diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml index 9cd035597..12b755d29 100644 --- a/docs/hub/_toctree.yml +++ b/docs/hub/_toctree.yml @@ -396,6 +396,8 @@ title: How to configure OIDC with Azure in the Hub - local: security-sso-entra-id-scim title: How to configure SCIM with Microsoft Entra ID (Azure AD) + - local: security-sso-okta-scim + title: How to configure SCIM with Okta - local: security-resource-groups title: Advanced Access Control (Resource Groups) - local: security-malware diff --git a/docs/hub/enterprise-hub-scim.md b/docs/hub/enterprise-hub-scim.md index a793e51a5..9fb77693f 100644 --- a/docs/hub/enterprise-hub-scim.md +++ b/docs/hub/enterprise-hub-scim.md @@ -30,4 +30,5 @@ Once SCIM is enabled in your IdP, users and groups provisioned will appear in th ## Supported Identity Providers We support SCIM with any IdP that implements the SCIM 2.0 protocol. We have specific guides for some of the most popular providers: -- [How to configure SCIM with Microsoft Entra ID](./security-sso-entra-id-scim) \ No newline at end of file +- [How to configure SCIM with Microsoft Entra ID](./security-sso-entra-id-scim) +- [How to configure SCIM with Okta](./security-sso-okta-scim) \ No newline at end of file diff --git a/docs/hub/security-sso-entra-id-scim.md b/docs/hub/security-sso-entra-id-scim.md index 759cbb192..4a817bf90 100644 --- a/docs/hub/security-sso-entra-id-scim.md +++ b/docs/hub/security-sso-entra-id-scim.md @@ -52,7 +52,20 @@ This feature is part of the + + + +4. After configuring the user mappings, go back to the Provisioning screen and click on **Provision Microsoft Entra ID Groups** to review group mappings. The default settings for groups are usually sufficient. ### Step 5: Start Provisioning diff --git a/docs/hub/security-sso-okta-scim.md b/docs/hub/security-sso-okta-scim.md new file mode 100644 index 000000000..042da4a3c --- /dev/null +++ b/docs/hub/security-sso-okta-scim.md 
@@ -0,0 +1,70 @@ +# How to configure SCIM with Okta + +This guide explains how to set up SCIM user and group provisioning between Okta and your Hugging Face organization using SCIM. + + +This feature is part of the Enterprise Plus plan. + + +### Step 1: Get SCIM configuration from Hugging Face + +1. Navigate to your organization's settings page on Hugging Face. +2. Go to the **SSO** tab, then click on the **SCIM** sub-tab. +3. Copy the **SCIM Tenant URL**. You will need this for the Okta configuration. +4. Click **Generate an access token**. A new SCIM token will be generated. Copy this token immediately and store it securely, as you will not be able to see it again. + +
+ + +
+ +### Step 2: Enter Admin Credentials + +1. In Okta, go to **Applications** and select your Hugging Face app. +2. Go to the **General** tab and click **Edit** on App Settings +3. For the Provisioning option select **SCIM**, click **Save** +4. Go to the **Provisioning** tab and click **Edit**. +5. Enter the **SCIM Tenant URL** as the SCIM connector base URL. +6. Enter **userName** for Unique identifier field for users. +7. Select all necessary actions for Supported provisioning actions. +8. Select **HTTP Header** for Authentication Mode. +9. Enter the **Access Token** you generated as the Authorization Bearer Token. +10. Click **Test Connector Configuration** to verify the connection. +11. Save your changes. + +### Step 3: Configure Provisioning + +1. In the **Provisioning** tab, click **To App** from the side nav. +2. Click **Edit** and check to Enable all the features you need, i.e. Create, Update, Delete Users. +3. Click **Save** at the bottom. + +### Step 4: Configure Attribute Mappings +1. While still in the **Provisioning** tab scroll down to Attribute Mappings section +2. The default attribute mappings often require adjustments for robust provisioning. We recommend using the following configuration. You can delete attributes that are not here: + +
+ Okta SCIM mappings + +
+ +### Step 5: Assign Users or Groups + +1. Visit the **Assignments** tab, click **Assign** +2. Click **Assign to People** or **Assign to Groups** +3. After finding the User or Group that needs to be assigned, click **Assign** next to their name +4. In the mapping modal the Username needs to be edited to comply with the following rules. + + + + + +5. Scroll down and click **Save and Go Back** +6. Click **Done** +7. Confirm that users or groups are created, updated, or deactivated in your Hugging Face organization as expected.
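Review bot: In docs/hub/enterprise-hub-scim.md, the new last list entry `- [How to configure SCIM with Okta](./security-sso-okta-scim)` is still followed by "\ No newline at end of file". End the file with a newline. This hunk already had to remove and re-add the unchanged Entra ID entry for that reason, and the next guide added to the list will do the same to the Okta entry.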
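Review bot: In docs/hub/security-sso-entra-id-scim.md, the new item 4 ends with "The default settings for groups are usually sufficient", which gives the reader nothing to check on the group mappings screen. Name the group attributes that have to be mapped, or state that none need changing, so an admin can tell a correct default from a wrong one before Step 5 starts provisioning.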
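Review bot: In docs/hub/security-sso-okta-scim.md, Step 5 item 4 says the Username must be edited "to comply with the following rules", but in the lines shown here only empty lines follow before item 5, so the rules are never stated in text. Spell them out as a list under item 4 so they survive wherever the page is rendered without its embedded blocks. Separately, Step 3 item 2 names the actions as "Create, Update, Delete Users" while Step 5 item 7 expects users to be "deactivated"; use one term, matching the label Okta shows, and say which options must be enabled for the deactivation that Step 5 item 7 asks the reader to confirm, since Step 2 item 7 ("Select all necessary actions") and Step 3 item 2 ("all the features you need") leave that choice open. Minor: the intro sentence says SCIM twice ("set up SCIM user and group provisioning ... using SCIM"), and Step 2 items 2 and 3, Step 4 item 1 and Step 5 items 1 to 3, 5 and 6 lack the closing period the other steps have.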