Configuring OIDC-based SSO | Instabase AI Hub Documentation

Enterprise

Single tenant AI Hub customers can use OpenID Connect (OIDC)-based authentication to manage AI Hub access. Using OIDC-based single sign-on (SSO) lets you leverage your organization’s existing SSO identity provider (IdP) to automatically create new AI Hub user accounts upon initial login.

Single tenant AI Hub uses relying party-initiated SSO authentication. Supported IdPs include:

Auth0
Google Workspace
JumpCloud
Microsoft Entra ID
Okta
OneLogin
PingFederate

Customer requirements

Enabling SSO for your single tenant AI Hub environment involves working closely with your support team. Your support team performs the configuration steps on the AI Hub side, but it’s your responsibility to review this documentation and ensure the following customer requirements are met:

You’ve created an app registration in your IdP according to the IdP configuration requirements.
You can provide the discovery URL, client ID, and client secret values for your app registration.

IdP configuration requirements

The SSO integration flow begins with registering your single tenant AI Hub environment as a relying party in your IdP. Review the following requirements for your app registration.

The term app registration refers to registering your single tenant AI Hub environment as a relying party in your IdP. The same concept is also commonly called an application.

App registration name — No AI Hub-specific requirements for label or name.
Authentication type — If prompted to select a client authentication type, select client secret basic, or similar. Client secrets are sent using the HTTP BASIC authentication scheme.
Application type — If prompted to select an application type, select web application, or similar. AI Hub isn’t a native app, single-page app, or server app.
Redirect URI format — The redirect URI format is https://<YOUR-AI-HUB-BASE-URL>/account/sso/oidc/callback. For example, https://customer.aihub.com/account/sso/oidc/callback.
The redirect URI is sometimes called the callback URL.

Scopes and claims — AI Hub requires the openid, email, and profile scopes. Additional claims are optional but can provide enhanced functionality. See the following table for a list of supported but optional claims.

Claim	Description and usage	Notes
`family_name`	Member’s family name, used to populate the member’s profile.
`given_name`	Member’s given name, used to populate the member’s profile.
Custom claim	A custom claim used to gate access to AI Hub. AI Hub uses the passed `true`/`false` value to permit the associated user to create or log in to their AI Hub account. The custom claim has no naming requirements but must pass a Boolean value, where `true` permits access.	To use the custom claim feature, connect with Instabase Support to ensure your environment has the `OIDC_ALLOW_USER_CLAIM_NAME` environment variable enabled.
`groups`	The group ID of an IdP-defined group to which the user belongs. When your environment is available, an admin can create group mappings to manage AI Hub group membership at the IdP level. If adding the member to multiple groups, use a comma-delimited list to define all groups.	Each AI Hub group can map to at most one IdP-defined group. However, the same IdP-defined group can be mapped to multiple AI Hub groups. Upstream changes in your IdP aren’t immediately applied and instead take effect with the member’s next AI Hub login. For example, if a member is removed from a group in your IdP, upon next login that change of status syncs and the member is removed from the mapped AI Hub group.

App registration information requirements

To complete the SSO configuration on the AI Hub side, your support team requires the following information about your app registration:

Discovery URL — Also called the .well-known endpoint or well known configuration endpoint, this is a lookup location for information about your app registration.
Client ID and client secret — These values are used as your app registration’s identifier and password.

This table outlines where you can find the these values in select IdPs.

The accuracy of this table isn’t guaranteed as external product user interfaces aren’t closely monitored.

IdP	Discovery URL value	Client ID and client secret value
Auth0	`https://<Your Auth0 domain>/.well-known/openid-configuration`	Client ID and client secret. Found under Application > Settings.
Google Workspace	`https:<span>//accounts</span>.google.com/.well-known/openid-configuration`	Client ID and client secret. Found under Credentials > OAuth 2.0 Client IDs > Your application > Additional information.
JumpCloud	`https:<span>//oauth</span>.id.jumpcloud.com/.well-known/openid-configuration`	Client ID and client secret. Make note of your client ID and client secret when creating your app registration.
Microsoft Entra ID	OpenID Connect Metadata Document. Found under App registration > Overview > Endpoints	Application (client) ID and client secret (value). Found under App registration > Overview (application ID) and App registration > Certificates & Secrets (client secret).
Okta	`https://<Your Okta domain>/oauth2/default/.well-known/openid-configuration`	Client ID and client secret. Found under Applications > General > Client Credentials + General Settings.
OneLogin	`https://<Your OneLogin domain>/oidc/2/.well-known/openid-configuration`	Client ID and client secret. Found under Applications > OIDC > SSO.
PingFederate	`https://<Your PingFederate domain>/.well-known/openid-configuration`	Client ID and client secret. Make note of your client ID and client secret when creating your app registration.