add advanced sso doc

Author: Charlie-Boyer

docs/hub/_toctree.yml

@@ -342,6 +342,8 @@
     sections:
     - local: enterprise-sso
       title: Single Sign-On (SSO)
+    - local: enterprise-hub-advanced-sso
+      title: Advanced Single Sign-On (SSO)
     - local: audit-logs
       title: Audit Logs
     - local: storage-regions

docs/hub/enterprise-hub-advanced-sso.md

@@ -0,0 +1,21 @@
+# Advanced Single Sign-On (SSO)
+
+<Tip warning={true}>
+This feature is part of the <a href="https://huggingface.co/contact/sales?from=enterprise" target="_blank">Enterprise Plus</a> plan.
+</Tip>
+
+Advanced Single Sign-On (SSO) capabilities extend the standard [SSO features](./security-sso) available in the Enterprise Hub, offering enhanced control and automation for user management and access across the entire Hugging Face platform for your organization members.
+
+## User Provisioning
+
+Advanced SSO introduces automated user provisioning, which simplifies the onboarding and offboarding of users.
+
+*   **Just-In-Time (JIT) Provisioning**: When a user from your organization attempts to log in to Hugging Face for the first time via SSO, an account can be automatically created for them if one doesn't already exist. Their profile information and role mappings can be populated based on attributes from your IdP.
+*   **System for Cross-domain Identity Management (SCIM)**: For more robust user lifecycle management, SCIM allows your IdP to communicate user identity information to Hugging Face. This enables automatic creation, updates (e.g., name changes, role changes), and deactivation of user accounts on Hugging Face as changes occur in your IdP. This ensures that user access is always up-to-date with their status in your organization.
+
+## Global SSO Enforcement with Customizable Permissions
+
+Beyond gating access to specific organizational content, Advanced SSO can be configured to make your IdP the mandatory authentication route for all your organization's members interacting with any part of the Hugging Face platform. Your organization's members will be required to authenticate via your IdP for all Hugging Face services, not just when accessing private or organizational repositories.
+
+This feature is particularly beneficial for organizations requiring a higher degree of control, security, and automation in managing their users on Hugging Face.
+

docs/hub/enterprise-hub.md

@@ -14,6 +14,7 @@ Enterprise Hub adds advanced capabilities to organizations, enabling safe, compl
 In this section we will document the following Enterprise Hub features:
 
 - [Single Sign-On (SSO)](./enterprise-sso)
+- [Advanced Single Sign-On (SSO)](./enterprise-hub-advanced-sso)
 - [Audit Logs](./audit-logs)
 - [Storage Regions](./storage-regions)
 - [Dataset viewer for Private datasets](./enterprise-hub-datasets)

docs/hub/enterprise-sso.md

@@ -6,6 +6,8 @@ This feature is part of the <a href="https://huggingface.co/enterprise">Enterpri
 
 Single sign-on (SSO) allows organizations to securely manage user authentication through their own identity provider (IdP). Both SAML 2.0 and OpenID Connect (OIDC) protocols are supported.
 
+Please note that this feature is intended to manage access to organization-specific resources such as private models, datasets, and Spaces. However, it does not replace the core authentication mechanism for the Hugging Face platform. For enhanced capabilities like automated user provisioning (JIT/SCIM) and global SSO enforcement, see our [Advanced SSO documentation](./enterprise-hub-advanced-sso).
+
 <div class="flex justify-center" style="max-width: 550px">
   <img
     class="block dark:hidden m-0!"

docs/hub/organizations.md

@@ -11,6 +11,7 @@ If an organization needs to track user access to a dataset due to licensing or p
 - [Access Control in Organizations](./organizations-security)
 - [Enterprise Hub features](./enterprise-hub)
   - [SSO](./enterprise-sso)
+  - [Advanced SSO](./enterprise-hub-advanced-sso)
   - [Audit Logs](./audit-logs)
   - [Storage Regions](./storage-regions)
   - [Dataset viewer for Private datasets](./enterprise-hub-datasets)

docs/hub/security-sso-azure-saml.md

@@ -2,7 +2,7 @@
 
 In this guide, we will use Azure as the SSO provider and with the Security Assertion Markup Language (SAML) protocol as our preferred identity protocol.
 
-We currently support SP-initiated and IdP-initiated authentication. User provisioning is not yet supported at this time.
+We currently support SP-initiated and IdP-initiated authentication. User provisioning is part of Enterprise Plus's [Advanced SSO](./enterprise-hub-advanced-sso).
 
 <Tip warning={true}>
 	This feature is part of the <a href="https://huggingface.co/enterprise">Enterprise Hub</a>.

docs/hub/security-sso-okta-saml.md

@@ -2,7 +2,7 @@
 
 In this guide, we will use Okta as the SSO provider and with the Security Assertion Markup Language (SAML) protocol as our preferred identity protocol.
 
-We currently support SP-initiated and IdP-initiated authentication. User provisioning is not yet supported at this time.
+We currently support SP-initiated and IdP-initiated authentication. User provisioning is part of Enterprise Plus's [Advanced SSO](./enterprise-hub-advanced-sso).
 
 <Tip warning={true}>
 	This feature is part of the <a href="https://huggingface.co/enterprise">Enterprise Hub</a>.

docs/hub/security-sso.md

@@ -5,8 +5,7 @@ The Hugging Face Hub gives you the ability to implement mandatory Single Sign-On
 We support both SAML 2.0 and OpenID Connect (OIDC) protocols.
 
 <Tip warning={true}>
-This feature is part of the <a href="https://huggingface.co/enterprise">Enterprise Hub</a>.
-</Tip>
+This feature is part of the <a href="https://huggingface.co/enterprise">Enterprise Hub</a>. For enhanced capabilities like automated user provisioning (JIT/SCIM) and global SSO enforcement, see our <a href="./enterprise-hub-advanced-sso">Advanced SSO documentation</Tip>
 
 ## How does it work?