Okta

Use these instructions to set up Okta as your SSO provider for Tonic Structural.

Okta configuration

You complete the following configuration steps within Okta:

  1. Create a new application. Choose the OIDC - OpenId Connect method with the Single-Page Application option.

Create a new app integration
  1. Click Next, then fill out the fields with the values below:

    1. App integration name: A typical names are Tonic, Tonic-Prod, Tonic-Dev

    2. Logo (optional): Download and use this image -

    3. Grant type: Implicit (hybrid)

    4. Sign-in redirect URIs: <base-url>/sso/callback

    5. Sign-out redirect URIs: <base-url>/sso/logout

    6. Base URIs: The URL to your Structural instance

    7. Controlled access: Configure as needed to limit Structural access to the appropriate users

App integration settings
  1. After saving the above, navigate to the General Settings page for the application and make the following changes:

    1. Grant type: Check Implicit (Hybrid) and Allow ID Token with implicit grant type.

    2. Login initiated by: Either Okta or App

    3. Application visibility: Check Display application icon to users

    4. Initiate login URI: <base-url>

Application and login settings
  1. Navigate to Sign On settings. In the OpenID Connect ID Token section, assign a groups claim filter.

OpinID Connect ID Token settings
  1. Next, add a new scope/claim to allow Structural to access groups. You might already have added this to your default authorization server. If not, and you are not comfortable adding this scope/claim to your default authorization server, you can create a new authorization server just for Structural.

  2. On your authorization server, navigate to the Scopes. Add a scope called groups.

Add Scope panel
  1. Next, navigate to Claims and add a claim called groups that has the following settings:

    1. Include in token type: ID Token and Always

    2. Value type: Groups

    3. Filter: Matches Regex .* This can be used to filter to only Structural groups if this is not your default authorization server. Otherwise, Structural has its own method to filter unwanted groups.

    4. Included in: The following scopes: groups

Add Claim panel
  1. If this is a new authorization server just for Structural, assign a new access policy to Structural.

  2. Make a note of the following values that must be provided to Structural:

    1. Client ID of the application:

    2. Your Okta domain (for example, tonic.okta.com)

    3. Custom authorization server ID (if you made one):

    4. IdP ID (If you use an outside identity provider):

Structural configuration

In Structural, you use the Okta configuration information to configure the connection.

On a self-hosted instance, you configure environment settings.

On Structural Cloud, you configure the connection from Structural Settings view.

Self-hosted instance

In the Structural web server container, set the following environment settings:

  • TONIC_SSO_PROVIDER: Okta

  • TONIC_SSO_DOMAIN: <Your Okta domain>

  • TONIC_SSO_CLIENT_ID: <Okta application client ID>

  • TONIC_SSO_GROUP_FILTER_REGEX: Identifies the allowed SSO groups for Structural. For details, go to Synchronizing SSO groups with Structural.

  • TONIC_SSO_AUTHORIZATION_SERVER_ID: <auth server id> Omit if not used.

  • TONIC_SSO_IDENTITY_PROVIDER_ID: <IdP Id> Omit if not used.

Structural Cloud

Required global permission: Manage user access to Tonic Structural and to any workspace

On Structural Cloud, to configure the connection to Okta:

  1. On Structural Settings view, click Access Management.

  2. On the Access Management tab, click Single Sign-On.

  3. If Okta is not enabled, check the Enable Okta SSO checkbox. If Okta is enabled, to update the settings, click Edit Settings.

  4. In the SSO Client ID field, provide the client identifier of the SSO application.

  5. In the SSO Domain field, provide your Okta domain.

  6. If you use an outside identity provider (IdP), then in the Identity Provider ID field, provide the IdP ID. If you do not use an outside IdP, then you can leave this blank.

  7. If you use a custom authorization server, then in the Authorization Server field, provide the authorization server identifier. If you do not use a custom authorization server, then you can leave this blank.

  8. To require SSO for login, check the Require SSO for login checkbox.

  9. Click Save.

Last updated

Was this helpful?