OpenID Connect (OIDC)

Use these instructions to set up an OpenID Connect SSO provider for Tonic Textual.

SSO setup

When you configure the application/client in your SSO system, you must configure it to use Authorization Code Flow.

You must also make note of the client_id. You must provide the client ID when you complete the configuration for Textual.

Redirect URI

In your SSO provider, configure the following redirect URI:

  • Sign-in redirect URI: <textual-base-url>/sso/callback/oidc

Textual configuration

Required environment variables

After you set up the SSO provider, you uncomment and configure the required environment variables in Textual.

  • The application client identifier

  • For HTTP basic authentication (client_secret_basic), the client secret

  • The base URL of the provider. This is the URL under which /.well-known/openid-configuration is served.

  • A regular expression to identify groups that are permitted to use Textual.

For Kubernetes, in values.yaml:

# OIDC SSO Config
# -----------------
#oidcClientId: <application client ID>
#oidcClientSecret: <client secret for HTTP basic authentication>
#oidcAuthority: <base URL of the provider>
#oidcGroupFilterRegex: <regular expression to identify allowed groups>

For Docker, in .env:

#SOLAR_SSO_OIDC_CLIENT_ID=#<application client ID>
#SOLAR_SSO_OIDC_CLIENT_SECRET=#<client secret for HTTP basic authentication>
#SOLAR_SSO_OIDC_AUTHORITY=#<base URL of the provider>
#SOLAR_SSO_OIDC_GROUP_FILTER_REGEX=#<regular expression to identify allowed groups>

Optional environment variables

You can optionally uncomment and configure the following environment variables:

  • A space-delimited list of scopes to request from the OIDC SSO provider. Because group information is not part of the standard OIDC specification, for Textual to capture group information, a custom scope must be configured.

  • The name of the claim that contains the user's first name.

  • The name of the claim that contains the user's last name.

  • The name of the claim that contains the user's email address or username.

  • The name of the claim that contains the user's group membership.

Textual has default values for these settings:

For Kubernetes, in values.yaml:

#oidcScopes: openid profile email
#oidcFirstNameClaimName: given_name
#oidcLastNameClaimName: family_name
#oidcEmailClaimName: email
#oidcGroupsClaimName: groups

For Docker, in .env:

#SOLAR_SSO_OIDC_SCOPES=#openid profile email
#SOLAR_SSO_OIDC_FIRST_NAME_CLAIM_NAME=#given_name
#SOLAR_SSO_OIDC_LAST_NAME_CLAIM_NAME=#family_name
#SOLAR_SSO_OIDC_EMAIL_CLAIM_NAME=#email
#SOLAR_SSO_OIDC_GROUPS_CLAIM_NAME=#groups
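The following Python script is an added worked example, not Tonic Textual's own code, that ties the required and optional settings above together: it derives the discovery document URL from the authority, checks the space-delimited scope list, reads the first name, last name, email and group claims by their configured names, and applies the group-filter regular expression to decide whether a user is permitted. The settings values, the ID-token claims and the claim-to-scope relationship are constructed for illustration; how Textual itself applies the regex (partial or full match) is not stated on this page, so the example assumes a partial match and shows why the pattern should therefore be anchored.

```python
"""Added example: map ID-token claims onto Textual's OIDC settings and apply
the group filter. Not Tonic Textual's own code; all values are constructed."""
import re
from typing import Any

# Constructed settings using the values.yaml keys from this page.
# The authority URL and regex are hypothetical, not real endpoints.
SETTINGS = {
    "oidcAuthority": "https://idp.example.com/realms/textual",
    "oidcGroupFilterRegex": r"^textual-(admins|users)$",
    "oidcScopes": "openid profile email groups",
    "oidcFirstNameClaimName": "given_name",
    "oidcLastNameClaimName": "family_name",
    "oidcEmailClaimName": "email",
    "oidcGroupsClaimName": "groups",
}

# Constructed ID-token payload as it would arrive after the Authorization
# Code Flow token exchange (signature and issuer checks are out of scope here).
SAMPLE_CLAIMS = {
    "sub": "7f3c2a1b",
    "given_name": "Ada",
    "family_name": "Lovelace",
    "email": "ada@example.com",
    "groups": ["engineering", "textual-users", "textual-contractors-external"],
}


def discovery_url(authority: str) -> str:
    """The authority is the base URL; the discovery document sits beneath it."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def check_scopes(scopes: str, groups_claim: str) -> list:
    """Return configuration problems found in the space-delimited scope list."""
    requested = scopes.split()
    problems = []
    if "openid" not in requested:
        problems.append("the 'openid' scope is mandatory for OIDC")
    # Group membership is not part of the core OIDC scopes, so the claim only
    # arrives if a provider-specific scope is requested. Assumption for this
    # example: that scope carries the same name as the groups claim.
    if groups_claim not in requested:
        problems.append(f"no scope requests the '{groups_claim}' claim")
    return problems


def matching_groups(groups: Any, pattern: str) -> list:
    """Groups that satisfy the filter. Providers emit either a list or a
    single string, so normalise to a list. Assumption: a partial match
    (re.search) counts, which is why the pattern should be anchored."""
    if groups is None:
        return []
    if isinstance(groups, str):
        groups = [groups]
    return [g for g in groups if re.search(pattern, g)]


def evaluate_login(claims: dict, settings: dict) -> dict:
    """Build the profile Textual needs and decide whether sign-in is allowed.
    Assumption: at least one group must match the filter."""
    allowed = matching_groups(
        claims.get(settings["oidcGroupsClaimName"]),
        settings["oidcGroupFilterRegex"],
    )
    return {
        "first_name": claims.get(settings["oidcFirstNameClaimName"]),
        "last_name": claims.get(settings["oidcLastNameClaimName"]),
        "email": claims.get(settings["oidcEmailClaimName"]),
        "matched_groups": allowed,
        "permitted": bool(allowed),
    }


if __name__ == "__main__":
    print(discovery_url(SETTINGS["oidcAuthority"]))
    print(check_scopes(SETTINGS["oidcScopes"], SETTINGS["oidcGroupsClaimName"]))
    print(evaluate_login(SAMPLE_CLAIMS, SETTINGS))
    # An unanchored filter such as "textual" also admits
    # "textual-contractors-external"; the anchored pattern above does not.
    print(matching_groups(SAMPLE_CLAIMS["groups"], "textual"))
```

Running the script shows the permitted decision resting on `textual-users` alone, while the last line demonstrates how a loosely written filter widens access to every group whose name merely contains the substring; when choosing the regular expression for production, prefer an anchored pattern and verify it against the exact group names the provider emits.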
