
OpenID Connect (OIDC)

Use these instructions to set up an OpenID Connect SSO provider for Tonic.

SSO setup

When you configure the application (client) in your SSO provider, set it to use the Authorization Code Flow; Tonic does not use the implicit or hybrid flows.
Make a note of the client_id. You provide it to Tonic as TONIC_SSO_CLIENT_ID when you complete the Tonic configuration.

Redirect URIs

In your SSO provider, configure the following redirect URIs:
  • Sign-in redirect URIs: <tonic-base-url>/sso/callback
  • Sign-out redirect URIs: <tonic-base-url>/sso/logout

Tonic configuration

Required environment settings

In the Tonic web server container, set the following Tonic environment settings:
  • TONIC_SSO_PROVIDER: OIDC
  • TONIC_SSO_CLIENT_ID: <application client ID>
  • TONIC_SSO_CLIENT_SECRET: The client secret. Only required when the client authenticates to the provider's token endpoint with HTTP basic authentication (client_secret_basic).
  • TONIC_SSO_OIDC_AUTHORITY: The base (issuer) URL of the provider. Tonic appends /.well-known/openid-configuration to this URL to retrieve the provider's discovery document.
  • TONIC_SSO_GROUP_FILTER_REGEX: Identifies the allowed SSO groups for Tonic. For details, go to Synchronizing SSO groups with Tonic.

Optional environment settings

Each setting is listed with its default value.
  • TONIC_SSO_OIDC_SCOPES (default: openid profile email): The space-delimited list of scopes to request from the OIDC provider. Group membership is not part of the standard OpenID Connect claims, so for Tonic to receive group information you must add the custom scope that your provider uses to expose groups (and make sure the provider returns the groups claim for that scope).
  • TONIC_SSO_OIDC_FIRST_NAME_CLAIM_NAME (default: given_name): The name of the claim that contains the user's first name.
  • TONIC_SSO_OIDC_LAST_NAME_CLAIM_NAME (default: family_name): The name of the claim that contains the user's last name.
  • TONIC_SSO_OIDC_EMAIL_CLAIM_NAME (default: email): The name of the claim that contains the user's email address, which Tonic uses as the username.
  • TONIC_SSO_OIDC_GROUPS_CLAIM_NAME (default: groups): The name of the claim that contains the user's group membership.
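The following Python script is an added example, not Tonic's own code, that ties the settings above together: it derives the redirect URIs and discovery URL from a base URL and authority, checks the Tonic settings against the provider's discovery document (Authorization Code Flow support, client_secret_basic when a secret is set, requested scopes, the groups claim), and shows how the claim-name settings and TONIC_SSO_GROUP_FILTER_REGEX map an ID token's claims to a Tonic user. The discovery document, ID-token claims, hostnames and secret are constructed sample data; how Tonic itself applies the group filter regex is not documented on this page, so the full-match semantics used here are an assumption.

```python
"""Sanity-check a Tonic OIDC SSO configuration (added example; not Tonic's code).

All URLs, the client secret, the discovery document and the ID-token claims
below are constructed for the example. The checks are the standard OpenID
Connect Discovery ones a practitioner runs before enabling SSO.
"""
import re

# Settings as they would be set in the Tonic web server container (constructed values).
TONIC_ENV = {
    "TONIC_SSO_PROVIDER": "OIDC",
    "TONIC_SSO_CLIENT_ID": "tonic-web",
    "TONIC_SSO_CLIENT_SECRET": "example-secret",  # only needed for client_secret_basic
    "TONIC_SSO_OIDC_AUTHORITY": "https://idp.example.com/realms/corp",
    "TONIC_SSO_GROUP_FILTER_REGEX": r"tonic-.*",
    "TONIC_SSO_OIDC_SCOPES": "openid profile email groups",  # 'groups' is the custom scope
    "TONIC_SSO_OIDC_GROUPS_CLAIM_NAME": "groups",
}
TONIC_BASE_URL = "https://tonic.example.com"  # stands in for <tonic-base-url>

# Constructed discovery document, as a provider would serve it at
# <authority>/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "https://idp.example.com/realms/corp",
    "authorization_endpoint": "https://idp.example.com/realms/corp/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/corp/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.com/realms/corp/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "claims_supported": ["sub", "given_name", "family_name", "email", "groups"],
}

# Constructed ID-token claims for one user, after signature/issuer/audience validation.
SAMPLE_ID_TOKEN_CLAIMS = {
    "sub": "4f1c2d3e", "given_name": "Ada", "family_name": "Lovelace",
    "email": "ada@example.com", "groups": ["tonic-admins", "tonic-users", "finance"],
}

DISCOVERY_PATH = "/.well-known/openid-configuration"


def discovery_url(authority):
    """TONIC_SSO_OIDC_AUTHORITY is the base under which the discovery document is served."""
    return authority.rstrip("/") + DISCOVERY_PATH


def redirect_uris(base_url):
    """The two redirect URIs to register in the SSO provider for a given <tonic-base-url>."""
    base = base_url.rstrip("/")
    return {"sign_in": base + "/sso/callback", "sign_out": base + "/sso/logout"}


def check_provider(discovery, env):
    """Compare the Tonic settings with the provider's discovery document.
    Returns a list of problems; an empty list means the combination looks usable."""
    problems = []
    authority = env["TONIC_SSO_OIDC_AUTHORITY"].rstrip("/")
    if discovery.get("issuer", "").rstrip("/") != authority:
        problems.append("issuer %r does not match TONIC_SSO_OIDC_AUTHORITY" % discovery.get("issuer"))
    # Authorization Code Flow needs response_type=code and the authorization_code grant.
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("provider does not support response_type=code")
    grants = discovery.get("grant_types_supported")  # optional; default includes authorization_code
    if grants is not None and "authorization_code" not in grants:
        problems.append("provider does not support the authorization_code grant")
    # client_secret_basic only matters when a client secret is configured.
    methods = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if env.get("TONIC_SSO_CLIENT_SECRET") and "client_secret_basic" not in methods:
        problems.append("TONIC_SSO_CLIENT_SECRET is set but provider does not offer client_secret_basic")
    # Requested scopes: 'openid' is mandatory; the rest should be advertised by the provider.
    scopes = env.get("TONIC_SSO_OIDC_SCOPES", "openid profile email").split()
    if "openid" not in scopes:
        problems.append("TONIC_SSO_OIDC_SCOPES must include 'openid'")
    advertised = discovery.get("scopes_supported")  # optional in the spec
    problems += ["scope %r is not advertised by the provider" % s
                 for s in scopes if advertised is not None and s not in advertised]
    # The groups claim is non-standard, so confirm the provider exposes it when it lists claims.
    groups_claim = env.get("TONIC_SSO_OIDC_GROUPS_CLAIM_NAME", "groups")
    claims = discovery.get("claims_supported")
    if claims is not None and groups_claim not in claims:
        problems.append("claim %r is not advertised; check the custom scope/claim mapping" % groups_claim)
    return problems


def map_claims(id_token_claims, env):
    """Apply the *_CLAIM_NAME settings and the group filter to validated ID-token claims."""
    first = id_token_claims.get(env.get("TONIC_SSO_OIDC_FIRST_NAME_CLAIM_NAME", "given_name"))
    last = id_token_claims.get(env.get("TONIC_SSO_OIDC_LAST_NAME_CLAIM_NAME", "family_name"))
    email = id_token_claims.get(env.get("TONIC_SSO_OIDC_EMAIL_CLAIM_NAME", "email"))
    groups = id_token_claims.get(env.get("TONIC_SSO_OIDC_GROUPS_CLAIM_NAME", "groups"), [])
    if isinstance(groups, str):  # some providers emit a single group as a plain string
        groups = [groups]
    # Assumption: the filter regex must match the whole group name.
    pattern = re.compile(env["TONIC_SSO_GROUP_FILTER_REGEX"])
    allowed = [g for g in groups if pattern.fullmatch(g)]
    return {"first_name": first, "last_name": last, "email": email, "groups": allowed}


if __name__ == "__main__":
    print("discovery:", discovery_url(TONIC_ENV["TONIC_SSO_OIDC_AUTHORITY"]))
    print("redirects:", redirect_uris(TONIC_BASE_URL))
    print("problems:", check_provider(DISCOVERY, TONIC_ENV) or "none")
    print("user:", map_claims(SAMPLE_ID_TOKEN_CLAIMS, TONIC_ENV))
```

Run it before pointing the real provider at Tonic, replacing DISCOVERY with the JSON fetched from your authority's /.well-known/openid-configuration; a non-empty problem list usually explains a failed sign-in faster than the provider's error page does. Note that the group filter here drops "finance" because it does not match the regex, which is the effect you want from TONIC_SSO_GROUP_FILTER_REGEX: only matching groups are synchronized into Tonic.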