From dd8c080c3066c6f9c4dea59269f41dfe6cf9dfd6 Mon Sep 17 00:00:00 2001 From: Muhammadsaeed707 Date: Tue, 29 Jul 2025 18:10:09 -0400 Subject: [PATCH 1/7] add okta configuration steps for scim --- docs/hub/_toctree.yml | 2 + docs/hub/enterprise-hub-scim.md | 3 +- docs/hub/security-sso-okta-scim.md | 62 ++++++++++++++++++++++++++++++ 3 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 docs/hub/security-sso-okta-scim.md diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml index 9cd035597..0e6671217 100644 --- a/docs/hub/_toctree.yml +++ b/docs/hub/_toctree.yml @@ -396,6 +396,8 @@ title: How to configure OIDC with Azure in the Hub - local: security-sso-entra-id-scim title: How to configure SCIM with Microsoft Entra ID (Azure AD) + - local: security-sso-okta-scim + title: How to configure SCIM with Okta in the Hub - local: security-resource-groups title: Advanced Access Control (Resource Groups) - local: security-malware diff --git a/docs/hub/enterprise-hub-scim.md b/docs/hub/enterprise-hub-scim.md index a793e51a5..9fb77693f 100644 --- a/docs/hub/enterprise-hub-scim.md +++ b/docs/hub/enterprise-hub-scim.md @@ -30,4 +30,5 @@ Once SCIM is enabled in your IdP, users and groups provisioned will appear in th ## Supported Identity Providers We support SCIM with any IdP that implements the SCIM 2.0 protocol. We have specific guides for some of the most popular providers: -- [How to configure SCIM with Microsoft Entra ID](./security-sso-entra-id-scim) \ No newline at end of file +- [How to configure SCIM with Microsoft Entra ID](./security-sso-entra-id-scim) +- [How to configure SCIM with Okta](./security-sso-okta-scim) \ No newline at end of file diff --git a/docs/hub/security-sso-okta-scim.md b/docs/hub/security-sso-okta-scim.md new file mode 100644 index 000000000..0bd98b26c --- /dev/null +++ b/docs/hub/security-sso-okta-scim.md 
@@ -0,0 +1,62 @@ +# How to configure SCIM with Okta + +This guide explains how to set up SCIM user and group provisioning between Okta and your Hugging Face organization using SCIM. + + +This feature is part of the Enterprise Plus plan. + + +### Step 1: Get SCIM configuration from Hugging Face + +1. Navigate to your organization's settings page on Hugging Face. +2. Go to the **SSO** tab, then click on the **SCIM** sub-tab. +3. Copy the **SCIM Tenant URL**. You will need this for the Okta configuration. +4. Click **Generate an access token**. A new SCIM token will be generated. Copy this token immediately and store it securely, as you will not be able to see it again. + +
+ + +
+ +### Step 2: Enter Admin Credentials + +1. In Okta, go to **Applications** and select your Hugging Face app. +2. Go to the **Provisioning** tab and click **Integration** from the side nav. +3. Check **Enable API Integration**. +4. Enter the **SCIM Tenant URL** as the Base URL. +5. Enter the **access token** you generated as the OAuth Bearer Token. +6. Click **Test API Credentials** to verify the connection. +7. Save your changes. + +### Step 3: Configure Provisioning + +1. In the **Provisioning** tab, click **To App** from the side nav. +2. Click **Edit** and check to Enable all the features you need, i.e. Create, Update, Delete Users. +3. Click **Save** at the bottom. + +### Step 4: Configure Attribute Mappings +1. While still in the **Provisioning** tab scroll down to Attribute Mappings section +2. The default attribute mappings often require adjustments for robust provisioning. We recommend using the following configuration. You can delete attributes that are not here: + +
+ Okta SCIM mappings +
+ +### Step 5: Test Assigning Users + +1. Visit the **Assignments** tab, click **Assign** +2. Click **Assign to People** or **Assign to Groups** +3. After finding the User or Group that needs to be assigned, click **Assign** next to their name +4. In the mapping modal the Username needs to be edited. + +> **Note:** +> Only regular characters and `-` are accepted in the Username. +> - `--` (double dash) is forbidden. +> - `-` cannot start or end the name. +> - Digit-only names are not accepted. +> - Minimum length is 2 and maximum length is 42. +> - Username has to be unique + +5. Scroll down and click **Save and Go Back** +6. Click **Done** +7. Confirm that users or groups are created, updated, or deactivated in your Hugging Face organization as expected. From 5cf0f0d55d0c0f164f425bd1b80fe8c3b7138480 Mon Sep 17 00:00:00 2001 From: Muhammadsaeed707 Date: Tue, 29 Jul 2025 18:29:53 -0400 Subject: [PATCH 2/7] fix note slightly --- docs/hub/security-sso-okta-scim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hub/security-sso-okta-scim.md b/docs/hub/security-sso-okta-scim.md index 0bd98b26c..734353d59 100644 --- a/docs/hub/security-sso-okta-scim.md +++ b/docs/hub/security-sso-okta-scim.md @@ -50,7 +50,7 @@ This feature is part of the - Okta SCIM mappings + Okta SCIM mappings -### Step 5: Test Assigning Users +### Step 5: Assign Users or Groups 1. Visit the **Assignments** tab, click **Assign** 2. Click **Assign to People** or **Assign to Groups** 3. After finding the User or Group that needs to be assigned, click **Assign** next to their name -4. In the mapping modal the Username needs to be edited. +4. In the mapping modal the Username needs to be edited to comply with the following rules. > **Note:** > - Only regular characters and `-` are accepted in the Username. From f882828cbdefa08489393c002c9ed3775380229e Mon Sep 17 00:00:00 2001 
From: Muhammadsaeed707 Date: Fri, 1 Aug 2025 11:33:13 -0400 Subject: [PATCH 4/7] add dark picture --- docs/hub/security-sso-okta-scim.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/hub/security-sso-okta-scim.md b/docs/hub/security-sso-okta-scim.md index 8cb8a2907..4b8cc86b7 100644 --- a/docs/hub/security-sso-okta-scim.md +++ b/docs/hub/security-sso-okta-scim.md @@ -40,6 +40,7 @@ This feature is part of the Okta SCIM mappings + ### Step 5: Assign Users or Groups From dbf902bd1722e777638bd405c33f21f6b490a3e4 Mon Sep 17 00:00:00 2001 From: Muhammadsaeed707 Date: Mon, 4 Aug 2025 16:55:02 -0400 Subject: [PATCH 5/7] add more detailed steps for HF apps --- docs/hub/_toctree.yml | 2 +- docs/hub/security-sso-okta-scim.md | 33 ++++++++++++++++++------------ 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml index 0e6671217..12b755d29 100644 --- a/docs/hub/_toctree.yml +++ b/docs/hub/_toctree.yml @@ -397,7 +397,7 @@ - local: security-sso-entra-id-scim title: How to configure SCIM with Microsoft Entra ID (Azure AD) - local: security-sso-okta-scim - title: How to configure SCIM with Okta in the Hub + title: How to configure SCIM with Okta - local: security-resource-groups title: Advanced Access Control (Resource Groups) - local: security-malware diff --git a/docs/hub/security-sso-okta-scim.md b/docs/hub/security-sso-okta-scim.md index 4b8cc86b7..3207d1377 100644 --- a/docs/hub/security-sso-okta-scim.md +++ b/docs/hub/security-sso-okta-scim.md @@ -21,12 +21,16 @@ This feature is part of the Date: Wed, 6 Aug 2025 12:58:14 -0400 Subject: [PATCH 7/7] add username rules to entra --- docs/hub/security-sso-entra-id-scim.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/hub/security-sso-entra-id-scim.md b/docs/hub/security-sso-entra-id-scim.md index 759cbb192..4a817bf90 100644 --- a/docs/hub/security-sso-entra-id-scim.md +++ b/docs/hub/security-sso-entra-id-scim.md 
@@ -52,7 +52,20 @@ This feature is part of the +
    +
  • Only regular characters and `-` are accepted in the Username.
  • +
  • `--` (double dash) is forbidden.
  • +
  • `-` cannot start or end the name.
  • +
  • Digit-only names are not accepted.
  • +
  • Minimum length is 2 and maximum length is 42.
  • +
  • Username has to be unique within your org.
  • +
+ + +4. After configuring the user mappings, go back to the Provisioning screen and click on **Provision Microsoft Entra ID Groups** to review group mappings. The default settings for groups are usually sufficient. ### Step 5: Start Provisioning
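Review bot: In PATCH 1/7, Step 1 item 4 of the new docs/hub/security-sso-okta-scim.md says only to "store it securely", yet Step 2 installs that token as the OAuth Bearer Token of an integration that Step 3 allows to create, update and delete users. Say so next to the copy instruction: it is a credential for provisioning into the whole organization, it belongs in a secrets manager rather than a ticket or chat, and the guide should state whether generating a new token invalidates the previous one so admins know how to rotate it after exposure. Also, in Step 3 item 2, "i.e. Create, Update, Delete Users" reads as the full required set; "e.g." or "enable only the operations you need" matches the intent better, and the opening sentence's trailing "using SCIM" repeats itself.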
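Review bot: In PATCH 1/7, the docs/hub/enterprise-hub-scim.md hunk still ends with "\ No newline at end of file" after the added Okta link, so the file keeps its missing trailing newline and the next addition to this list will again have to touch the previous line. End the file with a newline in this change.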
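Review bot: In PATCH 7/7, the username rules added to docs/hub/security-sso-entra-id-scim.md duplicate the note from the Okta guide, and the two copies already disagree: this hunk says "Username has to be unique within your org." while the Okta note as it appears in PATCH 1/7 says "Username has to be unique". Keep one copy in docs/hub/enterprise-hub-scim.md and link to it from both guides. While there, replace "regular characters" with the exact allowed character set, since that phrase does not tell an admin writing a username mapping what will be rejected.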