NGC User Guide

NGC User Guide

This document is a comprehensive guide to NVIDIA GPU Cloud (NGC), providing detailed instructions on setting up, managing, and optimizing your cloud environment, including creating accounts, managing users, accessing pre-trained models, and leveraging NGC's suite of AI and HPC tools.

NVIDIA NGC™ is a cloud platform providing fully managed services, including NVIDIA AI Enterprise, NVIDIA DGX™ Cloud, and NVIDIA Riva Studio for Natural Language Understanding (NLU) and speech AI solutions. AI practitioners can leverage DGX Cloud for model training, NVIDIA AI Enterprise to obtain the latest NVIDIA NIM™ models, and the NGC Private Registry for securely sharing proprietary AI software. NGC also hosts a catalog of GPU-optimized AI software, SDKs, and Jupyter Notebooks to accelerate AI workflows and offers support through NVIDIA AI Enterprise.

Enterprises access their AI cloud services via a dedicated virtual NVIDIA Cloud Account (NCA) linked to the NGC organization where their services are enabled.

NGC provides software to meet the needs of data scientists, developers, and researchers across various levels of AI expertise.

All software hosted on NGC undergoes thorough scans for common vulnerabilities and exposures (CVEs), crypto, and private keys.

In addition to security scanning, NGC software is tested against a wide range of GPU-enabled platforms, including public cloud instances, workstations, and OEM servers designed for data center or edge deployments. Supported GPUs include H100, V100, A100, T4, Jetson, and the RTX Quadro.

NGC software is tested and assured to scale across multiple GPUs and, in some cases, across multiple nodes, ensuring users can fully utilize their GPU-powered servers out of the box.

For select containers, NVIDIA offers NGC Support Services to run software on DGX platforms or certified OEM servers. The service gives enterprise IT direct access to NVIDIA subject matter experts to address software issues and minimize system downtime quickly.

An NGC organization (org) is linked to an NVIDIA Cloud Account (NCA) and shares the same account number. The dedicated account instance is used to enable and manage NVIDIA cloud services.

Users can access an NGC org in the following ways:

1) Sign-Up through the NGC Portal: A user can sign up for a free NGC org through the NGC sign-in portal and create a new NVIDIA cloud account that grants access to an NGC org enabled with NVIDIA Catalog access (public artifacts only).

2) Entitlement Message: NVIDIA sends a message to the company or person granted entitlement for a service delivered in NGC. This can happen through a purchase order, early trial program, or other commercially related offers. The recipient follows the entitlement steps to be granted an NVIDIA Cloud Account and gain access to their NGC service.

3) Account Owner Invitation: The account owner adds a user to an NCA account and grants the required permissions to access the NGC org. The account owner will invite the user through an NCA invitation email or add the user using a corporate AD group membership rule mapped to the NGC org. Note that only enterprise type orgs support the ability for account owners to manage additional users.

Users who sign up for an NGC org through the NGC sign-in portal get assigned an NCA account linked to an individual org that is automatically enabled with the NGC Catalog service and grants authenticated access to the catalog. An individual org is only accessible by a single user, the org owner. The NCA account linked to the org supports additional users, but these users cannot be assigned NGC access permissions.

An NVIDIA premium cloud service subscription, such as NVIDIA AI Enterprise or NVIDIA DGX Cloud, will be granted through purchase, an early access program, or the NGC Activate Subscription portal. Subscriptions get enabled on enterprise NGC orgs. Alternatively, an individual org is converted to an enterprise org when a user activates their subscription through the NGC Activate Subscription portal. An NGC enterprise org is linked to an NCA account and supports additional users, subdividing NGC resources into NGC teams, and role-based access rules.

3.1. NVIDIA Cloud Accounts and NGC

NVIDIA Cloud Accounts (NCA) provide a convenient and scalable way to set up and manage access to NVIDIA cloud services for various users within your company.

NCA is required for managing user access within NGC. It is fully integrated with NGC, allowing user management to be handled within the NGC environment. Adding users through the NGC Add User pane automates the process of updating the NCA account, saving NGC owners and administrators the step of navigating to the NCA user interface.

After the user is added, the next step (Step 2) requires the NGC owner or administrator to assign access permissions to the service entitlements hosted in the NGC org (for example, NVIDIA AI Enterprise or NVIDIA DGX Cloud).

As a follow-up step, the owner or administrator can navigate to the NCA UI console to set up essential services like the following:

• Set up an account recovery email (Highly recommended)

• Add additional NCA administrators (Highly recommended)

• Enter company information

• Manage user tenancy status

Removing a user from NGC doesn't remove their associated NCA account. The user's access permissions within the NGC organization are revoked, but the NCA account itself remains active. To completely remove a user from all NVIDIA cloud services, the user must be removed at the NCA account level.

While users can be added and assigned permissions within the NGC UI console, administrators should be aware of additional steps necessary to manage the NCA account.

To learn more about NCA, visit NVIDIA Cloud Accounts.

3.2. NGC Teams

An NGC team is a virtual sub-unit within an org, each with its own registry space. Only the same NGC team members have access to that team's registry space. Creating NGC teams allows users to share images within their team while keeping them hidden from other NGC teams in the same organization. Only the org owner or a user with the user admin role can create NGC teams. A user admin assigned at the org level (without specifying teams), can manage users across all NGC teams within the organization. If assigned to a specific NGC team, the user admin can only access and manage users exclusively within that team.

To create an NGC team, follow these steps:

1. Log in to your NGC org.

2. Select Organization from the user account menu.

   

3. On the dashboard or in the left navigation, select Teams.

   

4. On the Teams page, click Create Team on the upper right corner.

   

5. Enter a team name and description. Note that names must be all lowercase.

6. Click Create Team to finish.

3.3. NGC Org Owner and Other Org Users

When an NGC org is created, an NVIDIA Cloud Account (NCA) is required to access the NGC org. The NCA account is automatically generated, and the user needs to name it. The user is assigned the owner role in NCA and NGC as the initial user.

As mentioned previously, an individual org is only accessible by the org owner; additional users are not supported. To verify the type of org you manage, sign in to NGC to access your org. Under the user account menu, select Organization, and then select Organization Profile in the left navigation pane.

The org owner possesses the highest admin privileges in an NGC org. The org owner of an enterprise org can add and remove NGC teams and users, and assign NGC permissions to each added user by managing the assignment of teams and roles. When a new user gets added, the org owner invites the user to join the NVIDIA Cloud Account, then assigns access to the entire org or limits the user's access to a team or a set of teams created within the org. Then, the org owner controls the user's access by assigning the permissions (roles) necessary to perform their functions within the org or team.

An org supports up to three org owners, and only an org owner can add or invite additional org owners to share in the NGC org management responsibilities. In NCA, only one owner is supported, therefore to support the additional NGC org owners the account owner must assign the NCA "Admin" role when creating the add user invitation. For details, see the steps to add org additional org owners. To prevent accidentally adding an outside user as an org owner, the email address domain between all org owners’ users must match.

For example, if the users' email addresses are john@intelligence.ai, jane@intelligence.ai, and peter@intelligence.ai, then all three can be added as org owners because their email address domains match. In contrast, if Peter’s email address was peter@artificial.ai, then Peter cannot be added as an org owner.

Follow the steps in the next section to add a new org owner or additional users with different access permissions.

3.3.1. Adding NGC Users to an Org

The following section guides you through the steps to add a new org owner or additional users with different access permissions.

1. Sign in to NGC. Select the correct NCA account linked to the NGC org you want to manage, and click Continue.

   

2. Select Organization from the user account menu. On the dashboard or in the left navigation, select Users.

   

3. Click Add User at the top-right corner.

   Important:

   If your org is linked to an external IdP/SSO service, managing user membership using NGC IdP Membership Rules is recommended. If your IdP doesn't support groups, you can use the NGC add user service.

   

4. In Step 1, invite the user to be an "admin" if they require the ability to manage users in the NCA account, or assign the "member" role in NCA if they do not manage users.

   • Enter the user email address, making sure the domain matches your email domain.

   • Assign the NVIDIA Cloud Account Role "Administrator" or "Member."

   • Customize the invitation email to inform the user what this is for (optional).

   • Set an expiry for the invitation link (default: 6 hours).

   • Click Add User and Send Invitation to proceed to Step 2.

     

5. After completing Step 1, you will see a successful invitation dialog and Step 2 configuration buttons become active.

   User Role

   To assign a role to the user:

   • Select Organization for role assignment.
   • Under the Organization roles, select Owner.

   • Click Add Role to finish.

     Note:

     If the user being added will not manage users or NGC teams, assign the "member" role in NCA and don’t assign the Owner or User Admin role in NGC.

     

   Controlled Permissions

   To assign controlled permissions to a user:

   • Click the Organization or Team radio button.

   • Assign a "role" under each NGC application, depending on the level of access to grant the user.

     

   In this example, the user added is assigned the Viewer role under NVIDIA AI Enterprise and the User role under Private Registry. These permissions limit the user to viewing and pulling artifacts from the NVIDIA Catalog and pushing and pulling artifacts to the org's private registry.

   To learn more about NGC product roles, refer to the documentation for each product.

   Note:

   NVIDIA NGC is introducing a new user role, "Public API Endpoints User," to control access to NVIDIA inferencing credits used for calling NVIDIA API Catalog NIM endpoints. This role must be assigned to NGC organization users who need to generate an NGC Personal Key to use API Catalog credits. For more information, go to Assigning Services to Your Personal API Key. To update user roles, go to Updating User Roles.

   Team Role Assignment

   Assigning the user permissions at a Team level grants them access only to resources (such as containers, models) shared with that specific team. To grant a user access to resources across the entire org, assign the user roles at the Organization level.

6. The user added will receive an NCA invitation email message that includes the NCA URL to accept the invite and access the NGC org. Share the link to Accepting an NCA Invitation to Access NGC with the invited user.

In the case of org owners, after all three org owners are added, any org owner can replace another org owner when needed. An org owner can remove another org owner by going to the 'users' list and selecting Remove User.

When an org owner is deleted, an email notification is sent to the remaining active owners about the deletion event. Using the same steps above, a replacement owner can be invited.

3.3.2. Updating User Roles

The following section guides you through the steps to update user roles.

1. After signing in and selecting the NGC org to update, navigate to the Organization > Users page.

   

   

2. To locate the user, you can search by either email address or name using the filtering bar.

   

3. Click on the user you want to modify, then click Edit Membership at the top of the page.

   

4. Select the desired roles to add to the user and click Add Role. A confirmation message will appear.

   

5. To remove roles, find the assigned roles in the table at the bottom of the page. Click the X to remove that role from the user.

   

   Afterwards, you'll see a confirmation dialog.

3.3.3. Removing a User from an NGC Org

The following section guides you through the steps to remove a user from an NGC org.

Only the organization owner or a user admin can remove a user from the org.

To remove a user from an NGC org, follow these steps:

1. Click on your user account icon to open the menu, then select Organization and click on Users.

   

2. Use the filter tool to find the email address of the user you want to remove.

   

3. Click the Actions ellipsis and select Remove User.

   

   Removing a user from the NGC org will revoke all their access to NGC. However, the user will still remain an active tenant member in the NVIDIA Cloud Account (NCA), where user tenancy is managed.

   In NGC, you grant access permissions (roles) to a user, and removing the user only removes these permissions. To completely delete the user from NCA, follow the steps provided in the NCA User Guide.

3.3.4. Securing the Owner Account with Multi-Factor Authentication

When you create your owner account, you receive an NVIDIA identity account that is protected by a password you set at the time of owner account creation. You can further secure access to your owner account by setting up multi-factor authentication using the directions below:

1. Go to NVIDIA and click the sign-in icon.

   

2. Sign in with the credentials you set up during the org owner account setup.

3. From your NVIDIA user profile page, navigate to the bottom, click on Security settings, and click Update.

   

4. You will be prompted to enter your password again to access security settings.

5. Navigate to the Multi-factor Security settings.

   

6. You can now configure your identity account for two-factor authentication.

   Go to the NVIDIA N-factor help page for details on how to set it up.

3.3.5. Contacting your Org Owner

As a user within an NGC organization, you may need to contact the organization owner to request a new service subscription or add a new user. NGC simplifies this communication with the Contact Admin option in your user account menu.

1. First, sign into the NGC application with your organization. Then click on your user ID in the top right corner to access the user account menu.

   

2. Select Contact Admin to open the email editor dialog.

   

   Within this editor, you can choose from the following email templates:

   • Product Request: Use this template when requesting a specific product for your <org-name> organization. For example, "I'd like to request the [product name] product for the <org-name> organization."

   • Team Access Request: Select this template if you need to request access to the org or a particular team, such as "[team-name]," within your <org-name> organization.

   Both templates come with pre-populated message content, but you can edit or delete portions of the message to create a customized message to send to your organization owner.

   

3. Once you are ready to send the message, click Send.

   The organization owner will receive the email from noreply-ngc@nvidia.com and will include your email address. The following is a sample email message:

   

   By following these steps and using the Contact Admin option, you can easily initiate communication with your organization owner.

3.4. Transferring Your Product Activation Invitation

When you receive an NGC product activation email, and you want to activate the product in an account you don’t own, you must transfer the product activation invitation to the account owner. Follow the steps below to transfer.

1. To transfer a product, at the Activate Product page, click View All NVIDIA Cloud Accounts. This displays accounts you are a member of but do not own; those without the ‘owner’ tag are not owned by you. Review carefully to identify the account associated with the desired NGC organization before starting the transfer process.

   

2. Click the Transfer Product Activation link under the Actions column.

3. Review the pop-up indicating that the transfer cannot be undone and confirm that you are certain about proceeding with the transfer.

   

4. Check the default email template for accuracy, then click Transfer Product Activation. Editing is optional if the content is correct.

   

Activating an NVIDIA NGC product depends on how you obtained the product activation message. This chapter provides comprehensive instructions for activating your NGC product, regardless of whether you received an NGC email invitation from NGC (noreply-ngc@nvidia.com), an NVIDIA commercial entitlement certificate (noreply@nvidia.com), or registered for a free individual NGC organization. It outlines the steps to create and link your NVIDIA Identity account and NVIDIA Cloud Account to your NGC organization, and details the activation process required to access NGC products.

4.1. Activating Your NGC Product from an NGC Email Invitation

Customers can try upcoming NVIDIA NGC AI products through the NVIDIA Developer website or by engaging directly with the NVIDIA product team. Once approved, you will receive a welcome email from NVIDIA NGC, similar to the image shown below, guiding you on how to begin your onboarding process and activate the software. To access NGC, you need to be a tenant of an NVIDIA Cloud Account used to manage access to NGC for you and additional users. The following sections explain how to use your NVIDIA NGC welcome email.

If you’re already an NVIDIA NGC user, go directly to NGC Product Activation by Invitation - Existing User.

4.1.1. NGC Product Activation by Invitation - New User

This section describes the steps necessary to activate a new NGC product as a new user to NVIDIA NGC.

1. Go to your inbox to find the email "Welcome to NVIDIA NGC". Click the Accept invitation and sign-in button.

   

2. To create your NVIDIA sign-in identity account, type in a password and confirm it (must meet the complexity check), review the NVIDIA account Terms of Use and Privacy Policy, and click Create Account to accept and proceed with your identity account creation.

   

3. A verification email is sent to your email address.

   

4. Open the email, copy the code, paste it in the Verify Your Email screen, and click Continue.

   

   

   You may see an additional browser page open to validate the creation of your user account. Close this page and return to the browser page you started on.

5. In the Almost done! dialog, select your communication preferences, and then click Submit.

   

6. You must now complete the creation of your new NVIDIA Cloud Account. Provide a meaningful name (spaces are not allowed) that helps you identify it easily against other accounts you own or are a member of.
   Note:

   Creating a new NCA will generate a new NGC org where your product will be activated. The NGC org is directly linked to this NCA.

   

7. You’ve now activated your NGC product, and you will be redirected to the NGC org subscription page where you can verify your product is active.

   

   That's it! You're all set up with your product.

Optional: You should have received a welcome email from your NVIDIA Cloud account. You can choose to complete the setup of your account now or at a later time.

Complete the steps in Setting up your NCA Account to configure your NCA account. The users you add to your NGC org are automatically added to the NCA account. To remove users or update NCA-related tenancy settings for a user, you need to take these actions in NCA.

4.1.2. NGC Product Activation by Invitation - Existing User

This section describes the steps to activate a new NGC product invitation received if you already have an NVIDIA NGC organization.

1. Go to your inbox to find the email "Welcome to NVIDIA NGC". Click the Accept invitation and sign-in button.

   

2. Sign in to your NVIDIA identity account.

   

   

3. Review the product details you want to activate on the Activate Product page, select the account under which the product should be activated, and click Activate Product. By default, only the accounts eligible to activate the product are displayed. Alternatively, you can activate the new product under a new account and NGC organization by clicking Activate with a new NVIDIA Cloud Account.

   

   Note:

   If you want to activate the product in an account you are not an owner of, you must transfer the product activation invitation to the owner. You can find the transfer steps here.

4. You’ve now activated your NGC product, and you will be redirected to the NGC org subscription page where you can verify your product is active. Click the Launch button for the service you want to access.

   

   That's it! You're all set up with your product.

Optional: You should have received a welcome email from your NVIDIA Cloud account. You can choose to complete the setup of your account now or at a later time.

Complete the steps in Setting up your NCA Account to configure your NCA account. The users you add to your NGC org are automatically added to the NCA account. To remove users or update NCA-related tenancy settings for a user, you need to take these actions in NCA.

4.2. Activating NGC Product from an NVIDIA Commercial Entitlement Certificate

When you procure a software subscription for an NVIDIA product, you'll receive an entitlement certificate attachment in an email with instructions on how to claim your entitlement.The following steps guide you through the entitlement registration process.

1. Find the Entitlement Certificate Email

   Open your email inbox and locate the email titled "NVIDIA Entitlement Certificate - Ref" containing your entitlement certificate attachment.

   Here is a sample entitlement certificate email:

   

   The entitlement certificate is provided as a PDF attachment. The following is an example:

   

   The PDF also includes instructions for using the certificate. Here is an example:

   

2. Login or Register
   • If you're an existing NVIDIA customer, click Already have an entitlement? Please Login.
   • If you're a new NVIDIA customer, click the "registration page" link to begin claiming your entitlement.
3. Sign In

   Enter your NVIDIA username and click Sign In.

   

   • Existing NVIDIA customers: Enter your password, and then click Login.
   • New customers: Create a new identity user account by setting a password.
4. Select or Create an NVIDIA Cloud Account (NCA)
   • Returning customers are prompted by the NCA picker to choose an existing NCA or create a new NCA to activate the subscription entitlement. Select an existing account if you want the new subscription activated in the existing NGC org linked to the NCA account or create a new NCA to activate the subscription in a new NGC org.

     

     • To use an existing account, select the desired account and click Continue.
       Note:

       You must select an account you "own"; otherwise, the entitlement claim will fail.

     • To create a new account, click Create New NVIDIA Cloud Account.
   • New customers: You will be prompted to create a new NCA. Choose a meaningful account name for easy identification.

     

5. Complete Entitlement Registration

   After selecting or creating an NCA, you will be directed to the entitlement registration page. Fill out the required fields and click Register.

   

   Required Information:

   • Primary Contact Information
     • First Name
     • Last Name
     • Email Address
     • Claiming Entitlement as
   • Company
     • Company Name
     • Location (Country)
     • Address
     • Industry
   • Primary Contact Details*
     • Location (Country)
     • Address
     • Phone
     • Job Role

   * Click the checkbox above if the Primary Contact address is the same as the company address.

6. Email Confirmation and Access

   After a successful registration, you'll receive two emails from NVIDIA. An email from Application Hub and an email from NCA:

   • NVIDIA Application Hub Email: Click Log In to access your software subscription in NGC.

     

     First, click the Application Hub email message to login and begin accessing NGC and the NVIDIA enterprise support portal.

7. Click the NVIDIA NGC card to access your software subscription in NGC.

   

   When you are in NGC, you can add additional users for them to access NGC by following steps in Adding NGC Users to an Org.

   Your registration is now complete!

Optional: From the NCA email, complete the steps in Setting up your NCA Account to configure your NCA account. The users you add to your NGC org are automatically added to the NCA account. To remove users or update NCA-related tenancy settings for a user, you need to take these actions in NCA.

4.3. Signing Up for a Free Individual NGC Org

This section describes the steps to sign up for an individual NGC org to access NGC Catalog artifacts gated by authentication. While setting up the NGC org, an NVIDIA Cloud Account is also created.

1. Go to the NGC sign-in page from your browser, enter your email address, and then click Continue.

   

2. To create your NVIDIA sign-in identity account, type in a password and confirm it (must meet the complexity check), review the NVIDIA account Terms of Use and Privacy Policy, and click Create Account to accept and proceed with your identity account creation.

   

3. A verification email is sent to your email address.

   

4. Open the email, copy the code, paste it in the Verify Your Email screen, and click Continue.

   

   

   You may see an additional browser page open to validate the creation of your user account. Close this page and return to the browser page you started on.

5. In the Almost done! dialog, select your communication preferences, and then click Submit.

   

6. Give your NVIDIA Cloud Account (NCA) a name that will help you identify it easily the next time you sign-in.

   

7. Complete your user profile at the Set Your Profile screen, agree to the NVIDIA GPU Cloud Terms of Use, and then click Submit.

   

   Your NVIDIA account is created, and you are automatically redirected to your individual NGC org.

   

   Your registration is now complete.

Optional: From the NCA email, complete the steps in Setting up your NCA Account to configure your NCA account. The users you add to your NGC org are automatically added to the NCA account. To remove users or update NCA-related tenancy settings for a user, you need to take these actions in NCA.

4.4. Setting up your NCA Account

To finish setting up your NVIDIA Cloud Account, find your NCA invitation email message in your inbox and click Log In Now.

1. Your NVIDIA Cloud Account (NCA) provides the services to set up a recovery email address in case your existing one becomes unavailable, manage access for additional users (subscription required), and set up billing information to purchase consumption-based NVIDIA cloud products.

   

2. Enter your email address to Login and click Continue.

   

3. Enter the credentials you created for your NVIDIA identity account.

   

4. On the NCA landing page you can find the details of your account. Here you can setup a recovery email address that can be used to regain access if the email address you used to create your account becomes unavailable. Go to Setting Up NCA Recovery Email for steps on how to setup your recovery email.

4.4.1. Setting Up NCA Recovery Email

To set up your NVIDIA Cloud Account (NCA) recovery email, follow these steps.

1. Click Edit on the Account Details pane under the Account Management > Details page.

   

2. On the Edit - Details dialog, enter the email address that you want to use for account recovery. This email address must be different from the address used to create the account. You can optionally set a description of this account, click Save.

   

3. Check to see that the recovery email status on the Account Details pane changed to Pending.

   

4. Go to your recovery email inbox, search for the NVIDIA message with the title "NVIDIA Cloud Account, Verify Your Recovery Email", and click Verify.

   

   You should see that your email has been verified.

   

5. Go back to your NCA console and check the recovery email status has updated with the address you assigned.

   

4.5. Accepting an NCA Invitation to Access NGC

Follow these steps to accept an invitation to join an NVIDIA Cloud Account and access NGC.

1. Check your email inbox for a message titled "You've been invited to an NVIDIA Cloud Account." Open the email and click Login to proceed.

   

2. If you are new to NVIDIA, you are prompted to create an NVIDIA identity account. Create a password that is at least 9 characters long and uses a mix of uppercase and lowercase letters, numbers, and special characters. If you already have an NVIDIA identity account, enter your password to continue. You can skip to Step 6 below.

   

   You will be asked to verify your email address in a confirmation email.

   

3. Check your email inbox for a message titled "NVIDIA Accounts". Open the email and click Verify Email Address.

   

   The email confirmation message will display in your browser.

   

4. NVIDIA would like permission to send you the latest news related to our software and products, as well as learn more about how you use our websites to make sure we send you information relevant to you. Select your options and click Submit.

   

5. You are prompted by NVIDIA Cloud Accounts to accept the invitation to join your company's account. Click Accept Invitation to continue joining.

   

6. Enter your password (required for security).

   

7. Accept the terms of use and privacy policy to access your software subscription.

   

   You can now access the NGC org.

An enterprise org can federate its external SSO/IdP identity service to centralize user authentication and manage access to NVIDIA cloud services. This section covers how to configure NGC org authentication through an external SSO provider such as Azure AD or Okta.

The setup process to federate an NGC org to an external SSO identity provider is now guided by an NVIDIA IdP onboarding wizard app and the steps are performed by the customer. To gain access to the IdP onboarding app, contact your NVIDIA sales representative or submit a support case with NVIDIA Enterprise Support. If you don’t have an NVIDIA sales rep or an active support contract, please email integration-requests@nvidia.com and submit the following information in your request message:

1. Your company name

2. A list of email domains that must be associated with the partner (e.g. acme.com, acme.net). The list can only include domains owned by the customer.

   Note:

   If the request is submitted by email, an identity verification process will be required before the IdP onboarding can be started.

3. The email addresses of the customer representatives who are expected to perform the IdP federation configuration steps.

5.1. Federating IdP with NVIDIA Cloud Services

When your request to federate your IdP is approved, you will receive an email with the NVIDIA URL to access the IdP onboarding configuration tool. Follow the steps below.

1. Access the Tool

   Locate the NVIDIA email, then either create an NVIDIA identity account with your work email or sign in with an existing account.

   

2. Initial Setup

   After you log in, you will see the initial screen of the IdP onboarding tool. Complete the required fields and click Next.

   • Your company name: NVIDIA will verify your employment.
   • Your identity management system: Select your IdP (e.g., Azure AD, Okta) from the dropdown.
   • Your email domains: Enter the domains managed by your IdP.

   

3. Onboarding Wizard

   You will be guided through a configuration wizard based on the IdP system you selected (Azure AD, OpenID Connect, or SAML).

   • Entra ID (Azure AD)

     

   • OpenID Connect Provider

     

   • SAML

     

4. Perform a Login Test

   After completing the IdP onboarding configuration, follow the instructions to test the login process.

   Read the Login test instructions and click Next.

   

   Review your login test results. If successful across all login services, click Confirm. If not, troubleshoot your IdP system and retest.

   

5. (Optional) Seek Support or Reassign Task

   Use the "Help" button to access support options.

   

   You can also reassign the task to complete the IdP configuration to a colleague.

   

6. Complete the IdP onboarding

   Once your login test is successful, you will see a success message.

   

   The NVIDIA team will finalize the onboarding generally within one business day, and you will receive a confirmation email.

   

Once your IdP is federated, NVIDIA cloud platforms are not automatically enabled to authenticate users through your external IdP. Since your company may have users accessing NVIDIA cloud platforms with NVIDIA-based identity user accounts, we would like to assist in identifying these users, communicating upcoming changes, and planning the migration of enterprise entitlements to their new external IdP-based identity user accounts. Please contact ngc-sso@nvidia.com to conduct this audit and coordinate the transition.

5.2. Authenticating and Managing User Access

This chapter covers the steps required to authenticate users through an enterprise SSO/IdP identity service, add new users, manage user permissions and roles, and ensure secure access to organizational resources.

After an NGC org is federated against an enterprise SSO/IdP identity service, the users signing into NGC will automatically be prompted to authenticate against their enterprise SSO/IdP service and redirected back to NGC after a successful sign-in. To add new users to an org federated to an external SSO/IdP provider, the org owner follows the steps described in Adding NGC Users to an Org. Alternatively, suppose the external IdP provider supports OIDC claims to identify the user's membership to a group or set of groups. In that case, NGC can be configured to map these OIDC claims to NGC org, teams, and role assignments. See the NGC IdP Membership Rules section for more details.

Note that NGC orgs no longer manage user tenancy; users and/or groups are assigned "permissions" to access NGC org resources and are tenants of the NVIDIA Cloud Account (NCA) linked to the NGC org. Users and groups are now added to the NVIDIA Cloud Account.

If you are managing user memberships using IdP-based group tags (claims), you need to add these groups both in the NCA account under "Add Groups" and in the NGC org under "External IdP > IdP rules." (In the future, we will deliver a feature where groups are added in NCA and discovered automatically in NGC to assign access permissions.)

To ensure access to the NCA account and NGC org is never lost, even if the IdP service is rendered inaccessible, configure a "Recovery email address" under the NCA account. This email address will be used to authenticate you outside of your IdP. For more information about email recovery, refer to Setting Up NCA Recovery Email.

Some NVIDIA products (like NGC) provide a UI option for customers to manually disable/deactivate/dis-enroll users manually within the NVIDIA application and trigger the revocation of credential assets by deleting the user. For example, NGC supports removing a user from an NGC org, and this event automatically triggers the revocation of user-owned NGC API keys. However, such application-specific admin functions do not remove users from other NVIDIA applications unless the removal is performed at the NCA account level. The risk with this process is that if the user were part of other NVIDIA services that grant credential assets, these assets would remain as active dangling assets against those services because the user account remains "active" in our central identity service and NCA. The user's API keys are thus not revoked. The only way to guarantee NVIDIA-wide user account removal is to integrate user event sharing with the NVIDIA IdP federation service, and the customer must be guided to execute the NVIDIA recommended de-provisioning operations in the NVIDIA IdP federation service.

5.3. NGC IdP Membership Rules

An enterprise org can be federated to an external SSO/IdP identity service to centrally manage a company's rules for user authentication to cloud services.

When the NGC org is linked to an external IdP, the org owner will see the ability to start creating membership rules under the Organization > External IdP configuration page.

If the NGC org is not linked to an enterprise-owned SSO IdP provider, the 'External IdP' web prompt is disabled with a message stating the org is not linked to an IdP. You can request to link your org to an enterprise-owned SSO IdP by emailing ngc-sso@nvidia.com.

The membership rules feature uses Open ID Connect (OIDC) claims containing the user's membership attributes. However, if your integration is based on SAML, our IdP federation service will translate your SAML based identities and group labels to the appropriate OIDC Id-token and group labels our Cloud Platforms expect.

Sample ID-token expected by NGC

The ID-token contains several claims that carry attributes associated with the user. Specifically, we are interested in the "groups" claims values that map users to specific membership groups in their Active Directory (AD) service.

It's important to note that the external IdP uses the name "groups" to carry membership attribute values in the example above. However, other IdP providers may use a different name for their membership attribute claim. If your IdP provider uses a different claim name, check that NGC supports it by emailing ngc-sso@nvidia.com.

An org owner or user_admin will create membership rules by mapping the name (alias) value of the IdP 'groups' claim to NGC org roles and permissions. Within the enterprise AD service, users assigned to these groups will receive the roles and permissions assigned to the group name in the NGC IdP rules.

Example

In this example, we are using Okta as the enterprise-owned SSO IdP provider. It is assumed the same person managing Okta also has NGC org owner permissions.

Okta Settings

First, the NGC org gets linked as a client application to the Okta IdP service.

On Okta, managed users get assigned to the NGC client application, enabling them to sign in to NGC using their Okta SSO account.

At this point, users have not been assigned to a 'group'.

On Okta, secure AD groups are created, and users can be assigned to a group or a set of groups.

In this example, Adam and Amy are assigned to the NGC_AIE_PR_Admin group. Note that this is being done manually using the Okta user management feature, but this is typically managed automatically by using an enterprise active directory integrated into the IdP provider.

At this point, Adam and Amy can sign into NGC, but there isn't an IdP rule that assigns them NGC org roles and permissions. The next section covers creating the NGC IdP membership rules that will grant Adam and Amy their roles.

Configuring NGC

After the IdP groups are created and users are assigned to secure AD groups on the Okta IdP side, the administrator (org owner) is ready to configure NGC IdP membership rules.

NGC

In the NGC web application, go to NGC External IdP settings and click Create Rule.

Type in a Rule Name that describes the purpose of the rule.

Then, under the If group equals field, enter the name of the IdP 'group' claim that will map to this rule. Note that the name must match exactly and is case-sensitive.

Finally, assign the NGC team or org-level access, and assign cloud service roles to grant to users that are assigned to the group. Click Save.

Once the rule is saved, the org owner must activate the rules to apply the membership roles to Adam and Amy when they sign in.

This completes the creation of an NGC IdP membership rule.

The org owner or user_admin can create multiple rules to support multiple group claim values from the IdP. An example of multiple IdP membership rules created can be seen below.

When the Activate Rules button is clicked, the org owner or user_admin is prompted to confirm activation of the IdP rules. When the rules are activated, the NGC IDP rule system reviews user memberships previously added to the org using the "user invitation" method. The NGC IdP rule system will check if the user account maps to a new IdP membership rule. If one does, the previous account membership is deleted, and a new user account membership using the same email address and IdP association will be created. The permissions and roles that get assigned to the new account membership are based on the IdP 'groups' claim attribute.

This section describes activating a subscription and linking it to your NGC Account.

1. Access the activation page directly via Activate Subscription.
2. Sign in to NGC with your email address and password if prompted. If you have not created an NGC account, create one now.
3. On the Activate Subscription page, enter your Business Information using your company's headquarters address and the serial number or activation code described by the specific offer. If entering multiple serial numbers or activation codes, use a comma to separate each.
4. Click Activate Subscription.

   

5. Once the system validates the serial numbers, review the information displayed and click Request Activation.

   

6. The Subscriptions page will display for your organization with the active NVIDIA AI Enterprise subscription.
7. Use the left navigation and click Enterprise Catalog to access the NVIDIA AI Enterprise software suite.

   

This section describes switching to a different org or team after logging in.

In the top menu bar, click your user account icon. Then, select your org menu to expand the view to other available orgs. If you manage many orgs, you can use the search field to find the specific org you want to select. Select the desired org by clicking it once.

Depending on the org or team you select, your current page may also refresh.

NVIDIA NGC API keys are required to authenticate with NGC services using NCG CLI, Docker CLI, or direct API requests.

NGC provides two types of API keys:

Personal Keys

• Any NGC org user can generate a personal key.
• An NGC org user can grant a personal key up to the permissions assigned to them in the NGC org.
• A personal key is linked to the user’s NGC org lifecycle.
  • If the user’s permissions change, the available permissions that can be or are assigned to the personal key also change.
  • If the user is removed from the NGC org, the key's validity is revoked.
• Supports updating permissions, rotation, and deletion (immediate revocation).
  • Org owners and user_admins can revoke any member’s key on demand.
• Each user can generate up to eight personal keys.

Use personal keys to begin using NGC services within your sandbox. Personal keys are best suited for individuals working on early development and testing code before moving to pre-production and production releases.

To learn how to authorize the services you have access to in the org and generate a personal key, go to Generating a Personal API Key.

Important:

Use the legacy NGC API Key to authenticate with Base Command Platform, Fleet Command, or other NGC services that don’t support "Personal key" authentication. For cross-org authorization, continue using the legacy NGC API Key. NVIDIA plans to deprecate the legacy NGC API key after 2025. NVIDIA encourages you to use the Personal Key, but if you need to continue using the legacy API key, go to Generating a Legacy NGC API Key to find out where to create a new one. Also, your current NGC API key will continue to work.

Service Keys

• The lifecycle of service keys is linked to the NGC org account, not associated with an individual user.
• Only NGC org owners and user_admins can manage service keys.
• A service key can be scoped to access only the permissions and services required, or full access to the services enabled in the org.
• Supports scoped permissions, updating permissions, on-demand revocation, rotation, and deletion.
• An NGC org can have up to 50 service keys.

Use service keys when you require automated communication between machines and deploying to pre-production and production environments where you do not want to depend on a user’s membership status in the NGC org.

Note:

Service keys currently do not support listing artifacts in NGC CLI or Docker CLI. This functionality will be added in the future. In the meantime, use a Personal API key to list artifacts.

Examples using NGC API Keys

Here are some examples of using NGC API keys to authenticate with NGC CLI and Docker CLI:

NGC CLI

Copy

Copied!

            

            
$ ngc config set 
        

Paste your key value at the API_KEY prompt:

Copy

Copied!

            

            
[Enter API key [****API-Key]. Choices: [<VALID_APIKEY>]
        

Important:

Always use the latest NGC CLI version to access the newest features, bug fixes, performance improvements, and security updates. Check for the latest versions at NGC CLI Installers or run ngc version list to view the latest releases, then upgrade using

Copy

Copied!

            

            
ngc version upgrade
        

Docker CLI

Copy

Copied!

            

            
docker login nvcr.io --username '$oauthtoken'
        

For the username, enter '$oauthtoken' exactly as shown. It is a special name that indicates that you will authenticate with an API key. Paste your key value at the Password prompt.

8.1. Supported NGC Applications and API Key Types

The NVIDIA NGC applications/services that support Personal and Service Keys are listed below:

8.2. Generating NGC API Keys

Generating API keys is essential for authenticating with NGC services using the NGC CLI, Docker CLI, or direct API requests.

8.2.1. Generating a Personal API Key

1. Sign in to the NGC website.

   From a browser, go to https://ngc.nvidia.com/signin and then enter your email and password.

2. Click your user account icon in the top-right corner and select Setup.

   

3. Click Generate API Key from the available options.

   

4. On the Setup > API Keys page, click + Generate Personal Key on the menu or the pane.

   

5. In the Generate Personal Key dialog, fill in the required information for your key.

   

   • Key Name: Enter a unique name for your key.
   • Expiration: Choose the expiration date for the key.

     

   • Services Included: Choose from the available services the key is permitted to access. Refer to Assigning Services to Your Personal API Key to learn more about each service and when to assign service access to your Personal Key.
6. Click Generate Personal Key when finished.

   Your API key appears in the following dialog.

7. NGC does not save your key, so store it securely. You can copy your API Key to the clipboard by selecting Copy Personal Key or using the copy icon to the right of the API key.

   

   You can generate up to eight personal keys and manage them from the Setup > Personal Keys dashboard. To activate or deactivate a key, click the Active toggle. The Actions (ellipsis) menu allows you to rotate or delete a personal key.

   

8.2.1.1. Assigning Services to Your Personal API Key

The services you can assign to a personal API key depend on two factors:

• The services enabled for the NGC org where you generate the API key.
• The service roles assigned to you by your NGC org owner or administrator.

For example, consider an NGC org with the following services enabled:

An NGC user account might have the following access roles assigned:

In this scenario, the NGC org has enabled NVIDIA Microservices, Private Registry, NVIDIA AI Enterprise, and Cloud Functions (NVCF). The user account has been granted access roles for all these services. Therefore, a personal API key can be generated with permissions to access one or all of them.

If a service is unavailable for assignment to the API key, it indicates that the org owner or administrator has not granted the user the necessary role for that service.

For details about each service listed above and its function, see the table Supported NGC Applications and API Key Types.

8.2.1.2. Generating a Legacy NGC API Key

To generate a legacy API key, go to Setup > API Keys and click + Generate Legacy Key in the Legacy Keys drop-down.

In the Generate Legacy Key dialog, click on + Generate Legacy Key.

8.2.2. Generating a Service API Key

1. Sign in to the NGC website.

   From a browser, go to https://ngc.nvidia.com/signin and then enter your email and password.

2. Select Organization from the user account menu on the upper right.

   

   Select Service Keys on the organization dashboard.

   

3. On the Organization > Service Keys page, click + Create Service Key button to create a key.

   

4. In the Create Service Key dialog, fill in the required configuration. Service keys currently support services such as NVIDIA NIM, NGC Catalog, and Private Registry. Assign scopes and resource permissions to the key.

   

   In the Entity Type field, select from the available options to grant to the API key.

   

   In the Scope field, choose from the available options.

   

5. Click Next Step to review your key configuration.

   

6. Once you verified the configuration, click Confirm to generate your service key. Your service key appears in the next dialog.

   

7. NGC does not save your key, so store it securely. You can copy your API Key to the clipboard by clicking the copy icon to the right of the API key or the Copy Service Key button.

   

   Make sure to copy the key value before leaving this page. Once you navigate away, the key value cannot be retrieved, and replacing it will require generating a new key.

   NGC supports multiple Service API keys, which are managed from the Organization > Service Keys dashboard.

   To activate or deactivate a key, click the Active toggle. The Actions (ellipsis) menu allows you to rotate or delete a service key.

   

   Note:

   When managing containers, ensure the scopes Get Container and Get Container list are assigned to your service key. For other types of artifacts, add the Get Artifact and Get Artifact list scopes. These scopes are the minimum required to discover the artifacts that need to be managed. Refer to the NGC Catalog User Guide and Private Registry User Guide for more information.

The NGC Notification Services feature enables NGC users to subscribe to email notifications to receive service change events. By subscribing to notifications, users can stay updated with the latest changes and developments in the NGC cloud platform and its services.

NGC customers can be informed of the following types of changes:

• Customer-impacting service enhancements (release notes)

• Security vulnerabilities (CVEs) and scanning reports

• Software end-of-life announcements

• Scheduled web portal maintenance to an NGC property

NGC customers can subscribe to notifications in the following ways:

• During their first sign-in, the NGC portal will pop up a modal allowing users to set their notifications preferences.

  

  The following sample toast notification confirms the user’s email preference settings:

  

• After their initial sign-in, users can edit their notification preferences under their NGC user account settings page.

  

Notification preferences are organized based on the subscriptions enabled within the organization. Access to these preferences will be gated by the service roles assigned to each user.

NVIDIA NGC Network Protocols

NVIDIA NGC Network Protocols

The table below lists the required network protocols and port configurations for communication with NVIDIA NGC services.

To enable access, ensure that these ports are open in your web proxy, which connects your network to external services.

Notice

_{THE INFORMATION IN THIS GUIDE AND ALL OTHER INFORMATION CONTAINED IN NVIDIA DOCUMENTATION REFERENCED IN THIS GUIDE IS PROVIDED "AS IS." NVIDIA MAKES NO WARRANTIES, EXPRESSED, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE INFORMATION FOR THE PRODUCT, AND EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. Notwithstanding any damages that customer might incur for any reason whatsoever, NVIDIA's aggregate and cumulative liability towards customer for the product described in this guide shall be limited in accordance with the NVIDIA terms and conditions of sale for the product.}

_{THE NVIDIA PRODUCT DESCRIBED IN THIS GUIDE IS NOT FAULT TOLERANT AND IS NOT DESIGNED, MANUFACTURED OR INTENDED FOR USE IN CONNECTION WITH THE DESIGN, CONSTRUCTION, MAINTENANCE, AND/OR OPERATION OF ANY SYSTEM WHERE THE USE OR A FAILURE OF SUCH SYSTEM COULD RESULT IN A SITUATION THAT THREATENS THE SAFETY OF HUMAN LIFE OR SEVERE PHYSICAL HARM OR PROPERTY DAMAGE (INCLUDING, FOR EXAMPLE, USE IN CONNECTION WITH ANY NUCLEAR, AVIONICS, LIFE SUPPORT OR OTHER LIFE CRITICAL APPLICATION). NVIDIA EXPRESSLY DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY OF FITNESS FOR SUCH HIGH RISK USES. NVIDIA SHALL NOT BE LIABLE TO CUSTOMER OR ANY THIRD PARTY, IN WHOLE OR IN PART, FOR ANY CLAIMS OR DAMAGES ARISING FROM SUCH HIGH RISK USES.}

_{NVIDIA makes no representation or warranty that the product described in this guide will be suitable for any specified use without further testing or modification. Testing of all parameters of each product is not necessarily performed by NVIDIA. It is customer's sole responsibility to ensure the product is suitable and fit for the application planned by customer and to do the necessary testing for the application in order to avoid a default of the application or the product. Weaknesses in customer's product designs may affect the quality and reliability of the NVIDIA product and may result in additional or different conditions and/or requirements beyond those contained in this guide. NVIDIA does not accept any liability related to any default, damage, costs or problem which may be based on or attributable to: (i) the use of the NVIDIA product in any manner that is contrary to this guide, or (ii) customer product designs.}

_{Other than the right for customer to use the information in this guide with the product, no other license, either expressed or implied, is hereby granted by NVIDIA under this guide. Reproduction of information in this guide is permissible only if reproduction is approved by NVIDIA in writing, is reproduced without alteration, and is accompanied by all associated conditions, limitations, and notices.}

Trademarks

_{NVIDIA and the NVIDIA logo are trademarks and/or registered trademarks of NVIDIA Corporation in the United States and other countries. Other company and product names may be trademarks of the respective companies with which they are associated.}