diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml index 12b755d29..d98591767 100644 --- a/docs/hub/_toctree.yml +++ b/docs/hub/_toctree.yml @@ -387,17 +387,20 @@ title: Single Sign-On (SSO) sections: - local: security-sso-okta-oidc - title: How to configure OIDC with Okta in the Hub + title: How to configure OIDC with Okta - local: security-sso-okta-saml - title: How to configure SAML with Okta in the Hub + title: How to configure SAML with Okta + - local: security-sso-okta-scim + title: How to configure SCIM with Okta - local: security-sso-azure-saml - title: How to configure SAML with Azure in the Hub + title: How to configure SAML with EntraID (Azure AD) - local: security-sso-azure-oidc - title: How to configure OIDC with Azure in the Hub + title: How to configure OIDC with EntraID (Azure AD) - local: security-sso-entra-id-scim - title: How to configure SCIM with Microsoft Entra ID (Azure AD) - - local: security-sso-okta-scim - title: How to configure SCIM with Okta + title: How to configure SCIM with EntraID (Azure AD) + - local: security-sso-google-saml + title: How to configure SAML with Google Workspace + - local: security-resource-groups title: Advanced Access Control (Resource Groups) - local: security-malware diff --git a/docs/hub/security-sso-google-saml.md b/docs/hub/security-sso-google-saml.md new file mode 100644 index 000000000..2d57ca24a --- /dev/null +++ b/docs/hub/security-sso-google-saml.md @@ -0,0 +1,78 @@ +# How to configure SAML SSO with Google Workspace + +In this guide, we will use Google Workspace as the SSO provider and with the Security Assertion Markup Language (SAML) protocol as our preferred identity protocol. + +We currently support SP-initiated and IdP-initiated authentication. User provisioning is part of Enterprise Plus's [Advanced SSO](./enterprise-hub-advanced-sso). + + + This feature is part of the Team & Enterprise plans. + + +### Step 1: Create SAML App in Google Workspace + +- In your Google Workspace admin console, navigate to `Admin` > `Apps` > `Web and mobile apps`. +- Click `Add app` and then `Add custom SAML app`. +- You must provide a name for your application in the "App name" field. +- Click `Continue`. + +
+ + +
+ +### Step 2: Configure Hugging Face with Google's IdP Details + +- The next screen in the Google setup contains the SSO information for your application. +- In your Hugging Face organization settings, go to the `SSO` tab and select the `SAML` protocol. +- Copy the **SSO URL** from Google into the **Sign-on URL** field on Hugging Face. +- Copy the **Certificate** from Google into the corresponding field on Hugging Face. The public certificate must have the following format: + ``` + -----BEGIN CERTIFICATE----- + {certificate} + -----END CERTIFICATE----- + ``` + +
+ + +
+ +- In the Google Workspace setup, click `Continue`. + +### Step 3: Configure Google with Hugging Face's SP Details + +- In the "Service provider details" screen, you'll need the `Assertion Consumer Service URL` and `SP Entity ID` from your Hugging Face SSO settings. Copy them into the corresponding `ACS URL` and `Entity ID` fields in Google. +- Ensure the following are set: + - Check the **Signed response** box. + - Name ID format: `EMAIL` + - Name ID: `Basic Information > Primary email` + +
+ + +
+ +- Click `Continue`. + +### Step 4: Attribute Mapping + +- On the "Attribute mapping" screen, click `Add mapping` and configure the attributes you want to send. This step is optional and depends on whether you want to use [Role Mapping](./security-sso#role-mapping) or [Resource Group Mapping](./security-sso#resource-group-mapping) on Hugging Face. + +
+ + +
+ +- Click `Finish`. + +### Step 5: Test and Enable SSO + + +Before testing, ensure you have granted access to the application for the appropriate users in the Google Workspace admin console under the app's "User access" settings. The admin performing the test must have access. It may take a few minutes for user access changes to apply on Google Workspace. + + +- Now, in your Hugging Face SSO settings, click on **"Update and Test SAML configuration"**. +- You should be redirected to your Google login prompt. Once logged in, you'll be redirected to your organization's settings page. +- A green check mark near the SAML selector will confirm that the test was successful. +- Once the test is successful, you can enable SSO for your organization by clicking the "Enable" button. +- Once enabled, members of your organization must complete the SSO authentication flow described in the [How does it work?](./security-sso#how-does-it-work) section. \ No newline at end of file diff --git a/docs/hub/security-sso.md b/docs/hub/security-sso.md index 5a949471a..0d2223d70 100644 --- a/docs/hub/security-sso.md +++ b/docs/hub/security-sso.md @@ -36,6 +36,7 @@ We have some guides available to help with configuring based on your chosen SSO - [How to configure OIDC with Azure in the Hub](./security-sso-azure-oidc) - [How to configure SAML with Okta in the Hub](./security-sso-okta-saml) - [How to configure SAML with Azure in the Hub](./security-sso-azure-saml) +- [How to configure SAML with Google Workspace in the Hub](./security-sso-google-saml) ### Users Management