Use these instructions to set up Okta as your SSO provider for Tonic.

Okta configuration

You complete the following configuration steps within Okta:
  1. Create a new application. Choose the OIDC - OpenID Connect sign-in method with the Single-Page Application option.
     (Screenshot: Create a new app integration)
  2. Click Next, then fill in the fields with the following values:
     1. App integration name: Tonic, Tonic-Prod, Tonic-Dev, etc.
     2. Logo (optional): Download and use this image.
     3. Grant type: Implicit (hybrid)
     4. Sign-in redirect URIs: <base-url>/sso/callback. Okta compares redirect URIs exactly, so enter the full URL of your Tonic instance, including the scheme, as Tonic will send it.
     5. Sign-out redirect URIs: <base-url>/sso/logout
     6. Base URIs: The URL of your Tonic instance
     7. Controlled access: Configure as needed to limit Tonic access to the appropriate users
     (Screenshot: App integration settings)
  3. After saving the above, navigate to the General Settings page for the application and make the following changes:
     1. Grant type: Uncheck Allow Access Token with implicit grant type, so that Okta returns only an ID token, and no access token, in the redirect fragment.
     2. Login initiated by: Either Okta or App
     3. Application visibility: Check Display application icon to users
     4. Initiate login URI: <base-url>
     (Screenshot: Application and login settings)
  4. Navigate to the Sign On settings. In the OpenID Connect ID Token section, assign a groups claim filter. This filter controls the groups claim that the org authorization server places in the ID token; a custom authorization server gets its groups scope and claim in the steps that follow.
     (Screenshot: OpenID Connect ID Token settings)
  5. Next, add a scope and a claim that allow Tonic to read the user's groups. You might already have added these to your default authorization server. If not, and you are not comfortable adding them to your default authorization server, you can create a new authorization server just for Tonic.
  6. On your authorization server, navigate to Scopes and add a scope named groups.
     (Screenshot: Add Scope panel)
  7. Next, navigate to Claims and add a claim named groups with the following settings:
     1. Include in token type: ID Token, Always
     2. Value type: Groups
     3. Filter: Matches regex, with the pattern .* . With .* every group the user belongs to is written into the ID token of any client of this authorization server that requests the groups scope. If the authorization server is dedicated to Tonic, you can narrow the pattern here so that only Tonic-related groups are included. Otherwise leave it as .* and filter on the Tonic side with TONIC_SSO_GROUP_FILTER_REGEX (see Tonic configuration below).
     4. Include in: The following scopes: groups
     (Screenshot: Add Claim panel)
  8. If you created a new authorization server just for Tonic, add an access policy on it that applies to the Tonic application; without an access policy the server does not issue tokens to Tonic.
  9. Make a note of the following values, which must be provided to Tonic:
     1. Client ID of the application
     2. Your Okta domain (for example,
     3. Custom authorization server ID (if you made one)
     4. IdP ID (if you use an outside identity provider)

Tonic configuration

In the Tonic web server container, set the following environment settings:
  • TONIC_SSO_DOMAIN: <Your Okta domain>
  • TONIC_SSO_CLIENT_ID: <Okta application client ID>
  • TONIC_SSO_GROUP_FILTER_REGEX: Identifies the allowed SSO groups for Tonic. For details, go to Synchronizing SSO groups with Tonic.
  • TONIC_SSO_AUTHORIZATION_SERVER_ID: <auth server id> Omit if you did not create a custom authorization server.
  • TONIC_SSO_IDENTITY_PROVIDER_ID: <IdP Id> Omit if you do not use an outside identity provider.
For information on how to configure Tonic environment settings, see Configuring environment settings.
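The following is an added example, not Tonic's or Okta's code, that shows what the values collected in the Okta steps and the Tonic environment settings above are used for: building the issuer and authorize URL for the implicit, ID-token-only flow configured in Okta, performing the claim checks a relying party must make on the returned ID token, and applying the two group filters (Okta's claim filter and TONIC_SSO_GROUP_FILTER_REGEX). It assumes the URL layout Okta documents (org authorization server at https://<domain>, custom authorization server at https://<domain>/oauth2/<id>), that the org server is used when no authorization server ID is given, that both regex filters behave as full-string matches, and that the requested scope set is openid profile email groups; every domain, client ID, IdP ID and group name in it is made up.

```python
# Added example (not Tonic's or Okta's code): what the Okta values and the
# TONIC_SSO_* settings are used for in an implicit, ID-token-only OIDC flow.
# Assumptions: Okta's documented URL layout; org server when no custom
# authorization server ID is given; both group filters are full-string regex
# matches; the scope set is assumed. All identifiers below are constructed.
import re
import secrets
import time
from typing import Optional
from urllib.parse import urlencode


def okta_issuer(domain: str, auth_server_id: Optional[str] = None) -> str:
    """Issuer URL: org authorization server unless a custom server ID is set
    (assumption: corresponds to TONIC_SSO_AUTHORIZATION_SERVER_ID being omitted)."""
    base = f"https://{domain}"
    return f"{base}/oauth2/{auth_server_id}" if auth_server_id else base


def build_authorize_url(domain, client_id, base_url, auth_server_id=None,
                        idp_id=None, state=None, nonce=None):
    """Authorize request for an implicit flow that asks only for an ID token
    (response_type=id_token), which is what is left enabled after unchecking
    'Allow Access Token with implicit grant type'. Returns (url, state, nonce);
    the caller must keep state and nonce to check the callback."""
    state = state or secrets.token_urlsafe(16)   # binds the callback to this request (CSRF)
    nonce = nonce or secrets.token_urlsafe(16)   # binds the ID token to this request (replay)
    params = {
        "client_id": client_id,                     # TONIC_SSO_CLIENT_ID
        "response_type": "id_token",
        "response_mode": "fragment",
        "scope": "openid profile email groups",    # assumed set; 'groups' is the scope added above
        "redirect_uri": f"{base_url}/sso/callback",  # must match the Okta sign-in redirect URI exactly
        "state": state,
        "nonce": nonce,
    }
    if idp_id:
        params["idp"] = idp_id  # route directly to the external IdP (TONIC_SSO_IDENTITY_PROVIDER_ID)
    return f"{okta_issuer(domain, auth_server_id)}/v1/authorize?{urlencode(params)}", state, nonce


def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             nonce: str, now: Optional[float] = None) -> dict:
    """Claim checks for an implicit-flow ID token. Verifying the JWT signature
    against the issuer's JWKS is also required and is out of scope here."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the configured authorization server")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("aud does not contain our client ID (token minted for another app)")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replayed or foreign token)")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def filter_groups(groups, okta_claim_regex=r".*", tonic_filter_regex=r".*"):
    """Groups that survive both filters: Okta's claim filter decides what is
    written into the token; TONIC_SSO_GROUP_FILTER_REGEX decides what Tonic
    keeps. Assumption: both are applied as full-string matches."""
    in_token = [g for g in groups if re.fullmatch(okta_claim_regex, g)]
    return [g for g in in_token if re.fullmatch(tonic_filter_regex, g)]


if __name__ == "__main__":
    # Constructed values; none of these identifiers is real.
    domain, client_id, base_url = "example.okta.com", "0oa1example", "https://tonic.example.com"
    issuer = okta_issuer(domain, "aus1example")
    url, state, nonce = build_authorize_url(domain, client_id, base_url, auth_server_id="aus1example")
    print(url)
    # Constructed ID token payload, as if it had arrived in the callback fragment.
    claims = {"iss": issuer, "aud": client_id, "nonce": nonce, "exp": time.time() + 3600,
              "groups": ["Everyone", "tonic-admins", "tonic-users", "finance"]}
    validate_id_token_claims(claims, issuer, client_id, nonce)
    print(filter_groups(claims["groups"], tonic_filter_regex=r"tonic-.*"))
```

The nonce and state are the two values that make the implicit flow safe to use at all: without the nonce check an ID token captured from one browser can be replayed into another session, and without the state check the callback can be triggered by a third party. Signature verification against the authorization server's JWKS is still required and is deliberately not shown.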