OpenID Connect (OIDC)
Use these instructions to set up an OpenID Connect SSO provider for Tonic Structural.
SSO setup
When you configure the application/client in your SSO system, you must configure it to use Authorization Code Flow.
You must also make note of the client_id. You must provide the client ID when you complete the configuration for Structural.
Redirect URIs
In your SSO provider, configure the following redirect URIs:
Sign-in redirect URIs: <tonic-base-url>/sso/callback
Sign-out redirect URIs: <tonic-base-url>/sso/logout
Structural configuration
Required environment settings
In the Structural web server container, set the following Structural environment settings:
TONIC_SSO_PROVIDER: OIDC
TONIC_SSO_CLIENT_ID: <application client ID>
TONIC_SSO_CLIENT_SECRET: Only required for HTTP basic authentication (client_secret_basic). The client secret.
TONIC_SSO_OIDC_AUTHORITY: The base URL of the provider. This is the location of /.well-known/openid-configuration.
TONIC_SSO_GROUP_FILTER_REGEX: Identifies the allowed SSO groups for Structural. For details, go to Synchronizing SSO groups with Tonic Structural.
Optional environment settings
| Setting | Default value | Description |
|---|---|---|
| | | The space-delimited list of scopes to request from the OIDC SSO provider. Because group information is not part of the standard OIDC specification, for Structural to capture group information, a custom scope must be configured. |
| | | The name of the claim that contains the user's first name. |
| | | The name of the claim that contains the user's last name. |
| | | The name of the claim that contains the user's email/username. |
| | | The name of the claim that contains the user's group membership. |
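Before setting the environment variables, it is worth checking that the provider's discovery document actually matches them: the issuer should equal TONIC_SSO_OIDC_AUTHORITY, the provider must advertise the Authorization Code Flow, a configured client secret needs client_secret_basic at the token endpoint, and the custom group scope should be advertised. The following is an added example, not Tonic's code; the discovery document and settings are constructed, and the scope name "groups" and the client ID/secret values are hypothetical placeholders.

```python
"""Pre-flight check of an OIDC provider's discovery document against the
Structural settings listed above (added example, not Tonic's own code)."""
import json
from typing import Dict, List

# Constructed stand-in for <TONIC_SSO_OIDC_AUTHORITY>/.well-known/openid-configuration
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "response_types_supported": ["code", "id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email"],
})

# Constructed settings; "groups" is a hypothetical custom scope name, the page does not name one.
SAMPLE_SETTINGS = {
    "TONIC_SSO_PROVIDER": "OIDC",
    "TONIC_SSO_CLIENT_ID": "structural-client",
    "TONIC_SSO_CLIENT_SECRET": "placeholder-secret",
    "TONIC_SSO_OIDC_AUTHORITY": "https://idp.example.com/",
    "requested_scopes": "openid profile email groups",
}

def check_discovery(discovery_json: str, settings: Dict[str, str]) -> List[str]:
    """Return the mismatches found; an empty list means the provider fits the settings."""
    doc = json.loads(discovery_json)
    problems: List[str] = []
    # The issuer must be the authority Structural trusts, or tokens from another issuer could be accepted.
    if doc.get("issuer", "").rstrip("/") != settings["TONIC_SSO_OIDC_AUTHORITY"].rstrip("/"):
        problems.append("issuer does not match TONIC_SSO_OIDC_AUTHORITY")
    # Structural requires the Authorization Code Flow, advertised as response_type "code".
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    # A configured client secret means Structural will use client_secret_basic at the token endpoint.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])  # spec default
    if settings.get("TONIC_SSO_CLIENT_SECRET") and "client_secret_basic" not in methods:
        problems.append("client secret set but client_secret_basic is not supported")
    # scopes_supported is optional in discovery; when present, every requested scope
    # (including the custom group scope) should be listed.
    if "scopes_supported" in doc:
        missing = [s for s in settings["requested_scopes"].split() if s not in doc["scopes_supported"]]
        problems += [f"scope '{s}' not in scopes_supported" for s in missing]
    return problems

if __name__ == "__main__":
    for problem in check_discovery(SAMPLE_DISCOVERY, SAMPLE_SETTINGS):
        print("WARN:", problem)
```

With the constructed document the only finding is that the "groups" scope is not advertised, which is the case to resolve with the provider before expecting TONIC_SSO_GROUP_FILTER_REGEX to match anything.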