SAML

Use the following instructions to set up a SAML SSO provider for Tonic.

SAML provider configuration
You must configure the following assertions to be sent to Tonic from your SAML provider:
Email
GivenName
FamilyName
Groups
The Assertion Consumer Service (ACS) URL is https://your-tonic-url/api/sso/samllogin.
The Audience is Tonic.
Tonic configuration
Export your IDP Metadata XML file from your provider.
In the Tonic web server container, set the following Tonic environment variables:
TONIC_SSO_PROVIDER: SAML
TONIC_SSO_SAML_IDP_METADATA_XML_URL- Set to the URL of your IDP Metadata XML file.

If your SSO solution does not offer a URL, you can set TONIC_SSO_SAML_IDP_METADATA_XML_BASE64 to the Base 64 encoded contents of the IDP Metadata XML file.

To encode the contents, run the following command:

cat /path/to/xml/file | base64 -w 0
TONIC_SSO_SAML_ENTITY_ID: The entity ID to use to send SAML requests from Tonic. If this is not set, the entity ID is determined from the IDP metadata.
TONIC_SSO_GROUP_FILTER_REGEX: <Group regular expression>

The regular expression matches the groups that Tonic needs to be aware of. You can change this later.

For example, the expression .*Tonic.* allows all groups that contain the word "Tonic".

Okta

Managing admin users

Last modified 7d ago