Configuring SAML-based SSO

Enterprise

Single-tenant AI Hub environments can use security assertion markup language (SAML)-based authentication to manage AI Hub access. Using SAML-based single sign-on (SSO) lets you leverage your organization’s existing SSO identity provider (IdP) to automatically create new AI Hub user accounts upon initial login.

Single tenant AI Hub uses service provider-initiated SSO authentication and supports IdPs that use SAML 2.0. Supported IdPs include:

  • Active Directory Federation Services (AD FS)

  • Auth0

  • JumpCloud

  • Microsoft Entra ID

  • Okta

  • OneLogin

  • PingFederate

Customer requirements

Enabling SSO for your single tenant AI Hub environment involves working closely with your AI Hub support team. Your support team performs the configuration steps on the AI Hub side, but it’s your responsibility to review this documentation and ensure the following customer requirements are met:

  • You’ve created an app registration in your IdP according to the IdP configuration requirements. As part of this requirement, ensure that:

    • You’ve followed the app registration requirements and can provide the SP entity ID, SP name, and ACS URL values used in your app registration.

    • You’ve met the attribute mapping requirements and all user accounts have an email address set under the email attribute.

    • You’ve reviewed optional attributes. If intending to use SAML group mapping, you’ve included a groups attribute. If intending to define organization admins at the IdP level, you’ve included an is_admin attribute.

  • You can provide the IdP metadata XML for your app registration, either as a file or metadata-server endpoint.

IdP configuration requirements

The SSO integration flow begins with registering your single tenant AI Hub environment as a service provider in your IdP. When creating your app registration, there are requirements that must be met, including required values and attribute mappings.

The term app registration refers to registering your single tenant AI Hub environment as a service provider in your IdP. The same concept has a different name in various IdPs, such as an application, a relying party trust, an app integration, an SP connection, and so on.

App registration requirements

When creating your app registration, there are suggested and required values for some fields, such as the redirect URL after a user authenticates. The table outlines any required or suggested values, and the name of the corresponding field in select IdPs.

The accuracy of the Corresponding IdP field column is not guaranteed as external product UIs are not closely monitored.
FieldValueCorresponding IdP field
SP entity IDThe suggested value is your AI Hub base URL, such as https://customer.aihub.com.The SP entity ID value is set in the following IdP fields:

- AD FS: Relying Party Trust Identifier

- Auth0: The audience attribute within the SAML assertion
When using Auth0 as your IdP, the SP entity ID value in AI Hub corresponds to the audience attribute in the SAML assertion. By default the audience value is the same as the Auth0 issuer. You must edit the audience value to match your AI Hub base URL (or whatever value you’re using as the SP entity ID). See the Auth0 customize SAML assertions documentation for details.
- JumpCloud: Audience/Entity ID

- Microsoft Entra ID: Identifier (Entity ID)

- Okta: Audience URI (SP Entity ID)/Audience Restriction

- OneLogin: Audience (EntityID)

- PingFederate: Partner’s Entity ID (Connection ID)
SP nameThe suggested value is AIHubSP, though any alphanumeric value is supported.The SP name value is set in the following IdP fields:

- AD FS: Display name

- Auth0: Name (Application name)

- JumpCloud: Display label

- Microsoft Entra ID: Application name

- Okta: Application label

- OneLogin: Display name

- PingFederate: Connection name
Assertion consumer service (ACS) URLThe required value is https://{YOUR-AI-HUB-BASE-URL}/account/sso/saml2.
For example, https://customer.aihub.com/account/sso/saml2.
The ACS URL value is set in the following IdP fields:

- AD FS: Relying Party SAML 2.0 SSO service URL

- Auth0: Application Callback URL

- JumpCloud: ACS URLs

- Microsoft Entra ID: Reply URL (Assertion Consumer Service URL)

- Okta: Single Sign On URL

- OneLogin: ACS (Consumer) URL

- PingFederate: Assertion Consumer Service URL

Attribute requirements

Your app registration can include the following attributes (also called claims), with the attribute’s name exactly matching. For example, the attribute email can’t be substituted with a similar attribute, such as emailAddress.

AI Hub supports mapping group membership between SAML groups and AI Hub groups. If using mapping, you must include a groups attribute. When your environment is available, see Managing groups for details on creating mappings.

When configuring claims in Microsoft Entra ID, do not define a Namespace value for the claim.
Attribute nameRequiredDescriptionSample valid valuesNotes
emailRequiredA unique email address that maps to the user’s corporate email address. The email value must be unique among all users.jane.doe@company.com, john_doe@company.co.ukIf a user’s email address changes, their AI Hub account from the previous address must be manually migrated to the new address.
groupsOptionalA group ID defined in the IdP.The group ID as defined in the IdP.Each AI Hub group can map to at most one IdP-defined group. However, the same IdP-defined group can be mapped to multiple AI Hub groups.

Upstream changes in your IdP aren’t immediately applied and instead take effect with the member’s next AI Hub login. For example, if a member is removed from a SAML group in your IdP, upon next login that change of status syncs and the member is removed from the mapped AI Hub group.
is_adminOptionalA Boolean value defining the user as an admin, typically set in the user profile.true, false

If set to true, the member is assigned the AI Hub Admin role upon next login. If set to false, the organization-level role is set to Member. If absent or undefined, the member’s organization-level role isn’t changed.
The is_admin attribute value takes precedence over any changes made using the AI Hub interface. You can still manually assign the Admin role to a member, but their role resets on next login based on the is_admin value.

Because organization admins have such wide-ranging permissions, minimize the number of admins. You can use workspace-level and group-level roles to grant more limited administrative permissions.

IdP metadata XML requirements

To complete the SSO configuration on the AI Hub side, AI Hub support requires the IdP metadata XML for your app registration. AI Hub supports two methods of referencing the IdP metadata XML:

  • Local: Referencing a static metadata.xml file. This file is stored as a Kubernetes secret.

  • Remote: Referencing a metadata-server endpoint where the XML file is hosted on the SAML provider metadata server.

This table outlines where you can find the local or remote access value in select IdPs.

The accuracy of this table is not guaranteed as external product UIs are not closely monitored.
IdPLocal access valueRemote access value
AD FSDownload the federation metadata as an XML file from the federation metadata URL.

Typically found at AD FS > Service > Endpoints > Metadata URL path. For example: {Your host name}/FederationMetadata/2007-06/FederationMetadata.xml.
Auth0Download the Identity Provider metadata file.

Found on the application details page under Addons > SAML 2 Web App > Usage.
Share the SAML metadata URL link.

Found on the application details page under Advanced Settings > Endpoints.
Microsoft Entra IDDownload the Federation metadata XML file.

Found on the application’s Single sign-on page.
Share the App Federation Metadata Url link.

Found on the application’s Single sign-on page.
OktaDownload the Identity Provider metadata file.

Found on the application details page under Sign on > Settings.
Share the Identity Provider metadata link.

Found on the application details page under Sign on > Settings.
PingFederateDownload the metadata as an Identity Provider from the Metadata Export tab.
JumpCloudDownload with the Export Metadata button.

Found on the application details page under SSO.
Click Copy Metadata URL.

Found on the application details page under SSO.
OneLoginDownload the SAML Metadata file.

Found at Applications > SSO > More Actions > SAML Metadata.
Was this page helpful?