|
| 1 | +# How to configure SAML SSO with Google Workspace |
| 2 | + |
| 3 | +In this guide, we will use Google Workspace as the SSO provider and with the Security Assertion Markup Language (SAML) protocol as our preferred identity protocol. |
| 4 | + |
| 5 | +We currently support SP-initiated and IdP-initiated authentication. User provisioning is part of Enterprise Plus's [Advanced SSO](./enterprise-hub-advanced-sso). |
| 6 | + |
| 7 | +<Tip warning={true}> |
| 8 | + This feature is part of the <a href="https://huggingface.co/enterprise">Team & Enterprise</a> plans. |
| 9 | +</Tip> |
| 10 | + |
| 11 | +### Step 1: Create SAML App in Google Workspace |
| 12 | + |
| 13 | +- In your Google Workspace admin console, navigate to `Admin` > `Apps` > `Web and mobile apps`. |
| 14 | +- Click `Add app` and then `Add custom SAML app`. |
| 15 | +- You must provide a name for your application in the "App name" field. |
| 16 | +- Click `Continue`. |
| 17 | + |
| 18 | +<div class="flex justify-center"> |
| 19 | +<img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/sso-google-saml-app-details.png"/> |
| 20 | +<img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/sso-google-saml-app-details-dark.png"/> |
| 21 | +</div> |
| 22 | + |
| 23 | +### Step 2: Configure Hugging Face with Google's IdP Details |
| 24 | + |
| 25 | +- The next screen in the Google setup contains the SSO information for your application. |
| 26 | +- In your Hugging Face organization settings, go to the `SSO` tab and select the `SAML` protocol. |
| 27 | +- Copy the **SSO URL** from Google into the **Sign-on URL** field on Hugging Face. |
| 28 | +- Copy the **Certificate** from Google into the corresponding field on Hugging Face. The public certificate must have the following format: |
| 29 | + ``` |
| 30 | + -----BEGIN CERTIFICATE----- |
| 31 | + {certificate} |
| 32 | + -----END CERTIFICATE----- |
| 33 | + ``` |
| 34 | + |
| 35 | +<div class="flex justify-center"> |
| 36 | +<img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/sso-google-saml-idp-details.png"/> |
| 37 | +<img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/sso-google-saml-idp-details-dark.png"/> |
| 38 | +</div> |
| 39 | + |
| 40 | +- In the Google Workspace setup, click `Continue`. |
| 41 | + |
| 42 | +### Step 3: Configure Google with Hugging Face's SP Details |
| 43 | + |
| 44 | +- In the "Service provider details" screen, you'll need the `Assertion Consumer Service URL` and `SP Entity ID` from your Hugging Face SSO settings. Copy them into the corresponding `ACS URL` and `Entity ID` fields in Google. |
| 45 | +- Ensure the following are set: |
| 46 | + - Check the **Signed response** box. |
| 47 | + - Name ID format: `EMAIL` |
| 48 | + - Name ID: `Basic Information > Primary email` |
| 49 | + |
| 50 | +<div class="flex justify-center"> |
| 51 | +<img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/sso-google-saml-sp-details.png"/> |
| 52 | +<img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/sso-google-saml-sp-details-dark.png"/> |
| 53 | +</div> |
| 54 | + |
| 55 | +- Click `Continue`. |
| 56 | + |
| 57 | +### Step 4: Attribute Mapping |
| 58 | + |
| 59 | +- On the "Attribute mapping" screen, click `Add mapping` and configure the attributes you want to send. This step is optional and depends on whether you want to use [Role Mapping](./security-sso#role-mapping) or [Resource Group Mapping](./security-sso#resource-group-mapping) on Hugging Face. |
| 60 | + |
| 61 | +<div class="flex justify-center"> |
| 62 | +<img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/sso-google-saml-attribute-mapping.png"/> |
| 63 | +<img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/sso-google-saml-attribute-mapping-dark.png"/> |
| 64 | +</div> |
| 65 | + |
| 66 | +- Click `Finish`. |
| 67 | + |
| 68 | +### Step 5: Test and Enable SSO |
| 69 | + |
| 70 | +<Tip warning={true}> |
| 71 | +Before testing, ensure you have granted access to the application for the appropriate users in the Google Workspace admin console under the app's "User access" settings. The admin performing the test must have access. It may take a few minutes for user access changes to apply on Google Workspace. |
| 72 | +</Tip> |
| 73 | + |
| 74 | +- Now, in your Hugging Face SSO settings, click on **"Update and Test SAML configuration"**. |
| 75 | +- You should be redirected to your Google login prompt. Once logged in, you'll be redirected to your organization's settings page. |
| 76 | +- A green check mark near the SAML selector will confirm that the test was successful. |
| 77 | +- Once the test is successful, you can enable SSO for your organization by clicking the "Enable" button. |
| 78 | +- Once enabled, members of your organization must complete the SSO authentication flow described in the [How does it work?](./security-sso#how-does-it-work) section. |
0 commit comments