# Single sign-on (SSO)

{% hint style="info" %}
**Required license:** Professional or Enterprise
{% endhint %}

Tonic Structural supports integrations with several external single sign-on (SSO) providers to allow users to use SSO to create accounts and log in to Structural.

You first complete the configuration in your SSO provider, then configure the connection in Structural

* For self-hosted instances, the SSO configuration takes the form of environment settings.
* On Structural Cloud, the SSO configuration is on the **Access Management** tab of **Structural Settings** view.

To only allow SSO authentication:

* On self-hosted instances, set the [environment setting](https://docs.tonic.ai/app/admin/environment-variables-setting) `REQUIRE_SSO_AUTH` to `true`.
* On Structural Cloud, under **Login methods**, check the **Require SSO for login** checkbox.

When you require SSO authentication, Structural disables standard email/password authentication. All account creation and login is handled through your SSO provider. If multi-factor authentication (MFA) is set up with your SSO, then all authentication must go through your provider's MFA.

## How SSO works in Structural

<table data-view="cards"><thead><tr><th></th><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>User authentication</strong></td><td>How SSO users create Structural accounts and log in to Structural.</td><td></td><td><a href="user-authentication-and-groups#user-authentication">#user-authentication</a></td></tr><tr><td><strong>Limit groups for Structural</strong></td><td>Identify SSO groups that are displayed in Structural.</td><td></td><td><a href="single-sign-on/sso-limit-groups">sso-limit-groups</a></td></tr><tr><td><strong>View the list of groups</strong></td><td>View the list of SSO groups for which users have logged in to Structural.</td><td></td><td><a href="single-sign-on/sso-view-groups-list">sso-view-groups-list</a></td></tr></tbody></table>

## Required configuration for each SSO provider

To use SSO in Structural, you must have a valid license for the SSO functionality. You must also configure Structural environment variables. The required variables differ by provider.

<table data-view="cards"><thead><tr><th></th><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>AWS IAM Identity Center</strong></td><td>Integrate with AWS IAM Identity Center to manage Structural users.</td><td></td><td><a href="single-sign-on/aws">aws</a></td></tr><tr><td><strong>Duo</strong></td><td>Integrate with Duo to manage Structural users.</td><td></td><td><a href="single-sign-on/sso-duo">sso-duo</a></td></tr><tr><td><strong>GitHub</strong></td><td>Integrate with GitHub to manage Structural users.</td><td></td><td><a href="single-sign-on/github">github</a></td></tr><tr><td><strong>Google Account SSO</strong></td><td>Integration with Google Account SSO to manage Structural users.</td><td></td><td><a href="single-sign-on/google">google</a></td></tr><tr><td><strong>Keycloak</strong></td><td>Integrate with Keycloak to manage Structural users.</td><td></td><td><a href="single-sign-on/keycloak">keycloak</a></td></tr><tr><td><strong>Microsoft Entra ID</strong></td><td>Integrate with Microsoft Entra ID (previously Azure Active Directory) to manage Structural users.</td><td></td><td><a href="single-sign-on/azure">azure</a></td></tr><tr><td><strong>Okta</strong></td><td>Integrate with Okta to manage Structural users.</td><td></td><td><a href="single-sign-on/okta">okta</a></td></tr><tr><td><strong>OpenID Connect (OIDC)</strong></td><td>Integrate with OpenID Connect to manage Structural users.</td><td></td><td><a href="single-sign-on/oidc">oidc</a></td></tr><tr><td><strong>SAML</strong></td><td>Integrate with a SAML-based provider to manage Structural users.</td><td></td><td><a href="single-sign-on/saml">saml</a></td></tr></tbody></table>