Every user belongs to an Ephemeral organization.
Users who belong to the same organization can see all of the databases for that organization.
By default, when you create an Ephemeral Cloud account, Ephemeral also creates an organization for your account.
You might want all of the users that have your company email domain to be added to the same organization. To enable this behavior, contact Ephemeral support.
When Ephemeral Cloud ties an email domain to a specific organization, any user with an email address in that domain who creates an Ephemeral account is added to that organization.
On a self-hosted instance of Ephemeral, all users belong to a single organization.
When a user creates an account, they are automatically added to that organization.
Use these instructions to set up Google as your SSO provider for Tonic Ephemeral.
Click Create credentials, located near the top.
Select OAuth client ID.
Select Web application as the application type.
Choose a name.
Under Authorized redirect URIs, add the URL of the Ephemeral server with the endpoint /sso/callback.
For example, for a local Ephemeral server at http://localhost:3000, you would set the redirect URL to http://localhost:3000/sso/callback.
Also note that internal URLs might not work.
On the confirmation page, note the client ID and client secret. You will need to provide them to Ephemeral.
After you complete the configuration in Google, you uncomment and configure the following values in the Ephemeral Helm chart.
The client ID
The client secret
In values.yaml:
Use these instructions to set up Okta as your SSO provider for Tonic Structural.
You complete the following configuration steps within Okta:
Create a new application. Choose the OIDC - OpenID Connect method with the Single-Page Application option.
Click Next, then fill out the fields with the values below:
App integration name: The name to use for the Ephemeral application. For example, Ephemeral, Ephemeral-Prod, or Ephemeral-Dev.
Grant type: Implicit (hybrid)
Sign-in redirect URIs: <base-url>/sso/callback/okta
Sign-out redirect URIs: <base-url>/sso/logout
Base URIs: The URL to your Ephemeral instance
Controlled access: Configure as needed to limit Ephemeral access to the appropriate users
After saving the above, navigate to the General Settings page for the application and make the following changes:
Grant type: Check Implicit (Hybrid) and Allow ID Token with implicit grant type.
Login initiated by: Either Okta or App
Application visibility: Check Display application icon to users
Initiate login URI: <base-url>
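Both Google and Okta match the redirect URIs entered above literally, so a trailing slash, a wrong scheme, or an unreachable internal host is enough to break the login flow. The following added pre-deployment check (not part of the Tonic Ephemeral documentation or product) derives the URIs the Google and Okta steps expect from a base URL and flags exact-match, scheme, wildcard, and internal-host problems; `ephemeral.example.com` and the sample dictionary are constructed values, and the internal-host test is a heuristic.

```python
from urllib.parse import urlsplit

# Endpoint paths from the Google and Okta steps on this page; Okta's
# "Initiate login URI" is the bare base URL, hence the empty path.
PROVIDER_PATHS = {
    "google": {"redirect": "/sso/callback"},
    "okta": {"sign_in": "/sso/callback/okta", "sign_out": "/sso/logout", "initiate_login": ""},
}
LOOPBACK = ("localhost", "127.0.0.1", "::1")  # the only hosts allowed plain http

def expected_uris(base_url, provider):
    """Derive the exact URIs the IdP application should be configured with."""
    base = base_url.rstrip("/")
    return {name: base + path for name, path in PROVIDER_PATHS[provider].items()}

def check_uri(uri, expected):
    """Return a list of findings for one configured URI; an empty list means OK."""
    findings = []
    parts = urlsplit(uri)
    host = parts.hostname or ""
    # Heuristic for "internal" hosts: a raw IPv4/IPv6 address or a single-label name.
    internal = host.replace(".", "").isdigit() or ":" in host or "." not in host
    if host not in LOOPBACK:
        if parts.scheme != "https":
            findings.append("scheme is not https (only loopback may use http)")
        if internal:
            findings.append("raw IP or single-label internal host; the IdP may reject it")
    if "*" in uri:
        findings.append("contains a wildcard; redirect URIs must be literal")
    if uri != expected:
        findings.append(f"does not match the expected value exactly: {expected}")
    return findings

def audit(base_url, provider, configured):
    """Map each expected URI name to the findings for what the IdP actually holds."""
    report = {}
    for name, want in expected_uris(base_url, provider).items():
        got = configured.get(name)
        report[name] = ["missing from IdP configuration"] if got is None else check_uri(got, want)
    return report

# Constructed sample: a trailing-slash typo and a plain-http sign-out URI.
SAMPLE_OKTA = {"sign_in": "https://ephemeral.example.com/sso/callback/okta/",
               "sign_out": "http://ephemeral.example.com/sso/logout",
               "initiate_login": "https://ephemeral.example.com"}

if __name__ == "__main__":
    for name, findings in audit("https://ephemeral.example.com", "okta", SAMPLE_OKTA).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it with the base URL you entered under Base URIs and the values copied back out of the Okta or Google application page; every entry should report OK before you move on to the Helm chart.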
After you complete the configuration in Okta, uncomment and configure the following values in the Ephemeral Helm chart.
In values.yaml:
On Ephemeral Cloud, users who have a corporate Google email address can use the built-in Google single sign-on (SSO) configuration to sign up for and log into Ephemeral.
You can also enable SSO on a self-hosted instance. Tonic Ephemeral respects the access control policy of your single sign-on (SSO) provider. To access Ephemeral, users must be granted access to the Ephemeral application within your SSO provider.
To enable SSO on your self-hosted instance, you first complete the required configuration in the SSO provider. You then configure Ephemeral to connect to it.
After you enable SSO, users can use SSO to create an account in Ephemeral.
To only allow SSO authentication, in your Helm chart, set sso.isRequired to true.
For self-hosted instances, Ephemeral supports the following SSO providers:
Users on both Ephemeral Cloud and self-hosted instances belong to an Ephemeral organization.
On Ephemeral Cloud, users who have a corporate Google email address can use our built-in Google single sign-on (SSO) configuration to sign up for and log into Ephemeral.
Self-hosted instances can also set up SSO to manage access to Ephemeral.