update sso doc (#1765)

Charlie-Boyer · web-flow · commit 1204a9db0423 · 2025-06-07T00:35:17.000+02:00
* add advanced sso doc

* add restrictions
diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml
@@ -342,6 +342,8 @@
     sections:
     - local: enterprise-sso
       title: Single Sign-On (SSO)
+    - local: enterprise-hub-advanced-sso
+      title: Advanced Single Sign-On (SSO)
     - local: audit-logs
       title: Audit Logs
     - local: storage-regions
diff --git a/docs/hub/enterprise-hub-advanced-sso.md b/docs/hub/enterprise-hub-advanced-sso.md
@@ -0,0 +1,34 @@
+# Advanced Single Sign-On (SSO)
+
+<Tip warning={true}>
+This feature is part of the <a href="https://huggingface.co/contact/sales?from=enterprise" target="_blank">Enterprise Plus</a> plan.
+</Tip>
+
+Advanced Single Sign-On (SSO) capabilities extend the standard [SSO features](./security-sso) available in the Enterprise Hub, offering enhanced control and automation for user management and access across the entire Hugging Face platform for your organization members.
+
+## User Provisioning
+
+Advanced SSO introduces automated user provisioning, which simplifies the onboarding and offboarding of users.
+
+*   **Just-In-Time (JIT) Provisioning**: When a user from your organization attempts to log in to Hugging Face for the first time via SSO, an account can be automatically created for them if one doesn't already exist. Their profile information and role mappings can be populated based on attributes from your IdP.
+*   **System for Cross-domain Identity Management (SCIM)**: For more robust user lifecycle management, SCIM allows your IdP to communicate user identity information to Hugging Face. This enables automatic creation, updates (e.g., name changes, role changes), and deactivation of user accounts on Hugging Face as changes occur in your IdP. This ensures that user access is always up-to-date with their status in your organization.
+
+## Global SSO Enforcement 
+
+Beyond gating access to specific organizational content, Advanced SSO can be configured to make your IdP the mandatory authentication route for all your organization's members interacting with any part of the Hugging Face platform. Your organization's members will be required to authenticate via your IdP for all Hugging Face services, not just when accessing private or organizational repositories.
+
+This feature is particularly beneficial for organizations requiring a higher degree of control, security, and automation in managing their users on Hugging Face.
+
+## Limitations on Managed User Accounts
+
+<Tip warning={true}>
+Important Considerations for Managed Accounts.
+</Tip>
+
+To ensure organizational control and data governance, user accounts provisioned and managed via Advanced SSO ("managed user accounts") have specific limitations:
+
+*   **No Public Content Creation**: Managed user accounts cannot create public content on the Hugging Face platform. This includes, but is not limited to, public models, datasets, or Spaces. All content created by these accounts is restricted to within your organization or private visibility.
+*   **No External Collaboration**: Managed user accounts are restricted from collaborating outside of your Hugging Face organization. This means they cannot, for example, join other organizations, contribute to repositories outside their own organization.
+
+These restrictions are in place to maintain the integrity and security boundaries defined by your enterprise. If members of your organization require the ability to create public content or collaborate more broadly on the Hugging Face platform, they will need to do so using a separate, personal Hugging Face account that is not managed by your organization's Advanced SSO.
+
diff --git a/docs/hub/enterprise-hub.md b/docs/hub/enterprise-hub.md
@@ -14,6 +14,7 @@ Enterprise Hub adds advanced capabilities to organizations, enabling safe, compl
 In this section we will document the following Enterprise Hub features:
 
 - [Single Sign-On (SSO)](./enterprise-sso)
+- [Advanced Single Sign-On (SSO)](./enterprise-hub-advanced-sso)
 - [Audit Logs](./audit-logs)
 - [Storage Regions](./storage-regions)
 - [Dataset viewer for Private datasets](./enterprise-hub-datasets)
diff --git a/docs/hub/enterprise-sso.md b/docs/hub/enterprise-sso.md
@@ -6,6 +6,8 @@ This feature is part of the <a href="https://huggingface.co/enterprise">Enterpri
 
 Single sign-on (SSO) allows organizations to securely manage user authentication through their own identity provider (IdP). Both SAML 2.0 and OpenID Connect (OIDC) protocols are supported.
 
+Please note that this feature is intended to manage access to organization-specific resources such as private models, datasets, and Spaces. However, it does not replace the core authentication mechanism for the Hugging Face platform. For enhanced capabilities like automated user provisioning (JIT/SCIM) and global SSO enforcement, see our [Advanced SSO documentation](./enterprise-hub-advanced-sso).
+
 <div class="flex justify-center" style="max-width: 550px">
   <img
     class="block dark:hidden m-0!"
diff --git a/docs/hub/organizations.md b/docs/hub/organizations.md
@@ -11,6 +11,7 @@ If an organization needs to track user access to a dataset due to licensing or p
 - [Access Control in Organizations](./organizations-security)
 - [Enterprise Hub features](./enterprise-hub)
   - [SSO](./enterprise-sso)
+  - [Advanced SSO](./enterprise-hub-advanced-sso)
   - [Audit Logs](./audit-logs)
   - [Storage Regions](./storage-regions)
   - [Dataset viewer for Private datasets](./enterprise-hub-datasets)
diff --git a/docs/hub/security-sso-azure-saml.md b/docs/hub/security-sso-azure-saml.md
@@ -2,7 +2,7 @@
 
 In this guide, we will use Azure as the SSO provider and with the Security Assertion Markup Language (SAML) protocol as our preferred identity protocol.
 
-We currently support SP-initiated and IdP-initiated authentication. User provisioning is not yet supported at this time.
+We currently support SP-initiated and IdP-initiated authentication. User provisioning is part of Enterprise Plus's [Advanced SSO](./enterprise-hub-advanced-sso).
 
 <Tip warning={true}>
 	This feature is part of the <a href="https://huggingface.co/enterprise">Enterprise Hub</a>.
diff --git a/docs/hub/security-sso-okta-saml.md b/docs/hub/security-sso-okta-saml.md
@@ -2,7 +2,7 @@
 
 In this guide, we will use Okta as the SSO provider and with the Security Assertion Markup Language (SAML) protocol as our preferred identity protocol.
 
-We currently support SP-initiated and IdP-initiated authentication. User provisioning is not yet supported at this time.
+We currently support SP-initiated and IdP-initiated authentication. User provisioning is part of Enterprise Plus's [Advanced SSO](./enterprise-hub-advanced-sso).
 
 <Tip warning={true}>
 	This feature is part of the <a href="https://huggingface.co/enterprise">Enterprise Hub</a>.
diff --git a/docs/hub/security-sso.md b/docs/hub/security-sso.md
@@ -5,8 +5,7 @@ The Hugging Face Hub gives you the ability to implement mandatory Single Sign-On
 We support both SAML 2.0 and OpenID Connect (OIDC) protocols.
 
 <Tip warning={true}>
-This feature is part of the <a href="https://huggingface.co/enterprise">Enterprise Hub</a>.
-</Tip>
+This feature is part of the <a href="https://huggingface.co/enterprise">Enterprise Hub</a>. For enhanced capabilities like automated user provisioning (JIT/SCIM) and global SSO enforcement, see our <a href="./enterprise-hub-advanced-sso">Advanced SSO documentation</Tip>
 
 ## How does it work?
 
