Configuring OIDC-based SSO
Single tenant AI Hub customers can use OpenID Connect (OIDC)-based authentication to manage AI Hub access. Using OIDC-based single sign-on (SSO) lets you leverage your organization’s existing SSO identity provider (IdP) to automatically create new AI Hub user accounts upon initial login.
Single tenant AI Hub uses relying party-initiated SSO authentication. Supported IdPs include:
- Auth0
- Google Workspace
- JumpCloud
- Microsoft Entra ID
- Okta
- OneLogin
- PingFederate
Customer requirements
Enabling SSO for your single tenant AI Hub environment involves working closely with your support team. Your support team performs the configuration steps on the AI Hub side, but it’s your responsibility to review this documentation and ensure the following customer requirements are met:
- You’ve created an app registration in your IdP according to the IdP configuration requirements.
- You can provide the discovery URL, client ID, and client secret values for your app registration.
IdP configuration requirements
The SSO integration flow begins with registering your single tenant AI Hub environment as a relying party in your IdP. Review the following requirements for your app registration.
- App registration name: No AI Hub-specific requirements for label or name.
- Authentication type: If prompted to select a client authentication type, select client secret basic, or similar. Client secrets are sent using the HTTP BASIC authentication scheme.
- Application type: If prompted to select an application type, select web application, or similar. AI Hub isn’t a native app, single-page app, or server app.
- Redirect URI format: The redirect URI format is https://<YOUR-AI-HUB-BASE-URL>/account/sso/oidc/callback. For example, https://customer.aihub.com/account/sso/oidc/callback. The redirect URI is sometimes called the callback URL.
- Scopes and claims: AI Hub requires the openid, email, and profile scopes. Additional claims are optional but can provide enhanced functionality. See the following table for a list of supported but optional claims.
App registration information requirements
To complete the SSO configuration on the AI Hub side, your support team requires the following information about your app registration:
- Discovery URL: Also called the .well-known endpoint or well known configuration endpoint, this is a lookup location for information about your app registration.
- Client ID and client secret: These values are used as your app registration’s identifier and password.
This table outlines where you can find these values in select IdPs.
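A pre-flight check you could run against your app registration before sending its values to your support team, added here as an example and not part of AI Hub or its documentation. The function names and the sample discovery document (idp.example.com) are constructed for illustration; the metadata field names are those defined by OpenID Connect Discovery 1.0.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}

def redirect_uri(base_url):
    """Build the redirect URI in the format this page gives."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("base URL must be an https:// URL without query or fragment")
    return base_url.rstrip("/") + "/account/sso/oidc/callback"

def check_discovery(discovery_url, doc):
    """Return a list of problems found in an already-fetched discovery document."""
    problems = []
    if not discovery_url.endswith(SUFFIX):
        problems.append("discovery URL does not end with " + SUFFIX)
    # Discovery spec: the issuer (minus any trailing slash, as some IdPs
    # publish one) must equal the discovery URL with the suffix removed.
    elif doc.get("issuer", "").rstrip("/") != discovery_url[: -len(SUFFIX)]:
        problems.append("issuer does not match discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    # When the IdP omits this field, the spec default is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in methods:
        problems.append("client_secret_basic not offered")
    # scopes_supported is optional metadata; only flag scopes when it is published.
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample document for a hypothetical IdP (not real output).
SAMPLE_URL = "https://idp.example.com/tenant1" + SUFFIX
SAMPLE_DOC = {
    "issuer": "https://idp.example.com/tenant1",
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "jwks_uri": "https://idp.example.com/tenant1/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
    "scopes_supported": ["openid", "email"],
}

if __name__ == "__main__":
    print(redirect_uri("https://customer.aihub.com"))
    for problem in check_discovery(SAMPLE_URL, SAMPLE_DOC):
        print("FAIL:", problem)
```

The check takes the discovery document as a parsed dictionary, so you can fetch it with whatever tooling your organization permits and never need to pass the client secret to the script.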