Instructions for configuring Tonic for SSO with Okta

Okta Configuration

The following configuration steps need to be completed within Okta:
1. Create a new application and choose the "OIDC - OpenId Connect" method with "Single-Page Application" option.
2. Click next and fill out the fields with the values below:
  1. App integration name: Tonic, Tonic-Prod, Tonic-Dev, etc.
  2. Logo (optional): Download and use this image.
  3. Grant type: Implicit (hybrid)
  4. Sign-in redirect URIs: <base-url>/sso/callback
  5. Sign-out redirect URIs: <base-url>/sso/logout
  6. Base URIs: The URL of your Tonic instance
  7. Controlled access: Configure as needed to limit Tonic access to the appropriate users
3. After saving the above, navigate to the "General Settings" page for the app and make the following changes:
  1. Grant type: Uncheck "Allow Access Token with implicit grant type".
  2. Login initiated by: Either Okta or App
  3. Application visibility: Check "Display application icon to users"
  4. Initiate login URI: <base-url>
4. Navigate to Sign On settings and assign a groups claim filter in the OpenID Connect ID Token section.
5. Next, we need to add a new scope/claim so that Tonic can read group membership. You may already have this on your default authorization server. If you do not, and you are not comfortable adding this scope/claim to your default authorization server, you can create a new authorization server just for Tonic.
6. On your authorization server, navigate to Scopes and add a scope called "groups".
7. Next, navigate to Claims and add a claim called "groups" with the following settings:
  1. Include in token type: ID Token and Always
  2. Value type: Groups
  3. Filter: Matches Regex .* (This can be narrowed to just the Tonic groups if this is not your default authorization server. Otherwise, Tonic has its own method of filtering out unwanted groups.)
  4. Included in: The following scopes: groups
8. If this is a new authorization server just for Tonic, don’t forget to assign a new access policy to Tonic.
9. Make a note of the following values, which will need to be provided to Tonic:
  1. Client ID of the application:
  2. Your Okta domain (e.g.
  3. Custom authorization server Id (if you made one):
  4. IdP ID (If you are using an outside identity provider):

Tonic Configuration

Add these values as the following environment variables in the tonic_web_server container:
  • TONIC_SSO_DOMAIN: <Your Okta domain>
  • TONIC_SSO_CLIENT_ID: <The Okta application Client ID>
  • TONIC_SSO_GROUP_FILTER_REGEX: A regular expression that matches the groups you wish Tonic to be aware of. This can be changed later. For example, `.*Tonic.*` would allow all groups whose name contains the word "Tonic".
    • Omit if not used
    • Omit if not used
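As an added illustration (this is not Tonic's or Okta's own code), the script below takes a constructed, already signature-verified ID token payload and checks the points that the Okta steps above are meant to guarantee: the issuer matches the org or custom authorization server, the audience is the application's Client ID, and the `groups` claim is present. It then applies a group filter regex in the style of TONIC_SSO_GROUP_FILTER_REGEX and of Okta's "Matches Regex" claim filter. The issuer format (`https://<domain>` for the org server, `https://<domain>/oauth2/<id>` for a custom authorization server) is Okta's documented layout; the whole-name match semantics for the filter and all sample values (domain, IDs, group names) are assumptions made for this example, and Tonic's real matching rules may differ.

```python
import re
from typing import Dict, List, Optional

# Constructed sample payload of a decoded Okta ID token. In a real flow the
# JWT signature must already have been verified against Okta's JWKS before
# any of these claims are trusted; that step is out of scope here.
SAMPLE_ID_TOKEN_CLAIMS: Dict = {
    "iss": "https://example.okta.com/oauth2/aus1example",  # constructed
    "aud": "0oa1exampleclientid",                           # constructed
    "sub": "00u1exampleuser",                               # constructed
    "groups": ["Everyone", "Tonic-Admins", "Tonic-Users", "Finance", "tonic-dev"],
}


def okta_issuer(domain: str, authorization_server_id: Optional[str] = None) -> str:
    """Build the issuer URL Okta puts in the token: the org authorization
    server is https://<domain>; a custom one is https://<domain>/oauth2/<id>."""
    base = f"https://{domain}"
    if authorization_server_id:
        return f"{base}/oauth2/{authorization_server_id}"
    return base


def check_id_token_claims(claims: Dict, client_id: str, issuer: str) -> List[str]:
    """Return a list of problems found in the claims; an empty list means the
    token looks the way the Okta configuration above should produce it."""
    problems: List[str] = []
    if claims.get("iss") != issuer:
        problems.append(f"unexpected issuer {claims.get('iss')!r}, expected {issuer!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("application Client ID is not in the aud claim")
    if "groups" not in claims:
        # Typical cause: the claim was not set to "ID Token" + "Always", or
        # the "groups" scope was not requested / not added on the server.
        problems.append("groups claim missing from ID token")
    elif not isinstance(claims["groups"], list):
        problems.append("groups claim is not a list")
    return problems


def filter_groups(groups: List[str], pattern: str) -> List[str]:
    """Keep only the groups the regex matches. Assumption for this example:
    the pattern must match the whole group name, as with Okta's
    'Matches regex' claim filter, so `.*Tonic.*` is needed for 'contains'."""
    rx = re.compile(pattern)
    return [g for g in groups if rx.fullmatch(g)]


if __name__ == "__main__":
    issuer = okta_issuer("example.okta.com", "aus1example")
    print("problems:", check_id_token_claims(SAMPLE_ID_TOKEN_CLAIMS, "0oa1exampleclientid", issuer))
    # Case matters: `.*Tonic.*` drops 'tonic-dev'; add (?i) if that is not wanted.
    print(filter_groups(SAMPLE_ID_TOKEN_CLAIMS["groups"], ".*Tonic.*"))
    print(filter_groups(SAMPLE_ID_TOKEN_CLAIMS["groups"], "(?i).*tonic.*"))
```

The case-sensitivity point is worth trying against your own group names before settling on a filter: with the sample groups, `.*Tonic.*` keeps only the two groups spelled with a capital T, while `(?i).*tonic.*` also keeps `tonic-dev`.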