Use these instructions to set up Azure Active Directory as your SSO provider for Tonic Textual.

Azure configuration

Register Textual as an application within the Azure Active Directory Portal:

1. In the portal, navigate to Azure Active Directory -> App registrations, then click New registration.

2. Register Textual and create a new web redirect URI that points to your Textual instance's address and the path /sso/callback/azure.

3. Take note of the values for client ID and tenant ID. You will need them later.

4. Click Add a certificate or secret, and then create a new client secret. Take note of the secret value. You will need this later.

5. Navigate to the API permissions page. Add the following permissions for the Microsoft Graph API:

   • OpenId permissions

   • email

   • openid

   • profile

   • GroupMember

   • GroupMember.Read.All

   • User

   • User.Read

6. Click Grant admin consent for Tonic AI. This allows the application to read the user and group information from your organization. When permissions have been granted, the status should change to Granted for Tonic AI.

7. Navigate to Enterprise applications and then select Textual. From here, you can assign the users or groups that should have access to Textual.

Textual configuration

After you complete the configuration in Azure, you uncomment and configure the required environment variables in Textual.

For Kubernetes, in values.yaml:

# Azure SSO Config
# -----------------
#azureClientId: <client-id>
#azureTenantId: <tenant-id>
#azureClientSecret: <client-secret>

For Docker, in .env:

#SOLAR_SSO_AZURE_CLIENT_ID=#<FILL IN>
#SOLAR_SSO_AZURE_TENANT_ID=#<FILL IN>
#SOLAR_SSO_AZURE_CLIENT_SECRET=#<FILL IN>

Use these instructions to set up Okta as your SSO provider for Tonic Structural.

Okta configuration

You complete the following configuration steps within Okta:

1. Create a new application. Choose the OIDC - OpenId Connect method with the Single-Page Application option.

2. Click Next, then fill out the fields with the values below:

   • App integration name: The name to use for the Textual application. For example, Textual, Textual-Prod, Textual-Dev.

   • Grant type: Implicit (hybrid)

   • Sign-in redirect URIs: <base-url>/sso/callback/okta

   • Sign-out redirect URIs: <base-url>/sso/logout

   • Base URIs: The URL to your Textual instance

   • Controlled access: Configure as needed to limit Textual access to the appropriate users

3. After saving the above, navigate to the General Settings page for the application and make the following changes:

   • Grant type: Check Implicit (Hybrid) and Allow ID Token with implicit grant type.

   • Login initiated by: Either Okta or App

   • Application visibility: Check Display application icon to users

   • Initiate login URI: <base-url>

Textual configuration

After you complete the configuration in Okta, uncomment and configure the following environment variables in Textual.

For Kubernetes, in values.yaml:

# Okta SSO Config
# -----------------
#oktaAuthServerId: <customer auth server if you have one>
#oktaClientId: <client-id>
#oktaDomain: <sso-domain>
#oktaIdentityProviderId: <identity-provider-id>

For Docker, in .env:

#SOLAR_SSO_OKTA_CLIENT_ID=#<FILL IN>
#SOLAR_SSO_OKTA_DOMAIN=#<FILL IN>
#SOLAR_SSO_OKTA_IDENTITY_PROVIDER_ID=#<FILL IN>

Use these instructions to set up Google as your SSO provider for Tonic Textual.

Create an OAuth 2.0 client ID in Google

1. Go to https://console.developers.google.com/apis/credentials

2. Click Create credentials, located near the top.

3. Select OAuth client ID.

4. Select Web application as the application type.

5. Choose a name.

6. Under Authorized redirect URIs, add the URL of the Textual server with the endpoint /sso/callback/google. For example, a local Textual server at http://localhost:3000 would need http://localhost:3000/sso/callback/google to be set as the redirect URI. Also note that internal URLs might not work.

7. On the confirmation page, note the client ID and client secret. You will need to provide them to Textual.

Textual configuration

After you complete the configuration in Google, you uncomment and configure the required environment variables in Textual.

• The client ID

• The client secret

For Kubernetes, in values.yaml:

# Google SSO Config
# -----------------
#googleClientId: <client-id>
#googleClientSecret: <client-secret>

For Docker, in .env:

#SOLAR_SSO_GOOGLE_CLIENT_ID=#<FILL IN>
#SOLAR_SSO_GOOGLE_CLIENT_SECRET=#<FILL IN>

Use these instructions to set up GitHub as your SSO provider for Tonic Textual.

Create an OAuth application

1. In GitHub, navigate to Settings -> Developer Settings -> OAuth Apps, then create a new application.

2. For Application Name, enter Textual.

3. For Homepage URL, enter https://textual.tonic.ai.

4. For Authorization callback URL, enter https://your-textual-url/sso/callback/github.

Replace your-textual-url with the URL of your Textual instance.

Create a client secret

After you create the application, to create a new secret, click Generate a new client secret.

You use the client ID and the client secret in the Textual configuration.

Textual configuration

After you complete the configuration in GitHub, you uncomment and configure the required environment variables in Textual.

For Kubernetes, in values.yaml:

# Github SSO Config
# -----------------
#githubClientId: <client-id>
#githubClientSecret: <client-secret>

For Docker, in .env:

#SOLAR_SSO_GITHUB_CLIENT_ID=#<FILL IN>
#SOLAR_SSO_GITHUB_CLIENT_SECRET=#<FILL IN>

Tonic Textual respects the access control policy of your single sign-on (SSO) provider. To access Textual, users must be granted access to the Textual application within your SSO provider.

To enable SSO, you first complete the required configuration in the SSO provider. You then configure Textual to connect to it.

After you enable SSO, users can use SSO to create an account in Textual.

To only allow SSO authentication, set the environment variable REQUIRE_SSO_AUTH to true. This disables standard email/password authentication. All account creation and login is handled through your SSO provider. If multi-factor authentication (MFA) is set up with your SSO, then all authentication must go through your provider's MFA.

Tonic Textual supports the following SSO providers: