# OpenID Connect (OIDC)

Use these instructions to set up an OpenID Connect (OIDC) SSO provider for Tonic Structural.

## SSO setup <a href="#sso-oidc-sso-setup" id="sso-oidc-sso-setup"></a>

### Configuration requirements

When you configure the application/client in your SSO system, you must configure it to use Authorization Code Flow.

You must also make note of the `client_id`. You must provide the client ID when you complete the configuration for Structural.

### Redirect URIs <a href="#sso-oidc-tonic-redirect-uris" id="sso-oidc-tonic-redirect-uris"></a>

In your SSO provider, configure the following redirect URIs:

* **Sign-in redirect URIs:** For self-hosted instances, the value is `<tonic-base-url>/sso/callback`.

  For Structural Cloud, the value is `https://app.tonic.ai/sso/callback/<your organization identifier>`. Your organization identifier is displayed on your [**User Settings** view](https://docs.tonic.ai/app/managing-your-tonic-account#user-view-copy-org-id).
* **Sign-out redirect URIs:** `<tonic-base-url>/sso/logout`

### Initiate login URI

To allow users to log in to Structural directly from the OIDC provider, provide an initiate login URI.

For self-hosted instances, the initiate login URI is the base URL of your Structural instance.

For Structural Cloud, the value is `https://app.tonic.ai/sso/login/<your organization identifier>`. Your organization identifier is displayed on your [**User Settings** view](https://docs.tonic.ai/app/managing-your-tonic-account#user-view-copy-org-id).

## Structural configuration - self-hosted <a href="#sso-oidc-structural-self-hosted" id="sso-oidc-structural-self-hosted"></a>

On a self-hosted instance, you use environment settings to configure the connection to OIDC.

### Required environment settings <a href="#sso-oidc-tonic-required-env-variables" id="sso-oidc-tonic-required-env-variables"></a>

In the Structural web server container, set the following [Structural environment settings](https://docs.tonic.ai/app/admin/environment-variables-setting):

* `TONIC_SSO_PROVIDER`: `OIDC`
* `TONIC_SSO_CLIENT_ID`: The client ID of the application that you registered in your SSO provider.
* `TONIC_SSO_CLIENT_SECRET`: The client secret. Only required for HTTP basic authentication (`client_secret_basic`).
* `TONIC_SSO_OIDC_AUTHORITY`: The base URL of the provider. This is the location of `/.well-known/openid-configuration`.
* `TONIC_SSO_GROUP_FILTER_REGEX`: Identifies the allowed SSO groups for Structural. For details, go to [sso-limit-groups](https://docs.tonic.ai/app/admin/tonic-user-access/single-sign-on/sso-limit-groups "mention").

### Optional environment settings <a href="#sso-oidc-tonic-config-optional-env-variables" id="sso-oidc-tonic-config-optional-env-variables"></a>

| Setting | Default value | Description |
| --- | --- | --- |
| `TONIC_SSO_OIDC_SCOPES` | `openid profile email` | The space-delimited list of scopes to request from the OIDC SSO provider. Because group information is not part of the standard OIDC specification, for Structural to capture group information, a custom scope must be configured. |
| `TONIC_SSO_OIDC_FIRST_NAME_CLAIM_NAME` | `given_name` | The name of the claim that contains the user's first name. |
| `TONIC_SSO_OIDC_LAST_NAME_CLAIM_NAME` | `family_name` | The name of the claim that contains the user's last name. |
| `TONIC_SSO_OIDC_EMAIL_CLAIM_NAME` | `email` | The name of the claim that contains the user's email/username. |
| `TONIC_SSO_OIDC_GROUPS_CLAIM_NAME` | `groups` | The name of the claim that contains the user's group membership. |
| `TONIC_SSO_OIDC_ADDITIONAL_ENDPOINT_BASE_ADDRESSES` | | The space-delimited list of approved secondary domains where your identity provider is allowed to host its login and token services. |
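As an added example (not Tonic's code or part of this documentation), the following Python script checks an OIDC provider's discovery document against the self-hosted settings above before they are deployed: that the provider supports Authorization Code Flow, that `client_secret_basic` is offered when `TONIC_SSO_CLIENT_SECRET` is set, that every requested scope in `TONIC_SSO_OIDC_SCOPES` is advertised, that the issuer matches `TONIC_SSO_OIDC_AUTHORITY`, and that the authorization and token endpoints sit on the authority or on one of the `TONIC_SSO_OIDC_ADDITIONAL_ENDPOINT_BASE_ADDRESSES`. The environment values and the discovery document are constructed samples; a real run would fetch `<authority>/.well-known/openid-configuration` instead.

```python
"""Preflight check of an OIDC discovery document against Structural's
SSO environment settings. Added example; SAMPLE_ENV and SAMPLE_DISCOVERY
are constructed values, not a real provider's output."""
import json
from urllib.parse import urlparse

# Constructed environment mirroring the settings named on the page.
SAMPLE_ENV = {
    "TONIC_SSO_PROVIDER": "OIDC",
    "TONIC_SSO_CLIENT_ID": "structural-client",        # placeholder
    "TONIC_SSO_CLIENT_SECRET": "placeholder-secret",   # placeholder
    "TONIC_SSO_OIDC_AUTHORITY": "https://idp.example.com",
    "TONIC_SSO_OIDC_SCOPES": "openid profile email groups",
    "TONIC_SSO_OIDC_ADDITIONAL_ENDPOINT_BASE_ADDRESSES": "https://login.example.com",
}

# Constructed discovery document, i.e. what the authority's
# /.well-known/openid-configuration would return.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://login.example.com/oauth2/authorize",
  "token_endpoint": "https://login.example.com/oauth2/token",
  "response_types_supported": ["code", "id_token"],
  "token_endpoint_auth_methods_supported": ["client_secret_post"],
  "scopes_supported": ["openid", "profile", "email"]
}""")


def allowed_hosts(env):
    """Hosts Structural may be sent to: the authority plus the approved
    secondary base addresses (space-delimited, may be empty)."""
    bases = [env["TONIC_SSO_OIDC_AUTHORITY"]]
    bases += env.get("TONIC_SSO_OIDC_ADDITIONAL_ENDPOINT_BASE_ADDRESSES", "").split()
    return {urlparse(b).hostname for b in bases if b}


def preflight(env, discovery):
    """Return a list of findings; an empty list means the settings and the
    provider agree on everything the page requires."""
    findings = []
    if env.get("TONIC_SSO_PROVIDER") != "OIDC":
        findings.append("TONIC_SSO_PROVIDER must be OIDC")
    if not env.get("TONIC_SSO_CLIENT_ID"):
        findings.append("TONIC_SSO_CLIENT_ID is not set")

    # Authorization Code Flow needs the "code" response type.
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("provider does not advertise the 'code' response type")

    # A client secret only makes sense if the token endpoint accepts
    # client_secret_basic; per OIDC Discovery that is the default when the
    # provider omits token_endpoint_auth_methods_supported.
    if env.get("TONIC_SSO_CLIENT_SECRET"):
        methods = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
        if "client_secret_basic" not in methods:
            findings.append("client secret set but provider does not list client_secret_basic")

    # Every requested scope should be one the provider advertises; the custom
    # groups scope is the usual one to be missing.
    supported = set(discovery.get("scopes_supported", []))
    for scope in env.get("TONIC_SSO_OIDC_SCOPES", "openid profile email").split():
        if supported and scope not in supported:
            findings.append(f"scope '{scope}' is not in scopes_supported")

    # The login and token endpoints must live on the authority or an approved
    # secondary address; anything else sends the browser or the token request
    # to a host the deployment has not approved.
    hosts = allowed_hosts(env)
    for key in ("authorization_endpoint", "token_endpoint"):
        host = urlparse(discovery.get(key, "")).hostname
        if host not in hosts:
            findings.append(f"{key} host {host!r} is not an approved base address")

    # The issuer the provider reports should be the configured authority.
    if discovery.get("issuer", "").rstrip("/") != env["TONIC_SSO_OIDC_AUTHORITY"].rstrip("/"):
        findings.append("issuer in discovery document does not match TONIC_SSO_OIDC_AUTHORITY")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_ENV, SAMPLE_DISCOVERY):
        print("FINDING:", finding)
```

With the constructed sample the script reports two findings: the provider only offers `client_secret_post` while a secret is configured, and the custom `groups` scope is not advertised. Clearing `TONIC_SSO_OIDC_ADDITIONAL_ENDPOINT_BASE_ADDRESSES` adds findings for both endpoints, since `login.example.com` is then no longer an approved host.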

## Structural configuration - Structural Cloud <a href="#sso-oidc-structural-cloud" id="sso-oidc-structural-cloud"></a>

{% hint style="info" %}
**Required global permission:** Manage user access to Tonic Structural and to any workspace
{% endhint %}

### Configuring the general connection information <a href="#required-connection-info" id="required-connection-info"></a>

On Structural Cloud, after you [enable SSO](https://docs.tonic.ai/app/admin/tonic-user-access/sso-cloud#enabling-sso), to configure the connection to OIDC:

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FsFYPiIxD64BxJ8cMOGsW%2FCloudSSOEnabledOIDC.png?alt=media&#x26;token=a285b236-1b96-4be7-87be-6fd5f7dedde5" alt=""><figcaption><p>Configuration settings for OIDC SSO on Structural Cloud</p></figcaption></figure>

1. Click **OIDC**.
2. In the **Authority URL** field, provide the base URL of the provider. This is the location of `/.well-known/openid-configuration`.
3. In the **Client ID** field, provide the identifier of the client application.
4. In the **Client Secret** field, for HTTP basic authentication (`client_secret_basic`), provide the client secret.
5. Optionally, in the **Scopes** field, provide a space-delimited list of scopes to request from the OIDC SSO provider.

   Note that because group information is not part of the standard OIDC specification, for Structural to capture group information, a custom scope must be configured.

### Configuring claims <a href="#connection-claims" id="connection-claims"></a>

If you use claims to store user information, then to identify the claims:

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2Fx9Jmo85qQy3zlx9br9YO%2FCloudSSOEnabledOIDCClaims.png?alt=media&#x26;token=15e6a254-dd12-422a-a26f-ee158e3dc46b" alt=""><figcaption><p>Advanced Claim Configuration for OIDC SSO on Structural Cloud</p></figcaption></figure>

1. Expand the **Advanced Claim Configuration** section.
2. In the **Email Claim Name** field, provide the name of the claim that contains the user's email/username.
3. In the **First Name Claim Name** field, provide the name of the claim that contains the user's first name.
4. In the **Last Name Claim Name** field, provide the name of the claim that contains the user's last name.
5. In the **Groups Claim Name** field, provide the name of the claim that contains the user's group membership.
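As an added example that is not Tonic's code, this Python snippet shows how the claim names configured above (the `TONIC_SSO_OIDC_*_CLAIM_NAME` settings on a self-hosted instance, or the Advanced Claim Configuration fields on Structural Cloud) select the user's email/username, first name, last name and groups from an ID token's claims, and how a group filter regex such as `TONIC_SSO_GROUP_FILTER_REGEX` would then reduce the groups claim to the allowed groups. The claims payload, the claim-name override and the regex are constructed. Whether Structural anchors the pattern or searches within each group name is not stated on this page, so `re.search` is used here as an assumption.

```python
"""Claim mapping and group filtering for an OIDC login. Added example; the
claims, claim-name overrides and filter regex below are constructed."""
import re

# Claim names with the page's defaults.
DEFAULT_CLAIM_NAMES = {
    "email": "email",
    "first_name": "given_name",
    "last_name": "family_name",
    "groups": "groups",
}

# Constructed ID token claims, as a provider might return them when the
# custom groups scope is granted.
SAMPLE_CLAIMS = {
    "sub": "user-0001",
    "email": "ada@example.com",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "groups": ["tonic-admins", "engineering", "sales-emea"],
}

# Constructed filter: allow groups named "tonic-..." or exactly "engineering".
SAMPLE_GROUP_FILTER_REGEX = r"^(tonic-.*|engineering)$"


def map_user(claims, claim_names=DEFAULT_CLAIM_NAMES):
    """Pick the user fields out of the claims dict using the configured claim
    names. The email/username claim is required; the others may be absent."""
    email = claims.get(claim_names["email"])
    if not email:
        raise ValueError(f"required claim {claim_names['email']!r} is missing")
    groups = claims.get(claim_names["groups"], [])
    if isinstance(groups, str):
        # Some providers emit a single group as a plain string rather than a list.
        groups = [groups]
    return {
        "username": email,
        "first_name": claims.get(claim_names["first_name"]),
        "last_name": claims.get(claim_names["last_name"]),
        "groups": list(groups),
    }


def filter_groups(groups, pattern):
    """Keep only the groups the filter regex matches (assumption: search
    semantics, so anchor the pattern with ^ and $ to require a full match)."""
    rx = re.compile(pattern)
    return [g for g in groups if rx.search(g)]


def sso_allowed(user, pattern):
    """A user with no allowed group after filtering should not get in."""
    return bool(filter_groups(user["groups"], pattern))


if __name__ == "__main__":
    user = map_user(SAMPLE_CLAIMS)
    user["groups"] = filter_groups(user["groups"], SAMPLE_GROUP_FILTER_REGEX)
    print(user, "allowed:", sso_allowed(user, SAMPLE_GROUP_FILTER_REGEX))
```

Passing a different `claim_names` mapping (for example `memberOf` for groups and `mail` for the email claim) is the code-level equivalent of changing the claim name settings or fields described above; the sample filter strips `sales-emea` and leaves `tonic-admins` and `engineering`.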

