Use these instructions to set up AWS as your SSO provider for Tonic.

AWS configuration

You complete the following configuration steps within AWS SSO (now called IAM Identity Center in the AWS console).

Create the SAML application

In the Applications section, click Add a new application.
Applications page in AWS SSO
Next, on the Add New Application page, click Add a custom SAML 2.0 application.
Add a custom SAML 2.0 application on the Add New Application page
Under IAM Identity Center metadata, copy and save the IAM Identity Center SAML metadata file URL. You will set this URL as the value of a Tonic environment setting.
IAM Identity Center metadata
Under Application properties, set Application start URL to your Tonic URL.
Application properties for the SAML application
Under Application metadata:
  1. Click Manually type your metadata values.
  2. Set Application ACS URL to your Tonic URL followed by /api/sso/samllogin.
  3. Set Application SAML audience to Tonic.
Application metadata for the SAML application
To create the application, click Submit.

Configure attribute mappings for Tonic

Next, you need to configure the attribute mappings that Tonic requires.
For your new Tonic application, click Actions, then select Edit attribute mappings.
Actions menu for the Tonic application
On the Attribute mappings tab, set up the following mappings:
  • Map Subject to ${user:subject}
  • Map GivenName to ${user:givenName}
  • Map Email to ${user:email}
  • Map FamilyName to ${user:familyName}
  • Map Groups to ${user:groups}
Tonic attribute mappings

Tonic configuration

In the Tonic web server container, set the following Tonic environment settings:
  • TONIC_SSO_IDENTITY_PROVIDER_ID - Set to the value of Identity store ID from the Settings page in AWS SSO.
Getting the Identity store ID from AWS SSO
  • TONIC_SSO_SAML_IDP_METADATA_XML_URL - Set to the IAM Identity Center SAML metadata file URL that you saved earlier.
  • TONIC_SSO_GROUP_FILTER_REGEX - Identifies the allowed groups for Tonic. For details, go to Synchronizing SSO groups with Tonic.
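As an added pre-flight check (example code written for this page, not part of the Tonic documentation, the Tonic product, or AWS), the following Python script derives the Application start URL, ACS URL and SAML audience entered above from the Tonic URL, inspects a constructed IdP metadata document with the structure of the IAM Identity Center metadata file to confirm it carries a signing certificate and an https HTTP-POST sign-on endpoint (and flags SP metadata pasted where IdP metadata belongs), and assembles the three Tonic environment settings. The sample metadata, the hostnames, and the assumed `d-` prefix shape of the Identity store ID are placeholders and assumptions, not values from the page.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata with the structure of the IAM Identity Center
# metadata file; entityID, endpoint and certificate are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...EXAMPLE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed SP metadata: what the application's own metadata looks like if it
# is pasted where the IdP metadata belongs. The checks must reject it.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="Tonic">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

def sp_values(tonic_url):
    """Values to enter in IAM Identity Center: start URL, ACS URL and audience."""
    parts = urlparse(tonic_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Tonic URL must be an absolute https URL")
    base = tonic_url.rstrip("/")
    return {"start_url": base, "acs_url": base + "/api/sso/samllogin", "audience": "Tonic"}

def _signing_certs(idp):
    """Base64 signing certificates; a KeyDescriptor without 'use' may also sign."""
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return [c for c in certs if c]

def inspect_idp_metadata(xml_text):
    """Facts Tonic relies on from IdP metadata, plus a list of problems.
    An empty 'errors' list means the document is usable as IdP metadata."""
    result = {"entity_id": None, "sso_url": None, "signing_certs": [], "errors": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        result["errors"].append("not well-formed XML: %s" % exc)
        return result
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        result["errors"].append("no IDPSSODescriptor: not IdP metadata (SP metadata pasted by mistake?)")
        return result
    result["entity_id"] = root.get("entityID")
    result["signing_certs"] = _signing_certs(idp)
    if not result["signing_certs"]:
        result["errors"].append("no signing certificate, so assertions could not be verified")
    locations = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == POST_BINDING]
    if not locations:
        result["errors"].append("no SingleSignOnService with the HTTP-POST binding")
    else:
        result["sso_url"] = locations[0]
        if urlparse(locations[0]).scheme != "https":
            result["errors"].append("SingleSignOnService endpoint is not https")
    return result

# Assumed shape of an Identity store ID ("d-" plus an alphanumeric suffix);
# loosen the pattern if your store ID differs.
IDENTITY_STORE_ID_RE = re.compile(r"^d-[0-9a-z]+$")

def tonic_env(identity_store_id, metadata_url, group_filter_regex):
    """The three Tonic settings, rejected early if they are obviously wrong."""
    if not IDENTITY_STORE_ID_RE.match(identity_store_id):
        raise ValueError("does not look like an Identity store ID: %r" % identity_store_id)
    if urlparse(metadata_url).scheme != "https":
        raise ValueError("metadata URL must be https, or the IdP signing key could be swapped in transit")
    re.compile(group_filter_regex)  # raises re.error on a malformed filter
    return {"TONIC_SSO_IDENTITY_PROVIDER_ID": identity_store_id,
            "TONIC_SSO_SAML_IDP_METADATA_XML_URL": metadata_url,
            "TONIC_SSO_GROUP_FILTER_REGEX": group_filter_regex}

if __name__ == "__main__":
    print(sp_values("https://tonic.example.com/"))
    print(inspect_idp_metadata(SAMPLE_IDP_METADATA))
    print(inspect_idp_metadata(SAMPLE_SP_METADATA)["errors"])
    for key, value in tonic_env("d-1234567890",
                                "https://portal.sso.us-east-1.amazonaws.com/saml/metadata/EXAMPLEID",
                                "^tonic-.*$").items():
        print("%s=%s" % (key, value))
```

To check a real deployment, fetch the saved metadata URL with the HTTP client of your choice and pass the response body to inspect_idp_metadata before setting TONIC_SSO_SAML_IDP_METADATA_XML_URL; the script deliberately does no network access so it runs offline against the constructed samples.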