OpenID Connect (OIDC)
Use these instructions to set up an OpenID Connect SSO provider for Tonic Structural.
When you configure the application/client in your SSO system, you must configure it to use Authorization Code Flow.
You must also make note of the client_id. You must provide the client ID when you complete the configuration for Structural.
In your SSO provider, configure the following redirect URIs:
Sign-in redirect URIs: <tonic-base-url>/sso/callback
Sign-out redirect URIs: <tonic-base-url>/sso/logout
In the Structural web server container, set the following environment variables:
TONIC_SSO_PROVIDER: OIDC
TONIC_SSO_CLIENT_ID: <application client ID>
TONIC_SSO_CLIENT_SECRET: The client secret. Only required for HTTP basic authentication (client_secret_basic).
TONIC_SSO_OIDC_AUTHORITY: The base URL of the provider. This is the location of /.well-known/openid-configuration.
TONIC_SSO_GROUP_FILTER_REGEX: Identifies the allowed SSO groups for Structural. For details, go to Synchronizing SSO groups with Structural.
TONIC_SSO_OIDC_SCOPES (default: openid profile email): The space-delimited list of scopes to request from the OIDC SSO provider. Because group information is not part of the standard OIDC specification, for Structural to capture group information, a custom scope must be configured.
TONIC_SSO_OIDC_FIRST_NAME_CLAIM_NAME (default: given_name): The name of the claim that contains the user's first name.
TONIC_SSO_OIDC_LAST_NAME_CLAIM_NAME (default: family_name): The name of the claim that contains the user's last name.
TONIC_SSO_OIDC_EMAIL_CLAIM_NAME (default: email): The name of the claim that contains the user's email/username.
TONIC_SSO_OIDC_GROUPS_CLAIM_NAME (default: groups): The name of the claim that contains the user's group membership.
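Before restarting the web server container, it is worth checking the values above against what the provider actually advertises in its discovery document (the JSON at TONIC_SSO_OIDC_AUTHORITY/.well-known/openid-configuration): that it supports Authorization Code Flow, that the issuer matches the authority, that a client secret is only set when the provider accepts client_secret_basic, and that the scopes and groups claim are advertised. The following preflight check is an added example, not Tonic's own code; the discovery document and settings in it are constructed sample data.

```python
# Preflight check of the TONIC_SSO_* settings against the provider's discovery
# document. Added example, not Tonic's own code; all sample data is constructed.

# Constructed discovery document standing in for a real provider's response.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "claims_supported": ["sub", "given_name", "family_name", "email", "groups"],
    "token_endpoint_auth_methods_supported": ["client_secret_post"],
}

# Constructed Structural settings mirroring the variables listed above.
SAMPLE_ENV = {
    "TONIC_SSO_PROVIDER": "OIDC",
    "TONIC_SSO_CLIENT_ID": "structural-client",
    "TONIC_SSO_CLIENT_SECRET": "placeholder-secret",
    "TONIC_SSO_OIDC_AUTHORITY": "https://idp.example.test",
    "TONIC_SSO_OIDC_SCOPES": "openid profile email",
    "TONIC_SSO_OIDC_GROUPS_CLAIM_NAME": "groups",
}

def check_oidc_config(env: dict, disc: dict) -> list[str]:
    """Return the problems found; an empty list means the settings line up."""
    problems = []
    # Structural uses Authorization Code Flow, so the provider must issue codes.
    if "code" not in disc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type code")
    # The issuer must match the configured authority; a mismatch means a wrong URL.
    authority = env.get("TONIC_SSO_OIDC_AUTHORITY", "").rstrip("/")
    if disc.get("issuer", "").rstrip("/") != authority:
        problems.append("issuer does not match TONIC_SSO_OIDC_AUTHORITY")
    # A secret is only needed for client_secret_basic, the RFC 8414 default when omitted.
    methods = disc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if env.get("TONIC_SSO_CLIENT_SECRET") and "client_secret_basic" not in methods:
        problems.append("secret set but provider does not offer client_secret_basic")
    # Every requested scope should be advertised (scopes_supported is optional).
    scopes = env.get("TONIC_SSO_OIDC_SCOPES", "openid profile email").split()
    for scope in scopes:
        if scope not in disc.get("scopes_supported", scopes):
            problems.append(f"scope {scope!r} not advertised by provider")
    # Group membership is not standard OIDC: the claim must exist, and if the
    # provider names the custom scope after it, that scope must be requested.
    claim = env.get("TONIC_SSO_OIDC_GROUPS_CLAIM_NAME", "groups")
    if claim not in disc.get("claims_supported", []):
        problems.append(f"claim {claim!r} not advertised; group sync will not work")
    elif claim in disc.get("scopes_supported", []) and claim not in scopes:
        problems.append(f"scope {claim!r} exists but is not in TONIC_SSO_OIDC_SCOPES")
    return problems
```

With the sample data the check reports two problems: the secret is set although the provider only offers client_secret_post, and the groups scope is advertised but not requested, which is exactly the custom-scope requirement noted for TONIC_SSO_OIDC_SCOPES.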