Single sign-on (SSO)

Tonic supports the following integrations, which allow users to create accounts and log in to Tonic through an external single sign-on provider:
  • AWS SSO (and other SAML-based authentication)
  • Azure Active Directory
  • Duo Security SSO
  • Google Account SSO
  • Keycloak
  • Okta
  • PingID (cloud-based, adaptive multi-factor authentication - MFA)
SSO is a licensed feature that is available to customers on Tonic's Enterprise tier.


SSO within Tonic requires a valid license for the SSO functionality and the configuration of several environment variables within the Tonic deployment.
These variables differ by provider and are covered in the following topics:
You can also set the environment variable REQUIRE_SSO_AUTH to true to enable SSO-only authentication. This disables standard email/password authentication, so that all account creation and login is handled through your SSO provider. If MFA is set up with your SSO provider, enabling this feature requires all authentication to go through your provider's MFA.

User authentication

Tonic respects the access control policy of your SSO provider. To access Tonic, users must be granted access to the Tonic application within your SSO provider.
After SSO is enabled, users can use SSO to create an account in Tonic.
Figure: Account creation with Google SSO enabled
On future logins, users are prompted to use SSO to authenticate.
Figure: Login with Google SSO enabled

Groups and collaboration

Tonic's workspace sharing feature supports sharing workspaces with groups that are configured in your SSO system. This works only when the SSO integration is appropriately configured and has permission to read groups.
Figure: Share Workspace dialog
You use the TONIC_SSO_GROUP_FILTER_REGEX environment variable to set a regex to filter the groups that Tonic displays and allows sharing with. For example, .*Tonic.* allows all groups that contain the word "Tonic".
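
Before setting TONIC_SSO_GROUP_FILTER_REGEX, it helps to check a candidate pattern against your real group list so that it exposes only the groups you intend. The following is an added example, not code from Tonic: the function names and group names are constructed, and Python's re module stands in for whatever regex engine Tonic uses. Because the page does not say whether the pattern must match the whole group name or only part of it, the check runs both ways.

```python
import re

# Constructed group names, standing in for what an SSO provider might return.
SAMPLE_GROUPS = [
    "Tonic-Admins",
    "Tonic-DataEng",
    "Finance-Tonic-Readers",
    "Architectonic-Review",   # contains lowercase "tonic" only
    "tonic-contractors",
    "Domain Admins",
]

def visible_groups(pattern, groups, whole_name):
    """Groups that pass the filter. whole_name=True requires the regex to match
    the entire group name; False accepts a match anywhere in it. Which of the
    two Tonic applies is not stated on the page, so both are checked."""
    rx = re.compile(pattern)
    matcher = rx.fullmatch if whole_name else rx.search
    return [g for g in groups if matcher(g)]

def audit_filter(pattern, groups, intended):
    """Compare what a candidate pattern exposes against the intended groups."""
    report = {}
    for label, whole_name in (("whole_name", True), ("anywhere", False)):
        shown = set(visible_groups(pattern, groups, whole_name))
        report[label] = {
            "unexpected": sorted(shown - set(intended)),
            "missing": sorted(set(intended) - shown),
        }
    return report

def is_safe(report):
    """True only if exactly the intended groups are exposed in both modes."""
    return all(not r["unexpected"] and not r["missing"] for r in report.values())

if __name__ == "__main__":
    intended = ["Tonic-Admins", "Tonic-DataEng"]
    for candidate in (r".*Tonic.*", r"Tonic", r"^Tonic-(Admins|DataEng)$"):
        report = audit_filter(candidate, SAMPLE_GROUPS, intended)
        print(candidate, "OK" if is_safe(report) else "REVIEW", report)
```

With this sample, the page's .*Tonic.* pattern also exposes Finance-Tonic-Readers, while the anchored pattern exposes only the two intended groups regardless of matching mode.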