Spaces:

huggingface
/

okta-saml-integration-guide

Running

App Files Files Community

CharlieBoyer HF Staff commited on Oct 22

Commit

87c5a88

verified ·

1 Parent(s): 2e4f014

Update index.html

Browse files

Files changed (1) hide show

index.html +39 -148

index.html CHANGED Viewed

@@ -23,7 +23,7 @@
         <ul>
           <li><p>Your organization must be on an <strong>Enterprise</strong> or <strong>Enterprise Plus</strong> plan to enable SAML-based SSO.</p></li>
           <li><p>You must have administrator access to both your Okta organization and your Hugging Face Enterprise Hub organization.</p></li>
-          <li><p>For details about Hugging Face's SSO and SCIM options, visit the
           <a href="https://huggingface.co/docs/hub/enterprise/sso" target="_blank">Hugging Face Enterprise Documentation</a>.</p></li>
         </ul>
       </div>
@@ -33,189 +33,80 @@
     <ul>
       <li><a href="#features">Supported Features</a></li>
       <li><a href="#steps">Configuration Steps</a></li>
-      <li><a href="#sp-initiated">SP-initiated SSO</a></li>
-      <li><a href="#troubleshoot">Troubleshoot</a></li>
     </ul>
     <hr>
     <a name="features"></a><h2>Supported Features</h2>
-    <p>The Okta / Hugging Face Enterprise Hub SAML integration supports the following features:</p>
     <ul>
-      <li><strong>IdP-initiated SSO:</strong> Users can sign in to Hugging Face directly from their Okta dashboard by clicking the Hugging Face app tile.</li>
-      <li><strong>SP-initiated SSO:</strong> Users can initiate sign-in from the Hugging Face login page, which redirects them to Okta for authentication.</li>
-      <li><strong>Just-In-Time (JIT) provisioning:</strong> User accounts are automatically created in Hugging Face when they first sign in via SAML.</li>
-      <li><strong>Optional SCIM user deprovisioning:</strong> Available for Enterprise Plus customers using Advanced SSO to automatically manage user lifecycle.</li>
     </ul>
-    <p>For more information on the listed features, visit the <a href="https://help.okta.com/okta_help.htm?type=oie&id=ext_glossary" target="_blank">Okta Glossary</a>.</p>
     <hr>
     <a name="steps"></a><h2>Configuration Steps</h2>
-    <h3>Step 1: Get Your Organization Name and Entity ID from Hugging Face</h3>
-    <ol>
-      <li><p>Sign in to <strong>Hugging Face</strong> with your administrator account.</p></li>
-      <li><p>Navigate to your organization's settings page and click on <strong>SSO</strong>:<br>
-        <kbd>https://huggingface.co/organizations/&lt;your_org&gt;/settings/sso</kbd><br>
-        <em>(Replace <kbd>&lt;your_org&gt;</kbd> with your actual organization name)</em>
-      </p></li>
-      <li><p>Click on the <strong>SAML</strong> tab.</p></li>
-      <li><p>Note the following values - you will need them in the next steps:</p>
-        <ul>
-          <li><strong>Organization Name:</strong> Your Hugging Face organization name (e.g., <kbd>your-org</kbd>)</li>
-          <li><strong>Entity ID:</strong> <kbd>https://huggingface.co</kbd></li>
-          <li><strong>ACS URL:</strong> <kbd>https://huggingface.co/login/sso/saml</kbd></li>
-        </ul>
-        <p><em>Keep this page open - you'll return to it later.</em></p>
-      </li>
-    </ol>
-    <h3>Step 2: Add Hugging Face App from Okta Integration Network (OIN)</h3>
-    <ol start="5">
       <li><p>Sign in to your <strong>Okta Admin Dashboard</strong>.</p></li>
-      <li><p>Navigate to <strong>Applications</strong> &gt; <strong>Applications</strong> in the left sidebar.</p></li>
       <li><p>Click <strong>Browse App Catalog</strong>.</p></li>
-      <li><p>Search for <strong>"Hugging Face"</strong> in the search bar.</p></li>
-      <li><p>Select the <strong>Hugging Face Enterprise Hub</strong> application from the results.</p></li>
       <li><p>Click <strong>Add Integration</strong>.</p></li>
     </ol>
-    <h3>Step 3: Configure the Hugging Face App in Okta</h3>
-    <ol start="11">
-      <li><p>On the <strong>General Settings</strong> page, enter the following:</p>
         <ul>
-          <li><strong>Application label:</strong> <kbd>Hugging Face Enterprise Hub</kbd> (or customize as needed)</li>
-          <li><strong>Organization Name:</strong> Enter your Hugging Face organization name from Step 4 (e.g., <kbd>your-org</kbd>)</li>
-          <li><strong>Entity ID:</strong> This should be pre-filled as <kbd>https://huggingface.co</kbd></li>
         </ul>
       </li>
-      <li><p>Click <strong>Next</strong>.</p></li>
-      <li><p>On the <strong>Sign-On Options</strong> page, review the default settings.</p>
-        <ul>
-          <li><strong>Application username format:</strong> Should be set to <kbd>Email</kbd></li>
-        </ul>
-      </li>
-      <li><p>Click <strong>Done</strong>.</p></li>
     </ol>
-    <h3>Step 4: Copy SAML Configuration from Okta</h3>
-    <ol start="15">
-      <li><p>From your Hugging Face app in Okta, go to the <strong>Sign On</strong> tab.</p></li>
-      <li><p>Scroll down to the <strong>SAML 2.0</strong> section and click <strong>View SAML setup instructions</strong>.</p></li>
-      <li><p>From the setup instructions page, copy the following values:</p>
         <ul>
           <li><strong>Identity Provider Single Sign-On URL</strong></li>
-          <li><strong>X.509 Certificate</strong> (the full certificate text between <kbd>-----BEGIN CERTIFICATE-----</kbd> and <kbd>-----END CERTIFICATE-----</kbd>)</li>
         </ul>
-        <p><em>Alternatively, you can find these values in the Sign On tab under "Metadata details".</em></p>
       </li>
     </ol>
-    <h3>Step 5: Configure SAML in Hugging Face</h3>
-    <ol start="18">
-      <li><p>Return to the Hugging Face SSO settings page from Step 3:<br>
-        <kbd>https://huggingface.co/organizations/&lt;your_org&gt;/settings/sso</kbd>
-      </p></li>
-      <li><p>Make sure you're on the <strong>SAML</strong> tab.</p></li>
-      <li><p>Enter the following values from Step 17:</p>
         <ul>
-          <li><strong>Sign On URL:</strong> Paste the <strong>Identity Provider Single Sign-On URL</strong> from Okta</li>
-          <li><strong>X.509 Certificate:</strong> Paste the full certificate text from Okta</li>
         </ul>
       </li>
-      <li><p>Click <strong>Update and Test SAML Configuration</strong>.</p></li>
-      <li><p>If the test is successful, toggle the <strong>Enable SAML SSO</strong> switch to enable SSO enforcement for your organization.</p></li>
     </ol>
-    <h3>Step 6: Assign Users in Okta</h3>
-    <ol start="23">
-      <li><p>Return to your Okta Admin Dashboard.</p></li>
-      <li><p>Navigate to the <strong>Assignments</strong> tab of your Hugging Face app integration.</p></li>
-      <li><p>Click <strong>Assign</strong> and select either <strong>Assign to People</strong> or <strong>Assign to Groups</strong> to grant access to users.</p></li>
-      <li><p>Click <strong>Done</strong> when finished.</p></li>
-    </ol>
-    <p><strong>Your SAML configuration is now complete!</strong> Users can now sign in to Hugging Face through Okta.</p>
-    <hr>
-    <a name="sp-initiated"></a><h2>SP-initiated SSO</h2>
-    <p>Users can initiate sign-in from Hugging Face and be redirected to Okta for authentication.</p>
-    <h3>How to Sign In via SP-initiated SSO</h3>
-    <ol>
-      <li><p>Navigate to the following URL in your browser:<br>
-        <kbd>https://huggingface.co/login/sso/saml/&lt;your_org&gt;</kbd><br>
-        <em>(Replace <kbd>&lt;your_org&gt;</kbd> with your organization name)</em>
-      </p></li>
-      <li><p>You will be automatically redirected to Okta to authenticate.</p></li>
-      <li><p>Enter your Okta credentials and click <strong>Sign In</strong>.</p></li>
-      <li><p>If your credentials are valid, you will be redirected back to Hugging Face and automatically signed in.</p></li>
-    </ol>
     <hr>
-    <a name="troubleshoot"></a><h2>Troubleshoot</h2>
-    <h3>Common Issues and Solutions</h3>
-    <h4>"400 SSO not enabled" Error</h4>
-    <p><strong>Cause:</strong> SAML SSO has not been enabled in Hugging Face settings.</p>
-    <p><strong>Solution:</strong> Ensure the <strong>Enable SAML SSO</strong> toggle is turned on in your Hugging Face organization's SSO settings page.</p>
-    <h4>Signature Verification Failed</h4>
-    <p><strong>Cause:</strong> The certificate in Hugging Face doesn't match the certificate in Okta.</p>
-    <p><strong>Solution:</strong> If your Okta certificate has been updated or rotated, copy the new X.509 certificate from Okta and paste it into Hugging Face settings, then click "Update and Test SAML Configuration".</p>
-    <h4>Users Cannot Sign In After Enabling SSO</h4>
-    <p><strong>Cause:</strong> Users have not been assigned to the Hugging Face app in Okta.</p>
-    <p><strong>Solution:</strong> In Okta Admin Dashboard, go to the Hugging Face app's <strong>Assignments</strong> tab and assign the appropriate users or groups.</p>
-    <h4>Incorrect Organization Name Error</h4>
-    <p><strong>Cause:</strong> The organization name entered in Okta doesn't match your Hugging Face organization name.</p>
-    <p><strong>Solution:</strong> In Okta, go to the Hugging Face app's <strong>General</strong> tab, click <strong>Edit</strong>, and verify the Organization Name matches exactly with your Hugging Face organization name (case-sensitive).</p>
-    <h4>Incorrect Email or Name Information</h4>
-    <p><strong>Cause:</strong> User profile attributes in Okta are not populated correctly.</p>
-    <p><strong>Solution:</strong> Verify that users in Okta have their email, first name, and last name fields populated. Hugging Face automatically receives these attributes through SAML.</p>
-    <h3>Additional Support</h3>
-    <p>If you continue to experience issues or need assistance with advanced configuration options such as SCIM provisioning (available for Enterprise Plus customers), please contact Hugging Face Enterprise support:</p>
     <ul>
-      <li>Email: <a href="mailto:enterprise@huggingface.co">enterprise@huggingface.co</a></li>
-      <li>Documentation: <a href="https://huggingface.co/docs/hub/enterprise" target="_blank">Hugging Face Enterprise Docs</a></li>
-    </ul>
-    <h3>Notes</h3>
-    <ul>
-      <li><p>Ensure you enter the correct Organization Name in Okta (Step 11). An incorrect organization name will prevent authentication.</p></li>
-      <li><p>SCIM provisioning is available for Enterprise Plus customers using Advanced SSO. This allows automatic user provisioning, deprovisioning, and attribute syncing between Okta and Hugging Face.</p></li>
-      <li><p>Hugging Face uses SAML 2.0 with SHA256 encryption for security.</p></li>
-      <li><p>Just-In-Time (JIT) provisioning automatically creates user accounts in Hugging Face when users first sign in via SAML, so you don't need to manually create accounts beforehand.</p></li>
-      <li><p>If you disable SAML SSO in Hugging Face after it has been enabled, users will need to use their regular Hugging Face credentials to sign in.</p></li>
     </ul>
   </div>
 </body>
 </html>

         <ul>
           <li><p>Your organization must be on an <strong>Enterprise</strong> or <strong>Enterprise Plus</strong> plan to enable SAML-based SSO.</p></li>
           <li><p>You must have administrator access to both your Okta organization and your Hugging Face Enterprise Hub organization.</p></li>
+          <li><p>For details about Hugging Face's SSO options, visit the
           <a href="https://huggingface.co/docs/hub/enterprise/sso" target="_blank">Hugging Face Enterprise Documentation</a>.</p></li>
         </ul>
       </div>
     <ul>
       <li><a href="#features">Supported Features</a></li>
       <li><a href="#steps">Configuration Steps</a></li>
+      <li><a href="#notes">Notes</a></li>
     </ul>
     <hr>
     <a name="features"></a><h2>Supported Features</h2>
+    <p>The Okta / Hugging Face Enterprise Hub SAML integration supports the following:</p>
     <ul>
+      <li><strong>IdP-initiated SSO:</strong> Users can sign in to Hugging Face from their Okta dashboard via the Hugging Face app tile.</li>
     </ul>
     <hr>
     <a name="steps"></a><h2>Configuration Steps</h2>
+    <h3>Step 1: Add the Hugging Face App from Okta Integration Network (OIN)</h3>
+    <ol>
       <li><p>Sign in to your <strong>Okta Admin Dashboard</strong>.</p></li>
+      <li><p>Navigate to <strong>Applications</strong> &gt; <strong>Applications</strong>.</p></li>
       <li><p>Click <strong>Browse App Catalog</strong>.</p></li>
+      <li><p>Search for <strong>Hugging Face</strong>.</p></li>
+      <li><p>Select the <strong>Hugging Face</strong> application.</p></li>
       <li><p>Click <strong>Add Integration</strong>.</p></li>
     </ol>
+    <h3>Step 2: Configure the Hugging Face App in Okta</h3>
+    <ol start="7">
+      <li><p>On the <strong>General Settings</strong> page, enter:</p>
         <ul>
+          <li><strong>Application label:</strong> <kbd>Hugging Face</kbd> (or customize as needed)</li>
+          <li><strong>Organization Name:</strong> Your Hugging Face organization name</li>
+          <li><strong>Organization ID:</strong> Your Hugging Face organization ID</li>
         </ul>
+        <p><em>Where to find these values:</em> In Hugging Face, go to your organization settings &rarr; <strong>SSO</strong> tab &rarr; <strong>SAML</strong> sub-tab. You will see both your Organization Name and Organization ID.</p>
+        <p style="border:1px dashed #ccc;padding:8px;margin:10px 0;"><em>Screenshot placeholder — insert your screenshot of the Hugging Face SSO &rarr; SAML page here.</em></p>
       </li>
+      <li><p>Click <strong>Next</strong>, review the <strong>Sign-On Options</strong> (username format should be <kbd>Email</kbd>), then click <strong>Done</strong> to create the app.</p></li>
+      <li><p><strong>Important:</strong> Ensure the administrator performing these steps is <strong>assigned</strong> to the Hugging Face application in Okta (via the <strong>Assignments</strong> tab), otherwise they won't be able to complete the test later.</p></li>
     </ol>
+    <h3>Step 3: Copy SAML Configuration from Okta</h3>
+    <ol start="10">
+      <li><p>From the Hugging Face app in Okta, open the <strong>Sign On</strong> tab.</p></li>
+      <li><p>Scroll to the <strong>SAML 2.0</strong> section and click <strong>View SAML setup instructions</strong> (or check <strong>Metadata details</strong>).</p></li>
+      <li><p>Copy the following values:</p>
         <ul>
           <li><strong>Identity Provider Single Sign-On URL</strong></li>
+          <li><strong>X.509 Certificate</strong> (full certificate text between <kbd>-----BEGIN CERTIFICATE-----</kbd> and <kbd>-----END CERTIFICATE-----</kbd>)</li>
         </ul>
       </li>
     </ol>
+    <h3>Step 4: Configure SAML in Hugging Face</h3>
+    <ol start="13">
+      <li><p>Return to your organization's <strong>SSO</strong> settings in Hugging Face and select the <strong>SAML</strong> tab.</p></li>
+      <li><p>Enter the values from Okta:</p>
         <ul>
+          <li><strong>Sign On URL:</strong> Paste the <strong>Identity Provider Single Sign-On URL</strong> from Okta.</li>
+          <li><strong>X.509 Certificate:</strong> Paste the full certificate text from Okta.</li>
         </ul>
       </li>
+      <li><p>Click <strong>Update and Test SAML Configuration</strong> to validate.</p></li>
+      <li><p>If the test is successful, toggle <strong>Enable SAML SSO</strong> to enforce SSO for your organization.</p></li>
     </ol>
+    <p><strong>What happens next?</strong> Once SSO is enabled, users will continue to sign in to the platform with their usual Hugging Face credentials. However, when they attempt to access content that belongs to your organization, they will be prompted to authenticate via SSO through Okta.</p>
     <hr>
+    <a name="notes"></a><h2>Notes</h2>
     <ul>
+      <li><p>This guide covers <strong>Standard SSO</strong>. For <strong>Advanced SSO</strong> capabilities, see the official docs: <a href="https://huggingface.co/docs/hub/enterprise/sso" target="_blank">Advanced SSO</a>.</p></li>
+      <li><p>For automated user lifecycle management via <strong>SCIM provisioning</strong> (Enterprise Plus with Advanced SSO), see: <a href="https://huggingface.co/docs/hub/enterprise/scim" target="_blank">SCIM Provisioning</a>.</p></li>
+      <li><p>Ensure the <strong>Organization Name</strong> and <strong>Organization ID</strong> entered in Okta exactly match the values shown in your Hugging Face SSO &rarr; SAML settings.</p></li>
     </ul>
   </div>
 </body>
 </html>