Set up NotebookLM Enterprise

This page describes the start-up tasks that you must complete to set up NotebookLM Enterprise.

After you have performed the tasks on this page, your users can start creating and using notebooks in NotebookLM Enterprise.

About identity setup

To complete the setup, you must have your organization's identity provider configured in Google Cloud. Correct setup for identity is important for two reasons:

  • It lets your users use their current corporate credentials to access the NotebookLM Enterprise user interface.

  • It ensures that users see only the notebooks which they own or which have been shared with them.

Supported frameworks

The following authentication frameworks are supported:

  • Google Identity:

    • Case 1: If you use Google Identity, then all user identities and user groups are present and managed through Google Cloud. For more information about Google Identity, see the Google Identity documentation.

    • Case 2: You use a third-party identity provider, and you have synced identities with Google Identity. Your end users use Google Identity to authenticate before accessing Google resources or Google Workspace.

    • Case 3: You use a third-party identity provider, and you have synced identities with Google Identity. However, you are still using your existing third-party identity provider to perform the authentication. You have configured SSO with Google Identity such that your users begin their sign in using Google Identity and then get directed to your third-party identity provider. (You might have already done this sync when setting up other Google Cloud resources or Google Workspace.)

  • Third-party identity provider federation: If you use an external identity provider (for example, Azure AD, Okta, or Ping) but don't want to sync your identities into Google Cloud Identity, then you must set up Workforce Identity Federation in Google Cloud before you can turn on data source access control for Agentspace Enterprise.

    The google.subject attribute must map to the email address field in the external identity provider. The following are example google.subject and google.groups attribute mappings for commonly used identity providers:

    • Azure AD with OIDC protocol

      google.subject=assertion.email
      google.groups=assertion.groups
      

    • Azure AD with SAML protocol

      google.subject=assertion.attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0]
      google.groups=assertion.attributes['http://schemas.microsoft.com/ws/2008/06/identity/claims/groups']
      

    • Okta with OIDC protocol

      google.subject=assertion.email
      google.groups=assertion.groups
      

    • Okta with SAML protocol

      google.subject=assertion.subject
      google.groups=assertion.attributes['groups']
      

You can select only one identity provider per Google Cloud project.
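
A pre-rollout check for the attribute mappings above, as an added example that is not part of the original page or Google's code: it evaluates the few expression forms shown here against a constructed sample assertion and flags a google.subject that does not resolve to an email address. The function names, the email shape check and the sample assertions are assumptions; the real service evaluates mappings as CEL expressions.

```python
import re

# Expression forms on this page: assertion.<name>, assertion.attributes['<key>'], optional [<index>].
_EXPR = re.compile(r"^assertion\.(\w+)(?:\['([^']+)'\])?(?:\[(\d+)\])?$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed shape check only

def parse_mapping(text):
    """Turn 'target=expression' lines into a dict."""
    pairs = (ln.strip().split("=", 1) for ln in text.splitlines() if ln.strip())
    return {target.strip(): expr.strip() for target, expr in pairs}

def evaluate(expr, assertion):
    """Resolve one expression against an assertion dict; None if it is absent."""
    m = _EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    name, key, index = m.groups()
    value = assertion.get(name)
    if key is not None:
        value = value.get(key) if isinstance(value, dict) else None
    if index is not None:
        in_range = isinstance(value, list) and int(index) < len(value)
        value = value[int(index)] if in_range else None
    return value

def check_mapping(text, assertion):
    """List the problems that would break per-user notebook access control."""
    mapping, problems = parse_mapping(text), []
    if "google.subject" not in mapping:
        return ["google.subject is not mapped"]
    subject = evaluate(mapping["google.subject"], assertion)
    if not (isinstance(subject, str) and _EMAIL.match(subject)):
        problems.append(f"google.subject resolves to {subject!r}, not an email address")
    if "google.groups" in mapping:
        groups = evaluate(mapping["google.groups"], assertion)
        if not isinstance(groups, list):
            problems.append(f"google.groups resolves to {groups!r}, not a list")
    return problems

# Constructed sample data (not real tokens or tenants).
AZURE_SAML = """
google.subject=assertion.attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'][0]
google.groups=assertion.attributes['http://schemas.microsoft.com/ws/2008/06/identity/claims/groups']
"""
SAMPLE_OK = {"attributes": {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ["alice@example.com"],
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": ["group-1"]}}
OKTA_SAML = "google.subject=assertion.subject\ngoogle.groups=assertion.attributes['groups']"
SAMPLE_BAD = {"subject": "alice", "attributes": {"groups": ["eng"]}}  # NameID is a username
```

Calling check_mapping(OKTA_SAML, SAMPLE_BAD) reports the subject problem, which is the case to catch before users sign in: the identity provider sends a username or opaque ID as the SAML subject instead of an email address.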

Before you begin

Before starting the procedures on this page, make sure that one of the following is true:

  • You use Google Identity as your identity provider, or

  • You use a third-party identity provider and have configured SSO with Google Identity, or

  • You use a third-party identity provider, have set up Workforce Identity Federation and know the name of your workforce pool.

Create a project and enable the API

If you already have a Google Cloud project that you want to use, start at step 2.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Vertex AI Agent Builder (Discovery Engine API).

    Enable the API

Grant the Cloud NotebookLM Owner role

As the project owner, you need to assign the Cloud NotebookLM Owner role to any users who you want to be able to administer NotebookLM Enterprise in this project:

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM
  2. Select the project.
  3. Click Grant access.
  4. In the New principals field, enter the user identifier. This is typically the email address for a Google Account or a user group.

  5. In the Select a role list, select Cloud NotebookLM Owner. For more information, see User roles.
  6. Click Save.

Set the identity provider for NotebookLM Enterprise

The project owner or a user who has the Cloud NotebookLM Owner role can set up the identity provider.

  1. In the Google Cloud console, go to the Agentspace page.

    Google Agentspace Enterprise

  2. Under NotebookLM Enterprise, click Manage.

  3. Set Identity setting to Google Identity Provider or Third-party identity.

    For more information, see About identity setup above.

  4. If you are using a third-party identity provider and decided to set up Workforce Identity Federation, then specify the name of your workforce pool and your workforce pool provider.

  5. Copy the Link.

    You will send out this link to all the end-users of NotebookLM Enterprise. This is the link to the user interface that they'll use to create, edit, and share notebooks.

Grant NotebookLM Enterprise roles to users

This section describes how to give your users the IAM roles that they need to access, manage, and share notebooks.

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM
  2. Select the project.
  3. Click Grant access.
  4. In the New principals field, enter the user identifier. This is typically the email address for a Google Account, a user group or the identifier for a user in a workforce identity pool. For details, see Represent workforce pool users in IAM policies, or contact your administrator.

  5. In the Select a role list, select the Cloud NotebookLM User role.
  6. Click Save.

What's next

  • Send your users the sign-in link for NotebookLM Enterprise.

  • If your users need instructions on how to share notebooks or revoke sharing on notebooks, see Share notebooks. Sharing is one feature of NotebookLM that is different between the personal NotebookLM product and NotebookLM Enterprise.

  • If your users need general guidance on how to use NotebookLM Enterprise, see the user documentation for NotebookLM. Keep in mind that there are some differences between NotebookLM and NotebookLM Enterprise. See What is NotebookLM Enterprise.