# Single sign-on (SSO)

{% hint style="info" %}
**Required license:** Professional or Enterprise
{% endhint %}

Tonic Structural supports integrations with several external single sign-on (SSO) providers to allow users to use SSO to create accounts and log in to Structural.

You first complete the configuration in your SSO provider, then configure the connection in Structural

* For self-hosted instances, the SSO configuration takes the form of environment settings.
* On Structural Cloud, the SSO configuration is on the **Access Management** tab of **Structural Settings** view.

To only allow SSO authentication:

* On self-hosted instances, set the [environment setting](/app/admin/environment-variables-setting.md) `REQUIRE_SSO_AUTH` to `true`.
* On Structural Cloud, under **Login methods**, check the **Require SSO for login** checkbox.

When you require SSO authentication, Structural disables standard email/password authentication. All account creation and login is handled through your SSO provider. If multi-factor authentication (MFA) is set up with your SSO, then all authentication must go through your provider's MFA.

## How SSO works in Structural

<table data-view="cards"><thead><tr><th></th><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>User authentication</strong></td><td>How SSO users create Structural accounts and log in to Structural.</td><td></td><td><a href="/pages/BMF6enPvCJHmBBggbnkW#user-authentication">/pages/BMF6enPvCJHmBBggbnkW#user-authentication</a></td></tr><tr><td><strong>Limit groups for Structural</strong></td><td>Identify SSO groups that are displayed in Structural.</td><td></td><td><a href="/pages/oCHdrVI0gf3XJwX2BuGn">/pages/oCHdrVI0gf3XJwX2BuGn</a></td></tr><tr><td><strong>View the list of groups</strong></td><td>View the list of SSO groups for which users have logged in to Structural.</td><td></td><td><a href="/pages/U1ExDibB0wuvhgKwWsKP">/pages/U1ExDibB0wuvhgKwWsKP</a></td></tr></tbody></table>

## Required configuration for each SSO provider

To use SSO in Structural, you must have a valid license for the SSO functionality. You must also configure Structural environment variables. The required variables differ by provider.

<table data-view="cards"><thead><tr><th></th><th></th><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>AWS IAM Identity Center</strong></td><td>Integrate with AWS IAM Identity Center to manage Structural users.</td><td></td><td><a href="/pages/GYFnMDXkgsLggUDNZk8L">/pages/GYFnMDXkgsLggUDNZk8L</a></td></tr><tr><td><strong>Duo</strong></td><td>Integrate with Duo to manage Structural users.</td><td></td><td><a href="/pages/ZHDdjP1Ye8gT0h9sCpDJ">/pages/ZHDdjP1Ye8gT0h9sCpDJ</a></td></tr><tr><td><strong>GitHub</strong></td><td>Integrate with GitHub to manage Structural users.</td><td></td><td><a href="/pages/LPQOfyXuPOsgexebqPXV">/pages/LPQOfyXuPOsgexebqPXV</a></td></tr><tr><td><strong>Google Account SSO</strong></td><td>Integration with Google Account SSO to manage Structural users.</td><td></td><td><a href="/pages/QrFexHfEwp2tfIWTYDOv">/pages/QrFexHfEwp2tfIWTYDOv</a></td></tr><tr><td><strong>Keycloak</strong></td><td>Integrate with Keycloak to manage Structural users.</td><td></td><td><a href="/pages/7he7QHAzi7YHds4VYSw5">/pages/7he7QHAzi7YHds4VYSw5</a></td></tr><tr><td><strong>Microsoft Entra ID</strong></td><td>Integrate with Microsoft Entra ID (previously Azure Active Directory) to manage Structural users.</td><td></td><td><a href="/pages/kM51ynQVCHh1PB8uIpx6">/pages/kM51ynQVCHh1PB8uIpx6</a></td></tr><tr><td><strong>Okta</strong></td><td>Integrate with Okta to manage Structural users.</td><td></td><td><a href="/pages/GbqVMiijmlL3PzZ1f3CL">/pages/GbqVMiijmlL3PzZ1f3CL</a></td></tr><tr><td><strong>OpenID Connect (OIDC)</strong></td><td>Integrate with OpenID Connect to manage Structural users.</td><td></td><td><a href="/pages/MMqNrn0ymzshvHMtpERa">/pages/MMqNrn0ymzshvHMtpERa</a></td></tr><tr><td><strong>SAML</strong></td><td>Integrate with a SAML-based provider to manage Structural users.</td><td></td><td><a href="/pages/c8HzPdkXfDgJlROaLc8R">/pages/c8HzPdkXfDgJlROaLc8R</a></td></tr></tbody></table>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.tonic.ai/app/admin/tonic-user-access/single-sign-on.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.