huggingface · Muhammadsaeed707 · Aug 6, 2025 · Jul 29, 2025 · Jul 29, 2025 · Aug 1, 2025
diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml
@@ -396,6 +396,8 @@
         title: How to configure OIDC with Azure in the Hub
       - local: security-sso-entra-id-scim
         title: How to configure SCIM with Microsoft Entra ID (Azure AD)
+      - local: security-sso-okta-scim
+        title: How to configure SCIM with Okta in the Hub
     - local: security-resource-groups
       title: Advanced Access Control (Resource Groups)
     - local: security-malware

diff --git a/docs/hub/enterprise-hub-scim.md b/docs/hub/enterprise-hub-scim.md
@@ -30,4 +30,5 @@ Once SCIM is enabled in your IdP, users and groups provisioned will appear in th
 ## Supported Identity Providers
 
 We support SCIM with any IdP that implements the SCIM 2.0 protocol. We have specific guides for some of the most popular providers:
-- [How to configure SCIM with Microsoft Entra ID](./security-sso-entra-id-scim)
+- [How to configure SCIM with Microsoft Entra ID](./security-sso-entra-id-scim)
+- [How to configure SCIM with Okta](./security-sso-okta-scim)
diff --git a/docs/hub/security-sso-okta-scim.md b/docs/hub/security-sso-okta-scim.md
@@ -0,0 +1,63 @@
+# How to configure SCIM with Okta
+
+This guide explains how to set up SCIM user and group provisioning between Okta and your Hugging Face organization using SCIM.
+
+<Tip warning={true}>
+This feature is part of the <a href="https://huggingface.co/contact/sales?from=enterprise" target="_blank">Enterprise Plus</a> plan.
+</Tip>
+
+### Step 1: Get SCIM configuration from Hugging Face
+
+1.  Navigate to your organization's settings page on Hugging Face.
+2.  Go to the **SSO** tab, then click on the **SCIM** sub-tab.
+3.  Copy the **SCIM Tenant URL**. You will need this for the Okta configuration.
+4.  Click **Generate an access token**. A new SCIM token will be generated. Copy this token immediately and store it securely, as you will not be able to see it again.
+
+<div class="flex justify-center">
+    <img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/scim-settings.png"/>
+    <img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/scim-settings-dark.png"/>
+</div>
+
+### Step 2: Enter Admin Credentials
+
+1. In Okta, go to **Applications** and select your Hugging Face app.
+2. Go to the **Provisioning** tab and click **Integration** from the side nav.
+3. Check **Enable API Integration**.
+4. Enter the **SCIM Tenant URL** as the Base URL.
+5. Enter the **access token** you generated as the OAuth Bearer Token.
+6. Click **Test API Credentials** to verify the connection.
+7. Save your changes.
+
+### Step 3: Configure Provisioning
+
+1. In the **Provisioning** tab, click **To App** from the side nav.
+2. Click **Edit** and check to Enable all the features you need, i.e. Create, Update, Delete Users.
+3. Click **Save** at the bottom.
+
+### Step 4: Configure Attribute Mappings
+1.  While still in the **Provisioning** tab scroll down to Attribute Mappings section
+2.  The default attribute mappings often require adjustments for robust provisioning. We recommend using the following configuration. You can delete attributes that are not here:
+
+<div class="flex justify-center">
+    <img class="block dark:hidden" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/scim-okta-mappings.png" alt="Okta SCIM mappings"/>
+    <img class="hidden dark:block" src="https://huggingface.co/datasets/huggingface/documentation-images/resolve/main/hub/sso/scim-okta-mappings-dark.png" alt="Okta SCIM mappings"/>
+</div>
+
+### Step 5: Assign Users or Groups
+
+1. Visit the **Assignments** tab, click **Assign**
+2. Click **Assign to People** or **Assign to Groups** 
+3. After finding the User or Group that needs to be assigned, click **Assign** next to their name
+4. In the mapping modal the Username needs to be edited to comply with the following rules.
+
+> **Note:**  
+> - Only regular characters and `-` are accepted in the Username.  
+> - `--` (double dash) is forbidden.  
+> - `-` cannot start or end the name.  
+> - Digit-only names are not accepted.  
+> - Minimum length is 2 and maximum length is 42.
+> - Username has to be unique
-> **Note:**  
-> - Only regular characters and `-` are accepted in the Username.  
-> - `--` (double dash) is forbidden.  
-> - `-` cannot start or end the name.  
-> - Digit-only names are not accepted.  
-> - Minimum length is 2 and maximum length is 42.
-> - Username has to be unique
+<tip>
+<ul>
+<li>Only regular characters and `-` are accepted in the Username.</li>
+<li>`--` (double dash) is forbidden.</li>
+<li>`-` cannot start or end the name.</li>
+<li>Digit-only names are not accepted.</li>
+<li>Minimum length is 2 and maximum length is 42.</li>
+<li>Username has to be unique.</li>
+</ul>
+</tip>
-> **Note:**  
-> - Only regular characters and `-` are accepted in the Username.  
-> - `--` (double dash) is forbidden.  
-> - `-` cannot start or end the name.  
-> - Digit-only names are not accepted.  
-> - Minimum length is 2 and maximum length is 42.
-> - Username has to be unique
+<tip>
+<ul>
+<li>Only regular characters and `-` are accepted in the Username.</li>
+<li>`--` (double dash) is forbidden.</li>
+<li>`-` cannot start or end the name.</li>
+<li>Digit-only names are not accepted.</li>
+<li>Minimum length is 2 and maximum length is 42.</li>
+<li>Username has to be unique.</li>
+</ul>
+</tip>
+
+5. Scroll down and click **Save and Go Back** 
+6. Click **Done**
+7. Confirm that users or groups are created, updated, or deactivated in your Hugging Face organization as expected.