Set up a SAML SSO provider for Tonic

SAML provider configuration

Configure your SAML provider to include the following attributes in the assertion that it sends to Tonic:
  • Email
  • GivenName
  • FamilyName
  • Groups
The Assertion Consumer Service (ACS) URL is https://your-tonic-url/api/sso/samllogin.
The Audience is Tonic.

Tonic configuration

In the Tonic web server container, set the following Tonic environment variables:
  • TONIC_SSO_SAML_IDP_METADATA_XML_URL: Set to the URL of your IdP metadata XML file. If your SSO solution does not offer a URL, you can instead set TONIC_SSO_SAML_IDP_METADATA_XML_BASE64 to the Base64-encoded contents of the IdP metadata XML file. To encode the contents, run the following command: cat /path/to/xml/file | base64 -w 0
  • TONIC_SSO_SAML_ENTITY_ID: The entity ID that Tonic uses when it sends SAML requests. If this is not set, the entity ID is taken from the IdP metadata.
  • TONIC_SSO_GROUP_FILTER_REGEX: Optional. A regular expression that limits which groups are imported into Tonic. If it is not set, Tonic does not synchronize or load groups from your SSO provider; to synchronize groups, it must be set. Set it to an expression that matches the groups that Tonic should be aware of. For example, the expression .*Tonic.* allows all groups whose name contains the word "Tonic". To import every group without limit, set the value to the expression .* (which matches any name).
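As an added example (not Tonic's own code), the following Python shows what the settings above amount to on the receiving side: it parses a constructed SAML assertion carrying the four required attributes, rejects it if the Audience is not Tonic, and applies TONIC_SSO_GROUP_FILTER_REGEX to the Groups values. The full-match semantics of the regex and the attribute layout are assumptions for this illustration, not documented Tonic behaviour.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response). It carries the four
# attributes the page lists and the Audience value "Tonic".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>Tonic</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="GivenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FamilyName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Tonic-Admins</saml:AttributeValue>
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>DataTonicUsers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

REQUIRED = ("Email", "GivenName", "FamilyName", "Groups")


def parse_assertion(xml_text, audience="Tonic"):
    """Return {attribute name: [values]}; raise if the audience or a required attribute is wrong."""
    root = ET.fromstring(xml_text)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError(f"audience {audiences} does not include {audience!r}")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    missing = [name for name in REQUIRED if name not in attrs]
    if missing:
        raise ValueError(f"assertion is missing required attributes: {missing}")
    return attrs


def filter_groups(groups, group_filter_regex=None):
    """Mimic TONIC_SSO_GROUP_FILTER_REGEX: unset means no groups are loaded;
    otherwise keep only groups whose whole name matches (full-match is an assumption)."""
    if group_filter_regex is None:
        return []
    pattern = re.compile(group_filter_regex)
    return [g for g in groups if pattern.fullmatch(g)]
```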