Use these instructions to set up Okta as your SSO provider for Tonic Structural.
You complete the following configuration steps within Okta:
Create a new application. Choose the OIDC - OpenID Connect sign-in method with the Single-Page Application option.
Click Next, then fill out the fields with the values below:
App integration name: Typical names are Tonic, Tonic-Prod, or Tonic-Dev
Grant type: Implicit (hybrid)
Redirect URIs: <base-url>/sso/callback
Sign-out redirect URIs: <base-url>/sso/logout
Base URIs: The URL to your Structural instance
Controlled access: Configure as needed to limit Structural access to the appropriate users
After saving the above, navigate to the General Settings page for the application and make the following changes:
Grant type: Check Implicit (Hybrid) and Allow ID Token with implicit grant type.
Login initiated by: Either Okta or App
Application visibility: Check Display application icon to users
Initiate login URI: <base-url>
Navigate to Sign On settings. In the OpenID Connect ID Token section, assign a groups claim filter.
Next, add a new scope/claim to allow Structural to access groups. You might already have added this to your default authorization server. If not, and you are not comfortable adding this scope/claim to your default authorization server, you can create a new authorization server just for Structural.
On your authorization server, navigate to Scopes. Add a scope called groups.
Next, navigate to Claims and add a claim called groups that has the following settings:
Include in token type: ID Token, Always
Value type: Groups
Filter: Matches Regex .*
If this is not your default authorization server, you can use this filter to restrict the claim to only the Structural groups. Otherwise, Structural has its own method to filter out unwanted groups.
Included in: The following scopes: groups
If this is a new authorization server created just for Structural, assign it an access policy that covers the Structural application.
Make a note of the following values that must be provided to Structural:
Client ID of the application:
Your Okta domain (for example,
Custom authorization server ID (if you made one):
IdP ID (If you use an outside identity provider):
In the Structural web server container, set the following environment settings:
: Okta
: <Your Okta domain>
: <Okta application client ID>
Identifies the allowed SSO groups for Structural. For details, go to Synchronizing SSO groups with Structural.
: <auth server id>
Omit if not used.
: <IdP Id>
Omit if not used.
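The following is an added example, not Tonic's or Okta's own code, showing what the configuration above produces at runtime: the implicit-grant authorize request that Structural's callback URL and client ID feed into, and the claim checks an application must apply to the returned ID token before trusting its groups claim. The class name, function names, the assumed Okta URL layout (org authorization server versus a custom one), and all sample values (domain, client ID, groups) are assumptions or constructed data, not values from this page. The ID token's signature must be verified against Okta's JWKS before these claim checks mean anything; that step is outside this snippet.

```python
"""Added example (not Tonic Structural's or Okta's code): build the implicit-grant
authorize URL for the Okta application configured above and validate the claims
of the ID token it returns, applying a regex filter to the groups claim."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode


@dataclass
class OktaSsoConfig:
    okta_domain: str                      # e.g. "example.okta.com" (constructed)
    client_id: str                        # Client ID of the Okta application
    base_url: str                         # URL of the Structural instance
    auth_server_id: Optional[str] = None  # custom authorization server ID, if any
    group_filter: str = r".*"             # regex applied to the groups claim

    def issuer(self) -> str:
        # Assumed Okta layout: the org authorization server issues tokens as
        # https://<domain>; a custom server carries its ID in the path.
        # Compare with the Issuer shown for the server in the Okta admin UI.
        if self.auth_server_id:
            return f"https://{self.okta_domain}/oauth2/{self.auth_server_id}"
        return f"https://{self.okta_domain}"

    def authorize_url(self, state: str, nonce: str) -> str:
        # Implicit grant returning an ID token, as enabled in General Settings.
        # redirect_uri must exactly match the registered <base-url>/sso/callback.
        # The "groups" scope is the custom scope added on the authorization server.
        endpoint = (f"{self.issuer()}/v1/authorize" if self.auth_server_id
                    else f"https://{self.okta_domain}/oauth2/v1/authorize")
        params = {
            "client_id": self.client_id,
            "response_type": "id_token",
            "scope": "openid profile groups",
            "redirect_uri": f"{self.base_url}/sso/callback",
            "state": state,
            "nonce": nonce,
        }
        return f"{endpoint}?{urlencode(params)}"


def validate_id_token_claims(claims: dict, cfg: OktaSsoConfig,
                             expected_nonce: str, now: int) -> list:
    """Check the ID token claims against the configuration and return the
    groups that pass the regex filter. Raises ValueError on any mismatch.
    Assumes the token signature has already been verified via Okta's JWKS."""
    if claims.get("iss") != cfg.issuer():
        raise ValueError("issuer mismatch")           # wrong org or auth server
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if cfg.client_id not in audiences:
        raise ValueError("audience mismatch")         # token minted for another app
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")            # replayed or injected token
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        raise ValueError("groups claim is not a list")
    # Structural's own filter (as described on the page) limits which Okta groups
    # count; this regex stands in for that filter and applies a full match.
    pattern = re.compile(cfg.group_filter)
    return [g for g in groups if pattern.fullmatch(g)]


if __name__ == "__main__":
    # Constructed sample configuration and claims for a local run.
    cfg = OktaSsoConfig("example.okta.com", "0oa-example-client",
                        "https://structural.example.com",
                        auth_server_id="aus-example", group_filter=r"tonic-.*")
    print(cfg.authorize_url(state="st-1", nonce="n-1"))
    sample_claims = {"iss": cfg.issuer(), "aud": cfg.client_id, "exp": 2_000,
                     "nonce": "n-1", "groups": ["tonic-admins", "Everyone"]}
    print(validate_id_token_claims(sample_claims, cfg, "n-1", now=1_000))
```

The `exp` and `nonce` checks are what prevent a captured or attacker-supplied token from being replayed into the `/sso/callback` endpoint; the issuer check is what makes the custom authorization server ID matter, since a token from the org server would otherwise carry a different `iss` and be rejected.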
Logo (optional): Download and use this image -