Release notesAPI docs
Information portal
Structural CloudTonic.ai

OpenID Connect (OIDC)

Use these instructions to set up an OpenID Connect SSO provider for Tonic Structural.

SSO setup

When you configure the application/client in your SSO system, you must configure it to use Authorization Code Flow.

You must also make note of the client_id. You must provide the client ID when you complete the configuration for Structural.

Redirect URIs

In your SSO provider, configure the following redirect URIs:

  • Sign-in redirect URIs: <tonic-base-url>/sso/callback

  • Sign-out redirect URIs: <tonic-base-url>/sso/logout

Structural configuration

Required environment settings

In the Structural web server container, set the following Structural environment settings:

  • TONIC_SSO_PROVIDER: OIDC

  • TONIC_SSO_CLIENT_ID: <application client ID>

  • TONIC_SSO_CLIENT_SECRET: Only required for HTTP basic authentication (client_secret_basic). The client secret.

  • TONIC_SSO_OIDC_AUTHORITY: The base URL of the provider. This is the location of /.well-known/openid-configuration

  • TONIC_SSO_GROUP_FILTER_REGEX: Identifies the allowed SSO groups for Structural. For details, go to Synchronizing SSO groups with Tonic Structural.

Optional environment settings

Setting
Default value
Description

TONIC_SSO_OIDC_SCOPES

openid profile email

The space-delimited list of scopes to request from the OIDC SSO provider. Because group information is not part of the standard OIDC specification, for Structural to capture group information, a custom scope must be configured.

TONIC_SSO_OIDC_FIRST_NAME_CLAIM_NAME

given_name

The name of the claim that contains the user's first name.

TONIC_SSO_OIDC_LAST_NAME_CLAIM_NAME

family_name

The name of the claim that contains the user's last name.

TONIC_SSO_OIDC_EMAIL_CLAIM_NAME

email

The name of the claim that contains the user's email/username.

TONIC_SSO_OIDC_GROUPS_CLAIM_NAME

groups

The name of the claim that contains the user's group membership.

Last updated