Configuring OIDC-based SSO

Enterprise

Single tenant AI Hub customers can use OpenID Connect (OIDC)-based authentication to manage AI Hub access. Using OIDC-based single sign-on (SSO) lets you leverage your organization’s existing SSO identity provider (IdP) to automatically create new AI Hub user accounts upon initial login.

Single tenant AI Hub uses relying party-initiated SSO authentication. Supported IdPs include:

  • Auth0

  • Google Workspace

  • JumpCloud

  • Microsoft Entra ID

  • Okta

  • OneLogin

  • PingIdentity

Customer requirements

Enabling SSO for your single tenant AI Hub environment involves working closely with your AI Hub support team. Your support team performs the configuration steps on the AI Hub side, but it’s your responsibility to review this documentation and ensure the following customer requirements are met:

IdP configuration requirements

The SSO integration flow begins with registering your single tenant AI Hub environment as a relying party in your IdP. There are requirements that must be met when creating your app registration.

The term app registration refers to registering your single tenant AI Hub environment as a relying party in your IdP. The same concept is also commonly called an application.
  • If prompted to select a client authentication type, select client secret basic, or similar. Client secrets are sent using the HTTP BASIC authentication scheme.

  • If prompted to select an application type, select web application, or similar. AI Hub is not a native app, single-page app, or server app.

  • The redirect URI format is https://{YOUR-AI-HUB-BASE-URL}/account/sso/oidc/callback. For example, https://customer.aihub.com/account/sso/oidc/callback.

    The redirect URI is sometimes called the callback URL.

  • AI Hub requires the openid, email, and profile scopes. If supplied, the family_name and given_name claims are used to populate user profiles.

    AI Hub doesn’t support user groups, so group mapping isn’t required.

  • There are no requirements for the name or label of the app registration.

App registration information requirements

To complete the SSO configuration on the AI Hub side, AI Hub support requires the following information about your app registration:

  • Discovery URL: Also called the .well-known endpoint or well known configuration endpoint, this is a lookup location for information about your app registration.

  • Client ID and client secret: These values are used as your app registration’s identifier and password.

This table outlines where you can find these values in select IdPs.

The accuracy of this table is not guaranteed as external product UIs are not closely monitored.

| IdP | Discovery URL value | Client ID and client secret value |
| --- | --- | --- |
| Auth0 | https://{Your Auth0 domain}/.well-known/openid-configuration | Client ID and client secret. Found under Application > Settings. |
| Google Workspace | https://accounts.google.com/.well-known/openid-configuration | Client ID and client secret. Found under Credentials > OAuth 2.0 Client IDs > Your application > Additional information. |
| JumpCloud | https://oauth.id.jumpcloud.com/.well-known/openid-configuration | Client ID and client secret. Make note of your client ID and client secret when creating your app registration. |
| Microsoft Entra ID | OpenID Connect Metadata Document. Found under App registration > Overview > Endpoints. | Application (client) ID and client secret (value). Found under App registration > Overview (application ID) and App registration > Certificates & Secrets (client secret). |
| Okta | https://{Your Okta domain}/oauth2/default/.well-known/openid-configuration | Client ID and client secret. Found under Applications > General > Client Credentials + General Settings. |
| OneLogin | https://{Your OneLogin domain}/oidc/2/.well-known/openid-configuration | Client ID and client secret. Found under Applications > OIDC > SSO. |
| PingIdentity | Discovery URL. Found under Applications > OIDC > Details. | Client ID and client secrets. Found under Applications > OIDC > Details. |
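
Before sending the discovery URL to AI Hub support, you can check the discovery document against the requirements on this page. The following Python is an added example, not AI Hub code: the function names and the sample document are constructed for illustration, and the metadata field names are those defined by the OpenID Connect Discovery specification.

```python
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes AI Hub requires
WELL_KNOWN = "/.well-known/openid-configuration"

def redirect_uri(base_url):
    """Build the redirect URI to register in the IdP (assumes a host-only base URL)."""
    parts = urlsplit(base_url if "://" in base_url else "https://" + base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("AI Hub base URL must be an https URL")
    return f"https://{parts.netloc}/account/sso/oidc/callback"

def check_discovery(discovery_url, doc):
    """Return a list of problems found in an IdP discovery document (parsed JSON)."""
    problems = []
    if not discovery_url.startswith("https://"):
        problems.append("discovery URL is not https")
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end in " + WELL_KNOWN)
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    # If the IdP omits this field, the specification default is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in methods:
        problems.append("IdP does not advertise client_secret_basic")
    # scopes_supported is optional; only judge it when the IdP publishes it.
    scopes = doc.get("scopes_supported")
    if scopes is not None:
        missing = REQUIRED_SCOPES - set(scopes)
        if missing:
            problems.append("missing scopes: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample document (idp.example is a placeholder, not a real IdP).
SAMPLE_URL = "https://idp.example/.well-known/openid-configuration"
SAMPLE_DOC = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
    "jwks_uri": "https://idp.example/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post"],
    "scopes_supported": ["openid", "email"],
}

if __name__ == "__main__":
    print(redirect_uri("customer.aihub.com"))
    for problem in check_discovery(SAMPLE_URL, SAMPLE_DOC):
        print("PROBLEM:", problem)
```

To check a real IdP, fetch the JSON at your discovery URL and pass the parsed object to `check_discovery`. The client secret is not needed for this check and should not be pasted into scripts or tickets.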