How to Configure SAML 2.0 for Hugging Face Enterprise Hub
Prerequisites:
- Your organization must be on an Enterprise or Enterprise Plus plan to enable SAML-based Single Sign-On (SSO).
- You must have administrator privileges in both your Okta organization and your Hugging Face Enterprise Hub organization.
- Ensure your Hugging Face organization has a unique Organization Name and Organization ID. You will find these under Organization Settings → SSO → SAML.
- Have your Okta Identity Provider (IdP) metadata available, including:
  - Identity Provider Single Sign-On URL
  - X.509 Certificate (full text including BEGIN/END markers)
- For more information about Hugging Face’s Enterprise SSO, see the Hugging Face Enterprise SSO Documentation.
Supported Features
The Okta / Hugging Face Enterprise Hub SAML integration supports the following features:
- IdP-initiated SSO: Users can sign in to Hugging Face directly from the Okta dashboard.
- SP-initiated SSO: Users accessing Hugging Face content are redirected to Okta for authentication.
Configuration Steps
Step 1 — Add the Hugging Face App from the Okta Integration Network (OIN)
- Sign in to your Okta Admin Console.
- Navigate to Applications → Browse App Catalog.
- Search for Hugging Face and click Add Integration.
Step 2 — Configure the Hugging Face App in Okta
- On the General Settings page, specify:
  - Application label: Hugging Face
  - Organization Name: Your Hugging Face organization name
  - Organization ID: Your Hugging Face organization ID
  Where to find these values: In Hugging Face, go to Organization Settings → SSO → SAML.
- Click Next, review the sign-on options (the username format should be Email), and then click Done.
- Important: Ensure the administrator performing these steps is assigned to the Hugging Face app in Okta under the Assignments tab.
Step 3 — Copy SAML Configuration from Okta
- In the Hugging Face app in Okta, open the Sign On tab.
- Locate the SAML 2.0 section and click View SAML Setup Instructions.
- Copy the following values:
  - Identity Provider Single Sign-On URL
  - X.509 Certificate — copy the full text including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Step 4 — Configure SAML in Hugging Face
- In Hugging Face, navigate to Organization Settings → SSO → SAML.
- Enter the values obtained from Okta:
  - Sign On URL: Paste the Identity Provider Single Sign-On URL.
  - X.509 Certificate: Paste the certificate including BEGIN/END markers.
- Click Update and Test SAML Configuration.
- If the test succeeds, toggle Enable SAML SSO to activate SSO for your organization.
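A pre-flight check for the two values pasted in Step 4, as an added example that is not part of the Hugging Face or Okta documentation. It confirms the certificate text holds exactly one intact BEGIN/END block that decodes to a complete DER structure, returns its SHA-256 fingerprint so the pasted value can be compared with the copy taken in Step 3, and rejects a non-HTTPS Sign On URL. Function names and sample values are assumptions constructed for illustration; the validity period and signature are not checked.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(der):
    """Total length (header + content) declared by the outer DER element."""
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_certificate(pem_text):
    """Return (problems, sha256_fingerprint) for a pasted X.509 PEM value."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        return [f"expected one BEGIN/END CERTIFICATE block, found {len(blocks)}"], None
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return ["certificate body is not valid base64 (altered paste?)"], None
    # A certificate is one SEQUENCE (tag 0x30) whose length spans the whole blob.
    if len(der) < 4 or der[0] != 0x30 or der_total_length(der) != len(der):
        return ["decoded bytes are not one complete DER structure (truncated?)"], None
    digest = hashlib.sha256(der).hexdigest().upper()
    return [], ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_sso_url(url):
    """Return a list of problems with the Identity Provider Single Sign-On URL."""
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme != "https":
        problems.append("Sign On URL must use https")
    if not parts.hostname:
        problems.append("Sign On URL has no host")
    return problems

# Constructed stand-in: DER-framed filler bytes, not a real certificate.
FILLER = bytes(range(256)) * 2
SAMPLE_DER = b"\x30\x82" + len(FILLER).to_bytes(2, "big") + FILLER
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_certificate(SAMPLE_PEM), check_sso_url("https://idp.example.com/sso"))
```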
SP-Initiated SSO
Hugging Face also supports SP-initiated Single Sign-On. To initiate login directly from Hugging Face:
- Navigate to https://huggingface.co/organizations/{organizationName}/sso
- You’ll be redirected to Okta to authenticate, and then returned to your Hugging Face organization workspace.
This flow can also occur automatically when accessing restricted organization content — users will be prompted with a “Login with SSO” banner that redirects to Okta.
Notes
- This setup describes Standard SSO. For Advanced SSO (with SCIM user provisioning and additional network security controls), see the Advanced SSO Documentation.
- Ensure that the Organization Name and Organization ID used in Okta exactly match those in Hugging Face SSO settings.
- After enabling SAML, access to organization resources will require authentication through Okta.
Customer Support Contact
For assistance with SSO setup or troubleshooting, please contact the Hugging Face Enterprise Support team: