === IdentityProviders.IDIR;
+    primaryIdpUser() {
+      return this.isPrimary(this.identityProvider);
     },
   },
   methods: {
@@ -225,7 +227,7 @@ export default {
       v-model="form.subscribe.enabled"
       hide-details="auto"
       class="my-0"
-      :disabled="idirUser === false || !isFormPublished"
+      :disabled="primaryIdpUser === false || !isFormPublished"
     >
       <template #label>
         <div :class="{ 'mr-2': isRTL }">
diff --git a/app/frontend/src/components/forms/manage/AddTeamMember.vue b/app/frontend/src/components/forms/manage/AddTeamMember.vue
index 0315a74e1..ffdca0759 100644
--- a/app/frontend/src/components/forms/manage/AddTeamMember.vue
+++ b/app/frontend/src/components/forms/manage/AddTeamMember.vue
@@ -1,12 +1,13 @@
 <script>
 import _ from 'lodash';
-import { mapState } from 'pinia';
+import { mapState, mapActions } from 'pinia';
 import { i18n } from '~/internationalization';
 
 import userService from '~/services/userService';
-import { FormRoleCodes, IdentityProviders, Regex } from '~/utils/constants';
 import { useAuthStore } from '~/store/auth';
 import { useFormStore } from '~/store/form';
+import { useIdpStore } from '~/store/identityProviders';
+import { Regex } from '~/utils/constants';
 
 export default {
   props: {
@@ -22,7 +23,7 @@ export default {
       isLoading: false,
       model: null,
       search: null,
-      selectedIdp: IdentityProviders.IDIR,
+      selectedIdp: null,
       selectedRoles: [],
       showError: false,
       entries: [],
@@ -32,25 +33,13 @@ export default {
   computed: {
     ...mapState(useAuthStore, ['identityProvider']),
     ...mapState(useFormStore, ['form', 'isRTL', 'lang']),
-    ID_PROVIDERS() {
-      return IdentityProviders;
-    },
+    ...mapState(useIdpStore, ['loginButtons', 'primaryIdp']),
     FORM_ROLES() {
-      if (this.selectedIdp === IdentityProviders.BCEIDBASIC)
-        return Object.values(FormRoleCodes).filter(
-          (frc) => frc === FormRoleCodes.FORM_SUBMITTER
-        );
-      else if (this.selectedIdp === IdentityProviders.BCEIDBUSINESS)
-        return Object.values(FormRoleCodes)
-          .filter(
-            (frc) =>
-              frc != FormRoleCodes.OWNER && frc != FormRoleCodes.FORM_DESIGNER
-          )
-          .sort();
-      return Object.values(FormRoleCodes).sort();
+      const idpRoles = this.listRoles(this.selectedIdp);
+      return Object.values(idpRoles).sort();
     },
     autocompleteLabel() {
-      return this.selectedIdp == IdentityProviders.IDIR
+      return this.isPrimary(this.selectedIdp)
         ? i18n.t('trans.addTeamMember.enterUsername')
         : i18n.t('trans.addTeamMember.enterExactUsername');
     },
@@ -82,7 +71,19 @@ export default {
       this.$emit('adding-users', this.addingUsers);
     },
   },
+  created() {
+    this.initializeSelectedIdp();
+  },
   methods: {
+    ...mapActions(useIdpStore, [
+      'isPrimary',
+      'listRoles',
+      'teamMembershipSearch',
+    ]),
+    // workaround so we can use computed value (primaryIdp) in created()
+    initializeSelectedIdp() {
+      this.selectedIdp = this.primaryIdp?.code;
+    },
     // show users in dropdown that have a text match on multiple properties
     filterObject(_itemTitle, queryText, item) {
       return Object.values(item)
@@ -119,17 +120,13 @@ export default {
       try {
         let params = {};
         params.idpCode = this.selectedIdp;
-        if (
-          this.selectedIdp == IdentityProviders.BCEIDBASIC ||
-          this.selectedIdp == IdentityProviders.BCEIDBUSINESS
-        ) {
-          if (input.length < 6)
-            throw new Error(
-              'Search input for BCeID username/email must be greater than 6 characters.'
-            );
+        let teamMembershipConfig = this.teamMembershipSearch(this.selectedIdp);
+        if (teamMembershipConfig) {
+          if (input.length < teamMembershipConfig.text.minLength)
+            throw new Error(i18n.t(teamMembershipConfig.text.message));
           if (input.includes('@')) {
             if (!new RegExp(Regex.EMAIL).test(input))
-              throw new Error('Email searches for BCeID must be exact.');
+              throw new Error(i18n.t(teamMembershipConfig.email.message));
             else params.email = input;
           } else {
             params.username = input;
@@ -141,7 +138,12 @@ export default {
         this.entries = response.data;
       } catch (error) {
         this.entries = [];
-        console.error(`Error getting users: ${error}`); // eslint-disable-line no-console
+        /* eslint-disable no-console */
+        console.error(
+          i18n.t('trans.manageSubmissionUsers.getUsersErrMsg', {
+            error: error,
+          })
+        ); // eslint-disable-line no-console
       } finally {
         this.isLoading = false;
       }
@@ -170,11 +172,11 @@ export default {
                 fluid
                 hide-details
               >
-                <v-radio class="my-0" label="IDIR" :value="ID_PROVIDERS.IDIR" />
-                <v-radio label="Basic BCeID" :value="ID_PROVIDERS.BCEIDBASIC" />
                 <v-radio
-                  label="Business BCeID"
-                  :value="ID_PROVIDERS.BCEIDBUSINESS"
+                  v-for="button in loginButtons"
+                  :key="button.type"
+                  :value="button.type"
+                  :label="button.display"
                 />
               </v-radio-group>
             </v-col>
diff --git a/app/frontend/src/components/forms/manage/TeamManagement.vue b/app/frontend/src/components/forms/manage/TeamManagement.vue
index 53f1134fa..777bfa49b 100644
--- a/app/frontend/src/components/forms/manage/TeamManagement.vue
+++ b/app/frontend/src/components/forms/manage/TeamManagement.vue
@@ -8,12 +8,12 @@ import { i18n } from '~/internationalization';
 import { rbacService, roleService } from '~/services';
 import { useAuthStore } from '~/store/auth';
 import { useFormStore } from '~/store/form';
+import { useIdpStore } from '~/store/identityProviders';
 import { useNotificationStore } from '~/store/notification';
 import {
   FormPermissions,
   FormRoleCodes,
   IdentityMode,
-  IdentityProviders,
 } from '~/utils/constants';
 
 export default {
@@ -52,6 +52,7 @@ export default {
   computed: {
     ...mapState(useAuthStore, ['user']),
     ...mapState(useFormStore, ['form', 'permissions', 'isRTL', 'lang']),
+    ...mapState(useIdpStore, ['listRoles']),
     canManageTeam() {
       return this.permissions.includes(FormPermissions.TEAM_UPDATE);
     },
@@ -199,21 +200,9 @@ export default {
         userType !== IdentityMode.TEAM
       )
         return true;
-      if (
-        user.identityProvider === IdentityProviders.BCEIDBUSINESS &&
-        (header === FormRoleCodes.OWNER ||
-          header === FormRoleCodes.FORM_DESIGNER)
-      )
-        return true;
-      if (
-        user.identityProvider === IdentityProviders.BCEIDBASIC &&
-        (header === FormRoleCodes.OWNER ||
-          header === FormRoleCodes.FORM_DESIGNER ||
-          header === FormRoleCodes.TEAM_MANAGER ||
-          header === FormRoleCodes.SUBMISSION_REVIEWER)
-      )
-        return true;
-      return false;
+      // if the header isn't in the IDPs roles, then disable
+      const idpRoles = this.listRoles(user.identityProvider);
+      return idpRoles && !idpRoles.includes(header);
     },
 
     async toggleRole(user) {
diff --git a/app/frontend/src/components/forms/submission/ManageSubmissionUsers.vue b/app/frontend/src/components/forms/submission/ManageSubmissionUsers.vue
index 3a371a3aa..8f3b699d3 100644
--- a/app/frontend/src/components/forms/submission/ManageSubmissionUsers.vue
+++ b/app/frontend/src/components/forms/submission/ManageSubmissionUsers.vue
@@ -1,18 +1,13 @@
 <script>
-import { mapState } from 'pinia';
+import { mapState, mapActions } from 'pinia';
 import { i18n } from '~/internationalization';
 
 import BaseDialog from '~/components/base/BaseDialog.vue';
 import { rbacService, userService } from '~/services';
 import { useFormStore } from '~/store/form';
 import { useNotificationStore } from '~/store/notification';
-import {
-  FormPermissions,
-  IdentityProviders,
-  NotificationTypes,
-  Regex,
-} from '~/utils/constants';
-import { mapActions } from 'pinia';
+import { useIdpStore } from '~/store/identityProviders';
+import { FormPermissions, NotificationTypes, Regex } from '~/utils/constants';
 
 export default {
   components: {
@@ -38,18 +33,16 @@ export default {
 
       findUsers: null,
       isLoadingDropdown: false,
-      selectedIdp: IdentityProviders.IDIR,
+      selectedIdp: null,
       userSearchResults: [],
       userSearchSelection: null,
     };
   },
   computed: {
     ...mapState(useFormStore, ['form', 'isRTL', 'lang']),
-    ID_PROVIDERS() {
-      return IdentityProviders;
-    },
+    ...mapState(useIdpStore, ['loginButtons', 'primaryIdp']),
     autocompleteLabel() {
-      return this.selectedIdp == IdentityProviders.IDIR
+      return this.isPrimary(this.selectedIdp)
         ? i18n.t('trans.manageSubmissionUsers.requiredFiled')
         : i18n.t('trans.manageSubmissionUsers.exactEmailOrUsername');
     },
@@ -68,19 +61,13 @@ export default {
         // The form's IDP (only support 1 at a time right now), blank is 'team' and should be IDIR
         let params = {};
         params.idpCode = this.selectedIdp;
-        if (
-          this.selectedIdp == IdentityProviders.BCEIDBASIC ||
-          this.selectedIdp == IdentityProviders.BCEIDBUSINESS
-        ) {
-          if (input.length < 6)
-            throw new Error(
-              i18n.t('trans.manageSubmissionUsers.searchInputLength')
-            );
+        let teamMembershipConfig = this.teamMembershipSearch(this.selectedIdp);
+        if (teamMembershipConfig) {
+          if (input.length < teamMembershipConfig.text.minLength)
+            throw new Error(i18n.t(teamMembershipConfig.text.message));
           if (input.includes('@')) {
             if (!new RegExp(Regex.EMAIL).test(input))
-              throw new Error(
-                i18n.t('trans.manageSubmissionUsers.exactBCEIDSearch')
-              );
+              throw new Error(i18n.t(teamMembershipConfig.email.message));
             else params.email = input;
           } else {
             params.username = input;
@@ -104,10 +91,16 @@ export default {
     },
   },
   created() {
+    this.initializeSelectedIdp();
     this.getSubmissionUsers();
   },
   methods: {
     ...mapActions(useNotificationStore, ['addNotification']),
+    ...mapActions(useIdpStore, ['isPrimary', 'teamMembershipSearch']),
+    // workaround so we can use computed value (primaryIdp) in created()
+    initializeSelectedIdp() {
+      this.selectedIdp = this.primaryIdp?.code;
+    },
     // show users in dropdown that have a text match on multiple properties
     addUser() {
       if (this.userSearchSelection) {
@@ -247,11 +240,11 @@ export default {
         </v-card-title>
         <v-card-subtitle>
           <v-radio-group v-if="isDraft" v-model="selectedIdp" inline>
-            <v-radio label="IDIR" :value="ID_PROVIDERS.IDIR" />
-            <v-radio label="Basic BCeID" :value="ID_PROVIDERS.BCEIDBASIC" />
             <v-radio
-              label="Business BCeID"
-              :value="ID_PROVIDERS.BCEIDBUSINESS"
+              v-for="button in loginButtons"
+              :key="button.type"
+              :value="button.type"
+              :label="button.display"
             />
           </v-radio-group>
         </v-card-subtitle>
diff --git a/app/frontend/src/main.js b/app/frontend/src/main.js
index fd75a2651..bd0d67ca1 100755
--- a/app/frontend/src/main.js
+++ b/app/frontend/src/main.js
@@ -17,6 +17,8 @@ import getRouter from '~/router';
 import { useAuthStore } from '~/store/auth';
 import { useAppStore } from '~/store/app';
 import { assertOptions, getConfig, sanitizeConfig } from '~/utils/keycloak';
+import { rbacService } from './services';
+import { useIdpStore } from '~/store/identityProviders';
 
 let keycloak = null;
 const pinia = createPinia();
@@ -86,6 +88,25 @@ function initializeApp(kcSuccess = false, basePath = '/') {
   NProgress.done();
 }
 
+/**
+ * @function loadIdentityProviders
+ * Load Identity Provider configuration from API Server/database - NOT from Keycloak.
+ */
+async function loadIdentityProviders() {
+  const idpStore = useIdpStore();
+  try {
+    // Get data if it isn't already in session storage
+    if (!idpStore.providers) {
+      const { data } = await rbacService.getIdentityProviders({ active: true });
+      idpStore.providers = Object.freeze(data);
+    }
+    return true;
+  } catch (err) {
+    idpStore.providers = undefined;
+    return false;
+  }
+}
+
 /**
  * @function loadConfig
  * Acquires the configuration state from the backend server
@@ -109,6 +130,11 @@ async function loadConfig() {
     const appStore = useAppStore();
     appStore.config = Object.freeze(config);
 
+    const idpsLoaded = await loadIdentityProviders();
+    if (!idpsLoaded) {
+      throw new Error('Could not load Identity Provider configuration.');
+    }
+
     if (
       !config ||
       !config.keycloak ||
diff --git a/app/frontend/src/router.js b/app/frontend/src/router.js
index ff28501c6..cf11046c7 100644
--- a/app/frontend/src/router.js
+++ b/app/frontend/src/router.js
@@ -3,7 +3,7 @@ import { createRouter, createWebHistory } from 'vue-router';
 
 import { useAuthStore } from '~/store/auth';
 import { useFormStore } from '~/store/form';
-import { IdentityProviders } from '~/utils/constants';
+import { useIdpStore } from '~/store/identityProviders';
 import { preFlightAuth } from '~/utils/permissionUtils';
 
 let isFirstTransition = true;
@@ -81,7 +81,7 @@ export default function getRouter(basePath = '/') {
             component: () => import('~/views/form/Create.vue'),
             meta: {
               breadcrumbTitle: 'Form Designer',
-              requiresAuth: IdentityProviders.IDIR,
+              requiresAuth: 'primary',
               hasLogin: true,
             },
           },
@@ -91,7 +91,7 @@ export default function getRouter(basePath = '/') {
             component: () => import('~/views/form/PublishForm.vue'),
             meta: {
               breadcrumbTitle: 'Publish Form',
-              requiresAuth: IdentityProviders.IDIR,
+              requiresAuth: 'primary',
               hasLogin: true,
             },
             props: (route) => {
@@ -110,7 +110,7 @@ export default function getRouter(basePath = '/') {
             component: () => import('~/views/form/Design.vue'),
             meta: {
               breadcrumbTitle: 'Form Designer',
-              requiresAuth: IdentityProviders.IDIR,
+              requiresAuth: 'primary',
               hasLogin: true,
             },
             props: (route) => {
@@ -143,7 +143,7 @@ export default function getRouter(basePath = '/') {
             component: () => import('~/views/form/Manage.vue'),
             meta: {
               breadcrumbTitle: 'Manage Form',
-              requiresAuth: IdentityProviders.IDIR,
+              requiresAuth: 'primary',
               hasLogin: true,
             },
             props: createProps,
@@ -155,7 +155,7 @@ export default function getRouter(basePath = '/') {
             meta: {
               breadcrumbTitle: 'Preview Form',
               formSubmitMode: true,
-              requiresAuth: IdentityProviders.IDIR,
+              requiresAuth: 'primary',
               hasLogin: true,
             },
             props: createProps,
@@ -166,7 +166,7 @@ export default function getRouter(basePath = '/') {
             component: () => import('~/views/form/Submissions.vue'),
             meta: {
               breadcrumbTitle: 'Submissions',
-              requiresAuth: IdentityProviders.IDIR,
+              requiresAuth: 'primary',
               hasLogin: true,
             },
             props: createProps,
@@ -203,7 +203,7 @@ export default function getRouter(basePath = '/') {
             component: () => import('~/views/form/Emails.vue'),
             meta: {
               breadcrumbTitle: 'Email Management',
-              requiresAuth: IdentityProviders.IDIR,
+              requiresAuth: 'primary',
               hasLogin: true,
             },
             props: createProps,
@@ -214,7 +214,7 @@ export default function getRouter(basePath = '/') {
             component: () => import('~/views/form/Teams.vue'),
             meta: {
               breadcrumbTitle: 'Team Management',
-              requiresAuth: IdentityProviders.IDIR,
+              requiresAuth: 'primary',
               hasLogin: true,
             },
             props: createProps,
@@ -288,7 +288,7 @@ export default function getRouter(basePath = '/') {
             component: () => import('~/views/user/Forms.vue'),
             meta: {
               breadcrumbTitle: 'My Forms',
-              requiresAuth: IdentityProviders.IDIR,
+              requiresAuth: 'primary',
             },
           },
           {
@@ -395,6 +395,7 @@ export default function getRouter(basePath = '/') {
     NProgress.start();
 
     const authStore = useAuthStore();
+    const idpStore = useIdpStore();
 
     if (isFirstTransition) {
       // Always call rbac/current if authenticated and on first page load
@@ -426,8 +427,11 @@ export default function getRouter(basePath = '/') {
 
       // Determine what kind of redirect behavior is needed
       let idpHint = undefined;
-      if (typeof to.meta.requiresAuth === 'string') {
-        idpHint = to.meta.requiresAuth;
+      if (
+        typeof to.meta.requiresAuth === 'string' &&
+        to.meta.requiresAuth === 'primary'
+      ) {
+        idpHint = idpStore.primaryIdp ? idpStore.primaryIdp.code : null;
       }
       authStore.login(idpHint);
     }
diff --git a/app/frontend/src/services/rbacService.js b/app/frontend/src/services/rbacService.js
index 1c886d042..31a7dde8e 100644
--- a/app/frontend/src/services/rbacService.js
+++ b/app/frontend/src/services/rbacService.js
@@ -2,6 +2,14 @@ import { appAxios } from '~/services/interceptors';
 import { ApiRoutes } from '~/utils/constants';
 
 export default {
+  /**
+   * @function getIdentityProviders
+   * Get the Identity Provider details from the rbac endpoint
+   * @returns {Promise} An axios response
+   */
+  getIdentityProviders(params = {}) {
+    return appAxios().get(`${ApiRoutes.RBAC}/idps`, { params });
+  },
   /**
    * @function getCurrentUser
    * Get the current user details from the rbac endpoint
diff --git a/app/frontend/src/store/auth.js b/app/frontend/src/store/auth.js
index ca2d1b25e..374cc7765 100644
--- a/app/frontend/src/store/auth.js
+++ b/app/frontend/src/store/auth.js
@@ -1,5 +1,6 @@
 import { defineStore } from 'pinia';
 import getRouter from '~/router';
+import { useIdpStore } from '~/store/identityProviders';
 
 /**
  * @function hasRoles
@@ -106,9 +107,10 @@ export const useAuthStore = defineStore('auth', {
         } else {
           // Navigate to internal login page if no idpHint specified
           const router = getRouter();
+          const idpStore = useIdpStore();
           router.replace({
             name: 'Login',
-            query: { idpHint: ['idir', 'bceid-business', 'bceid-basic'] },
+            query: { idpHint: idpStore.loginIdpHints },
           });
         }
       }
diff --git a/app/frontend/src/store/identityProviders.js b/app/frontend/src/store/identityProviders.js
new file mode 100644
index 000000000..d6b6b5cd0
--- /dev/null
+++ b/app/frontend/src/store/identityProviders.js
@@ -0,0 +1,114 @@
+import { defineStore } from 'pinia';
+
+export const useIdpStore = defineStore('idps', {
+  state: () => ({
+    providers: null,
+  }),
+  getters: {
+    loginButtons: (state) => {
+      const result = [];
+      if (state.providers) {
+        for (const p of state.providers) {
+          if (p.login) {
+            result.push({
+              label: p.display,
+              type: p.code,
+            });
+          }
+        }
+      }
+      return result;
+    },
+    loginIdpHints: (state) => {
+      const result = [];
+      if (state.providers) {
+        for (const p of state.providers) {
+          if (p.login) {
+            result.push(p.code);
+          }
+        }
+      }
+      return result;
+    },
+    primaryIdp: (state) => {
+      let result = null;
+      if (state.providers) {
+        result = state.providers.find((x) => x.primary);
+      }
+      return result;
+    },
+  },
+  actions: {
+    isPrimary(code) {
+      if (code && this.providers) {
+        return (
+          this.providers.findIndex((x) => x.code === code && x.primary) > -1
+        );
+      }
+      return false;
+    },
+    isValidIdp(code) {
+      if (code && this.providers) {
+        return this.providers.findIndex((x) => x.code === code) > -1;
+      }
+      return false;
+    },
+    hasFormAccessSettings(code, accessSettingsType) {
+      let result = false;
+      if (code && accessSettingsType && this.providers) {
+        const idp = this.providers.find((x) => x.code === code);
+        if (idp) {
+          result = idp.extra?.formAccessSettings === accessSettingsType;
+        }
+      }
+      return result;
+    },
+    teamMembershipSearch(code) {
+      if (code && this.providers) {
+        const idp = this.providers.find(
+          (x) => x.code === code && idp.extra?.addTeamMemberSearch
+        );
+        return idp ? idp.extra?.addTeamMemberSearch : null;
+      }
+      return null;
+    },
+    hasPermission(code, permission) {
+      let result = false;
+      if (code && permission && this.providers) {
+        const idp = this.providers.find((x) => x.code === code);
+        if (idp) {
+          result = idp.permissions.includes(permission);
+        }
+      }
+      return result;
+    },
+    listPermissions(code) {
+      if (code && this.providers) {
+        const idp = this.providers.find((x) => x.code === code);
+        if (idp) {
+          return idp.permissions;
+        }
+      }
+      return undefined;
+    },
+    hasRole(code, role) {
+      let result = false;
+      if (code && role && this.providers) {
+        const idp = this.providers.find((x) => x.code === code);
+        if (idp) {
+          result = idp.roles.includes(role);
+        }
+      }
+      return result;
+    },
+    listRoles(code) {
+      if (code && this.providers) {
+        const idp = this.providers.find((x) => x.code === code);
+        if (idp) {
+          return idp.roles;
+        }
+      }
+      return undefined;
+    },
+  },
+});
diff --git a/app/frontend/src/utils/constants.js b/app/frontend/src/utils/constants.js
index fbc12e476..a55cae016 100755
--- a/app/frontend/src/utils/constants.js
+++ b/app/frontend/src/utils/constants.js
@@ -62,6 +62,21 @@ export const FormManagePermissions = Object.freeze([
   FormPermissions.TEAM_UPDATE,
 ]);
 
+/** Chefs/Application flow permissions via User's Identity Provider */
+export const AppPermissions = Object.freeze({
+  VIEWS_FORM_STEPPER: 'views_form_stepper',
+  VIEWS_ADMIN: 'views_admin',
+  VIEWS_FILE_DOWNLOAD: 'views_file_download',
+  VIEWS_FORM_EMAILS: 'views_form_emails',
+  VIEWS_FORM_EXPORT: 'views_form_export',
+  VIEWS_FORM_MANAGE: 'views_form_manage',
+  VIEWS_FORM_PREVIEW: 'views_form_preview',
+  VIEWS_FORM_SUBMISSIONS: 'views_form_submissions',
+  VIEWS_FORM_TEAMS: 'views_form_teamS',
+  VIEWS_FORM_VIEW: 'views_form_view',
+  VIEWS_USER_SUBMISSIONS: 'views_user_submissions',
+});
+
 /** Identity modes that a form can operate in regards to user identification */
 export const IdentityMode = Object.freeze({
   LOGIN: 'login', // Requires Login
@@ -69,13 +84,6 @@ export const IdentityMode = Object.freeze({
   TEAM: 'team', // Specific People
 });
 
-/** Identitiy Providers a user can log in as and a form can be allowed for */
-export const IdentityProviders = Object.freeze({
-  BCEIDBASIC: 'bceid-basic', // Basic BCeID
-  BCEIDBUSINESS: 'bceid-business', // Business BCeID
-  IDIR: 'idir', // IDIR
-});
-
 /** List of Ministries within BC Public Service */
 export const Ministries = Object.freeze([
   { id: 'AF', text: 'trans.ministries.AF' },
diff --git a/app/frontend/src/utils/permissionUtils.js b/app/frontend/src/utils/permissionUtils.js
index 83035d613..e521377c8 100644
--- a/app/frontend/src/utils/permissionUtils.js
+++ b/app/frontend/src/utils/permissionUtils.js
@@ -1,11 +1,11 @@
 import { formService } from '~/services';
 import { useAuthStore } from '~/store/auth';
 import { useNotificationStore } from '~/store/notification';
+import { useIdpStore } from '~/store/identityProviders';
 import {
   FormPermissions,
   FormManagePermissions,
   IdentityMode,
-  IdentityProviders,
   NotificationTypes,
 } from '~/utils/constants';
 
@@ -22,9 +22,8 @@ import {
 export function checkFormSubmit(userForm) {
   return (
     userForm &&
-    ((userForm.idps && userForm.idps.includes(IdentityProviders.PUBLIC)) ||
-      (userForm.permissions &&
-        userForm.permissions.includes(FormPermissions.SUBMISSION_CREATE)))
+    userForm.permissions &&
+    userForm.permissions.includes(FormPermissions.SUBMISSION_CREATE)
   );
 }
 
@@ -83,12 +82,12 @@ function getErrorMessage(options, error) {
  */
 export async function preFlightAuth(options = {}, next) {
   const notificationStore = useNotificationStore();
+  const idpStore = useIdpStore();
   // Support lambda functions (Consider making them util functions?)
   const getIdpHint = (values) => {
     return Array.isArray(values) && values.length ? values[0] : undefined;
   };
-  const isValidIdp = (value) =>
-    Object.values(IdentityProviders).includes(value);
+  const isValidIdp = (value) => idpStore.isValidIdp(value);
 
   // Determine current form or submission idpHint if available
   let idpHint = undefined;
diff --git a/app/frontend/src/views/Admin.vue b/app/frontend/src/views/Admin.vue
index c73f78f1a..f67f727a7 100644
--- a/app/frontend/src/views/Admin.vue
+++ b/app/frontend/src/views/Admin.vue
@@ -2,7 +2,7 @@
 import { mapState } from 'pinia';
 import BaseSecure from '~/components/base/BaseSecure.vue';
 import { useAuthStore } from '~/store/auth';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   components: {
@@ -10,13 +10,13 @@ export default {
   },
   computed: {
     ...mapState(useAuthStore, ['isAdmin']),
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
   },
 };
 </script>
 
 <template>
-  <BaseSecure :admin="isAdmin" :idp="[IDP.IDIR]">
+  <BaseSecure :admin="isAdmin" :permission="APP_PERMS.VIEWS_ADMIN">
     <v-container>
       <router-view v-slot="{ Component }">
         <transition name="component-fade" mode="out-in">
diff --git a/app/frontend/src/views/Login.vue b/app/frontend/src/views/Login.vue
index 701c15737..4f2598a69 100644
--- a/app/frontend/src/views/Login.vue
+++ b/app/frontend/src/views/Login.vue
@@ -3,49 +3,29 @@ import { mapActions, mapState } from 'pinia';
 
 import { useAuthStore } from '~/store/auth';
 import { useFormStore } from '~/store/form';
-import { IdentityProviders } from '~/utils/constants';
+import { useIdpStore } from '~/store/identityProviders';
 
 export default {
   props: {
     idpHint: {
       type: Array,
-      default: () => [
-        IdentityProviders.IDIR,
-        IdentityProviders.BCEIDBUSINESS,
-        IdentityProviders.BCEIDBASIC,
-      ],
+      default: () => [],
     },
   },
   computed: {
     ...mapState(useAuthStore, ['authenticated', 'createLoginUrl', 'ready']),
     ...mapState(useFormStore, ['lang']),
-    buttons: () => [
-      {
-        label: 'IDIR',
-        type: IdentityProviders.IDIR,
-      },
-      {
-        label: 'Basic BCeID',
-        type: IdentityProviders.BCEIDBASIC,
-      },
-      {
-        label: 'Business BCeID',
-        type: IdentityProviders.BCEIDBUSINESS,
-      },
-    ],
-    IDPS() {
-      return IdentityProviders;
-    },
+    ...mapState(useIdpStore, ['loginButtons', 'loginIdpHints']),
   },
   created() {
     // If component gets idpHint, invoke login flow via vuex
-    if (this.idpHint && this.idpHint.length === 1) this.login(this.idpHint[0]);
+    if (this.idpHint && this.idpHint.length === 1) {
+      const hint = this.idpHint[0];
+      if (this.loginIdpHints.includes(hint)) this.login(hint);
+    }
   },
   methods: {
     ...mapActions(useAuthStore, ['login']),
-    buttonEnabled(type) {
-      return this.idpHint ? this.idpHint.includes(type) : false;
-    },
   },
 };
 </script>
@@ -56,8 +36,8 @@ export default {
       <h1 class="my-6" :lang="lang">
         {{ $t('trans.login.authenticateWith') }}
       </h1>
-      <v-row v-for="button in buttons" :key="button.type" justify="center">
-        <v-col v-if="buttonEnabled(button.type)" sm="3">
+      <v-row v-for="button in loginButtons" :key="button.type" justify="center">
+        <v-col sm="3">
           <v-btn
             block
             color="primary"
diff --git a/app/frontend/src/views/file/Download.vue b/app/frontend/src/views/file/Download.vue
index bf61b9182..b0d8b718d 100644
--- a/app/frontend/src/views/file/Download.vue
+++ b/app/frontend/src/views/file/Download.vue
@@ -4,7 +4,7 @@ import { mapActions, mapState } from 'pinia';
 import BaseSecure from '~/components/base/BaseSecure.vue';
 import { useFormStore } from '~/store/form';
 import { useNotificationStore } from '~/store/notification';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   components: {
@@ -23,7 +23,7 @@ export default {
   },
   computed: {
     ...mapState(useFormStore, ['downloadedFile', 'lang', 'isRTL']),
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
   },
   async mounted() {
     await this.getFile(this.id);
@@ -77,7 +77,7 @@ export default {
 </script>
 
 <template>
-  <BaseSecure :idp="[IDP.IDIR]">
+  <BaseSecure :permission="APP_PERMS.VIEWS_FILE_DOWNLOAD">
     <v-container fluid class="center_vertical_content">
       <h1 :lang="lang">{{ $t('trans.download.chefsDataExport') }}</h1>
       <v-progress-circular
diff --git a/app/frontend/src/views/form/Create.vue b/app/frontend/src/views/form/Create.vue
index 266ea1dfa..9e260934c 100644
--- a/app/frontend/src/views/form/Create.vue
+++ b/app/frontend/src/views/form/Create.vue
@@ -9,7 +9,7 @@ import FormSettings from '~/components/designer/FormSettings.vue';
 import FormProfile from '~/components/designer/FormProfile.vue';
 import { i18n } from '~/internationalization';
 import { useFormStore } from '~/store/form';
-import { IdentityMode, IdentityProviders } from '~/utils/constants';
+import { IdentityMode } from '~/utils/constants';
 
 export default {
   components: {
@@ -35,7 +35,6 @@ export default {
   },
   computed: {
     ...mapState(useFormStore, ['form', 'isRTL', 'lang']),
-    IDP: () => IdentityProviders,
     stepper() {
       return this.step;
     },
diff --git a/app/frontend/src/views/form/Emails.vue b/app/frontend/src/views/form/Emails.vue
index 783b65978..5f8a0eadb 100644
--- a/app/frontend/src/views/form/Emails.vue
+++ b/app/frontend/src/views/form/Emails.vue
@@ -1,7 +1,7 @@
 <script>
 import BaseSecure from '~/components/base/BaseSecure.vue';
 import EmailManagement from '~/components/forms/manage/EmailManagement.vue';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   name: 'FormEmails',
@@ -19,13 +19,13 @@ export default {
   },
 
   computed: {
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
   },
 };
 </script>
 
 <template>
-  <BaseSecure :idp="[IDP.IDIR]">
+  <BaseSecure :permission="APP_PERMS.VIEWS_FORM_EMAILS">
     <EmailManagement :form-id="f" />
   </BaseSecure>
 </template>
diff --git a/app/frontend/src/views/form/Export.vue b/app/frontend/src/views/form/Export.vue
index f9111decf..ea7842c23 100644
--- a/app/frontend/src/views/form/Export.vue
+++ b/app/frontend/src/views/form/Export.vue
@@ -1,7 +1,7 @@
 <script>
 import BaseSecure from '~/components/base/BaseSecure.vue';
 import ExportSubmissions from '~/components/forms/ExportSubmissions.vue';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   components: {
@@ -15,13 +15,13 @@ export default {
     },
   },
   computed: {
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
   },
 };
 </script>
 
 <template>
-  <BaseSecure :idp="[IDP.IDIR, IDP.BCEIDBUSINESS]">
+  <BaseSecure :permission="APP_PERMS.VIEWS_FORM_EXPORT">
     <ExportSubmissions :form-id="f" />
   </BaseSecure>
 </template>
diff --git a/app/frontend/src/views/form/Manage.vue b/app/frontend/src/views/form/Manage.vue
index 3b1562d62..020e8f701 100644
--- a/app/frontend/src/views/form/Manage.vue
+++ b/app/frontend/src/views/form/Manage.vue
@@ -1,7 +1,7 @@
 <script>
 import BaseSecure from '~/components/base/BaseSecure.vue';
 import ManageLayout from '~/components/forms/manage/ManageLayout.vue';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   components: { BaseSecure, ManageLayout },
@@ -27,13 +27,13 @@ export default {
     },
   },
   computed: {
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
   },
 };
 </script>
 
 <template>
-  <BaseSecure :idp="[IDP.IDIR, IDP.BCEIDBUSINESS]">
+  <BaseSecure :permission="APP_PERMS.VIEWS_FORM_MANAGE">
     <ManageLayout :f="f" />
   </BaseSecure>
 </template>
diff --git a/app/frontend/src/views/form/Preview.vue b/app/frontend/src/views/form/Preview.vue
index bdf04abb2..bbe0fb327 100644
--- a/app/frontend/src/views/form/Preview.vue
+++ b/app/frontend/src/views/form/Preview.vue
@@ -4,7 +4,7 @@ import BaseSecure from '~/components/base/BaseSecure.vue';
 import FormViewer from '~/components/designer/FormViewer.vue';
 
 import { useFormStore } from '~/store/form';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   components: {
@@ -27,13 +27,13 @@ export default {
   },
   computed: {
     ...mapState(useFormStore, ['isRTL', 'lang']),
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
   },
 };
 </script>
 
 <template>
-  <BaseSecure :idp="[IDP.IDIR]">
+  <BaseSecure :permission="APP_PERMS.VIEWS_FORM_PREVIEW">
     <h1
       :class="{ 'dir-rtl': isRTL }"
       :lang="lang"
diff --git a/app/frontend/src/views/form/Submissions.vue b/app/frontend/src/views/form/Submissions.vue
index 451147b12..4a3198299 100644
--- a/app/frontend/src/views/form/Submissions.vue
+++ b/app/frontend/src/views/form/Submissions.vue
@@ -1,7 +1,7 @@
 <script>
 import BaseSecure from '~/components/base/BaseSecure.vue';
 import SubmissionsTable from '~/components/forms/SubmissionsTable.vue';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   components: {
@@ -15,13 +15,13 @@ export default {
     },
   },
   computed: {
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
   },
 };
 </script>
 
 <template>
-  <BaseSecure :idp="[IDP.IDIR, IDP.BCEIDBUSINESS]">
+  <BaseSecure :permission="APP_PERMS.VIEWS_FORM_SUBMISSIONS">
     <SubmissionsTable :form-id="f" />
   </BaseSecure>
 </template>
diff --git a/app/frontend/src/views/form/Teams.vue b/app/frontend/src/views/form/Teams.vue
index b35d933f5..9d4bd2bc0 100644
--- a/app/frontend/src/views/form/Teams.vue
+++ b/app/frontend/src/views/form/Teams.vue
@@ -1,7 +1,7 @@
 <script>
 import BaseSecure from '~/components/base/BaseSecure.vue';
 import TeamManagement from '~/components/forms/manage/TeamManagement.vue';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   components: {
@@ -15,13 +15,13 @@ export default {
     },
   },
   computed: {
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
   },
 };
 </script>
 
 <template>
-  <BaseSecure :idp="[IDP.IDIR, IDP.BCEIDBUSINESS]">
+  <BaseSecure :permission="APP_PERMS.VIEWS_FORM_TEAMS">
     <TeamManagement :form-id="f" />
   </BaseSecure>
 </template>
diff --git a/app/frontend/src/views/form/View.vue b/app/frontend/src/views/form/View.vue
index 90b738cb1..bbfdc2416 100644
--- a/app/frontend/src/views/form/View.vue
+++ b/app/frontend/src/views/form/View.vue
@@ -1,7 +1,7 @@
 <script>
 import BaseSecure from '~/components/base/BaseSecure.vue';
 import FormSubmission from '~/components/forms/FormSubmission.vue';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   components: {
@@ -15,13 +15,13 @@ export default {
     },
   },
   computed: {
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
   },
 };
 </script>
 
 <template>
-  <BaseSecure :idp="[IDP.IDIR, IDP.BCEIDBUSINESS]">
+  <BaseSecure :permission="APP_PERMS.VIEWS_FORM_VIEW">
     <FormSubmission :submission-id="s" />
   </BaseSecure>
 </template>
diff --git a/app/frontend/src/views/user/Submissions.vue b/app/frontend/src/views/user/Submissions.vue
index bb0177c10..8205d81de 100644
--- a/app/frontend/src/views/user/Submissions.vue
+++ b/app/frontend/src/views/user/Submissions.vue
@@ -1,7 +1,7 @@
 <script>
 import BaseSecure from '~/components/base/BaseSecure.vue';
 import MySubmissionsTable from '~/components/forms/submission/MySubmissionsTable.vue';
-import { IdentityProviders } from '~/utils/constants';
+import { AppPermissions } from '~/utils/constants';
 
 export default {
   components: {
@@ -15,13 +15,13 @@ export default {
     },
   },
   computed: {
-    IDP: () => IdentityProviders,
+    APP_PERMS: () => AppPermissions,
   },
 };
 </script>
 
 <template>
-  <BaseSecure :idp="[IDP.IDIR, IDP.BCEIDBASIC, IDP.BCEIDBUSINESS]">
+  <BaseSecure :permission="APP_PERMS.VIEWS_USER_SUBMISSIONS">
     <MySubmissionsTable :form-id="f" />
   </BaseSecure>
 </template>
diff --git a/app/src/db/migrations/20240119172630_identity_provider_permissions.js b/app/src/db/migrations/20240119172630_identity_provider_permissions.js
new file mode 100644
index 000000000..f7aef6bd0
--- /dev/null
+++ b/app/src/db/migrations/20240119172630_identity_provider_permissions.js
@@ -0,0 +1,118 @@
+const { APP_PERMISSIONS, Roles } = require('../../forms/common/constants');
+
+const BCEID_EXTRAS = {
+  formAccessSettings: 'idim',
+  addTeamMemberSearch: {
+    text: {
+      minLength: 6,
+      message: 'trans.manageSubmissionUsers.searchInputLength',
+    },
+    email: {
+      exact: true,
+      message: 'trans.manageSubmissionUsers.exactBCEIDSearch',
+    },
+  },
+};
+
+exports.up = function (knex) {
+  return Promise.resolve().then(() =>
+    knex.schema
+      .alterTable('identity_provider', (table) => {
+        table.boolean('primary').notNullable().defaultTo(false);
+        table
+          .boolean('login')
+          .notNullable()
+          .defaultTo(false)
+          .comment('When true, supply buttons to launch login process');
+        table
+          .specificType('permissions', 'text ARRAY')
+          .comment('Map app permissions to the idp');
+        table
+          .specificType('roles', 'text ARRAY')
+          .comment('Map Form role codes to the idp');
+        table
+          .jsonb('extra')
+          .comment(
+            'Allow customization of the IDP though extra (json) config object.'
+          );
+      })
+      .then(() =>
+        knex('identity_provider')
+          .where({ code: 'public' })
+          .update({ permissions: [], extra: {} })
+      )
+      .then(() =>
+        knex('identity_provider')
+          .where({ code: 'idir' })
+          .update({ primary: true, login: true })
+      )
+      .then(() =>
+        knex('identity_provider')
+          .where({ code: 'idir' })
+          .update({
+            permissions: [
+              APP_PERMISSIONS.VIEWS_FORM_STEPPER,
+              APP_PERMISSIONS.VIEWS_ADMIN,
+              APP_PERMISSIONS.VIEWS_FILE_DOWNLOAD,
+              APP_PERMISSIONS.VIEWS_FORM_EMAILS,
+              APP_PERMISSIONS.VIEWS_FORM_EXPORT,
+              APP_PERMISSIONS.VIEWS_FORM_MANAGE,
+              APP_PERMISSIONS.VIEWS_FORM_PREVIEW,
+              APP_PERMISSIONS.VIEWS_FORM_SUBMISSIONS,
+              APP_PERMISSIONS.VIEWS_FORM_TEAMS,
+              APP_PERMISSIONS.VIEWS_FORM_VIEW,
+              APP_PERMISSIONS.VIEWS_USER_SUBMISSIONS,
+            ],
+            roles: [
+              Roles.OWNER,
+              Roles.TEAM_MANAGER,
+              Roles.FORM_DESIGNER,
+              Roles.SUBMISSION_REVIEWER,
+              Roles.FORM_SUBMITTER,
+            ],
+            extra: {},
+          })
+      )
+      .then(() =>
+        knex('identity_provider')
+          .where({ code: 'bceid-business' })
+          .update({
+            login: true,
+            permissions: [
+              APP_PERMISSIONS.VIEWS_FORM_EXPORT,
+              APP_PERMISSIONS.VIEWS_FORM_MANAGE,
+              APP_PERMISSIONS.VIEWS_FORM_SUBMISSIONS,
+              APP_PERMISSIONS.VIEWS_FORM_TEAMS,
+              APP_PERMISSIONS.VIEWS_FORM_VIEW,
+              APP_PERMISSIONS.VIEWS_USER_SUBMISSIONS,
+            ],
+            roles: [
+              Roles.TEAM_MANAGER,
+              Roles.SUBMISSION_REVIEWER,
+              Roles.FORM_SUBMITTER,
+            ],
+            extra: BCEID_EXTRAS,
+          })
+      )
+      .then(() =>
+        knex('identity_provider')
+          .where({ code: 'bceid-basic' })
+          .update({
+            login: true,
+            permissions: [APP_PERMISSIONS.VIEWS_USER_SUBMISSIONS],
+            roles: [Roles.FORM_SUBMITTER],
+            extra: BCEID_EXTRAS,
+          })
+      )
+  );
+};
+
+exports.down = function (knex) {
+  return Promise.resolve().then(() =>
+    knex.schema.alterTable('identity_provider', (table) => {
+      table.dropColumn('primary');
+      table.dropColumn('permissions');
+      table.dropColumn('extra');
+    })
+  );
+};
diff --git a/app/src/forms/common/constants.js b/app/src/forms/common/constants.js
index 278df008a..4224db129 100644
--- a/app/src/forms/common/constants.js
+++ b/app/src/forms/common/constants.js
@@ -90,4 +90,21 @@ module.exports = Object.freeze({
     json: 'json',
     default: 'csv',
   },
+  // app permissions are not assigned on the form
+  // they are for flow within the UX, what views one can navigate
+  // what buttons one can have.
+  // these will be assigned via the user's IDP.
+  APP_PERMISSIONS: {
+    VIEWS_FORM_STEPPER: 'views_form_stepper',
+    VIEWS_ADMIN: 'views_admin',
+    VIEWS_FILE_DOWNLOAD: 'views_file_download',
+    VIEWS_FORM_EMAILS: 'views_form_emails',
+    VIEWS_FORM_EXPORT: 'views_form_export',
+    VIEWS_FORM_MANAGE: 'views_form_manage',
+    VIEWS_FORM_PREVIEW: 'views_form_preview',
+    VIEWS_FORM_SUBMISSIONS: 'views_form_submissions',
+    VIEWS_FORM_TEAMS: 'views_form_teamS',
+    VIEWS_FORM_VIEW: 'views_form_view',
+    VIEWS_USER_SUBMISSIONS: 'views_user_submissions',
+  },
 });
diff --git a/app/src/forms/common/models/tables/identityProvider.js b/app/src/forms/common/models/tables/identityProvider.js
index cebd48143..d340e4c3c 100644
--- a/app/src/forms/common/models/tables/identityProvider.js
+++ b/app/src/forms/common/models/tables/identityProvider.js
@@ -19,7 +19,7 @@ class IdentityProvider extends Timestamps(Model) {
         }
       },
       orderDefault(builder) {
-        builder.orderByRaw('lower("identity_provider"."code")');
+        builder.orderByRaw('"identity_provider"."primary" DESC NULLS LAST, lower("identity_provider"."code")');
       },
     };
   }
@@ -33,6 +33,11 @@ class IdentityProvider extends Timestamps(Model) {
         display: { type: 'string', minLength: 1, maxLength: 255 },
         idp: { type: 'string', minLength: 1, maxLength: 255 },
         active: { type: 'boolean' },
+        primary: { type: 'boolean' },
+        login: { type: 'boolean' },
+        permissions: { type: ['array', 'null'], items: { type: 'string' } },
+        roles: { type: ['array', 'null'], items: { type: 'string' } },
+        extra: { type: 'object' },
         ...stamps,
       },
       additionalProperties: false,