Use the following instructions to set up a SAML SSO provider for Tonic.

SAML provider configuration

You must configure the following assertions to be sent to Tonic from your SAML provider:
  • Email
  • GivenName
  • FamilyName
  • Groups
The Assertion Consumer Service (ACS) URL is https://your-tonic-url/api/sso/samllogin.
The Audience is Tonic.

Tonic configuration

Export your IDP Metadata XML file from your provider.
In the Tonic web server container, set the following Tonic environment variables:
  • TONIC_SSO_SAML_IDP_METADATA_XML_URL: Set to the URL of your IDP Metadata XML file. If your SSO solution does not offer a URL, instead set TONIC_SSO_SAML_IDP_METADATA_XML_BASE64 to the Base64-encoded contents of the IDP Metadata XML file. To encode the contents, run the following command: cat /path/to/xml/file | base64 -w 0
  • TONIC_SSO_SAML_ENTITY_ID: The entity ID to use to send SAML requests from Tonic. If this is not set, the entity ID is determined from the IDP metadata.
  • TONIC_SSO_GROUP_FILTER_REGEX: A regular expression that matches the groups that Tonic needs to be aware of. You can change this later. For example, the expression .*Tonic.* matches every group whose name contains the word "Tonic".
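The following shell script is an added example, not part of Tonic's documentation or product, that walks through the two steps above: it encodes a metadata file the way the base64 command in the instructions does (GNU coreutils base64, which is what -w 0 requires), checks that the encoded value decodes back to the original, and shows which names the example group filter .*Tonic.* accepts from a sample list. The metadata XML, the group names, and the helper function names (encode_metadata, verify_roundtrip, filter_groups, main_demo) are all constructed for this example.

```shell
#!/bin/sh
# Constructed sample IDP metadata; a real file is exported from your SSO provider.
SAMPLE_METADATA='<?xml version="1.0"?><EntityDescriptor entityID="https://idp.example.test/metadata"/>'

# Encode a metadata file as a single-line Base64 string (GNU base64 -w 0, as in the docs).
encode_metadata() {
  base64 -w 0 < "$1"
}

# Return success only if the encoded value decodes back to the exact file contents.
verify_roundtrip() {
  [ "$(printf '%s' "$2" | base64 -d)" = "$(cat "$1")" ]
}

# Apply a group filter regex to a newline-separated list of group names;
# prints only the names that match, which are the groups Tonic would consider.
filter_groups() {
  printf '%s\n' "$2" | grep -E "$1"
}

# Demonstration: print the env var assignments and the filtered groups.
main_demo() {
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_METADATA" > "$tmp"
  enc=$(encode_metadata "$tmp")
  verify_roundtrip "$tmp" "$enc" || { echo "round-trip failed" >&2; rm -f "$tmp"; return 1; }
  echo "TONIC_SSO_SAML_IDP_METADATA_XML_BASE64=$enc"
  echo "TONIC_SSO_GROUP_FILTER_REGEX=.*Tonic.*"
  echo "Groups accepted by the filter:"
  filter_groups '.*Tonic.*' 'Tonic-Admins
Engineering
TonicUsers
Finance'
  rm -f "$tmp"
}
```

Run it with `sh script.sh` after adding a trailing `main_demo` line; note that the filter is case-sensitive, so a group named "tonic-readers" would not be accepted by .*Tonic.* unless the regex is widened.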