Google Cloud Platform (GCP) and SAML

You can set up a custom Security Assertion Markup Language (SAML) application for C3 AI using Google Cloud Platform (GCP) so users can sign into C3 AI applications with single sign-on (SSO) authentication. SAML apps enable SSO, allowing users to access multiple services with one set of login credentials.

Use the Google Admin console to manage your Google services. To learn more about the Google Admin console, see Admin console map in the GCP documentation.

Requirements

Have the following credentials:

  • The C3.ClusterAdmin role.
  • Administrator access to Google Admin console for your GCP deployment.

Set up a custom SAML application for C3 AI

Follow the steps at Set up your own custom SAML app using SAML-based SSO in the GCP documentation. See the "Add the custom SAML app" section.

Configure service provider details

Note the following when you configure the service provider details:

  • Assertion Consumer Service (ACS) URL: The ACS URL where the SAML assertion is sent.
    • To configure a cluster URL, set as https://<CLUSTERURL>/c3/c3/saml/login.
    • To configure a C3 AI application URL, set as https://<CLUSTERURL>/saml/login.
  • Entity ID: A unique identifier for the service provider.
    • Set as the cluster URL.
  • Name ID: User identifier that the IdP sends to the service provider.
    • Leave as is.

The other fields are optional. See the GCP documentation to learn more about these service provider details.

Add attribute mapping

Add a mapping to map user attributes to the service provider in the SAML assertion.

Note the following when you add a mapping:

  • Google Directory attributes: Set to Primary email.
  • App attributes: Set to email.

Note the following when you configure the attribute mapping:

  • Group membership (optional): Define which Google Groups to include in the SAML assertion. Select groups that correspond to C3.ClusterAdmin, C3.StudioAdmin, C3.StudioUser, or your own IDP group names.
  • App attribute: Set to groups with lowercase g. This attribute mapping ensures that the SAML assertion includes the Google Groups to which the user belongs under an attribute named groups.

This attribute maps the specified Google Directory group memberships to the service provider's expected groups attribute in the SAML response and enables the service provider to make authorization decisions based on group membership.
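Once the app is turned on, you can confirm that the response Google sends matches these settings by checking a SAMLResponse value copied from your own browser's sign-in POST. The following Python check is an added example, not C3 AI or Google code: it compares the Destination, Audience, and the email and groups attribute names against the values you configured. The function names, cluster.example.com, and the sample response are constructed placeholders, and the Entity ID is passed exactly as you entered it in the Google Admin console.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response, acs_url, entity_id):
    """Compare a base64 SAMLResponse (HTTP-POST binding) with the SP settings."""
    xml_bytes = base64.b64decode(b64_response)
    # SAML messages never need a DTD; refuse one rather than risk entity expansion.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration found in SAML message")
    root = ET.fromstring(xml_bytes)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain the Entity ID")
    # Collect attribute names exactly as sent; the names are case-sensitive.
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if not attrs.get("email"):
        problems.append("no 'email' attribute (Primary email mapping missing)")
    if not attrs.get("groups"):
        similar = [n for n in attrs if n and n.lower() == "groups"]
        problems.append(f"no 'groups' attribute; similar names sent: {similar}")
    return problems

def sample_response(groups_attr_name):
    """Constructed sample, not captured traffic; cluster.example.com is a placeholder."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 Destination="https://cluster.example.com/c3/c3/saml/login"><saml:Assertion>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://cluster.example.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email">
   <saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{groups_attr_name}">
   <saml:AttributeValue>C3.StudioUser</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode())

if __name__ == "__main__":
    acs = "https://cluster.example.com/c3/c3/saml/login"
    print(check_saml_response(sample_response("Groups"), acs, "https://cluster.example.com"))
```

The check inspects only routing values and attribute names; it does not validate the assertion's signature or validity window.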

Turn on the SAML application

Follow the steps at Set up your own custom SAML app using SAML-based SSO in the GCP documentation. See the "Turn on your SAML app" section.

For each IDP group name, search for the group name and select On to turn the SAML application on for that group.

Manage user access

To learn how to configure which groups have access to the SAML application, see Customize service access using access groups in the GCP documentation. See the "Step 4: Turn on the service for the group" section.

Configure access for each additional group that needs application access, such as C3.ClusterAdmin, C3.StudioAdmin, C3.StudioUser or other IDP groups.

Configure a SAML application with the C3 Agentic AI Platform

Follow the guidelines in the Authenticate Using SAML topic.

Step 1: Upload metadata to file system

  1. From the c3/c3 C3 AI Console, select Tools > Load File.
  2. Choose the SAML metadata file, select the default mount /, and set the destination to the File System.

Step 2: Set the SAML configuration variables, substituting CLUSTERURL

JavaScript
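// Takes the first file listed on the default mount, so the metadata file
// uploaded in Step 1 must be the first entry returned.
var samlFile = FileSystem.listFiles(FileSystem.mountUrl('/')).files[0];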
var acsUrl = "https://CLUSTERURL/c3/c3/saml/login";
var fqdn = "CLUSTERURL";
var env = "c3";
var app = "c3";
var compressRequest = false;
var hasExternalDns = true;

Step 3: Register SAML provider metadata with the C3 Agentic AI Platform

JavaScript
var resp = Saml.generateSpSsoArtifacts(samlFile, acsUrl, fqdn, env, app, compressRequest, hasExternalDns, ConfigOverride.CLUSTER);

Step 4: Update the SAML configurations

JavaScript
SamlIdpConfig.make(fqdn).setConfigValue('settings.compressRequest', false, ConfigOverride.CLUSTER);
SamlIdpConfig.make(fqdn).setConfigValue('settings.forcePostBinding', true, ConfigOverride.CLUSTER);
SamlIdpConfig.make(fqdn).setConfigValue('settings.spPostBinding', true, ConfigOverride.CLUSTER);

Step 5: Set user groups, substituting CLUSTERURL and IDPGroupName

JavaScript
UserGroup.forId("C3.ClusterAdmin").addIdpGroupForIdp(SamlIdpConfig.forId("CLUSTERURL"), "IDPGroupName");

App.forId("CLUSTER-c3-studio").call(() => {
    UserGroup.forId("C3.StudioAdmin").addIdpGroupForIdp(SamlIdpConfig.forId("CLUSTERURL"), "IDPGroupName");
    UserGroup.forId("C3.StudioUser").addIdpGroupForIdp(SamlIdpConfig.forId("CLUSTERURL"), "IDPGroupName");
});