If your company has a self-hosted Tonic Structural instance that is installed on-premises, then you navigate to the Structural URL for that instance.
Your self-hosted instance might be configured to use single sign-on for Structural access. If so, then from the Structural login page, to create your Structural user account, click the single sign-on option.
Otherwise, to create your Structural user account, click Create Account.
Your administrator can provide the URL for your Structural instance and confirm the instructions for creating your user account.
When you create the account, the Structural application opens to the New Workspace view so that you can create your first workspace.
If your Structural license is on Structural Cloud, then new users that have a matching email domain are automatically added to your Structural Cloud organization.
For a Structural Cloud license other than a pay-as-you-go license, the license agreement specifies the included email domains. When a user with a matching email domain signs up for a Structural account, they are added to that Structural Cloud organization.
For more information about Structural Cloud organizations, go to Structural organizations.
For a pay-as-you-go Structural Cloud license, when a user with the same corporate email domain as the subscribed user signs up for a Structural account, they are added to that Structural Cloud organization.
To sign up for a Structural Cloud account:
Go to https://app.tonic.ai.
Click Create Account.
In the Email field, provide your email address.
In the Password field, enter the password to use for Structural.
In the Repeat Password field, enter the password again.
Click Create Account.
Structural Cloud opens to the New Workspace view so that you can create your first workspace.
In Tonic Structural, each user belongs to an organization. Organizations are used to determine the company or customer that a Structural user belongs to. The User Settings view displays the organization identifier for the user.
A self-hosted instance of Structural contains a single organization. All users belong to that organization.
Structural Cloud hosts multiple organizations. The organizations are kept completely separate. Users from one Structural Cloud organization do not have any access to the users or workspaces that belong to a different Structural Cloud organization.
A Structural organization is created:
For a standard Structural license, both self-hosted and Structural Cloud, when the first user signs up for a Structural account.
For a pay-as-you-go Structural Cloud license, when the user subscribes to Structural.
When a user signs up for a free trial on Structural Cloud. Each free trial user is in a separate Structural Cloud organization.
A self-hosted instance has a single organization. Every user who signs up for an account on that instance is added to the organization.
For companies with an annual Structural Cloud license, the license specifies the included email domains.
When a user with one of the included email domains signs up for a Structural account, they are automatically added to that organization.
For a pay-as-you-go license, when a user with the same corporate email domain signs up for a Structural account, they are automatically added to that organization.
During a free trial, a user can invite users with the same corporate email domain to have access to their free trial workspace.
When those users sign up for a Structural free trial in response to that invitation, they are automatically added to the Structural Cloud organization for the free trial user.
By default, the Tonic Structural login page provides an option to create a new Structural account.
Any user who has access to the Structural URL can create an account.
On a self-hosted instance, to prevent any new accounts, set the environment setting TONIC_DISABLE_ACCOUNT_CREATION to true.
You can configure this setting from Structural Settings, so you can set it to false whenever a user needs to create an account, and then set it to true to once again prevent account creation.
Required license: Professional or Enterprise
Required global permission: Manage user access to Tonic Structural and to any workspace
If you use SSO to manage Tonic Structural groups, then Structural displays the list of groups for which at least one user has logged in to Structural.
To display the SSO group list:
In the Structural heading, click Structural Settings.
On the Structural Settings view, click Access Management.
On the Access Management tab, click Groups.
If no users from a group have logged in to Structural, then the group does not display in the list.
The list only displays the group names. To manage the group permissions:
To assign global permission sets, go to the Global Permission Sets tab.
To assign workspace permission sets, go to the Workspaces view.
Tonic Structural respects the access control policy of your SSO provider. To access Structural, users must be granted access to the Structural application within your SSO provider.
After SSO is enabled, users can use SSO to create an account in Structural.
On future logins, users are prompted to use SSO to authenticate.
Required license: Professional or Enterprise
Tonic Structural supports integrations with several external single sign-on (SSO) providers to allow users to use SSO to create accounts and log in to Structural.
To only allow SSO authentication, set the environment setting REQUIRE_SSO_AUTH to true. This disables standard email/password authentication. All account creation and login is handled through your SSO provider. If multi-factor authentication (MFA) is set up with your SSO, then all authentication must go through your provider's MFA.
To use SSO in Structural, you must have a valid license for the SSO functionality. You must also configure Structural environment variables. The required variables differ by provider.
Use these instructions to set up GitHub as your SSO provider for Tonic Structural.
The Structural GitHub SSO integration does not support GitHub group membership.
In GitHub, navigate to Settings -> Developer Settings -> OAuth Apps, then create a new application.
For Application Name, enter Tonic.
For Homepage URL, enter https://tonic.ai.
For Authorization callback URL, enter https://your-tonic-url/sso/callback. Replace your-tonic-url with the URL of your Structural instance.
After you create the application, to create a new secret, click Generate a new client secret.
You use the Client ID and the Client secret in the Structural configuration.
TONIC_SSO_PROVIDER: GitHub
TONIC_SSO_CLIENT_ID: <GitHub Client ID>
TONIC_SSO_CLIENT_SECRET: <GitHub Client Secret>
Use these instructions to set up Keycloak as your SSO provider for Tonic Structural.
Within Keycloak, select the realm to use for your Structural client. Under Clients, click Create client.
On the Create client page, under General Settings:
From the Client type dropdown list, select OpenID Connect.
Enter a Client ID and Name.
Click Next.
On the Capability Config tab, click Save. The details page for the new client displays.
On the Settings tab, under Access settings, enter your Structural URL information.
Click Client scopes. Each client has a dedicated scope named <client-id>-dedicated. To configure the scope, click the scope name.
On the Mappers tab, to add a property mapper to the scope, click Configure a new mapper.
In the list of mapper types, click Group Membership.
Under Add mapper, set both Name and Token Claim Name to groups.
The Full group path toggle affects how child groups appear in Tonic:
When on, child groups display as parent group/child group.
When off, child groups display as child group.
To save the new group membership mapper, click Save.
TONIC_SSO_PROVIDER: Keycloak
TONIC_SSO_DOMAIN: https://my-keycloak-instance
TONIC_SSO_CLIENT_ID: <Keycloak client ID>
TONIC_SSO_REALM_ID: <Keycloak realm ID>
Use these instructions to set up a SAML SSO provider for Tonic Structural.
You must configure the following assertions to be sent to Structural from your SAML provider:
Email
GivenName
FamilyName
Groups
The Assertion Consumer Service (ACS) URL is https://your-tonic-url/api/sso/samllogin.
Set Audience to the value of the Structural environment setting TONIC_SSO_SAML_ENTITY_ID.
In the Structural web server container, set the following:
TONIC_SSO_PROVIDER: SAML
TONIC_SSO_SAML_IDP_METADATA_XML_URL: Set to the URL of your IDP Metadata XML file.
If your SSO solution does not offer a URL, you can set TONIC_SSO_SAML_IDP_METADATA_XML_BASE64 to the Base64-encoded contents of the IDP Metadata XML file.
To encode the contents, run the following command:
cat /path/to/xml/file | base64 -w 0
TONIC_SSO_SAML_ENTITY_ID: The entity ID to use to send SAML requests from Structural. If this is not set, the entity ID is determined from the IDP metadata. You also use this as the value of Audience in the SAML provider configuration.
TONIC_SSO_GROUP_FILTER_REGEX: Identifies the allowed SSO groups for Structural. For details, go to .
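The encoding step above, as an added example that is not part of the original documentation: it checks that the file looks like SAML metadata, produces the single-line value without depending on the -w option (which not every base64 implementation accepts), and verifies the round trip before the value is used for TONIC_SSO_SAML_IDP_METADATA_XML_BASE64. The function name, the EntityDescriptor sanity check and the sample metadata are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: validate and encode IdP metadata for
# TONIC_SSO_SAML_IDP_METADATA_XML_BASE64. Names here are hypothetical.

# encode_idp_metadata FILE
# Prints the single-line Base64 value on stdout.
# Returns 1 (missing/empty file), 2 (not SAML metadata), 3 (round-trip mismatch).
encode_idp_metadata() {
  local file=$1 encoded
  [ -s "$file" ] || { echo "error: $file is missing or empty" >&2; return 1; }
  # Cheap sanity check: catches a saved login or error page served in place
  # of the metadata document.
  grep -q 'EntityDescriptor' "$file" || {
    echo "error: no EntityDescriptor element in $file" >&2; return 2; }
  # Remove line wraps explicitly; a wrapped value is truncated at the first
  # newline when pasted into a single-line setting.
  encoded=$(base64 < "$file" | tr -d '\n')
  # Round trip: the decoded value must match the file byte for byte.
  printf '%s' "$encoded" | base64 -d | cmp -s - "$file" || {
    echo "error: Base64 round-trip mismatch" >&2; return 3; }
  printf '%s\n' "$encoded"
}

# Constructed sample metadata (placeholder entity, not a real IdP).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>
EOF

echo "TONIC_SSO_SAML_IDP_METADATA_XML_BASE64=$(encode_idp_metadata "$sample")"
```

The metadata carries the IdP signing certificate that Structural trusts, so encode the file you obtained from the IdP itself rather than a copy of unknown origin.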
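A pre-deployment check for the access settings described on this page, as an added example that is not Tonic's own tooling: it reports provider settings that are missing and flags configurations that leave email/password login or open account creation enabled. The KEY=value file format, the function names and the sample values are assumptions, as is treating each provider's listed settings as mandatory.

```shell
#!/usr/bin/env bash
# Added example: audit Structural access settings kept in a KEY=value file.
# The file format and function names are hypothetical.

# get_setting FILE KEY -> prints the value of the last KEY=... line, if any.
get_setting() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# audit_access FILE -> prints findings; the return status is the finding count.
audit_access() {
  local f=$1 n=0 provider required key
  provider=$(get_setting "$f" TONIC_SSO_PROVIDER)
  case "$provider" in
    GitHub)   required="TONIC_SSO_CLIENT_ID TONIC_SSO_CLIENT_SECRET" ;;
    Keycloak) required="TONIC_SSO_DOMAIN TONIC_SSO_CLIENT_ID TONIC_SSO_REALM_ID" ;;
    *)        required="" ;;  # SAML is handled below; other providers are not covered
  esac
  for key in $required; do
    [ -n "$(get_setting "$f" "$key")" ] ||
      { echo "MISSING $key (listed for $provider)"; n=$((n+1)); }
  done
  if [ "$provider" = SAML ] &&
     [ -z "$(get_setting "$f" TONIC_SSO_SAML_IDP_METADATA_XML_URL)" ] &&
     [ -z "$(get_setting "$f" TONIC_SSO_SAML_IDP_METADATA_XML_BASE64)" ]; then
    echo "MISSING IdP metadata: set the _XML_URL or the _XML_BASE64 setting"; n=$((n+1))
  fi
  # With REQUIRE_SSO_AUTH=true, all login and account creation goes through SSO.
  if [ "$(get_setting "$f" REQUIRE_SSO_AUTH)" != true ]; then
    [ -z "$provider" ] ||
      { echo "WEAK REQUIRE_SSO_AUTH is not true: email/password login stays enabled alongside SSO"; n=$((n+1)); }
    [ "$(get_setting "$f" TONIC_DISABLE_ACCOUNT_CREATION)" = true ] ||
      { echo "WEAK TONIC_DISABLE_ACCOUNT_CREATION is not true: anyone who can reach the URL can create an account"; n=$((n+1)); }
  fi
  return "$n"
}

# Constructed sample settings (placeholder values, not from a real deployment).
weak_env=$(mktemp); hardened_env=$(mktemp)
cat > "$weak_env" <<'EOF'
TONIC_SSO_PROVIDER=Keycloak
TONIC_SSO_DOMAIN=https://my-keycloak-instance
TONIC_SSO_CLIENT_ID=structural
EOF
cat > "$hardened_env" <<'EOF'
TONIC_SSO_PROVIDER=Keycloak
TONIC_SSO_DOMAIN=https://my-keycloak-instance
TONIC_SSO_CLIENT_ID=structural
TONIC_SSO_REALM_ID=corp
REQUIRE_SSO_AUTH=true
EOF
audit_access "$weak_env" || echo "weak file: $? finding(s)"
audit_access "$hardened_env" && echo "hardened file: no findings"
```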