Spaces:

huggingface
/

okta-saml-integration-guide

Running

App Files Files Community

okta-saml-integration-guide / index.html

CharlieBoyer HF Staff

Update index.html

3c94026 verified about 2 months ago

raw

history blame

4.3 kB

	<!doctype html>
	<html>
	<head>
	<meta charset="utf-8" />
	<meta name="viewport" content="width=device-width" />
	<title>My static Space</title>
	<link rel="stylesheet" href="style.css" />
	</head>
	<body>
	<div class="header clearfix">
	<div class="logo-container">
	<img src="https://huggingface.co/front/assets/huggingface_logo-noborder.svg" alt="Hugging Face" style="height:50px;margin-top:10px;">
	</div>
	</div>

	<div class="okta-instructions">
	<h1>How to Configure SAML 2.0 for Hugging Face Enterprise Hub</h1>

	<div class="okta-callout okta-warning">
	<span class="icon-24 icon-warning"></span>
	<p><strong>Notes:</strong></p>
	<ul>
	<li><p>To enable SAML-based SSO, your organization must be on an <strong>Enterprise</strong> or <strong>Enterprise Plus</strong> plan.</p></li>
	<li><p>For details about Hugging Face’s SSO and SCIM options, visit
	<a href="https://huggingface.co/docs/hub/enterprise/sso" target="_blank">Hugging Face Enterprise Documentation</a>.</p></li>
	</ul>
	</div>

	<h2>Contents</h2>
	<ul>
	<li><a href="#features">Supported Features</a></li>
	<li><a href="#steps">Configuration Steps</a></li>
	<li><a href="#notes">Notes</a></li>
	</ul>
	<hr>

	<a name="features"></a><h2>Supported Features</h2>
	<p>The Okta / Hugging Face Enterprise Hub SAML integration supports the following features:</p>
	<ul>
	<li>SP-initiated SSO</li>
	<li>IdP-initiated SSO</li>
	<li>Just-In-Time (JIT) provisioning</li>
	<li>Optional SCIM user deprovisioning (for Advanced SSO customers)</li>
	</ul>
	<p>For more information, see the <a href="https://help.okta.com/en/prod/Content/Topics/Reference/glossary.htm" target="_blank">Okta Glossary</a>.</p>
	<hr>

	<a name="steps"></a><h2>Configuration Steps</h2>
	<ol>
	<li><p>Log in to your <strong>Okta Admin Dashboard</strong>.</p></li>

	<li><p>Go to <strong>Applications > Create App Integration</strong>.</p></li>

	<li><p>Select <strong>SAML 2.0</strong> as the Sign-in method.</p></li>

	<li><p>Enter the following values:</p>
	<ul>
	<li><strong>Single Sign-On URL:</strong>
	<kbd>https://huggingface.co/login/sso/saml</kbd>
	</li>
	<li><strong>Audience URI (SP Entity ID):</strong>
	<kbd>https://huggingface.co</kbd>
	</li>
	<li><strong>Name ID Format:</strong>
	<kbd>EmailAddress</kbd>
	</li>
	<li><strong>Attribute Statements (optional):</strong>
	<ul>
	<li><kbd>email</kbd> → <kbd>user.email</kbd></li>
	<li><kbd>firstName</kbd> → <kbd>user.firstName</kbd></li>
	<li><kbd>lastName</kbd> → <kbd>user.lastName</kbd></li>
	</ul>
	</li>
	</ul>
	</li>

	<li><p>Click <strong>Next</strong>, complete the App Settings, and save.</p></li>

	<li><p>From your new Okta app’s <strong>Sign On</strong> tab, click <strong>View Setup Instructions</strong> and download the <strong>IdP metadata XML</strong> file.</p></li>

	<li><p>In Hugging Face, open your organization’s settings page:
	<kbd>https://huggingface.co/organizations/<your_org>/settings/sso</kbd></p></li>

	<li><p>Upload the IdP metadata XML file, click <strong>Update and Test SAML Configuration</strong>, then enable SSO enforcement.</p></li>

	<li><p>To test, visit <kbd>https://huggingface.co/login/sso/saml/<your_org></kbd> and sign in via Okta.</p></li>
	</ol>
	<hr>

	<a name="notes"></a><h2>Notes</h2>
	<ul>
	<li><p>If you see a “400 SSO not enabled” error, ensure the “Enable SAML SSO” toggle is on in Hugging Face settings.</p></li>
	<li><p>If your IdP certificate changes, re-upload the new metadata to Hugging Face to avoid signature mismatches.</p></li>
	<li><p>SCIM provisioning is available for Enterprise Plus customers using Advanced SSO.</p></li>
	<li><p>For help, contact <kbd>enterprise@huggingface.co</kbd>.</p></li>
	</ul>

	<h3>SP-initiated SSO</h3>
	<p>Go to <strong>https://huggingface.co/login/sso/saml/<your_org></strong> to start an SP-initiated login flow.</p>
	</div>
	</body>
	</html>