OpenID Connect (OIDC)

Use these instructions to set up an OpenID Connect (OIDC) SSO provider for Tonic Structural.

SSO setup

Configuration requirements

When you configure the application/client in your SSO system, you must configure it to use Authorization Code Flow.

Also make a note of the client_id. You must provide this client ID when you complete the configuration for Structural.

Redirect URIs

In your SSO provider, configure the following redirect URIs:

  • Sign-in redirect URIs: For self-hosted instances, the value is <tonic-base-url>/sso/callback.

    For Structural Cloud, the value is https://app.tonic.ai/sso/callback/<your organization identifier>. Your organization identifier is displayed on your User Settings view.

  • Sign-out redirect URIs: <tonic-base-url>/sso/logout

Initiate login URI

To allow users to log in to Structural directly from the OIDC provider, provide an initiate login URI.

For self-hosted instances, the initiate login URI is the base URL of the Structural instance.

For Structural Cloud, the value is https://app.tonic.ai/sso/login/<your organization identifier>. Your organization identifier is displayed on your User Settings view.

Structural configuration - self-hosted

On a self-hosted instance, you use environment settings to configure the connection to OIDC.

Required environment settings

In the Structural web server container, set the following Structural environment settings:

  • TONIC_SSO_PROVIDER: OIDC

  • TONIC_SSO_CLIENT_ID: <application client ID>

  • TONIC_SSO_CLIENT_SECRET: The client secret. Only required for HTTP basic authentication (client_secret_basic).

  • TONIC_SSO_OIDC_AUTHORITY: The base URL of the provider. This is the location of /.well-known/openid-configuration.

  • TONIC_SSO_GROUP_FILTER_REGEX: Identifies the allowed SSO groups for Structural. For details, go to Synchronizing SSO groups with Structural.

Optional environment settings

Each entry lists the setting, its default value, and a description.

  • TONIC_SSO_OIDC_SCOPES (default: openid profile email): The space-delimited list of scopes to request from the OIDC SSO provider. Because group information is not part of the standard OIDC specification, for Structural to capture group information, a custom scope must be configured.

  • TONIC_SSO_OIDC_FIRST_NAME_CLAIM_NAME (default: given_name): The name of the claim that contains the user's first name.

  • TONIC_SSO_OIDC_LAST_NAME_CLAIM_NAME (default: family_name): The name of the claim that contains the user's last name.

  • TONIC_SSO_OIDC_EMAIL_CLAIM_NAME (default: email): The name of the claim that contains the user's email/username.

  • TONIC_SSO_OIDC_GROUPS_CLAIM_NAME (default: groups): The name of the claim that contains the user's group membership.

  • TONIC_SSO_OIDC_ADDITIONAL_ENDPOINT_BASE_ADDRESSES (no default): The space-delimited list of approved secondary domains where your identity provider is allowed to host its login and token services.
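The following Python script is an added example, not part of the Tonic documentation or product. It checks a provider's discovery document (the JSON served at <TONIC_SSO_OIDC_AUTHORITY>/.well-known/openid-configuration) against the requirements stated on this page: Authorization Code Flow, client_secret_basic when a client secret is configured, every requested scope being advertised, and every endpoint being hosted on the authority or on one of the approved additional base addresses. The discovery document is constructed inline; the assumption that additional base addresses are matched on scheme and host is the example's own, not something this page states.

```python
"""Pre-flight check of an OIDC provider's discovery document against the
Structural requirements described on this page.

Added example, not Tonic code. The discovery document below is constructed
for illustration; in practice you would fetch
<TONIC_SSO_OIDC_AUTHORITY>/.well-known/openid-configuration.
"""
import json
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample discovery document (all values are placeholders).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/authorize",
    "token_endpoint": "https://login.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "claims_supported": ["sub", "email", "given_name", "family_name", "groups"],
})


def _host_allowed(url: str, authority: str, additional_bases: str) -> bool:
    """True if the URL is HTTPS and served from the authority's host or from one
    of the space-delimited additional base addresses (assumption: matched on
    scheme and host)."""
    target = urlparse(url)
    allowed = [urlparse(authority)] + [urlparse(b) for b in additional_bases.split()]
    return target.scheme == "https" and any(
        target.scheme == a.scheme and target.hostname == a.hostname for a in allowed
    )


def check_provider(discovery_json: str, authority: str, client_secret: Optional[str],
                   scopes: str, additional_bases: str = "") -> List[str]:
    """Return the problems found; an empty list means the provider satisfies
    the requirements described on this page."""
    doc = json.loads(discovery_json)
    problems: List[str] = []

    # Authorization Code Flow requires the "code" response type and the
    # authorization_code grant. grant_types_supported is optional in the
    # discovery spec; its default includes authorization_code.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    if "authorization_code" not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("provider does not advertise the authorization_code grant")

    # A client secret is only useful if the token endpoint accepts
    # client_secret_basic (the spec's default when the field is absent).
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if client_secret and "client_secret_basic" not in methods:
        problems.append("client secret set but token endpoint does not accept client_secret_basic")

    # Every requested scope should be advertised; a missing custom groups
    # scope is the usual reason no group claim comes back.
    advertised = set(doc.get("scopes_supported", []))
    for scope in scopes.split():
        if advertised and scope not in advertised:
            problems.append(f"requested scope '{scope}' is not advertised by the provider")

    # Login and token services must live on the authority host or on an
    # approved additional base address.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        url = doc.get(key)
        if url and not _host_allowed(url, authority, additional_bases):
            problems.append(f"{key} {url} is not on the authority or an approved additional base address")

    return problems


if __name__ == "__main__":
    # Without the secondary domain approved, the login/token endpoints are flagged.
    for p in check_provider(SAMPLE_DISCOVERY, "https://idp.example.com", "secret",
                            "openid profile email groups"):
        print("problem:", p)
    # With it approved, the constructed provider passes every check.
    print(check_provider(SAMPLE_DISCOVERY, "https://idp.example.com", "secret",
                         "openid profile email groups", "https://login.example.com"))
```

Run this against the live discovery JSON before setting TONIC_SSO_OIDC_AUTHORITY; any endpoint it flags as off-host is a candidate for TONIC_SSO_OIDC_ADDITIONAL_ENDPOINT_BASE_ADDRESSES, and any unadvertised scope is a sign the custom groups scope is not yet configured on the provider side.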

Structural configuration - Structural Cloud


Required global permission: Manage user access to Tonic Structural and to any workspace

Configuring the general connection information

On Structural Cloud, after you enable SSO, to configure the connection to OIDC:

Configuration settings for OIDC SSO on Structural Cloud

  1. Click OIDC.

  2. In the Authority URL field, provide the base URL of the provider. This is the location of /.well-known/openid-configuration.

  3. In the Client ID field, provide the identifier of the client application.

  4. In the Client Secret field, for HTTP basic authentication (client_secret_basic), provide the client secret.

  5. Optionally, in the Scopes field, provide a space-delimited list of scopes to request from the OIDC SSO provider. Note that because group information is not part of the standard OIDC specification, for Structural to capture group information, a custom scope must be configured.

Configuring claims

If you use claims to store user information, then to identify the claims:

Advanced Claim Configuration for OIDC SSO on Structural Cloud

  1. Expand the Advanced Claim Configuration section.

  2. In the Email Claim Name field, provide the name of the claim that contains the user's email/username.

  3. In the First Name Claim Name field, provide the name of the claim that contains the user's first name.

  4. In the Last Name Claim Name field, provide the name of the claim that contains the user's last name.

  5. In the Groups Claim Name field, provide the name of the claim that contains the user's group membership.
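The following Python function is an added example, not Tonic code. It shows what the claim name settings (the self-hosted TONIC_SSO_OIDC_*_CLAIM_NAME settings and the Cloud Advanced Claim Configuration fields) and the group filter do with an identity's claims: the configured names select the email/username, first name, last name and groups, and only groups matching the filter regex are kept. The claim sets are constructed samples, and the assumption that the filter regex must match the whole group name is the example's own; this page does not spell out how Structural applies TONIC_SSO_GROUP_FILTER_REGEX.

```python
"""Map an OIDC identity's claims to the user fields Structural reads, using
configurable claim names (defaults from this page: given_name, family_name,
email, groups) and a group filter regex.

Added example, not Tonic code. Assumption: a group is allowed when the filter
regex matches the whole group name.
"""
import re
from typing import Any, Dict


# Constructed sample: claims returned for "openid profile email" plus a
# custom groups scope. All values are placeholders.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "1234567890",
    "email": "jane.doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "groups": ["structural-admins", "structural-analysts", "finance-all"],
}

# Constructed sample for a provider that uses non-default claim names.
SAMPLE_CLAIMS_CUSTOM: Dict[str, Any] = {
    "sub": "0987654321",
    "preferred_username": "jdoe@example.com",
    "firstName": "Jane",
    "lastName": "Doe",
    "memberOf": ["structural-analysts", "hr-all"],
}


def map_claims(claims: Dict[str, Any], group_filter_regex: str,
               email_claim: str = "email", first_name_claim: str = "given_name",
               last_name_claim: str = "family_name",
               groups_claim: str = "groups") -> Dict[str, Any]:
    """Return the email, first_name, last_name and allowed groups for an identity.

    Raises ValueError when the email/username claim is absent, since login
    cannot proceed without it. A missing groups claim yields an empty group
    list, the usual symptom when the custom groups scope was not requested or
    the groups claim name is wrong."""
    email = claims.get(email_claim)
    if not email:
        raise ValueError(f"claim '{email_claim}' is missing; check the email claim name setting")

    raw_groups = claims.get(groups_claim, [])
    # Some providers return a single group as a bare string rather than a list.
    if isinstance(raw_groups, str):
        raw_groups = [raw_groups]
    pattern = re.compile(group_filter_regex)
    allowed_groups = [g for g in raw_groups if pattern.fullmatch(g)]

    return {
        "email": email,
        "first_name": claims.get(first_name_claim, ""),
        "last_name": claims.get(last_name_claim, ""),
        "groups": allowed_groups,
    }


if __name__ == "__main__":
    # Default claim names; only the structural-* groups survive the filter.
    print(map_claims(SAMPLE_CLAIMS, r"structural-.*"))
    # Custom claim names as they would be entered in the claim name settings.
    print(map_claims(SAMPLE_CLAIMS_CUSTOM, r"structural-.*",
                     email_claim="preferred_username", first_name_claim="firstName",
                     last_name_claim="lastName", groups_claim="memberOf"))
```

Feeding a decoded ID token or userinfo response from your provider through this mapping with your intended claim names is a quick way to confirm, before users try to sign in, that the email claim resolves and that the groups claim and filter produce the groups you expect rather than an empty list.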
