How to Configure SAML 2.0 for Hugging Face Enterprise Hub
Prerequisites
Before you begin, make sure the following conditions are met:
- Your Hugging Face organization must be on an Enterprise or Enterprise Plus plan to enable SAML-based Single Sign-On (SSO).
- You must have administrator privileges in both your Okta organization and your Hugging Face Enterprise Hub organization.
- Your Hugging Face organization must have a unique Organization Name and Organization ID.
- These can be found in Organization Settings → SSO → SAML in Hugging Face.
- You need your Okta Identity Provider (IdP) metadata, including:
- Identity Provider Single Sign-On URL
- X.509 Certificate (full text including
-----BEGIN CERTIFICATE-----and-----END CERTIFICATE-----)
- For more information about Hugging Face’s Enterprise SSO, visit the Hugging Face Enterprise SSO Documentation.
Supported Features
The Okta / Hugging Face Enterprise Hub SAML integration supports the following features:
| Feature | Supported | Description |
|---|---|---|
| IdP-initiated SSO | ✅ | Users can sign in directly from the Okta dashboard. |
| SP-initiated SSO | ✅ | Users accessing Hugging Face are redirected to Okta for authentication. |
| JIT (Just-In-Time) Provisioning | ✅ | Accounts are created automatically on first login via SSO. |
| Single Logout (SLO) | ❌ | Not currently supported. |
Configuration Steps
Step 1 — Add the Hugging Face App from Okta Integration Network (OIN)
- Sign in to your Okta Admin Console.
- Navigate to Applications → Browse App Catalog.
- Search for Hugging Face and click Add Integration.
Step 2 — Configure the Hugging Face App in Okta
On the General Settings page, specify:
- Application label:
Hugging Face - Organization Name: Your Hugging Face organization name
- Organization ID: Your Hugging Face organization ID
(These values are visible under Organization Settings → SSO → SAML in Hugging Face.)
- Application label:
Click Next, verify the sign-on options (username format should be Email), and then click Done.
Ensure the administrator performing these steps is assigned to the Hugging Face app under the Assignments tab.
Step 3 — Copy SAML Configuration from Okta
- In the Hugging Face app in Okta, open the Sign On tab.
- Locate the SAML 2.0 section and click View SAML Setup Instructions.
- Copy the following values:
- Identity Provider Single Sign-On URL
- X.509 Certificate — full text including
BEGINandENDcertificate markers.
Step 4 — Configure SAML in Hugging Face
- In Hugging Face, go to Organization Settings → SSO → SAML.
- Enter the values copied from Okta:
- Sign On URL: Paste the Identity Provider Single Sign-On URL.
- X.509 Certificate: Paste the full certificate text.
- Click Update and Test SAML Configuration.
- If the test succeeds, toggle Enable SAML SSO to activate SSO for your organization.
SP-Initiated SSO
Hugging Face supports SP-initiated Single Sign-On. To start the login flow directly from Hugging Face:
- Go to https://huggingface.co/login.
- Select Sign in with your Enterprise SSO.
- Enter your organization name and click Continue.
- You’ll be redirected to Okta for authentication, then returned to your Hugging Face workspace.
Users can also trigger this flow automatically when trying to access organization content — they’ll see a banner prompting “Login with SSO” that redirects them to Okta.
Notes
- This configuration covers Standard SSO.
For Advanced SSO (with SCIM user provisioning and advanced network security), see the Hugging Face Advanced SSO Documentation. - Make sure that the Organization Name and Organization ID used in Okta exactly match the values in your Hugging Face settings.
- Once SAML is enabled, access to organization content requires Okta authentication.
Customer Support Contact
If you need help with setup or troubleshooting, contact Hugging Face Enterprise Support:
- Email: enterprise-support@huggingface.co
- Documentation: https://huggingface.co/docs/hub/en/enterprise-sso
© Hugging Face, Inc. All rights reserved.