This page describes the start-up tasks that you must complete to set up NotebookLM Enterprise.
After you have performed the tasks on this page, your users can start creating and using notebooks in NotebookLM Enterprise.
About identity setup
To complete the setup, you must have your organization's identity provider (IdP) configured in Google Cloud. Correct identity setup is important for two reasons:
- It lets your users use their current corporate credentials to access the NotebookLM Enterprise user interface.
- It ensures that users see only the notebooks that they own or that have been shared with them.
Supported frameworks
The following authentication frameworks are supported:
- Cloud Identity:
  - Case 1: You use Cloud Identity or Google Workspace, so all user identities and user groups are present in and managed through Google Cloud. For more information about Cloud Identity, see the Cloud Identity documentation.
  - Case 2: You use a third-party IdP, and you have synced identities with Cloud Identity. Your end users use Cloud Identity to authenticate before accessing Google resources or Google Workspace.
  - Case 3: You use a third-party IdP, and you have synced identities with Cloud Identity. However, you still use your existing third-party IdP to perform the authentication. You have configured SSO with Cloud Identity so that your users begin their sign-in using Cloud Identity and are then directed to your third-party IdP. (You might have already done this sync when setting up other Google Cloud resources or Google Workspace.)
- Workforce Identity Federation: If you use an external identity provider (Microsoft Entra ID, Okta, Ping, PingFederate, or another OIDC or SAML 2.0 IdP) but don't want to sync your identities into Cloud Identity, then you must set up Workforce Identity Federation in Google Cloud before you can turn on data source access control for Agentspace.
The google.subject attribute must map to the email address field in the external IdP. The following are example google.subject and google.groups attribute mappings for commonly used IdPs:
- Microsoft Entra ID
  - Microsoft Entra ID with OIDC protocol:
    google.subject=assertion.email google.groups=assertion.groups
  - Microsoft Entra ID with SAML protocol:
    google.subject=assertion.attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0] google.groups=assertion.attributes['http://schemas.microsoft.com/ws/2008/06/identity/claims/groups']
  If you use Microsoft Entra ID and have more than 150 groups, then you should either set up System for Cross-domain Identity Management (SCIM) to manage identities with Google Cloud, or configure Microsoft Entra ID with extended attributes, which uses Microsoft Graph to retrieve group names. Setting up SCIM lets you (and your end users) type group names instead of group IDs when sharing notebooks. See step 2 in the procedure for sharing a notebook with a group. If you use SCIM or extended attributes, the google.groups attribute mapping is ignored.
- Okta
  - google.subject=assertion.email google.groups=assertion.groups
  - google.subject=assertion.subject google.groups=assertion.attributes['groups']
You can select only one IdP per Google Cloud project.
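To see what the mappings above produce before you configure a workforce pool provider, the following added example (not part of this page or of Google's tooling) resolves the page's Microsoft Entra ID mapping lines against constructed sample assertions and checks that google.subject yields an email address, as the page requires. The small evaluator for the CEL subset used in these mappings and the sample claim values are assumptions written for this illustration.

```python
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Attribute-mapping lines exactly as given on the page.
ENTRA_OIDC = "google.subject=assertion.email google.groups=assertion.groups"
ENTRA_SAML = ("google.subject=assertion.attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0] "
              "google.groups=assertion.attributes['http://schemas.microsoft.com/ws/2008/06/identity/claims/groups']")

# Constructed sample assertions (not real tokens). OIDC claims are a flat dict;
# SAML attributes are lists of values, which is why the page's SAML mapping ends in [0].
SAMPLE_OIDC_CLAIMS = {"email": "alice@example.com", "groups": ["group-id-1", "group-id-2"]}
SAMPLE_SAML_ASSERTION = {"attributes": {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ["alice@example.com"],
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": ["group-id-1", "group-id-2"],
}}

def parse_mapping(line):
    """Split 'google.subject=<expr> google.groups=<expr>' into a dict."""
    return dict(re.findall(r"(google\.\w+)=(\S+)", line))

def resolve(expr, assertion):
    """Evaluate the CEL subset used on the page: assertion.<claim>, or
    assertion.attributes['<name>'] with an optional [<index>] (assumed evaluator)."""
    m = re.fullmatch(r"assertion\.attributes\['([^']+)'\](?:\[(\d+)\])?", expr)
    if m:
        values = assertion.get("attributes", {}).get(m.group(1))
        if values is None:
            return None  # attribute absent from the SAML assertion
        if m.group(2) is None:
            return values  # whole multi-valued attribute (e.g. groups)
        idx = int(m.group(2))
        return values[idx] if idx < len(values) else None
    m = re.fullmatch(r"assertion\.(\w+)", expr)
    if m:
        return assertion.get(m.group(1))
    raise ValueError(f"unsupported mapping expression: {expr}")

def check_subject(mapping, assertion):
    """Return (ok, detail). ok only if google.subject resolves to an email address,
    which the page requires so that notebook sharing lines up with IdP identities."""
    expr = mapping.get("google.subject")
    if expr is None:
        return False, "google.subject mapping is missing"
    subject = resolve(expr, assertion)
    if not isinstance(subject, str) or not EMAIL_RE.match(subject):
        return False, f"google.subject resolved to {subject!r}, not an email address"
    return True, subject
```

A mapping that resolves to a group ID, a SID, or nothing at all fails the check, which is the symptom you would otherwise only discover when users cannot be found when sharing a notebook.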
Before you begin
Before starting the procedures on this page, make sure that one of the following is true:
- You use Cloud Identity as your IdP, or
- You use a third-party IdP and have configured SSO with Cloud Identity, or
- You use a third-party IdP, have set up Workforce Identity Federation, and know the name of your workforce pool.
Create a project and enable the API
If you already have a Google Cloud project that you want to use, start at step 2.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Verify that billing is enabled for your Google Cloud project.
- Enable the AI Applications (Discovery Engine) API.
Grant the Cloud NotebookLM Admin role
As the project owner, you need to assign the Cloud NotebookLM Admin role to any users who you want to be able to administer NotebookLM Enterprise in this project:
- In the Google Cloud console, go to the IAM page.
- Select the project.
- Click Grant access.
- In the New principals field, enter the user identifier. This is typically the email address for a Google Account or a user group.
- In the Select a role list, select Cloud NotebookLM Admin. For more information, see User roles.
- Click Save.
Set the IdP for NotebookLM Enterprise
The project owner or a user who has the Cloud NotebookLM Admin role can set up the IdP.
- In the Google Cloud console, go to the Agentspace page.
- Under NotebookLM Enterprise, click Manage.
- Set Identity setting to Google Identity Provider or Third-party identity. For more information, see About identity setup above.
- If you are using a third-party IdP and decided to set up Workforce Identity Federation, then specify the name of your workforce pool and your Workforce pool provider.
- Copy the Link. You will send this link to all the end users of NotebookLM Enterprise. It is the link to the user interface that they will use to create, edit, and share notebooks.
Optional: Register customer-managed encryption keys
If you want to use customer-managed encryption keys (CMEK) instead of Google default encryption, then follow the instructions to register a key for NotebookLM Enterprise in Customer-managed encryption keys.
Typically, you only need to use CMEK if your organization has strict regulatory requirements or internal policies that stipulate control over encryption keys. In most situations, Google default encryption is sufficient. For general information about CMEK, see the Cloud Key Management Service documentation.
Grant NotebookLM Enterprise roles to users
This section describes how to give your users the IAM roles that they need to access, manage, and share notebooks.
- In the Google Cloud console, go to the IAM page.
- Select the project.
- Click Grant access.
- In the New principals field, enter the user identifier. This is typically the email address for a Google Account, a user group, or the identifier for a user in a workforce identity pool. For details, see Represent workforce pool users in IAM policies, or contact your administrator.
- In the Select a role list, select the Cloud NotebookLM User role.
- Click Save.
In addition to the Cloud NotebookLM User role, users need a license for NotebookLM Enterprise. See Get licenses for NotebookLM Enterprise.