Last updated
Was this helpful?
Last updated
Was this helpful?
Use these instructions to set up Google as your SSO provider for Tonic Structural.
To configure Google SSO:
- Requires GCP project permissions to create credentials.
- In addition to the above, requires the Google workspace administrator.
The OAuth client ID is sufficient to enable logging in with your Google account, but no groups are parsed. If the service account is misconfigured, the login succeeds without the groups being parsed, and a warning is logged to the server with more details.
For the provided links, it is assumed that the user is logged into their administrative account and using the same project.
Go to
Click Create credentials, located near the top.
Select OAuth client ID.
Select Web application as the application type.
Choose a name.
Under Authorized redirect URIs, add the URL of the Structural server with the endpoint /sso/callback.
Also note that internal URLs might not work:
Note the client ID and client secret. You will need to provide them to Structural.
TONIC_SSO_CLIENT_ID: <client id of oauth credentials>
TONIC_SSO_CLIENT_SECRET: <client secret of oauth credentials>
TONIC_SSO_PROVIDER: google
To set up the service account:
Click Create service account, located near the top.
Skip all of the subsequent optional steps.
After you create the service account, select it, then click the Keys tab.
Select Add Key -> Create new key. Select JSON as the key type. The browser automatically downloads a JSON file.
The JSON file must be base64 encoded to set it as a variable in your Docker Compose file. An example command to do this is:
cat /path/to/json/file | base64 -w 0
The long output of this command is set as the value of TONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64 in the Docker Compose file.
Take note of the service account email. You will need this later.
If it is not yet enabled, click Enable.
Select Groups Reader from the list of predefined roles.
Click Assign Roles -> Assign service accounts.
Copy the service account email into the box, then click Add.
To save these changes, click Assign Role.
TONIC_SSO_SERVICE_ACCOUNT_JSON_BASE64: <base64 encoded json key>
TONIC_SSO_GROUP_FILTER_REGEX: Identifies the allowed SSO groups for Structural. For details, go to Synchronizing SSO groups with Structural.
For example, a local Structural server at would need to be set as the redirect URI.
Configure the following in the Structural web server container:
For official documentation, see and .
Go to
Go to
Go to and select Admin Roles.
In the Structural web server container, set the following :
TONIC_SSO_DOMAIN: <domain name> - The domain name is the workspace domain. For example, for , the domain is tonic.ai. On a self-hosted instance, only users with this domain can log into Structural.
