Single sign-on
Tonic supports a variety of integrations for authenticating users.
Tonic supports the following integrations for users to create accounts and log in to Tonic using external Single Sign-On providers:
  • AWS SSO (and other SAML-based authentication)
  • Azure Active Directory
  • Duo Security SSO
  • Google Account SSO
  • Okta
  • PingID (cloud-based, adaptive multi-factor authentication - MFA)
SSO is a licensed feature available to customers on Tonic's Enterprise tier.


SSO within Tonic requires a valid license that includes the SSO functionality, as well as the configuration of several environment variables within the Tonic deployment. These variables differ by provider and are covered on the page for each provider.
Additionally, the environment variable REQUIRE_SSO_AUTH can be set to true to enable SSO-only authentication. This disables standard email/password authentication so that all account creation and login is handled through your SSO provider. If MFA is set up with your SSO provider, enabling this feature requires all authentication to go through your provider's MFA.

User authentication

Tonic respects the access control policy of your SSO provider. Users must be granted access to the Tonic app within your SSO provider in order to access Tonic.
Once SSO is enabled, users will have the opportunity to create an account within Tonic using SSO.
Screenshot of account creation with Google SSO enabled
Users will be prompted to authenticate via SSO on future logins.
Screenshot of log in with Google SSO enabled

Groups and collaboration

Tonic's Workspace Sharing functionality supports sharing workspaces with groups configured in your SSO system, provided the SSO integration is appropriately configured and has permission to read groups.
Screenshot of the Share Workspace screen
The TONIC_SSO_GROUP_FILTER_REGEX environment variable can be set to a regular expression that filters which groups Tonic displays and allows sharing with. For example, .*Tonic.* would allow all groups that contain the word "Tonic".
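The following is an added example, not Tonic's own code: a dry run of a candidate TONIC_SSO_GROUP_FILTER_REGEX value against a list of group names, showing which groups the pattern would expose for sharing and which of those were not intended. The group names, the anchored pattern and the function name are constructed for illustration, and Python's re module stands in for Tonic's regex engine, which is an assumption.

```python
import re

# Constructed sample of group names as an identity provider might return them.
SAMPLE_GROUPS = [
    "Tonic-Admins",
    "Tonic-Data-Engineering",
    "Finance-Tonic-Readers",
    "Ex-Tonic-Contractors",
    "Platform-Engineering",
]

# Groups the administrator actually wants to be shareable (constructed).
INTENDED = {"Tonic-Admins", "Tonic-Data-Engineering"}


def preview_group_filter(pattern, groups, intended):
    """Dry-run a candidate filter (hypothetical helper, not a Tonic API).

    Returns (visible, unintended, missing):
      visible    - groups the pattern matches, in input order
      unintended - matched groups that are not in the intended set
      missing    - intended groups the pattern fails to match
    """
    rx = re.compile(pattern)  # raises re.error if the pattern is invalid
    # Assumption: the filter is modelled as a case-sensitive search.
    visible = [g for g in groups if rx.search(g)]
    unintended = [g for g in visible if g not in intended]
    missing = sorted(set(intended) - set(visible))
    return visible, unintended, missing


if __name__ == "__main__":
    candidates = [
        ".*Tonic.*",                          # the pattern from the text
        r"^Tonic-(Admins|Data-Engineering)$", # anchored alternative (constructed)
    ]
    for pattern in candidates:
        visible, unintended, missing = preview_group_filter(
            pattern, SAMPLE_GROUPS, INTENDED
        )
        print(f"pattern:    {pattern}")
        print(f"  visible:    {visible}")
        print(f"  unintended: {unintended}")
        print(f"  missing:    {missing}")
```

Running a check like this against an export of your provider's real group names before setting the variable shows whether a substring pattern exposes more groups for sharing than intended.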