OpenID Connect (OIDC)

Use these instructions to set up an OpenID Connect SSO provider for Tonic Structural.

SSO setup

When you configure the application/client in your SSO system, you must configure it to use the Authorization Code Flow.

You must also make a note of the client_id. You provide this client ID when you complete the configuration for Structural.

Redirect URIs

In your SSO provider, configure the following redirect URIs:

  • Sign-in redirect URIs: <tonic-base-url>/sso/callback

  • Sign-out redirect URIs: <tonic-base-url>/sso/logout

Structural configuration

Required environment settings

In the Structural web server container, set the following Structural environment settings:

  • TONIC_SSO_CLIENT_ID: <application client ID>

  • TONIC_SSO_CLIENT_SECRET: The client secret. Only required when the client authenticates with HTTP basic authentication (client_secret_basic).

  • TONIC_SSO_OIDC_AUTHORITY: The base URL of the provider. The provider's discovery document is located at <authority>/.well-known/openid-configuration.

  • TONIC_SSO_GROUP_FILTER_REGEX: A regular expression that identifies the SSO groups that are allowed access to Structural. For details, go to Synchronizing SSO groups with Tonic Structural.
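The following is an added example, not Tonic's own code: a pre-flight check you can run before starting the web server container. It uses the setting names from this page, derives the discovery document location from TONIC_SSO_OIDC_AUTHORITY and the two redirect URIs from the Structural base URL, and applies validation rules of my own (the authority must be an absolute https URL, and the group filter must compile as a Python regular expression). The sample values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Added example, not Tonic's code: a pre-flight check of the Structural SSO
# environment settings listed above. The setting names are the ones on this
# page; the validation rules are assumptions of this example.

REQUIRED_SETTINGS = (
    "TONIC_SSO_CLIENT_ID",
    "TONIC_SSO_OIDC_AUTHORITY",
    "TONIC_SSO_GROUP_FILTER_REGEX",
)


def discovery_url(authority: str) -> str:
    """Location of the provider's discovery document for a given TONIC_SSO_OIDC_AUTHORITY."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def redirect_uris(tonic_base_url: str) -> dict:
    """The two redirect URIs to register in the SSO provider, derived from the Structural base URL."""
    base = tonic_base_url.rstrip("/")
    return {"sign_in": base + "/sso/callback", "sign_out": base + "/sso/logout"}


def validate_settings(env: dict) -> list:
    """Return a list of problems with the settings; an empty list means they pass."""
    problems = []
    for name in REQUIRED_SETTINGS:
        if not env.get(name, "").strip():
            problems.append(f"{name} is not set")

    authority = env.get("TONIC_SSO_OIDC_AUTHORITY", "").strip()
    if authority:
        parts = urlsplit(authority)
        # The discovery document tells Structural where the provider's endpoints
        # and signing keys are, so it must only ever be fetched over TLS.
        if parts.scheme != "https" or not parts.netloc:
            problems.append("TONIC_SSO_OIDC_AUTHORITY must be an absolute https:// URL")

    pattern = env.get("TONIC_SSO_GROUP_FILTER_REGEX", "")
    if pattern:
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"TONIC_SSO_GROUP_FILTER_REGEX is not a valid regex: {exc}")
    return problems


# Constructed sample settings (placeholder values, not real credentials).
SAMPLE_ENV = {
    "TONIC_SSO_CLIENT_ID": "structural-web",
    "TONIC_SSO_OIDC_AUTHORITY": "https://idp.example.com/realms/corp/",
    "TONIC_SSO_GROUP_FILTER_REGEX": r"^tonic-.*$",
}

if __name__ == "__main__":
    for line in validate_settings(SAMPLE_ENV) or ["settings OK"]:
        print(line)
    print(discovery_url(SAMPLE_ENV["TONIC_SSO_OIDC_AUTHORITY"]))
    print(redirect_uris("https://structural.example.com"))
```

Run it with the real values exported in the container's environment (for example `validate_settings(dict(os.environ))`) and fix every reported problem before the first sign-in attempt; a misspelled setting name or an invalid filter regex is far easier to find here than in a failed SSO callback.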

Optional environment settings

Setting | Default value | Description
 | openid profile email | The space-delimited list of scopes to request from the OIDC SSO provider. Because group information is not part of the standard OIDC specification, for Structural to capture group information, a custom scope must be configured.
 |  | The name of the claim that contains the user's first name.
 |  | The name of the claim that contains the user's last name.
 |  | The name of the claim that contains the user's email/username.
 |  | The name of the claim that contains the user's group membership.
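To make the claim-name settings and TONIC_SSO_GROUP_FILTER_REGEX concrete, here is an added example (not Tonic's code) that decodes the payload of an ID token, picks out the first-name, last-name, username and group claims by their configured names, and keeps only the groups the filter regex allows. The claim names in DEFAULT_CLAIM_NAMES are assumptions for this example, since Structural's defaults are not given on this page; so is the use of full-string matching for the filter. The ID token is constructed inline with a placeholder signature, and it also shows the failure mode the scope setting describes: when the custom group scope was not requested, the group claim is simply absent.

```python
import base64
import json
import re

# Added example, not Tonic's code. The claim names below are assumed defaults
# for this example; Structural's own defaults are not given on this page.
DEFAULT_CLAIM_NAMES = {
    "first_name": "given_name",
    "last_name": "family_name",
    "username": "email",
    "groups": "groups",
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the middle (payload) segment of a JWT.

    This only reads the claims; verifying the signature against the provider's
    keys is the OIDC client library's job and must happen before any claim is trusted.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(payload))


def map_user(claims: dict, claim_names: dict, group_filter_regex: str) -> dict:
    """Pick the configured claims out of the token and keep only the groups the filter allows."""
    warnings = []
    raw_groups = claims.get(claim_names["groups"])
    if raw_groups is None:
        # Typical when the provider was not asked for the custom group scope.
        warnings.append(f"claim '{claim_names['groups']}' missing; was the group scope requested?")
        raw_groups = []
    elif isinstance(raw_groups, str):
        raw_groups = raw_groups.split()  # some providers send one space-separated string
    pattern = re.compile(group_filter_regex)  # full-string matching is an assumption here
    return {
        "first_name": claims.get(claim_names["first_name"]),
        "last_name": claims.get(claim_names["last_name"]),
        "username": claims.get(claim_names["username"]),
        "groups": [g for g in raw_groups if pattern.fullmatch(g)],
        "warnings": warnings,
    }


# Constructed sample ID token: real header and payload encoding, placeholder signature.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "iss": "https://idp.example.com/realms/corp",
        "sub": "user-123",
        "given_name": "Ada",
        "family_name": "Lovelace",
        "email": "ada@example.com",
        "groups": ["tonic-admins", "tonic-users", "finance"],
    }).encode()),
    "signature-placeholder",
])

if __name__ == "__main__":
    user = map_user(decode_jwt_payload(SAMPLE_ID_TOKEN), DEFAULT_CLAIM_NAMES, r"tonic-.*")
    print(json.dumps(user, indent=2))
```

With the filter `tonic-.*`, the sample user keeps `tonic-admins` and `tonic-users` and loses `finance`; a token without a group claim yields an empty group list plus a warning, which is the symptom to look for when users sign in successfully but have no Structural groups.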
