
Settings

Single Sign-On

The Single Sign-On subtab is used to configure Single Sign-On (SSO) for your tenant. Once it is set up successfully, users of type SSO can log in to AI Studio.



We support the following Identity Providers (IDPs):

  • Okta
  • Azure AD
  • Keycloak
  • Auth0
  • OneLogin
  • miniOrange

Import
We have provided an option to import the SSO settings from the OpenID Provider Configuration Document. This document is available in JSON format at the {Issuer}/.well-known/openid-configuration endpoint.

  • Click the Import option in the top right corner.
  • Paste the JSON contents copied from the OpenID Provider Configuration Document.
  • Click Import. Once the JSON is imported, the Configure dialog opens and most of the fields are auto-filled. You will need to add the remaining values, such as Client ID, Client Secret and Redirect URL, manually.
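To make the import step concrete, here is an added example (not code from AI Studio or its documentation) that parses a constructed OpenID Provider Configuration Document, maps its keys onto the fields of the Configure Single Sign-On dialog, reports which fields still have to be typed by hand, and then goes one step beyond the import to show how the imported Authorization Endpoint and the Verify PKCE option described under Configure are used for the first redirect of a login. The issuer https://idp.example.com, the client id and the redirect URL are hypothetical values. The example also checks that the issuer inside the document matches the one the administrator entered and that every endpoint is https, since a document from a different issuer or a plain-http endpoint should never be imported.

```python
import base64
import hashlib
import json
import secrets
from typing import Optional
from urllib.parse import urlencode

# Constructed sample of an OpenID Provider Configuration Document, standing in for
# what {Issuer}/.well-known/openid-configuration would return (hypothetical issuer).
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "end_session_endpoint": "https://idp.example.com/oauth2/logout",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "scopes_supported": ["openid", "profile", "email"],
    "code_challenge_methods_supported": ["S256"],
})

# Discovery document keys -> fields of the Configure Single Sign-On dialog they fill.
FIELD_MAP = {
    "issuer": "Issuer",
    "authorization_endpoint": "Authorization Endpoint",
    "token_endpoint": "Token Endpoint",
    "userinfo_endpoint": "User Info Endpoint",
    "end_session_endpoint": "End Session Endpoint/Logout URL",
    "jwks_uri": "JSON Web Key Set URL",
}

# Fields the import cannot fill; they come from the app registration at the IDP.
MANUAL_FIELDS = ("Client ID", "Client Secret", "Redirect URL", "Scope")


def import_discovery(expected_issuer: str, document_json: str) -> dict:
    """Parse the discovery JSON and return the auto-filled dialog fields.

    Rejects a document whose issuer differs from the one the administrator typed
    (the JSON then describes some other provider) and any non-https endpoint.
    """
    doc = json.loads(document_json)
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch: expected {expected_issuer}, got {issuer}")
    fields = {}
    for key, label in FIELD_MAP.items():
        url = doc.get(key)
        if url is None:
            continue  # optional endpoints (e.g. end_session_endpoint) may be absent
        if not url.startswith("https://"):
            raise ValueError(f"{key} must be served over https: {url}")
        fields[label] = url
    fields["pkce_s256_supported"] = "S256" in doc.get("code_challenge_methods_supported", [])
    return fields


def missing_fields(fields: dict) -> list:
    """Fields the administrator still has to fill by hand after an import."""
    return [name for name in MANUAL_FIELDS if name not in fields]


def pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorization_url(fields: dict, client_id: str, redirect_url: str, scopes: list,
                      state: str, verify_pkce: bool, verifier: Optional[str] = None) -> str:
    """Build the URL the browser is sent to for the first leg of the login."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_url,
        "scope": " ".join(scopes),
        "state": state,  # must be unpredictable and checked on return
    }
    if verify_pkce:
        _, challenge = pkce_pair(verifier)
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
    return fields["Authorization Endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    imported = import_discovery("https://idp.example.com", SAMPLE_DISCOVERY_JSON)
    print("auto-filled:", json.dumps(imported, indent=2))
    print("still to fill manually:", missing_fields(imported))
    print(authorization_url(imported, "client-123", "https://aistudio.example.com/sso/callback",
                            ["openid", "profile"], secrets.token_urlsafe(16), verify_pkce=True))
```

The code verifier returned by pkce_pair is kept server-side and presented later at the Token Endpoint together with the authorization code; only the challenge goes into the browser redirect.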

Configure
The SSO configuration can be created manually using the Configure option.

  • Click three dots in the top right corner.
  • Click Configure.

If you want to edit the existing SSO settings,

  • Click three dots in the top right corner.
  • Click Edit.

The following details need to be added in the Configure Single Sign-On dialog:

  • Protocol: Only the OpenID Connect protocol is supported for now.
  • Issuer: Base URL of the IDP under which the OpenID Provider Configuration Document ({Issuer}/.well-known/openid-configuration) is published.
  • Redirect URL: URL to which the end user is redirected after a successful login.
  • Scope: Set of user attributes (also called claims) that the IDP returns after successful authentication. The list of valid scopes is provided by the IDP.
note

For each scope added here, the corresponding claims are added to the ID Token. For example, if the email scope is added, the user's email id is included in the ID Token. The mandatory scopes are:

  • profile: The user's first name and last name are received in the ID Token.
  • openid: Indicates that the application intends to use OIDC to verify the user's identity.
  • Client ID and Client Secret: These are used to establish trust between the IDP/Authorization Server and the Service Provider (in our case, the AI Studio application itself).
  • Verify PKCE (Proof Key for Code Exchange): This depends on the configuration of the IDP. If PKCE is enforced at the IDP, this option must be selected. PKCE binds the authorization code to the client that requested it, which adds protection during authentication: an authorization code intercepted in transit cannot be redeemed without the matching code verifier.
  • Authorization Endpoint: URL to which the end user is redirected to reach the IDP login page.
  • Token Endpoint: URL from which AI Studio obtains the ID Token from the IDP.
  • User Info Endpoint: URL from which detailed user information is retrieved.
  • End Session Endpoint/Logout URL: URL used to log the user session out at the IDP end. It is invoked when logout is called in AI Studio.
  • JSON Web Key Set URL: If you imported the settings, this URL is already filled and does not need to be changed. If you are defining the configuration manually, use the value of the jwks_uri key from the {Issuer}/.well-known/openid-configuration JSON. The keys published at this URL are what the ID Token signature is verified against.
  • Logout URL Query Parameters: When logging out, a few additional attributes must be sent to the IDP as query parameters.
tip

Each IDP requires a different set of logout query parameters. For more details, refer to the IDP logout endpoint documentation.

Parameter                 Okta      Azure AD  Auth0     OneLogin  Keycloak  MiniOrange
post_logout_redirect_url  required  required  -         required  required  required
redirectTo                -         -         required  -         -         -
id_token_hint             required  -         -         required  required  -
logout_hint               -         optional  -         -         -         -
client_id                 -         -         optional  -         -         -
  • Additional Setting -> User Identity: A unique attribute from the IDP must be mapped to the IDP Username in the Create/Edit Users dialog. This username is used to log in to AI Studio with SSO. Here you specify where this unique attribute is fetched from.
    • Object: After successful authentication with the IDP, the attributes/claims are part of either the ID Token or the User Info response. The attribute name varies between IDPs. Select the object from which the attribute is to be fetched.
    • Attribute (if required): The attribute/claim from which the unique IDP Username is fetched.
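The logout parameter table above is easy to get wrong per IDP, so here is an added example (not code from AI Studio) that encodes the table as data and assembles the End Session Endpoint URL for a given IDP and user session. The endpoint https://idp.example.com/logout, the session values and the allow-listed post-logout landing page are constructed. The parameter names follow the table on this page exactly (the OIDC RP-Initiated Logout specification spells the first one post_logout_redirect_uri; the table uses post_logout_redirect_url, and so does the code). A required parameter without a value raises rather than silently producing a URL that leaves the IDP session alive, and the post-logout landing page is checked against an allow-list because a redirect target taken from untrusted input would be an open redirect.

```python
from urllib.parse import urlencode

# Logout query parameters per IDP, transcribed from the table above: "required"
# parameters must be present, "optional" ones are sent only when a value exists.
LOGOUT_PARAMS = {
    "Okta":       {"post_logout_redirect_url": "required", "id_token_hint": "required"},
    "Azure AD":   {"post_logout_redirect_url": "required", "logout_hint": "optional"},
    "Auth0":      {"redirectTo": "required", "client_id": "optional"},
    "OneLogin":   {"post_logout_redirect_url": "required", "id_token_hint": "required"},
    "Keycloak":   {"post_logout_redirect_url": "required", "id_token_hint": "required"},
    "MiniOrange": {"post_logout_redirect_url": "required"},
}

# Which piece of session state feeds each query parameter (key names are ours).
PARAM_SOURCE = {
    "post_logout_redirect_url": "post_logout_url",
    "redirectTo": "post_logout_url",
    "id_token_hint": "id_token",
    "logout_hint": "login_hint",
    "client_id": "client_id",
}

# Post-logout landing pages we are willing to send the browser to (constructed).
# The same URL must also be registered at the IDP.
ALLOWED_POST_LOGOUT_URLS = {"https://aistudio.example.com/logged-out"}


def required_params(idp: str) -> list:
    """Sorted list of the parameters the table marks as required for this IDP."""
    return sorted(p for p, level in LOGOUT_PARAMS[idp].items() if level == "required")


def build_logout_url(idp: str, end_session_endpoint: str, session: dict) -> str:
    """Assemble the End Session Endpoint URL for the given IDP and user session.

    session may hold post_logout_url, id_token, login_hint and client_id.
    Raises ValueError when a required parameter has no value or the landing
    page is not allow-listed.
    """
    if idp not in LOGOUT_PARAMS:
        raise ValueError(f"no logout parameter mapping for IDP {idp!r}")
    landing = session.get("post_logout_url")
    if landing is not None and landing not in ALLOWED_POST_LOGOUT_URLS:
        raise ValueError(f"post-logout URL not allow-listed: {landing}")
    query = {}
    for param, level in LOGOUT_PARAMS[idp].items():
        value = session.get(PARAM_SOURCE[param])
        if value is None:
            if level == "required":
                raise ValueError(f"{idp} logout requires {param} but no value is available")
            continue  # optional parameter with nothing to send
        query[param] = value
    return end_session_endpoint + "?" + urlencode(query)


# Constructed session values; the id_token is a placeholder, not a real JWT.
SAMPLE_SESSION = {
    "post_logout_url": "https://aistudio.example.com/logged-out",
    "id_token": "ID_TOKEN_PLACEHOLDER",
    "client_id": "client-123",
}

if __name__ == "__main__":
    for name in LOGOUT_PARAMS:
        print(f"{name:11s} {build_logout_url(name, 'https://idp.example.com/logout', SAMPLE_SESSION)}")
```

Note that SAMPLE_SESSION carries no login_hint, so the Azure AD URL is built without logout_hint (it is optional) while an Okta or Keycloak session without an id_token is rejected.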
Example

Consider that the IDP Username "john.doe" is available in the IDP as a unique attribute and is to be used for logging in to AI Studio with SSO. You also need a user created in AI Studio with type SSO and IDP Username "john.doe".
Assume that this value is part of the ID Token and the attribute/claim is preferred_username.
You then define the user identity as:
Object: ID Token
Attribute: preferred_username

note

In most IDPs, the ID Token's preferred_username claim contains the user identity.
email is also a good candidate for this configuration if you log in to the IDP with your email id. Make sure that email is available in the IDP and that the email scope is added to the Scope field.
Access Token attributes are not supported by AI Studio.