OpenID Connect (OIDC)
OpenID Connect (OIDC) is a modern authentication protocol built on OAuth 2.0 that provides simple identity verification and enables applications to obtain basic profile information about users. This configuration allows seamless integration with popular identity providers like Google and Microsoft Azure.
Getting Started
Setting up OpenID Connect authentication is straightforward and takes just a few configuration steps. Follow this quick setup process to enable secure access for your organization.
- Navigate to Admin Console > Security > Single Sign-On.
- Turn on the toggle Enable SSO.
- In the Select a suitable Sign-On Protocol section, select OpenID Connect.
- In the Configure section, select your identity provider and configure the settings.
Identity Provider Configurations
Choose from the supported identity providers. Each provider offers specific features and integration capabilities to match your security requirements.
Google Configuration
Google's OpenID Connect implementation provides enterprise-grade authentication with seamless integration for G Suite domains. Configure these essential fields to establish secure communication between Google and AI for Work.
Configuration Steps
- Select Identity Provider:
  - In the Configure section, select Sign in with Google.
- Enable Service Account:
  - Turn on the toggle Configure service account for your G-Suite domain.
- Configure Required Fields:

  | Field | Description | Required |
  | --- | --- | --- |
  | Client Email | The service account email address from your Google Cloud project, used for authentication. | Yes |
  | Admin Email | The G Suite administrator email address that has permissions to manage user access. | Yes |
  | Private Key | The private key from your Google service account credentials, used to sign authentication requests. | Yes |

- Save Configuration:
  - Click Save.
  - The Identity Provider information successfully updated message is displayed at the top of the page.
Setting up Google for AI for Work SSO
To set up the AI for Work application in your Google Workspace environment, you need to create a service account and configure domain-wide delegation.
Prerequisites: You must have Google Workspace administrator privileges and have already selected Google as an OpenID Connect provider in the AI for Work Admin Console.
Steps to configure Google:
- Create Service Account:
  - Log in to Google Cloud Console.
  - Navigate to IAM & Admin > Service Accounts.
  - Click Create Service Account.
  - Provide a service account name and description.
  - Click Create and Continue.
- Generate Private Key:
  - In the service accounts list, click on the newly created service account.
  - Go to the Keys tab.
  - Click Add Key > Create new key.
  - Select JSON format.
  - Click Create to download the key file.
- Enable Domain-Wide Delegation:
  - In the service account details, check Enable Google Workspace Domain-wide Delegation.
  - Click Save.
  - Note the Client ID for the next steps.
- Configure G Suite Admin Console:
  - Log in to Google Admin Console.
  - Go to Security > API Controls > Domain-wide Delegation.
  - Click Add new.
  - Enter the Client ID from the service account.
  - Add required OAuth scopes (e.g., https://www.googleapis.com/auth/admin.directory.user.readonly).
  - Click Authorize.
- Copy Configuration Details:
  - From the downloaded JSON key file, copy the following to AI for Work:
    - client_email → Client Email field
    - private_key → Private Key field
  - Enter your G Suite admin email in the Admin Email field.
- Save the configuration in AI for Work.
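A pre-flight check for the key file and delegation scopes from the steps above, as an added example that is not part of the AI for Work or Google documentation: it verifies the downloaded JSON key before client_email and private_key are pasted into the Admin Console, and flags delegated scopes that are not read-only. The file name, sample address, and placeholder key material are constructed for illustration.

```python
import json
import os
import stat
import tempfile

REQUIRED = ("client_email", "private_key")  # fields the page copies to AI for Work

def check_key_file(path):
    """Return (fields, findings) for a downloaded service-account JSON key."""
    findings = []
    # The key is a long-lived credential: only its owner should be able to read it.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("key file is accessible to group/others; chmod 600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        findings.append("type is not service_account")
    for name in REQUIRED:
        if not key.get(name):
            findings.append(f"missing field: {name}")
    email = key.get("client_email", "")
    if email and not email.endswith(".gserviceaccount.com"):
        findings.append("client_email is not a service-account address")
    pem = key.get("private_key", "").strip()
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.endswith("-----END PRIVATE KEY-----")):
        findings.append("private_key is not a complete PEM block")
    return {n: key.get(n, "") for n in REQUIRED}, findings

def non_readonly_scopes(scopes):
    """Delegated scopes that grant more than read access (least-privilege check)."""
    return [s for s in scopes if not s.endswith(".readonly")]

def write_sample_key(directory, mode=0o600):
    """Write a constructed key file (placeholder key material, not a real key)."""
    sample = {
        "type": "service_account",
        "client_email": "sso-sync@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    }
    path = os.path.join(directory, "key.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_key_file(write_sample_key(tmp, mode=0o644))[1])
```

Once the two fields are saved in AI for Work, delete the downloaded file or move it into a secrets store, since anyone holding it can act with the delegated scopes.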
Microsoft Azure Configuration
Microsoft Azure Active Directory (now Microsoft Entra ID) provides comprehensive identity and access management with robust security features. This configuration enables secure authentication for your organization's users.
Configuration Steps
- Select Identity Provider:
  - In the Configure section, select Microsoft Azure.
- Configure Custom Application:
  - Use Your Microsoft Entra ID App for SSO Login: Instead of approving the default system-provided app in Microsoft Admin, you can create and configure your own app. Once set up, this app will be used for SSO login for users in your account.
- Save Configuration:
  - Click Save.
  - The Identity Provider information successfully updated message is displayed at the top of the page.
Setting up Microsoft Azure for AI for Work SSO
To set up the AI for Work application in your Microsoft Entra ID (formerly Azure AD) environment, you need to register an application and configure authentication settings.
Prerequisites: You must have Microsoft Entra ID administrator privileges and have already selected Microsoft Azure as an OpenID Connect provider in the AI for Work Admin Console.
Steps to configure Microsoft Azure:
- Register Application in Microsoft Entra ID:
  - Log in to Azure Portal.
  - Navigate to Microsoft Entra ID > App registrations.
  - Click New registration.
  - Provide an application name (e.g., "AI for Work SSO").
  - Select the appropriate supported account types.
  - Configure the redirect URI (this will be provided by AI for Work).
  - Click Register.
- Configure Authentication:
  - In the registered app, go to Authentication.
  - Add the redirect URI provided by AI for Work.
  - Configure token configuration settings as required.
  - Enable ID tokens under the Implicit grant and hybrid flows.
  - Click Save.
- Create Client Secret:
  - Go to Certificates & secrets.
  - Click New client secret.
  - Add a description and select an expiration period.
  - Click Add.
  - Copy the secret value immediately (it will only be shown once).
- Configure API Permissions:
  - Go to API permissions.
  - Click Add a permission.
  - Select Microsoft Graph.
  - Add required permissions (e.g., User.Read, email, openid, profile).
  - Click Grant admin consent for your organization.
- Copy Configuration Details:
  - From the app overview page, note the following:
    - Application (client) ID
    - Directory (tenant) ID
  - Copy these values along with the client secret to configure in AI for Work.
- Complete Configuration in AI for Work:
  - Follow the detailed steps in the official guide: Create and Register App in Microsoft Entra ID
  - Save the configuration in AI for Work.


