|
|
<!doctype html> |
|
|
<html> |
|
|
<head> |
|
|
<meta charset="utf-8" /> |
|
|
<meta name="viewport" content="width=device-width" /> |
|
|
<title>My static Space</title> |
|
|
<link rel="stylesheet" href="style.css" /> |
|
|
</head> |
|
|
<body> |
|
|
<div class="header clearfix"> |
|
|
<div class="logo-container"> |
|
|
<img src="https://huggingface.co/front/assets/huggingface_logo-noborder.svg" alt="Hugging Face" style="height:50px;margin-top:10px;"> |
|
|
</div> |
|
|
</div> |
|
|
|
|
|
<div class="okta-instructions"> |
|
|
<h1>How to Configure SAML 2.0 for Hugging Face Enterprise Hub</h1> |
|
|
|
|
|
<div class="okta-callout okta-warning"> |
|
|
<span class="icon-24 icon-warning"></span> |
|
|
<div> |
|
|
<p><strong>Prerequisites:</strong></p> |
|
|
<ul> |
|
|
<li>Your organization must be on an <strong>Enterprise</strong> or <strong>Enterprise Plus</strong> plan to enable SAML-based Single Sign-On (SSO).</li> |
|
|
<li>You must have <strong>administrator privileges</strong> in both your Okta organization and your Hugging Face Enterprise Hub organization.</li> |
|
|
<li>Ensure your Hugging Face organization has a unique <strong>Organization Name</strong> and <strong>Organization ID</strong>. You will find these under <em>Organization Settings → SSO → SAML</em>.</li> |
|
|
<li>Have your <strong>Okta Identity Provider (IdP) metadata</strong> available, including: |
|
|
<ul> |
|
|
<li>Identity Provider Single Sign-On URL</li> |
|
|
<li>X.509 Certificate (full text including BEGIN/END markers)</li> |
|
|
</ul> |
|
|
</li> |
|
|
<li>For more information about Hugging Face’s Enterprise SSO, see: |
|
|
<a href="https://huggingface.co/docs/hub/en/enterprise-sso" target="_blank">Hugging Face Enterprise SSO Documentation</a>. |
|
|
</li> |
|
|
</ul> |
|
|
</div> |
|
|
</div> |
|
|
|
|
|
<h2>Contents</h2> |
|
|
<ul> |
|
|
<li><a href="#features">Supported Features</a></li> |
|
|
<li><a href="#steps">Configuration Steps</a></li> |
|
|
<li><a href="#sp-initiated">SP-initiated SSO</a></li> |
|
|
<li><a href="#notes">Notes</a></li> |
|
|
<li><a href="#support">Customer Support Contact</a></li> |
|
|
</ul> |
|
|
<hr> |
|
|
|
|
|
<a name="features"></a> |
|
|
<h2>Supported Features</h2> |
|
|
<p>The Okta / Hugging Face Enterprise Hub SAML integration supports the following features:</p> |
|
|
<ul> |
|
|
<li><strong>IdP-initiated SSO:</strong> Users can sign in to Hugging Face directly from the Okta dashboard.</li> |
|
|
<li><strong>SP-initiated SSO:</strong> Users accessing Hugging Face content are redirected to Okta for authentication.</li> |
|
|
</ul> |
|
|
<hr> |
|
|
|
|
|
<a name="steps"></a> |
|
|
<h2>Configuration Steps</h2> |
|
|
|
|
|
<h3>Step 1 — Add the Hugging Face App from Okta Integration Network (OIN)</h3> |
|
|
<ol> |
|
|
<li>Sign in to your Okta Admin Console.</li> |
|
|
<li>Navigate to <strong>Applications → Browse App Catalog</strong>.</li> |
|
|
<li>Search for <strong>Hugging Face</strong> and click <strong>Add Integration</strong>.</li> |
|
|
</ol> |
|
|
|
|
|
<h3>Step 2 — Configure the Hugging Face App in Okta</h3> |
|
|
<ol start="4"> |
|
|
<li>On the <strong>General Settings</strong> page, specify: |
|
|
<ul> |
|
|
<li><strong>Application label:</strong> <kbd>Hugging Face</kbd></li> |
|
|
<li><strong>Organization Name:</strong> Your Hugging Face organization name</li> |
|
|
<li><strong>Organization ID:</strong> Your Hugging Face organization ID</li> |
|
|
</ul> |
|
|
<p><em>Where to find these values:</em> In Hugging Face, go to <strong>Organization Settings → SSO → SAML</strong>.</p> |
|
|
<p><img src="/static/images/hf-sso-saml-screenshot.png" alt="Hugging Face SSO SAML screenshot" style="max-width:100%;height:auto;"></p> |
|
|
</li> |
|
|
<li>Click <strong>Next</strong>, review the sign-on options (the username format should be <kbd>Email</kbd>), and then click <strong>Done</strong>.</li> |
|
|
<li><strong>Important:</strong> Ensure the administrator performing these steps is <strong>assigned</strong> to the Hugging Face app in Okta under the <strong>Assignments</strong> tab.</li> |
|
|
</ol> |
|
|
|
|
|
<h3>Step 3 — Copy SAML Configuration from Okta</h3> |
|
|
<ol start="7"> |
|
|
<li>In the Hugging Face app in Okta, open the <strong>Sign On</strong> tab.</li> |
|
|
<li>Locate the <strong>SAML 2.0</strong> section and click <strong>View SAML Setup Instructions</strong>.</li> |
|
|
<li>Copy the following values: |
|
|
<ul> |
|
|
<li><strong>Identity Provider Single Sign-On URL</strong></li> |
|
|
<li><strong>X.509 Certificate</strong> — copy the full text including <kbd>-----BEGIN CERTIFICATE-----</kbd> and <kbd>-----END CERTIFICATE-----</kbd>.</li> |
|
|
</ul> |
|
|
</li> |
|
|
</ol> |
|
|
|
|
|
<h3>Step 4 — Configure SAML in Hugging Face</h3> |
|
|
<ol start="10"> |
|
|
<li>In Hugging Face, navigate to <strong>Organization Settings → SSO → SAML</strong>.</li> |
|
|
<li>Enter the values obtained from Okta: |
|
|
<ul> |
|
|
<li><strong>Sign On URL:</strong> Paste the Identity Provider Single Sign-On URL.</li> |
|
|
<li><strong>X.509 Certificate:</strong> Paste the certificate including BEGIN/END markers.</li> |
|
|
</ul> |
|
|
</li> |
|
|
<li>Click <strong>Update and Test SAML Configuration</strong>.</li> |
|
|
<li>If the test succeeds, toggle <strong>Enable SAML SSO</strong> to activate SSO for your organization.</li> |
|
|
</ol> |
|
|
|
|
|
<hr> |
|
|
|
|
|
<a name="sp-initiated"></a> |
|
|
<h2>SP-Initiated SSO</h2> |
|
|
<p>Hugging Face also supports SP-initiated Single Sign-On. To initiate login directly from Hugging Face:</p> |
|
|
<ol> |
|
|
<li>Navigate to https://huggingface.co/organizations/{organizationName}/sso</li> |
|
|
<li>You’ll be redirected to Okta to authenticate, and then returned to your Hugging Face organization workspace.</li> |
|
|
</ol> |
|
|
<p>This flow can also occur automatically when accessing restricted organization content — users will be prompted with a “Login with SSO” banner that redirects to Okta.</p> |
|
|
|
|
|
<hr> |
|
|
|
|
|
<a name="notes"></a> |
|
|
<h2>Notes</h2> |
|
|
<ul> |
|
|
<li>This setup describes <strong>Standard SSO</strong>. For <strong>Advanced SSO</strong> (with SCIM user provisioning and additional network security controls), see |
|
|
<a href="https://huggingface.co/docs/hub/en/enterprise-hub-advanced-sso" target="_blank">Advanced SSO Documentation</a>. |
|
|
</li> |
|
|
<li>Ensure that the <strong>Organization Name</strong> and <strong>Organization ID</strong> used in Okta exactly match those in Hugging Face SSO settings.</li> |
|
|
<li>After enabling SAML, access to organization resources will require authentication through Okta.</li> |
|
|
</ul> |
|
|
|
|
|
<hr> |
|
|
|
|
|
<a name="support"></a> |
|
|
<h2>Customer Support Contact</h2> |
|
|
<p>For assistance with SSO setup or troubleshooting, please contact the Hugging Face Enterprise Support team:</p> |
|
|
<ul> |
|
|
<li><strong>Email:</strong> <a href="mailto:enterprise-support@huggingface.co">enterprise-support@huggingface.co</a></li> |
|
|
<li><strong>Documentation:</strong> <a href="https://huggingface.co/docs/hub/en/enterprise-sso" target="_blank">https://huggingface.co/docs/hub/en/enterprise-sso</a></li> |
|
|
</ul> |
|
|
</div> |
|
|
</body> |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
</html> |
|
|
|
