Configuring OIDC SSO for multi-tenant AI Hub
Multi-tenant AI Hub customers can use OpenID Connect (OIDC)-based authentication to manage AI Hub access. Configuring OIDC-based single sign-on (SSO) allows members to authenticate using your organization’s existing identity provider (IdP) without requiring separate AI Hub passwords. Organization members must be added to your organization before they can sign in using SSO.
You can add multiple SSO configurations for your organization, including both OIDC and Security Assertion Markup Language (SAML) configurations. Organization admins can add and manage SSO configurations.
Configuration overview
Adding an SSO configuration involves both creating an app registration in your IdP with AI Hub-provided details, and adding information from your IdP to the configuration in AI Hub.
IdP configuration requirements
Review the following requirements for your app registration.
- Redirect URI — Sometimes called the callback URL. You must use the AI Hub-provided value. The redirect URI is provided on the first screen of the Add OIDC configuration dialog.
- Required scopes — AI Hub requires the openid, email, and profile scopes.
- Authentication type — If prompted to select a client authentication type, select client secret basic, or similar. Client secrets are sent using the HTTP BASIC authentication scheme.
- Application type — If prompted to select an application type, select web application, or similar. AI Hub isn’t a native app, single-page app, or server app.
Claim configuration and mapping
Beyond these technical requirements, you can configure your IdP to send user information via claims to automatically populate member profiles and manage select permissions in AI Hub.
If claims are passed using the default claim names listed below, their values automatically populate member profiles. To use custom claim names, map them to the corresponding claim during configuration. Claim values override any existing values in AI Hub.
AI Hub configuration requirements
When adding your SSO configuration in AI Hub, you must provide the client ID, client secret, and discovery URL values from your app registration.
The following table outlines where you can find these values in select IdPs. The accuracy of this table isn’t guaranteed, as external product user interfaces aren’t closely monitored.
Adding OIDC configurations
Before you begin
Self-service SSO configuration must be enabled for your organization. Connect with Instabase Support.
- In the header, click the initials icon and select Settings.
- Select the Security tab.
- Click Add configuration > OIDC configuration.
- Copy the provided redirect URI, then click Next. In your IdP, add the redirect URI to your app registration.
- Add a display name to identify the configuration.
- Select your identity provider.
- Enter the client ID, client secret, and discovery URL.
- (Optional) Configure claim mappings.
- Click Save.
You can now test your configuration.
Testing OIDC configurations
Your configuration doesn’t undergo validation, so it must be tested. At minimum, test with your own account, and optionally engage other organization members to test that they can successfully sign in using SSO.
- Log out of your AI Hub account.
- Log back in to AI Hub, and, when presented with sign-in options, click Continue with SSO.
- Complete sign in with your identity provider.
If you encounter any issues, review all configuration settings.
After successfully testing your configuration, you can optionally turn off the Allow sign-in with email and password toggle to enforce SSO for all organization members.
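Because a saved configuration isn't validated, it helps to compare the IdP's discovery document with the IdP configuration requirements before reviewing settings by hand. The following is an added example, not Instabase code: it checks a constructed discovery document for a hypothetical IdP (idp.example.com) using standard OIDC Discovery metadata fields, and it assumes the authorization code flow, which this page does not state.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes this page says AI Hub requires

# Constructed sample: discovery URL and document for a hypothetical IdP.
SAMPLE_URL = "https://idp.example.com/tenant-a/.well-known/openid-configuration"
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example.com/tenant-a",
  "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
  "token_endpoint": "https://idp.example.com/tenant-a/token",
  "jwks_uri": "https://idp.example.com/tenant-a/keys",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "email", "profile", "offline_access"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"]
}""")

def check_discovery(discovery_url, doc):
    """Return a list of findings; an empty list means no mismatch was found."""
    findings = []
    issuer = doc.get("issuer", "")
    # OIDC Discovery: the document lives at <issuer>/.well-known/openid-configuration,
    # so the issuer it declares must match the URL it was fetched from.
    if not discovery_url.endswith(WELL_KNOWN):
        findings.append("discovery URL does not end with " + WELL_KNOWN)
    elif discovery_url[: -len(WELL_KNOWN)] != issuer.rstrip("/"):
        findings.append("issuer does not match the discovery URL")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            findings.append(f"{key} is missing or not https")
    # scopes_supported is optional metadata; only flag it when it is present.
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        findings.append("scopes not advertised: " + ", ".join(sorted(missing)))
    # Per the spec, an omitted method list means client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in methods:
        findings.append("client_secret_basic not offered at the token endpoint")
    # Assumption: a web application with a client secret uses the code flow.
    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code flow (response type 'code') not offered")
    return findings

if __name__ == "__main__":
    for finding in check_discovery(SAMPLE_URL, SAMPLE_DOC):
        print("FINDING:", finding)
```

To check a real IdP, save the JSON returned by your discovery URL and pass the parsed document together with that URL to `check_discovery`.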
What's next
Members must be added to your organization before they can sign in using SSO. Members can’t sign up for AI Hub using SSO and access your organization.
Updating OIDC configurations
Select configuration changes are supported.
- In the header, click the initials icon and select Settings.
- Select the Security tab.
- In the configurations list, hover over the configuration, then click the edit icon.
- Make any changes, then click Save.
Disabling and deleting OIDC configurations
You can disable or delete your configuration. Disabling a configuration removes it as a supported sign-in option, but the configuration is preserved and can later be re-enabled.
- In the header, click the initials icon and select Settings.
- Select the Security tab.
- In the configurations list, hover over the configuration, then click the overflow icon.
- Select Disable configuration or Delete.
- Click Disable or Delete to confirm.