Okta
Use the following instructions to set up Okta as your SSO provider for Tonic.
You complete the following configuration steps within Okta:
- 1.Create a new application. Choose the OIDC - OpenID Connect sign-in method with the Single-Page Application option.

Create a new app integration
- 2.Click Next, then fill out the fields with the values below:
- 1.App integration name: Tonic, Tonic-Prod, Tonic-Dev, etc.
- 2.Logo (optional): Download and use this image.
- 3.Grant type: Implicit (hybrid)
- 4.Sign-in redirect URIs: <base-url>/sso/callback (Okta matches redirect URIs exactly, so include the scheme and any non-default port)
- 5.Sign-out redirect URIs: <base-url>/sso/logout
- 6.Base URIs: The URL to your Tonic instance
- 7.Controlled access: Configure as needed to limit Tonic access to the appropriate users

App integration settings
- 3.After saving the above, navigate to the General Settings page for the application and make the following changes:
- 1.Grant type: Uncheck Allow Access Token with implicit grant type.
- 2.Login initiated by: Either Okta or App
- 3.Application visibility: Check Display application icon to users
- 4.Initiate login URI: <base-url>


Application and login settings
- 4.Navigate to Sign On settings. In the OpenID Connect ID Token section, assign a groups claim filter.

OpenID Connect ID Token settings
- 5.Next, add a new scope/claim to allow Tonic to access groups. You might already have added this to your default authorization server. If not, and you are not comfortable adding this scope/claim to your default authorization server, you can create a new authorization server just for Tonic.
- 6.On your authorization server, navigate to the Scopes. Add a scope called groups.

Add Scope panel
- 7.Next, navigate to Claims and add a claim called groups that has the following settings:
- 1.Include in token type: ID Token and Always
- 2.Value type: Groups
- 3.Filter: Matches regex .* If this is not your default authorization server, you can narrow this filter to just the Tonic groups. Otherwise, leave it permissive; Tonic filters unwanted groups itself with TONIC_SSO_GROUP_FILTER_REGEX.
- 4.Included in: The following scopes: groups

Add Claim panel
- 8.If this is a new authorization server created just for Tonic, make sure to add an access policy on it that allows the Tonic application.
- 9.Make a note of the following values, which must be provided to Tonic:
- 1.Client ID of the application
- 2.Your Okta domain (for example, tonic.okta.com)
- 3.Custom authorization server ID (if you created one)
- 4.IdP ID (if you use an external identity provider)
In the Tonic web server container, set the following environment variables:
- TONIC_SSO_PROVIDER: Okta
- TONIC_SSO_DOMAIN: <Your Okta domain>
- TONIC_SSO_CLIENT_ID: <Okta application client ID>
- TONIC_SSO_GROUP_FILTER_REGEX: <Group regular expression> The regular expression matches the groups that Tonic needs to be aware of. You can change this later. For example, the expression .*Tonic.* allows all groups that contain the word "Tonic".
- TONIC_SSO_AUTHORIZATION_SERVER_ID: <auth server id> Omit if not used.
- TONIC_SSO_IDENTITY_PROVIDER_ID: <IdP Id> Omit if not used.
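The following script is an added example for this page, not Tonic's code, that sanity-checks the values collected above before they go into the container: it builds the Okta OIDC discovery URL for either the org authorization server or a custom one (the URL shapes are Okta's documented ones), validates that the required TONIC_SSO_* variables are present and that the group filter compiles, and applies the filter to the groups claim of an ID token. The domain, client ID, authorization server ID and token are constructed placeholders; the assumption that the filter is a full match is why the page's own example is written as .*Tonic.*. The token decoder deliberately skips signature verification so the check runs offline, so use it only on tokens you obtained yourself.

```python
"""Offline sanity checks for the Okta settings this page collects.
Added example for this page; it is not Tonic's code and does not claim to
reproduce how Tonic validates tokens. Standard library only."""
import base64
import json
import re


def okta_issuer(domain, auth_server_id=None):
    """Issuer URL for the Okta org authorization server, or for a custom
    authorization server when TONIC_SSO_AUTHORIZATION_SERVER_ID is set."""
    if auth_server_id:
        return f"https://{domain}/oauth2/{auth_server_id}"
    return f"https://{domain}"


def discovery_url(domain, auth_server_id=None):
    """OIDC discovery document for the issuer. Fetch it to confirm that the
    'groups' scope appears in scopes_supported before wiring up Tonic."""
    return okta_issuer(domain, auth_server_id) + "/.well-known/openid-configuration"


def check_env(env):
    """Return a list of problems with a TONIC_SSO_* environment, empty if OK."""
    problems = []
    for name in ("TONIC_SSO_PROVIDER", "TONIC_SSO_DOMAIN",
                 "TONIC_SSO_CLIENT_ID", "TONIC_SSO_GROUP_FILTER_REGEX"):
        if not env.get(name):
            problems.append(f"{name} is not set")
    if env.get("TONIC_SSO_PROVIDER") not in (None, "Okta"):
        problems.append("TONIC_SSO_PROVIDER must be Okta for this setup")
    try:
        re.compile(env.get("TONIC_SSO_GROUP_FILTER_REGEX", ""))
    except re.error as exc:
        problems.append(f"TONIC_SSO_GROUP_FILTER_REGEX does not compile: {exc}")
    return problems


def decode_claims(id_token):
    """Decode a JWT payload WITHOUT verifying the signature. Fine for inspecting
    a token you obtained yourself; production code must verify the RS256
    signature against the issuer's JWKS and check iss, aud and exp first."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def tonic_visible_groups(id_token, pattern):
    """Apply the TONIC_SSO_GROUP_FILTER_REGEX semantics the page describes:
    keep the entries of the ID token's 'groups' claim that match the pattern.
    Assumption: the pattern must match the whole group name."""
    claims = decode_claims(id_token)
    if "groups" not in claims:
        raise KeyError("ID token has no 'groups' claim: check the claim is "
                       "included in the ID token 'Always' and the 'groups' "
                       "scope is requested")
    rx = re.compile(pattern)
    return [g for g in claims["groups"] if rx.fullmatch(g)]


def make_sample_id_token(claims):
    """Constructed, UNSIGNED sample token (alg=none) for this demo only.
    Okta signs real ID tokens; never accept alg=none from a client."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed sample environment and token; hostname and IDs are placeholders.
SAMPLE_ENV = {
    "TONIC_SSO_PROVIDER": "Okta",
    "TONIC_SSO_DOMAIN": "tonic.okta.com",
    "TONIC_SSO_CLIENT_ID": "0oa-example-client-id",
    "TONIC_SSO_GROUP_FILTER_REGEX": ".*Tonic.*",
    "TONIC_SSO_AUTHORIZATION_SERVER_ID": "aus-example-server-id",
}
SAMPLE_TOKEN = make_sample_id_token({
    "iss": okta_issuer(SAMPLE_ENV["TONIC_SSO_DOMAIN"],
                       SAMPLE_ENV["TONIC_SSO_AUTHORIZATION_SERVER_ID"]),
    "aud": SAMPLE_ENV["TONIC_SSO_CLIENT_ID"],
    "sub": "user@example.com",
    "groups": ["Everyone", "Tonic-Admins", "Data-Tonic-Users", "Finance"],
})

if __name__ == "__main__":
    print("discovery:", discovery_url(
        SAMPLE_ENV["TONIC_SSO_DOMAIN"],
        SAMPLE_ENV.get("TONIC_SSO_AUTHORIZATION_SERVER_ID")))
    print("config problems:", check_env(SAMPLE_ENV) or "none")
    print("groups Tonic will see:", tonic_visible_groups(
        SAMPLE_TOKEN, SAMPLE_ENV["TONIC_SSO_GROUP_FILTER_REGEX"]))
```

Run it once with your real values substituted into SAMPLE_ENV; a KeyError from tonic_visible_groups on a real token means the groups claim never made it into the ID token, which is the most common misconfiguration in steps 4 to 7.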