Configuring SAML SSO for multi-tenant AI Hub

Enterprise

Multi-tenant AI Hub customers can use Security Assertion Markup Language (SAML)-based authentication to manage AI Hub access. Configuring SAML-based single sign-on (SSO) allows members to authenticate using your organization’s existing identity provider (IdP) without requiring separate AI Hub passwords. Organization members must be added to your organization before they can sign in using SSO.

AI Hub supports IdPs that use SAML 2.0. You can add multiple SSO configurations for your organization, including both SAML and OpenID Connect (OIDC) configurations. Admins can add and manage SSO configurations.

Configuration overview

Adding an SSO configuration has two parts: creating an app registration in your IdP using details that AI Hub provides, and adding information from your IdP to the configuration in AI Hub.

IdP configuration requirements

When creating your app registration, you must supply required values for the service provider entity ID, application label, and assertion consumer service (ACS) URL.

For each required value, the following list gives the names of the corresponding fields in select IdPs. The accuracy of the IdP field names isn’t guaranteed, as external product user interfaces aren’t closely monitored.

Service provider entity ID

Where to find in AI Hub: Provided on the first screen of the Add SAML configuration dialog. Copy it exactly, including the scheme and any trailing slash: the IdP echoes this value back as the audience of each assertion, and the audience must match what AI Hub expects.

Corresponding IdP field: The service provider entity ID value is set in the following IdP fields:

• AD FS — Relying Party Trust Identifier

• Auth0 — The audience attribute within the SAML assertion. When using Auth0 as your IdP, the SP entity ID value in AI Hub corresponds to the audience attribute in the SAML assertion. By default the audience value is the same as the Auth0 issuer. You must edit the audience value to match your AI Hub base URL (or whatever value you’re using as the SP entity ID). See the Auth0 customize SAML assertions documentation for details.

• JumpCloud — Audience/Entity ID

• Microsoft Entra ID — Identifier (Entity ID)

• Okta — Audience URI (SP Entity ID)/Audience Restriction

• OneLogin — Audience (EntityID)

• PingFederate — Partner’s Entity ID (Connection ID)

Application label

Where to find in AI Hub: Provided on the first screen of the Add SAML configuration dialog.

Corresponding IdP field: The application label value is set in the following IdP fields:

• AD FS — Display name

• Auth0 — Name (Application name)

• JumpCloud — Display label

• Microsoft Entra ID — Application name

• Okta — Application label

• OneLogin — Display name

• PingFederate — Connection name

Assertion consumer service (ACS) URL

Where to find in AI Hub: Provided on the last screen of the Add SAML configuration dialog. Also accessible after adding a configuration from the configurations list: click the overflow icon (three stacked vertical dots) > Show ACS URL. This is the endpoint your IdP posts responses to, so it must be an exact match as well.

Corresponding IdP field: The ACS URL value is set in the following IdP fields:

• AD FS — Relying Party SAML 2.0 SSO service URL

• Auth0 — Application Callback URL

• JumpCloud — ACS URLs

• Microsoft Entra ID — Reply URL (Assertion Consumer Service URL)

• Okta — Single Sign On URL

• OneLogin — ACS (Consumer) URL

• PingFederate — Assertion Consumer Service URL

Attribute configuration and mapping

Beyond these technical requirements, you can configure your IdP to send user information via attributes to automatically populate member profiles and manage select permissions in AI Hub.

If attributes are passed using the default attribute names listed below, their values automatically populate member profiles. To use custom attribute names, map them to the corresponding attribute during configuration. Attribute values override any existing values in AI Hub.

Attribute: first_name
Description: Populates the member’s first name.
Expected format: String value

Attribute: last_name
Description: Populates the member’s last or family name.
Expected format: String value

Attribute: groups
Description: Defines the groups of which the user is a member. Use group mappings to map IdP-defined groups to AI Hub groups and manage group membership at the IdP level.
Expected format: Comma-delimited list of group name strings, such as team1, team2. A comma is the default delimiter for listing multiple groups. If using a different character, define it under Advanced settings > Groups delimiter.
Notes: Each AI Hub group can map to at most one IdP-defined group. However, the same IdP-defined group can be mapped to multiple AI Hub groups. Upstream changes in your IdP take effect with the member’s next AI Hub login. For example, if a member is removed from a group in your IdP, that change syncs upon next login and the member is removed from the mapped AI Hub group.

Attribute: email
Description: Defines the user’s login email. The email value must be unique among all users.
Expected format: Valid email address string
Notes: If a user’s email address changes, their AI Hub account from the previous address must be manually migrated to the new address.

Attribute: is_admin
Description: Assigns the member the organization role of admin.
Expected format: Boolean value (true or false)
Notes: When set to true, the member’s organization role is set to admin upon next login. When set to false, the organization role is set to member. If absent or undefined, the member’s organization role isn’t changed. The is_admin value takes precedence over any changes made using the AI Hub interface. You can still manually assign the admin role to a member, but their role resets on next login based on the is_admin value. Admins have wide-ranging permissions and access, so minimize the number of admins, and restrict who can edit the IdP rule that sets is_admin: whoever controls that attribute controls admin access to AI Hub.
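The following Python script applies the attribute semantics above to a single login. It is an added example, not Instabase’s or AI Hub’s own code: it maps a custom IdP attribute name onto an AI Hub attribute, splits the groups value on a configured delimiter, resolves AI Hub groups through a many-to-one group mapping, treats is_admin as true, false or unchanged, and refuses an email that isn’t already a member. It assumes a SAML library has already verified the assertion and returned its attributes as a dict of name to list of strings; the Member record, the directory, the memberOf attribute name and the group names are constructed for the example.

```python
"""Apply AI Hub's documented SSO attribute semantics to one SAML login.

Added example, not Instabase's or AI Hub's code. Assumes a SAML library has
already verified the assertion and returned its attributes as
{name: [values]} (the shape python3-saml's get_attributes() returns). The
Member record, directory, "memberOf" attribute name and group names are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Member:
    email: str
    first_name: str = ""
    last_name: str = ""
    is_admin: bool = False
    groups: Set[str] = field(default_factory=set)


# IdP attribute name -> AI Hub attribute. Names matching the AI Hub defaults
# need no mapping; "memberOf" (assumed custom IdP name) maps onto "groups".
ATTRIBUTE_MAP = {
    "first_name": "first_name",
    "last_name": "last_name",
    "email": "email",
    "is_admin": "is_admin",
    "memberOf": "groups",
}

# AI Hub group -> IdP group. Each AI Hub group maps to at most one IdP group;
# the same IdP group may back several AI Hub groups (team1 does here).
GROUP_MAP = {
    "Underwriters": "team1",
    "Reviewers": "team1",
    "Platform Admins": "platform-admins",
}


def parse_is_admin(values: Optional[List[str]]) -> Optional[bool]:
    """true -> admin, false -> member, absent or unrecognised -> leave unchanged."""
    if not values:
        return None
    value = values[0].strip().lower()
    if value == "true":
        return True
    if value == "false":
        return False
    return None


def parse_groups(values: List[str], delimiter: str = ",") -> Set[str]:
    """Split each attribute value on the configured Groups delimiter."""
    return {part.strip() for raw in values for part in raw.split(delimiter) if part.strip()}


def map_groups(idp_groups: Set[str]) -> Set[str]:
    """AI Hub groups whose mapped IdP group appears in the assertion."""
    return {hub for hub, idp in GROUP_MAP.items() if idp in idp_groups}


def sso_login(directory: Dict[str, Member], attributes: Dict[str, List[str]],
              groups_delimiter: str = ",") -> Member:
    """Apply one login's attributes to the matching organization member."""
    mapped: Dict[str, List[str]] = {}
    for idp_name, values in attributes.items():
        target = ATTRIBUTE_MAP.get(idp_name)
        if target:
            mapped[target] = values

    # Members must already exist in the org: SSO never provisions new accounts.
    email = (mapped.get("email") or [""])[0].strip()
    member = directory.get(email)
    if member is None:
        raise PermissionError(f"{email!r} is not a member of this organization")

    # Profile attributes override whatever AI Hub currently holds.
    if mapped.get("first_name"):
        member.first_name = mapped["first_name"][0]
    if mapped.get("last_name"):
        member.last_name = mapped["last_name"][0]

    # is_admin wins over UI changes on every login; absence leaves the role alone.
    admin = parse_is_admin(mapped.get("is_admin"))
    if admin is not None:
        member.is_admin = admin

    # Group membership is recomputed from the IdP each login, so removal in the
    # IdP drops the member from every AI Hub group mapped to that IdP group.
    # (Leaving groups untouched when the attribute is absent is this example's choice.)
    if "groups" in mapped:
        member.groups = map_groups(parse_groups(mapped["groups"], groups_delimiter))
    return member


if __name__ == "__main__":
    directory = {"ana@example.com": Member(email="ana@example.com")}
    print(sso_login(directory, {
        "email": ["ana@example.com"],
        "first_name": ["Ana"],
        "last_name": ["Ruiz"],
        "memberOf": ["team1; platform-admins"],  # ';' set as the Groups delimiter
        "is_admin": ["TRUE"],
    }, groups_delimiter=";"))
```

Run it as-is to see one login applied; the second and third calls in a real flow would show a group removed in the IdP disappearing on the next login, and an is_admin of false demoting a member regardless of what was set in the AI Hub interface.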

AI Hub configuration requirements

When adding your SSO configuration in AI Hub, you must provide the IdP metadata XML from your app registration. You can upload the XML file, paste its contents, or provide the remote access value (the metadata URL). If uploading or pasting the XML, use the local access value to view or download the XML document. The metadata carries your IdP’s entity ID, its single sign-on endpoint, and the certificate used to verify assertion signatures, so treat it as a trust anchor: take it only from your IdP’s admin console or its HTTPS metadata URL, and update the configuration when your IdP rotates its signing certificate.

The following list outlines where you can find the local or remote access value for the metadata XML in select IdPs. The accuracy of this information isn’t guaranteed, as external product user interfaces aren’t closely monitored.

AD FS

Local access value: Download the federation metadata as an XML file from the federation metadata URL. Typically found at AD FS > Service > Endpoints > Metadata URL path. For example: {Your host name}/FederationMetadata/2007-06/FederationMetadata.xml.

Auth0

Local access value: Download the Identity Provider metadata file. Found on the application details page under Addons > SAML 2 Web App > Usage.

Remote access value: Share the SAML metadata URL link. Found on the application details page under Advanced Settings > Endpoints.

Microsoft Entra ID

Local access value: Download the Federation metadata XML file. Found on the application’s Single sign-on page.

Remote access value: Share the App Federation Metadata Url link. Found on the application’s Single sign-on page.

Okta

Local access value: Download the Identity Provider metadata file. Found on the application details page under Sign on > Settings.

Remote access value: Share the Identity Provider metadata link. Found on the application details page under Sign on > Settings.

PingFederate

Local access value: Download the metadata as an Identity Provider from the Metadata Export tab.

JumpCloud

Local access value: Download by clicking Export Metadata. Found on the application details page under SSO.

Remote access value: Click Copy Metadata URL. Found on the application details page under SSO.

OneLogin

Local access value: Download the SAML Metadata file. Found at Applications > SSO > More Actions > SAML Metadata.
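Before pasting or uploading metadata, it helps to see what an SP such as AI Hub will read from it. The following Python script is an added example, not Instabase’s or AI Hub’s code: it parses IdP metadata, reports the entity ID, single sign-on endpoints, signing-certificate fingerprints, the WantAuthnRequestsSigned flag and the expiry, and flags a missing signing certificate, a non-HTTPS endpoint or expired metadata. The metadata document, URLs and certificate body (placeholder base64, not a real certificate) are constructed for the example.

```python
"""Inspect IdP metadata XML before adding it to an AI Hub SAML configuration.

Added example, not Instabase's or AI Hub's code. The metadata document,
URLs and certificate body (placeholder base64, not a real certificate) are
constructed; the function name is this example's own.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def inspect_idp_metadata(xml_text: str, now: Optional[datetime] = None) -> Dict:
    """Return what an SP takes from the metadata, plus a list of findings."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor (wrong file, or an error page?)")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}

    # KeyDescriptor use="signing" (or no use attribute) carries the certificate
    # that verifies assertion signatures: the trust anchor of the whole setup.
    signing_cert_sha256: List[str] = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            signing_cert_sha256.append(hashlib.sha256(der).hexdigest())

    findings: List[str] = []
    if not signing_cert_sha256:
        findings.append("no signing certificate: assertion signatures cannot be verified")
    if not (sso.get(HTTP_REDIRECT) or sso.get(HTTP_POST)):
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, location in sso.items():
        if not (location or "").startswith("https://"):
            findings.append(f"SSO endpoint for {binding} is not https: {location}")

    expires = None
    valid_until = root.get("validUntil") or idp.get("validUntil")
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= now:
            findings.append(f"metadata expired at {valid_until}")

    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": sso,
        # True means the IdP expects AI Hub's "Authentication requests signed".
        "wants_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        # Compare these against the certificate shown in the IdP console.
        "signing_cert_sha256": signing_cert_sha256,
        "valid_until": expires,
        "findings": findings,
    }


# Constructed metadata; the X509Certificate body is placeholder base64.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml" validUntil="2035-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>cGxhY2Vob2xkZXIgY2VydGlmaWNhdGUgYnl0ZXM=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

If the IdP advertises WantAuthnRequestsSigned="true", select Authentication requests signed in the Advanced settings when you add the configuration; if the metadata has no signing certificate, stop and fix the app registration before continuing.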

Adding SAML configurations

Before you begin

Self-service SSO configuration must be enabled for your organization. If it isn’t, contact Instabase Support to enable it.

  1. In the header, click the initials icon and select Settings.

  2. Select the Security tab.

  3. Click Add configuration > SAML configuration.

  4. Copy the provided application label and service provider entity ID values, then click Next. In your IdP, add the values to your app registration.

  5. Add a display name to identify the configuration.

  6. Select your identity provider.

  7. Select a configuration method for how you’re providing the metadata XML.

    • Remote metadata URL — Provide the remote access URL.

    • Metadata XML file — Upload the .xml file.

    • Metadata XML — Paste the metadata XML directly.

  8. (Optional) Configure attribute mappings.

  9. (Optional) Expand Advanced settings to configure advanced security settings.

    • Response signed — Requires the entire SAML response message to be digitally signed by the identity provider. This protects the integrity of the complete response structure containing the assertion, including Response-level attributes such as Destination and InResponseTo that an assertion signature alone doesn’t cover. Defaults to not required (not selected); select it if your IdP can sign responses.

    • Assertion signed — Requires the SAML assertion within the response to be digitally signed by the identity provider. Signed assertions are the baseline integrity protection in SAML 2.0 web browser SSO (the profile requires them when assertions are delivered over the HTTP POST binding). Defaults to required (selected); leave it selected.

    • Authentication requests signed — Requires authentication requests sent from AI Hub to the identity provider to be digitally signed. This prevents tampering with authentication requests and ensures request integrity. Defaults to not required (not selected).

    • Logout requests signed — Requires SAML logout requests to be digitally signed when users sign out. This ensures the integrity of logout operations between AI Hub and the identity provider. Defaults to required (selected).

    • Allow unsolicited — Allows the identity provider to initiate authentication flows without a prior request from AI Hub. When enabled, users can start the login process directly from the IdP (IdP-initiated SSO) rather than from AI Hub. Unsolicited responses carry no InResponseTo value that AI Hub can match to a request it sent, so they are more exposed to replayed or injected responses than SP-initiated flows; if your users always start from AI Hub, clear this setting. Defaults to enabled (selected).

  10. Click Save.

  11. Copy the provided ACS URL, then click Close. In your IdP, add the ACS URL to your app registration, and save your changes.

You can now test your configuration.
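To make the Advanced settings in step 9 concrete, the following Python script, an added example rather than Instabase’s or AI Hub’s code, checks a SAML response against a policy with the same three switches (Response signed, Assertion signed, Allow unsolicited) and also checks that the Destination matches the ACS URL and that the assertion’s Audience matches the SP entity ID from the steps above. It checks only the presence and placement of ds:Signature elements and the request and audience bindings; cryptographic verification of the signatures against the IdP certificate is the SAML library’s job and is not done here. The response, URLs, IDs and Signature bodies are constructed placeholders.

```python
"""Check signature placement and request/audience binding of a SAML Response,
mirroring AI Hub's Advanced settings (Response signed, Assertion signed, Allow
unsolicited) plus the SP entity ID and ACS URL values.

Added example, not Instabase's or AI Hub's code. It checks only the presence
and placement of ds:Signature elements and the bindings; cryptographic
verification against the IdP certificate is left to the SAML library. The
response, URLs, IDs and Signature bodies are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Set

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass(frozen=True)
class SamlPolicy:
    sp_entity_id: str
    acs_url: str
    response_signed: bool = False   # AI Hub default: not required
    assertion_signed: bool = True   # AI Hub default: required
    allow_unsolicited: bool = True  # AI Hub default: enabled


def has_enveloped_signature(element: ET.Element) -> bool:
    """An enveloped XML signature is a direct child of the element it covers."""
    return element.find("ds:Signature", NS) is not None


def check_response(xml_text: str, policy: SamlPolicy,
                   outstanding_request_ids: Set[str]) -> List[str]:
    """Return policy violations for one SAML Response; an empty list means accept."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a samlp:Response"]
    violations: List[str] = []

    # Destination lives on the Response element: only a Response signature covers it.
    if root.get("Destination") != policy.acs_url:
        violations.append(f"Destination {root.get('Destination')!r} is not the ACS URL")

    # IdP-initiated (unsolicited) responses carry no InResponseTo to correlate.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not policy.allow_unsolicited:
            violations.append("unsolicited response rejected (Allow unsolicited is off)")
    elif in_response_to not in outstanding_request_ids:
        violations.append(f"InResponseTo {in_response_to!r} matches no request we sent")

    if policy.response_signed and not has_enveloped_signature(root):
        violations.append("Response is not signed (Response signed is required)")

    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        violations.append("no saml:Assertion (encrypted assertions are not handled here)")
    for assertion in assertions:
        if policy.assertion_signed and not has_enveloped_signature(assertion):
            violations.append("Assertion is not signed (Assertion signed is required)")
        # The IdP echoes the SP entity ID back as the Audience; it must match exactly.
        audiences = {a.text.strip() for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text}
        if policy.sp_entity_id not in audiences:
            violations.append(f"Audience {sorted(audiences)} lacks the SP entity ID")
    return violations


# Placeholder signature element: right place in the tree, no real signature value.
SIGNATURE = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
             '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>')

# Constructed SP-initiated response with a signed assertion and an unsigned Response.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    InResponseTo="_req1" Destination="https://aihub.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    {SIGNATURE}
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://aihub.example.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

DEFAULT_POLICY = SamlPolicy("https://aihub.example.com", "https://aihub.example.com/saml/acs")
STRICT_POLICY = SamlPolicy("https://aihub.example.com", "https://aihub.example.com/saml/acs",
                           response_signed=True, allow_unsolicited=False)


def make_unsolicited(xml_text: str) -> str:
    """Drop InResponseTo to model an IdP-initiated response."""
    return xml_text.replace(' InResponseTo="_req1"', "")


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, DEFAULT_POLICY, {"_req1"}))
    print(check_response(make_unsolicited(SAMPLE_RESPONSE), STRICT_POLICY, set()))
```

With the default policy the sample response is accepted; with the strict policy (Response signed required, Allow unsolicited off) the same response is rejected for its unsigned Response, and the unsolicited variant is rejected a second time for lacking InResponseTo. That is the difference the two Advanced settings make.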

Testing SAML configurations

AI Hub doesn’t validate your configuration when you save it, so you must test it. At minimum, test with your own account, and optionally engage other organization members to confirm that they can sign in using SSO.

Don’t turn off the Allow sign-in with email and password toggle until you’ve successfully tested your configuration. When disabled, SSO is enforced. If your SSO configuration doesn’t work, you can’t log back in and must contact Instabase Support for help.

  1. Log out of your AI Hub account.

  2. Log back in to AI Hub, and, when presented with sign-in options, click Continue with SSO.

  3. Complete sign in with your identity provider.

If you encounter any issues, review all configuration settings.

After successfully testing your configuration, you can optionally turn off the Allow sign-in with email and password toggle to enforce SSO for all organization members.

What's next

Members must be added to your organization before they can sign in using SSO. Members can’t sign up for AI Hub using SSO and access your organization.

Updating SAML configurations

Select configuration changes are supported.

Before making any changes, ensure the Allow sign-in with email and password toggle is turned on. If your configuration changes introduce access issues, you can still sign in with email and password credentials.

  1. In the header, click the initials icon and select Settings.

  2. Select the Security tab.

  3. In the configurations list, hover over the configuration, then click the edit icon (pencil).

  4. Make any changes, then click Save.

  5. Test your updated configuration.

Disabling and deleting SAML configurations

You can disable or delete your configuration. Disabling a configuration removes it as a supported sign-in option, but the configuration is preserved and can later be re-enabled.

  1. In the header, click the initials icon and select Settings.

  2. Select the Security tab.

  3. In the configurations list, hover over the configuration, then click the overflow icon (three stacked vertical dots).

  4. Select Disable configuration or Delete.

  5. Click Disable or Delete to confirm.