search
Tonic.ai

Okta

Use these instructions to set up Okta as your SSO provider for Tonic Structural.

hashtag
Okta configuration

You complete the following configuration steps within Okta.

hashtag
Create an application

  1. Create a new application. Choose the OIDC - OpenId Connect method with the Single-Page Application option.

Create a new app integration

  1. Click Next, then fill out the fields with the values below:

    1. App integration name: Typical names are Tonic, Tonic-Prod, Tonic-Dev

    2. Logo (optional): Download and use this image -

    3. Grant type: Implicit (hybrid)

    4. Sign-in redirect URIs: For self-hosted customers, <base-url>/sso/callback.

      For Structural Cloud, the value is https://app.tonic.ai/sso/callback/<your organization identifier>. You organization identifier is displayed on your User Settings view.

    5. Sign-out redirect URIs: <base-url>/sso/logout

    6. Base URIs: The URL to your Structural instance

    7. Controlled access: Configure as needed to limit Structural access to the appropriate users

App integration settings

hashtag
Configure application settings

After you save the above, navigate to the General Settings page for the application and make the following changes:

  1. Grant type: Check Implicit (Hybrid) and Allow ID Token with implicit grant type.

  2. Login initiated by: Either Okta or App

  3. Application visibility: Check Display application icon to users

  4. Initiate login URI: To allow users to log in to Structural directly from Okta, provide an initiate login URI. For self-hosted, the value is your base URI. For Structural Cloud, the value is https://app.tonic.ai/sso/login/<your organization identifier>. Your organization identifier is displayed on your User Settings view.

Application and login settings

hashtag
Configure sign-on settings

Navigate to Sign On settings. In the OpenID Connect ID Token section, assign a groups claim filter.

OpenID Connect ID Token settings

hashtag
Add a scope and claim to your authorization server

On your authorization server, Structural requires a scope and claim to allow Structural to have access to your groups.

You can add these to your default authorization server. If you are not comfortable adding the scope and claim to your default authorization server, you can create a new authorization server just for Structural. If you create a new authorization server, assign a new access policy to Structural.

To display the details for an authorization server:

  1. Under Security, click API.

  2. On the API page, click Authorization Servers.

  3. Click the edit icon for the server to add the scope and claim to. To instead create a new authorization server, click Add Authorization Server.

Authorization Servers list

hashtag
Adding the scope

On the authorization server details, click the Scopes tab.

Scopes list for the authorization server

Add a scope called groups.

Add Scope panel

hashtag
Adding the claim

Next, click the Claims tab. Add a claim called groups that has the following settings:

  1. Include in token type: ID Token and Always

  2. Value type: Groups

  3. Filter: Matches Regex .* If this is not your default authorization server, you can use this to filter to only Structural groups. Otherwise, Structural has its own method to filter unwanted groups.

  4. Included in: The following scopes: groups

Add Claim panel

hashtag
Values to provide to Structural

Make a note of the following values that must be provided to Structural:

  1. Client ID of the application:

  2. Your Okta domain (for example, tonic.okta.com)

  3. Custom authorization server ID (if you made one):

  4. IdP ID (If you use an outside identity provider):

hashtag
Structural configuration - self-hosted instance

On a self-hosted instance, to configure the connection to Okta, you configure environment settings.

In the Structural web server container, set the following environment settings:

  • TONIC_SSO_PROVIDER: Okta

  • TONIC_SSO_DOMAIN: <Your Okta domain>

  • TONIC_SSO_CLIENT_ID: <Okta application client ID>

  • TONIC_SSO_GROUP_FILTER_REGEX: Identifies the allowed SSO groups for Structural. For details, go to Synchronizing SSO groups with Structural.

  • TONIC_SSO_AUTHORIZATION_SERVER_ID: <auth server id> Omit if not used.

  • TONIC_SSO_IDENTITY_PROVIDER_ID: <IdP Id> Omit if not used.

hashtag
Structural configuration - Structural Cloud

circle-info

Required global permission: Manage user access to Tonic Structural and to any workspace

On Structural Cloud, after you enable SSO, to configure the connection to Okta:

Configuration settings for Okta SSO on Structural Cloud

  1. Click Okta.

  2. In the SSO Client ID field, provide the client identifier of the SSO application.

  3. In the SSO Domain field, provide your Okta domain.

  4. If you use an outside identity provider (IdP), then in the Identity Provider ID field, provide the IdP ID. If you do not use an outside IdP, then you can leave this blank.

  5. If you use a custom authorization server, then in the Authorization Server field, provide the authorization server identifier. If you do not use a custom authorization server, then you can leave this blank.

Last updated

Was this helpful?