Use these instructions to set up Google as your SSO provider for Tonic Ephemeral.
Click Create credentials, located near the top.
Select OAuth client ID.
Select Web application as the application type.
Choose a name.
Under Authorized redirect URIs, add the URL of the Ephemeral server with the endpoint /sso/callback.
For example, for a local Ephemeral server at http://localhost:3000, you would need to set the redirect URL to http://localhost:3000/sso/callback.
Also note that internal URLs might not work.
On the confirmation page, note the client ID and client secret. You will need to provide them to Ephemeral.
After you complete the configuration in Google, you uncomment and configure the following values in the Ephemeral Helm chart.
The client ID
The client secret
In values.yaml:
Use these instructions to set up Okta as your SSO provider for Tonic Structural.
You complete the following configuration steps within Okta:
Create a new application. Choose the OIDC - OpenId Connect method with the Single-Page Application option.
Click Next, then fill out the fields with the values below:
App integration name: The name to use for the Ephemeral application. For example, Ephemeral, Ephemeral-Prod, Ephemeral-Dev.
Grant type: Implicit (hybrid)
Sign-in redirect URIs: <base-url>/sso/callback/okta
Sign-out redirect URIs: <base-url>/sso/logout
Base URIs: The URL to your Ephemeral instance
Controlled access: Configure as needed to limit Ephemeral access to the appropriate users
After saving the above, navigate to the General Settings page for the application and make the following changes:
Grant type: Check Implicit (Hybrid) and Allow ID Token with implicit grant type.
Login initiated by: Either Okta or App
Application visibility: Check Display application icon to users
Initiate login URI: <base-url>
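The redirect URIs in the Google and Okta steps above must match the Ephemeral base URL exactly, so it helps to derive and sanity-check them before you paste them into the provider console. The following is an added example, not code from Tonic or from either provider; the function names and the checks (HTTPS for non-local hosts, no raw IP addresses, no internal-only host names) are assumptions based on the note that internal URLs might not work.

```python
import ipaddress
from urllib.parse import urlsplit

# Callback paths taken from the Google and Okta steps on this page.
PATHS = {
    "google": {"redirect": "/sso/callback"},
    "okta": {"redirect": "/sso/callback/okta", "logout": "/sso/logout"},
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def redirect_uris(base_url, provider):
    """Return the URIs to register for `provider`, given the Ephemeral base URL."""
    base = base_url.rstrip("/")  # avoid a double slash before /sso/...
    return {name: base + path for name, path in PATHS[provider].items()}


def check_base_url(base_url):
    """Return reasons the provider may reject or fail to reach this base URL."""
    parts = urlsplit(base_url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return ["not an absolute http(s) URL"]
    problems = []
    if parts.query or parts.fragment:
        problems.append("base URL carries a query string or fragment")
    if host in LOOPBACK:
        return problems  # local test setup, like the localhost:3000 example
    if parts.scheme != "https":
        problems.append("non-local host should use https")
    try:
        ipaddress.ip_address(host)
        problems.append("host is a raw IP address")
    except ValueError:  # a DNS name, not an IP literal
        if "." not in host or host.endswith((".local", ".internal")):
            problems.append("host name looks internal-only")
    return problems


if __name__ == "__main__":
    # Constructed sample base URLs, not real deployments.
    for url, provider in [("http://localhost:3000", "google"),
                          ("https://ephemeral.example.com/", "okta"),
                          ("http://ephemeral.corp.internal", "okta")]:
        print(url, redirect_uris(url, provider), check_base_url(url))
```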
After you complete the configuration in Okta, uncomment and configure the following values in the Ephemeral Helm chart.
In values.yaml:
On Ephemeral Cloud, users who have a corporate Google email address can use the built-in Google single sign-on (SSO) configuration to sign up for and log into Ephemeral.
You can also enable SSO on a self-hosted instance. Tonic Ephemeral respects the access control policy of your single sign-on (SSO) provider. To access Ephemeral, users must be granted access to the Ephemeral application within your SSO provider.
To enable SSO on your self-hosted instance, you first complete the required configuration in the SSO provider. You then configure Ephemeral to connect to it.
After you enable SSO, users can use SSO to create an account in Ephemeral.
To only allow SSO authentication, in your Helm chart, set sso.isRequired to true.
For self-hosted instances, Ephemeral supports the following SSO providers:
Configure Google SSO for access to Ephemeral
Okta
Configure Okta for access to Ephemeral