<!doctype html>
<html>
	<head>
		<meta charset="utf-8" />
		<meta name="viewport" content="width=device-width" />
		<title>My static Space</title>
		<link rel="stylesheet" href="style.css" />
	</head>
	<body>
  <div class="header clearfix">
    <div class="logo-container">
      <img src="https://huggingface.co/front/assets/huggingface_logo-noborder.svg" alt="Hugging Face" style="height:50px;margin-top:10px;">
    </div>
  </div>

  <div class="okta-instructions">
    <h1>How to Configure SAML 2.0 for Hugging Face Enterprise Hub</h1>

    <div class="okta-callout okta-warning">
      <span class="icon-24 icon-warning"></span>
      <div>
        <p><strong>Prerequisites:</strong></p>
        <ul>
          <li>Your organization must be on an <strong>Enterprise</strong> or <strong>Enterprise Plus</strong> plan to enable SAML-based Single Sign-On (SSO).</li>
          <li>You must have <strong>administrator privileges</strong> in both your Okta organization and your Hugging Face Enterprise Hub organization.</li>
          <li>Ensure your Hugging Face organization has a unique <strong>Organization Name</strong> and <strong>Organization ID</strong>. You will find these under <em>Organization Settings → SSO → SAML</em>.</li>
          <li>Have your <strong>Okta Identity Provider (IdP) metadata</strong> available, including:
            <ul>
              <li>Identity Provider Single Sign-On URL</li>
              <li>X.509 Certificate (full text including BEGIN/END markers)</li>
            </ul>
          </li>
          <li>For more information about Hugging Face’s Enterprise SSO, see:
            <a href="https://huggingface.co/docs/hub/en/enterprise-sso" target="_blank">Hugging Face Enterprise SSO Documentation</a>.
          </li>
        </ul>
      </div>
    </div>

    <h2>Contents</h2>
    <ul>
      <li><a href="#features">Supported Features</a></li>
      <li><a href="#steps">Configuration Steps</a></li>
      <li><a href="#sp-initiated">SP-initiated SSO</a></li>
      <li><a href="#notes">Notes</a></li>
      <li><a href="#support">Customer Support Contact</a></li>
    </ul>
    <hr>

    <a name="features"></a>
    <h2>Supported Features</h2>
    <p>The Okta / Hugging Face Enterprise Hub SAML integration supports the following features:</p>
    <ul>
      <li><strong>IdP-initiated SSO:</strong> Users can sign in to Hugging Face directly from the Okta dashboard.</li>
      <li><strong>SP-initiated SSO:</strong> Users accessing Hugging Face content are redirected to Okta for authentication.</li>
    </ul>
    <hr>

    <a name="steps"></a>
    <h2>Configuration Steps</h2>

    <h3>Step 1 — Add the Hugging Face App from Okta Integration Network (OIN)</h3>
    <ol>
      <li>Sign in to your Okta Admin Console.</li>
      <li>Navigate to <strong>Applications → Browse App Catalog</strong>.</li>
      <li>Search for <strong>Hugging Face</strong> and click <strong>Add Integration</strong>.</li>
    </ol>

    <h3>Step 2 — Configure the Hugging Face App in Okta</h3>
    <ol start="4">
      <li>On the <strong>General Settings</strong> page, specify:
        <ul>
          <li><strong>Application label:</strong> <kbd>Hugging Face</kbd></li>
          <li><strong>Organization Name:</strong> Your Hugging Face organization name</li>
          <li><strong>Organization ID:</strong> Your Hugging Face organization ID</li>
        </ul>
        <p><em>Where to find these values:</em> In Hugging Face, go to <strong>Organization Settings → SSO → SAML</strong>.</p>
        <p><img src="/static/images/hf-sso-saml-screenshot.png" alt="Hugging Face SSO SAML screenshot" style="max-width:100%;height:auto;"></p>
      </li>
      <li>Click <strong>Next</strong>, review the sign-on options (the username format should be <kbd>Email</kbd>), and then click <strong>Done</strong>.</li>
      <li><strong>Important:</strong> Ensure the administrator performing these steps is <strong>assigned</strong> to the Hugging Face app in Okta under the <strong>Assignments</strong> tab.</li>
    </ol>

    <h3>Step 3 — Copy SAML Configuration from Okta</h3>
    <ol start="7">
      <li>In the Hugging Face app in Okta, open the <strong>Sign On</strong> tab.</li>
      <li>Locate the <strong>SAML 2.0</strong> section and click <strong>View SAML Setup Instructions</strong>.</li>
      <li>Copy the following values:
        <ul>
          <li><strong>Identity Provider Single Sign-On URL</strong></li>
          <li><strong>X.509 Certificate</strong> — copy the full text including <kbd>-----BEGIN CERTIFICATE-----</kbd> and <kbd>-----END CERTIFICATE-----</kbd>.</li>
        </ul>
      </li>
    </ol>

    <h3>Step 4 — Configure SAML in Hugging Face</h3>
    <ol start="10">
      <li>In Hugging Face, navigate to <strong>Organization Settings → SSO → SAML</strong>.</li>
      <li>Enter the values obtained from Okta:
        <ul>
          <li><strong>Sign On URL:</strong> Paste the Identity Provider Single Sign-On URL.</li>
          <li><strong>X.509 Certificate:</strong> Paste the certificate including BEGIN/END markers.</li>
        </ul>
      </li>
      <li>Click <strong>Update and Test SAML Configuration</strong>.</li>
      <li>If the test succeeds, toggle <strong>Enable SAML SSO</strong> to activate SSO for your organization.</li>
    </ol>
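    <p>A pre-flight check for the two values copied in Step 3 before they are pasted in Step 4, as an added example that is not part of the original guide or of Okta's or Hugging Face's tooling. The function names, the sample URL and the sample PEM are constructed for illustration. It verifies the PEM envelope and DER length to catch a truncated paste, but does not parse X.509 fields such as expiry.</p>

```python
import base64, binascii, hashlib, re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_is_complete(der: bytes) -> bool:
    """True if the blob is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long form: low 7 bits = count of length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def preflight(sso_url: str, pem_text: str):
    """Return (problems, sha256_fingerprint_or_None) for the two pasted values."""
    problems, fingerprint = [], None
    url = urlsplit(sso_url.strip())
    if url.scheme != "https" or not url.hostname:
        problems.append("Sign On URL must be an absolute https:// URL")
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        problems.append(f"expected exactly one BEGIN/END CERTIFICATE block, found {len(blocks)}")
        return problems, fingerprint
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except binascii.Error:
        problems.append("certificate body is not valid base64")
        return problems, fingerprint
    if not der_is_complete(der):
        problems.append("certificate is truncated or not DER (length mismatch)")
        return problems, fingerprint
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    return problems, fingerprint

def sample_pem() -> str:
    """Constructed placeholder with a valid DER envelope; NOT a real certificate."""
    body = bytes(range(256)) * 3
    b64 = base64.b64encode(b"\x30\x82" + len(body).to_bytes(2, "big") + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

SAMPLE_URL = "https://example.okta.com/app/placeholder/sso/saml"  # constructed, not a real tenant
print(preflight(SAMPLE_URL, sample_pem()))
```

    <p>The returned SHA-256 fingerprint can be compared out of band with the fingerprint of the certificate as issued by the IdP, so that the value pasted into Hugging Face is known to be the one Okta signs with.</p>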

    <hr>

    <a name="sp-initiated"></a>
    <h2>SP-initiated SSO</h2>
    <p>Hugging Face also supports SP-initiated Single Sign-On. To initiate login directly from Hugging Face:</p>
    <ol>
      <li>Navigate to <kbd>https://huggingface.co/organizations/{organizationName}/sso</kbd>, replacing <kbd>{organizationName}</kbd> with your Hugging Face organization name.</li>
      <li>You’ll be redirected to Okta to authenticate, and then returned to your Hugging Face organization workspace.</li>
    </ol>
    <p>This flow can also occur automatically when accessing restricted organization content — users will be prompted with a “Login with SSO” banner that redirects to Okta.</p>

    <hr>

    <a name="notes"></a>
    <h2>Notes</h2>
    <ul>
      <li>This setup describes <strong>Standard SSO</strong>. For <strong>Advanced SSO</strong> (with SCIM user provisioning and additional network security controls), see 
        <a href="https://huggingface.co/docs/hub/en/enterprise-hub-advanced-sso" target="_blank">Advanced SSO Documentation</a>.
      </li>
      <li>Ensure that the <strong>Organization Name</strong> and <strong>Organization ID</strong> used in Okta exactly match those in Hugging Face SSO settings.</li>
      <li>After enabling SAML, access to organization resources will require authentication through Okta.</li>
    </ul>

    <hr>

    <a name="support"></a>
    <h2>Customer Support Contact</h2>
    <p>For assistance with SSO setup or troubleshooting, please contact the Hugging Face Enterprise Support team:</p>
    <ul>
      <li><strong>Email:</strong> <a href="mailto:enterprise-support@huggingface.co">enterprise-support@huggingface.co</a></li>
      <li><strong>Documentation:</strong> <a href="https://huggingface.co/docs/hub/en/enterprise-sso" target="_blank">https://huggingface.co/docs/hub/en/enterprise-sso</a></li>
    </ul>
  </div>
</body>




</html>