Configuring OIDC SSO for multi-tenant AI Hub

Enterprise

Multi-tenant AI Hub customers can use OpenID Connect (OIDC)-based authentication to manage AI Hub access. Configuring OIDC-based single sign-on (SSO) allows members to authenticate using your organization’s existing identity provider (IdP) without requiring separate AI Hub passwords. Organization members must be added to your organization before they can sign in using SSO.

You can add multiple SSO configurations for your organization, including both OIDC and security assertion markup language (SAML) configurations. Organization admins can add and manage SSO configurations.

Configuration overview

Adding an SSO configuration involves both creating an app registration in your IdP with AI Hub-provided details, and adding information from your IdP to the configuration in AI Hub.

IdP configuration requirements

Review the following requirements for your app registration.

  • Redirect URI — Sometimes called the callback URL. You must use the AI Hub-provided value, which is shown on the first screen of the Add OIDC configuration dialog.

  • Required scopes — AI Hub requires the openid, email, and profile scopes.

  • Authentication type — If prompted to select a client authentication type, select client secret basic, or similar. Client secrets are sent using the HTTP Basic authentication scheme.

  • Application type — If prompted to select an application type, select web application, or similar. AI Hub isn’t a native app, single-page app, or server app.

Claim configuration and mapping

Beyond these technical requirements, you can configure your IdP to send user information via claims to automatically populate member profiles and manage select permissions in AI Hub.

If claims are passed using the default claim names listed below, their values automatically populate member profiles. To use custom claim names, map them to the corresponding claim during configuration. Claim values override any existing values in AI Hub.

Claim: email
Description: Defines the user’s login email. The email value must be unique among all users.
Expected format: Valid email address string
Notes: If a user’s email address changes, their AI Hub account from the previous address must be manually migrated to the new address.

Claim: is_admin
Description: Assigns the member the organization role of admin.
Expected format: Boolean (true or false)
Notes: When set to true, the member’s organization role is set to admin upon next login. When set to false, the organization role is set to member. If absent or undefined, the member’s organization role isn’t changed. The is_admin value takes precedence over any changes made using the AI Hub interface. You can still manually assign the admin role to a member, but their role resets on next login based on the is_admin value.

Admins have wide-ranging permissions and access, so minimize the number of admins.
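The following is an added example, not Instabase code, that models the claim behavior described above (email overrides the stored value, a boolean is_admin sets the role, an absent is_admin leaves it unchanged) so you can preview what a given set of IdP claims, with or without a custom claim-name mapping, would do to a member before you enforce SSO. The member profile and claims are constructed sample data, and treating a non-boolean is_admin as undefined is an assumption of this example.

```python
# Added example (not Instabase code): previews how the email and is_admin claims
# from your IdP would change a member profile at login.
DEFAULT_CLAIM_NAMES = {"email": "email", "is_admin": "is_admin"}


def preview_login(claims: dict, member: dict, mapping: dict = None):
    """Return (updated_member, warnings) for one login carrying `claims`.

    `mapping` translates AI Hub claim names to the custom names your IdP sends,
    e.g. {"is_admin": "hub_admin"}; unmapped names fall back to the defaults.
    """
    names = {**DEFAULT_CLAIM_NAMES, **(mapping or {})}
    updated = dict(member)  # never mutate the caller's record
    warnings = []

    email = claims.get(names["email"])
    if email is not None:
        if not isinstance(email, str) or "@" not in email:
            warnings.append(f"email claim is not a valid address: {email!r}")
        else:
            if email != member.get("email"):
                # A changed email is a different login identity: the old account
                # must be migrated manually, it is not merged automatically.
                warnings.append(f"email changed from {member.get('email')!r}: migrate manually")
            updated["email"] = email  # claim values override existing values

    if names["is_admin"] in claims:
        flag = claims[names["is_admin"]]
        if isinstance(flag, bool):
            # true -> admin, false -> member, regardless of any UI assignment
            updated["role"] = "admin" if flag else "member"
        else:
            # Assumption: a non-boolean value (e.g. the string "true") is treated
            # as undefined, so the role is left unchanged and the mismatch reported.
            warnings.append(f"is_admin is not boolean: {flag!r} (role unchanged)")
    # Absent is_admin: role unchanged, so a manual admin grant survives this login.
    return updated, warnings
```

Running it over the ID token claims your IdP actually issues (for example from a test account) shows whether a string-typed is_admin or an unexpected email would silently fail to grant, or unexpectedly revoke, the admin role.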

AI Hub configuration requirements

When adding your SSO configuration in AI Hub, you must provide the client ID, client secret, and discovery URL values from your app registration.

The following table outlines where you can find these values in select IdPs. The accuracy of this table isn’t guaranteed, as external product user interfaces aren’t closely monitored.

IdP: Auth0
Client ID and client secret value: Client ID and client secret. Found under Application > Settings.
Discovery URL value: https://<YOUR-AUTH0-DOMAIN>/.well-known/openid-configuration

IdP: Google Workspace
Client ID and client secret value: Client ID and client secret. Found under Credentials > OAuth 2.0 Client IDs > Your application > Additional information.
Discovery URL value: https://accounts.google.com/.well-known/openid-configuration

IdP: JumpCloud
Client ID and client secret value: Client ID and client secret. Make note of your client ID and client secret when creating your app registration.
Discovery URL value: https://oauth.id.jumpcloud.com/.well-known/openid-configuration

IdP: Microsoft Entra ID
Client ID and client secret value: Application (client) ID and client secret (value). Found under App registration > Overview (application ID) and App registration > Certificates & Secrets (client secret).
Discovery URL value: OpenID Connect Metadata Document. Found under App registration > Overview > Endpoints.

IdP: Okta
Client ID and client secret value: Client ID and client secret. Found under Applications > General > Client Credentials + General Settings.
Discovery URL value: https://<YOUR-OKTA-DOMAIN>/oauth2/default/.well-known/openid-configuration

IdP: OneLogin
Client ID and client secret value: Client ID and client secret. Found under Applications > OIDC > SSO.
Discovery URL value: https://<YOUR-ONELOGIN-DOMAIN>/oidc/2/.well-known/openid-configuration

IdP: PingFederate
Client ID and client secret value: Client ID and client secret. Make note of your client ID and client secret when creating your app registration.
Discovery URL value: https://<YOUR-PINGFEDERATE-DOMAIN>/.well-known/openid-configuration
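Because AI Hub doesn’t validate a saved configuration, it helps to check the discovery URL before you enter it. The following added example (not Instabase code) reads a discovery document and reports whether it meets the IdP requirements listed earlier: the issuer matches the URL the document is served from, the endpoints use HTTPS, the openid, email, and profile scopes are advertised, and the token endpoint accepts client_secret_basic. The idp.example.com documents are constructed samples; in practice you would pass the body fetched from your IdP’s discovery URL.

```python
import json
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "email", "profile"}
REQUIRED_AUTH_METHOD = "client_secret_basic"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed discovery document for a fictional IdP (not a real provider).
DISCOVERY_URL = "https://idp.example.com/.well-known/openid-configuration"
BASE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "scopes_supported": ["openid", "email", "profile"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}
GOOD_DOC = json.dumps(BASE_DOC)
# Same IdP, but with an issuer mismatch, a plain-http endpoint and a token
# endpoint that only accepts client_secret_post: all three must be reported.
BAD_DOC = json.dumps({**BASE_DOC,
                      "issuer": "https://other.example.net",
                      "authorization_endpoint": "http://idp.example.com/authorize",
                      "token_endpoint_auth_methods_supported": ["client_secret_post"]})


def check_discovery(discovery_url: str, body: str) -> list:
    """Return the problems found; an empty list means the document is usable."""
    doc = json.loads(body)
    problems = []
    # OIDC Discovery requires the issuer to equal the URL prefix before /.well-known/
    expected_issuer = discovery_url.split("/.well-known/openid-configuration")[0]
    if doc.get("issuer", "").rstrip("/") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    for key in ENDPOINT_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not https: {doc[key]}")
    # scopes_supported is optional in the spec, so only check it when advertised
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    # When the field is absent the spec default is client_secret_basic
    methods = doc.get("token_endpoint_auth_methods_supported", [REQUIRED_AUTH_METHOD])
    if REQUIRED_AUTH_METHOD not in methods:
        problems.append(f"token endpoint does not accept {REQUIRED_AUTH_METHOD}")
    return problems
```

An issuer that doesn’t match the discovery URL usually means you copied a tenant- or authorization-server-specific URL (such as the Okta /oauth2/default path) incorrectly, and will surface later as failed token validation rather than at save time.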

Adding OIDC configurations

Before you begin

Self-service SSO configuration must be enabled for your organization. Contact Instabase Support to enable it.

  1. In the header, click the initials icon and select Settings.

  2. Select the Security tab.

  3. Click Add configuration > OIDC configuration.

  4. Copy the provided redirect URI, then click Next. In your IdP, add the redirect URI to your app registration.

  5. Add a display name to identify the configuration.

  6. Select your identity provider.

  7. Enter the client ID, client secret, and discovery URL.

  8. (Optional) Configure claim mappings.

  9. Click Save.

You can now test your configuration.

Testing OIDC configurations

Your configuration isn’t validated when you save it, so you must test it. At minimum, test with your own account; optionally, ask other organization members to confirm that they can sign in using SSO.

Don’t turn off the Allow sign-in with email and password toggle until you’ve successfully tested your configuration. When the toggle is disabled, SSO is enforced, and if your SSO configuration doesn’t work, you can’t log back in and must contact Instabase Support for help.

  1. Log out of your AI Hub account.

  2. Log back in to AI Hub, and, when presented with sign-in options, click Continue with SSO.

  3. Complete sign in with your identity provider.

If you encounter any issues, review all configuration settings.

After successfully testing your configuration, you can optionally turn off the Allow sign-in with email and password toggle to enforce SSO for all organization members.

What's next

Members must be added to your organization before they can sign in using SSO. Members can’t sign up for AI Hub using SSO and access your organization.

Updating OIDC configurations

Select configuration changes are supported.

Before making any changes, ensure the Allow sign-in with email and password toggle is turned on. If your configuration changes introduce access issues, you can still sign in with email and password credentials.

  1. In the header, click the initials icon and select Settings.

  2. Select the Security tab.

  3. In the configurations list, hover over the configuration, then click the edit icon (pencil icon).

  4. Make any changes, then click Save.

  5. Test your updated configuration.

Disabling and deleting OIDC configurations

You can disable or delete your configuration. Disabling a configuration removes it as a supported sign-in option, but the configuration is preserved and can later be re-enabled.

  1. In the header, click the initials icon and select Settings.

  2. Select the Security tab.

  3. In the configurations list, hover over the configuration, then click the overflow icon (three stacked vertical dots).

  4. Select Disable configuration or Delete.

  5. Click Disable or Delete to confirm.