Identity Provider Setup
The Swiss AI Hub does not manage user credentials itself. It uses Keycloak as an identity broker that federates to your organization's identity provider (IdP). Users sign in with their existing corporate account; Keycloak validates the login and issues the platform a token.
Keycloak can broker providers over three protocols, plus a range of built-in social providers — see the Keycloak identity brokering documentation for the full list:
The platform places no restriction on the protocol — any enabled, visible provider configured in the aihub realm appears on the login page. The one practical requirement for role-based access is that the provider emits the AI-Hub role values in a claim that Keycloak maps to realm roles (see User and Role Management).
The pages below walk through the IdPs we configure and support out of the box. Each one explains how to set up the provider so it matches what the Keycloak aihub realm expects.
Supported providers
- Microsoft Entra ID (Azure AD) — create the app registration and manage its users and roles.
TIP
This section is operational. For the conceptual model — how Keycloak validates tokens, maps claims, and enforces roles — see Authentication and Authorization.