Keycloak
Set up Keycloak as your SSO provider for Tonic
Within Keycloak, select the realm to use for your Tonic client. Under Clients, click Create client.
Create client option for Keycloak
On the Create client page, under General Settings:
- 1.From the Client type dropdown list, select OpenID Connect.
- 2.Enter a Client ID and Name.
- 3.Click Next.
Create client fields for a Keycloak client
On the Capability Config tab, click Save. The details page for the new client displays.
On the Settings tab, under Access settings, enter your Tonic URL information.
Access settings for a Keycloak client
Click Client scopes. Each client has a dedicated scope named
<client-id>-dedicated. To configure the scope, click the scope name.
Client scopes tab for a Keycloak client
On the Mappers tab, to add a property mapper to the scope, click Configure a new mapper.
Options to add a property mapper to a Keycloak client scope
In the list of mapper types, click Group Membership.
Available mapper types for a Keycloak client scope property mapper
Under Add mapper, set both Name and Token Claim Name to
groups.
Configuration options for a Keycloak property mapper
The Full group path toggle affects how child groups appear in Tonic:
- When on, child groups display as
parent group/child group. - When off, child groups display as
child group.
To save the new group membership mapper, click Save.
TONIC_SSO_PROVIDER:KeycloakTONIC_SSO_DOMAIN:https://my-keycloak-instanceTONIC_SSO_CLIENT_ID: <Keycloak client ID>TONIC_SSO_REALM_ID: <Keycloak realm ID>TONIC_SSO_GROUP_FILTER_REGEX:<Group regular expression> Optional. If not set, Tonic does not synchronize or load groups from your SSO provider. To synchronize groups, this must be set. The setting is used to limit the groups that are imported to Tonic. Set this to a regular expression that matches the groups that Tonic should be aware of. For example, the expression.*Tonic.*allows all groups that contain the word "Tonic". To not limit the groups, set the value to.*.
Last modified 18d ago