Configuring SAML-based SSO

Enterprise

Single tenant AI Hub environments can use security assertion markup language (SAML)-based authentication to manage AI Hub access. Using SAML-based single sign-on (SSO) lets you leverage your organization’s existing SSO identity provider (IdP) to automatically create new AI Hub user accounts upon initial login.

Single tenant AI Hub uses service provider-initiated SSO authentication and supports IdPs that use SAML 2.0. Supported IdPs include:

Active Directory Federation Services (AD FS)
Auth0
JumpCloud
Microsoft Entra ID
Okta
OneLogin
PingFederate

Customer requirements

Enabling SSO for your single tenant AI Hub environment involves working closely with your AI Hub support team. Your support team performs the configuration steps on the AI Hub side, but it’s your responsibility to review this documentation and ensure the following customer requirements are met:

You’ve created an app registration in your IdP according to the IdP configuration requirements. As part of this requirement, ensure that:
- You’ve followed the app registration requirements and can provide the SP entity ID, SP name, and ACS URL values used in your app registration.
- You’ve met the attribute mapping requirements and all user accounts have an email address set under the email attribute.
You can provide the IdP metadata XML for your app registration, either as a file or metadata-server endpoint.

IdP configuration requirements

The SSO integration flow begins with registering your single tenant AI Hub environment as a service provider in your IdP. When creating your app registration, there are requirements that must be met, including required values and attribute mappings.

The term app registration refers to registering your single tenant AI Hub environment as a service provider in your IdP. The same concept has a different name in various IdPs, such as an application, a relying party trust, an app integration, an SP connection, and so on.

App registration requirements

When creating your app registration, there are suggested and required values for some fields, such as the redirect URL after a user authenticates. The table outlines any required or suggested values, and the name of the corresponding field in select IdPs.

The accuracy of the Corresponding IdP field column is not guaranteed as external product UIs are not closely monitored.

Field	Value	Corresponding IdP field
SP entity ID	The suggested value is your AI Hub base URL, such as `https://customer.aihub.com`.	The SP entity ID value is set in the following IdP fields: - AD FS: Relying Party Trust Identifier - Auth0: The `audience` attribute within the SAML assertion When using Auth0 as your IdP, the SP entity ID value in AI Hub corresponds to the `audience` attribute in the SAML assertion. By default the `audience` value is the same as the Auth0 `issuer`. You must edit the `audience` value to match your AI Hub base URL (or whatever value you’re using as the SP entity ID). See the Auth0 customize SAML assertions documentation for details. - JumpCloud: Audience/Entity ID - Microsoft Entra ID: Identifier (Entity ID) - Okta: Audience URI (SP Entity ID)/Audience Restriction - OneLogin: Audience (EntityID) - PingFederate: Partner’s Entity ID (Connection ID)
SP name	The suggested value is `AIHubSP`, though any alphanumeric value is supported.	The SP name value is set in the following IdP fields: - AD FS: Display name - Auth0: Name (Application name) - JumpCloud: Display label - Microsoft Entra ID: Application name - Okta: Application label - OneLogin: Display name - PingFederate: Connection name
Assertion consumer service (ACS) URL	The required value is `https://{YOUR-AI-HUB-BASE-URL}/account/sso/saml2`. For example, `https://customer.aihub.com/account/sso/saml2`.	The ACS URL value is set in the following IdP fields: - AD FS: Relying Party SAML 2.0 SSO service URL - Auth0: Application Callback URL - JumpCloud: ACS URLs - Microsoft Entra ID: Reply URL (Assertion Consumer Service URL) - Okta: Single Sign On URL - OneLogin: ACS (Consumer) URL - PingFederate: Assertion Consumer Service URL

Attribute requirements

Your app registration must include the following attributes (also called claims), with the attribute’s name exactly matching. For example, the attribute email can’t be substituted with a similar attribute, such as emailAddress.

- AI Hub doesn’t support user groups, so group attribute mapping isn’t required.
- When configuring claims in Microsoft Entra ID, do not define a Namespace value for the claim.

Attribute name	Description	Sample valid values	Notes
email	A unique email address that maps to the user’s corporate email address. The `email` value must be unique among all users.	`jane.doe@company.com`, `john_doe@company.co.uk`	If a user’s email address changes, their AI Hub account from the previous address must be manually migrated to the new address.

IdP metadata XML requirements

To complete the SSO configuration on the AI Hub side, AI Hub support requires the IdP metadata XML for your app registration. AI Hub supports two methods of referencing the IdP metadata XML:

Local: Referencing a static metadata.xml file. This file is stored as a Kubernetes secret.
Remote: Referencing a metadata-server endpoint where the XML file is hosted on the SAML provider metadata server.

This table outlines where you can find the local or remote access value in select IdPs.

The accuracy of this table is not guaranteed as external product UIs are not closely monitored.

IdP	Local access value	Remote access value
AD FS	Download the federation metadata as an XML file from the federation metadata URL. Typically found at AD FS > Service > Endpoints > Metadata URL path. For example: `{Your host name}/FederationMetadata/2007-06/FederationMetadata.xml`.
Auth0	Download the Identity Provider metadata file. Found on the application details page under Addons > SAML 2 Web App > Usage.	Share the SAML metadata URL link. Found on the application details page under Advanced Settings > Endpoints.
Microsoft Entra ID	Download the Federation metadata XML file. Found on the application’s Single sign-on page.	Share the App Federation Metadata Url link. Found on the application’s Single sign-on page.
Okta	Download the Identity Provider metadata file. Found on the application details page under Sign on > Settings.	Share the Identity Provider metadata link. Found on the application details page under Sign on > Settings.
PingFederate	Download the metadata as an Identity Provider from the Metadata Export tab.
JumpCloud	Download with the Export Metadata button. Found on the application details page under SSO.	Click Copy Metadata URL. Found on the application details page under SSO.
OneLogin	Download the SAML Metadata file. Found at Applications > SSO > More Actions > SAML Metadata.