diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml index 57db7a66a..1672f4fb0 100644 --- a/docs/hub/_toctree.yml +++ b/docs/hub/_toctree.yml @@ -418,6 +418,8 @@ title: How to configure SCIM with EntraID (Azure AD) - local: security-sso-google-saml title: How to configure SAML with Google Workspace + - local: security-sso-google-oidc + title: How to configure OIDC with Google Workspace - local: security-resource-groups title: Advanced Access Control (Resource Groups) - local: security-malware diff --git a/docs/hub/security-sso-google-oidc.md b/docs/hub/security-sso-google-oidc.md new file mode 100644 index 000000000..6e0bae9e2 --- /dev/null +++ b/docs/hub/security-sso-google-oidc.md @@ -0,0 +1,46 @@ +# How to configure OIDC SSO with Google Workspace + +In this guide, we will use Google Workspace as the SSO provider with the OpenID Connect (OIDC) protocol as our preferred identity protocol. + +We currently support SP-initiated authentication. User provisioning is part of Enterprise Plus's [Advanced SSO](./enterprise-hub-advanced-sso). + + + This feature is part of the Team & Enterprise plans. + + +### Step 1: Create OIDC App in Google Workspace + +- In your Google Cloud console, search and navigate to `Google Auth Platform` > `Clients`. +- Click `Create Client`. +- For Application Type select `Web Application`. +- Provide a name for your application. +- Retrieve the `Redirection URI` from your Hugging Face organization settings, go to the `SSO` tab and select the `OIDC` protocol. +- Click `Create`. +- A pop-up will appear with the `Client ID` and `Client Secret`, copy those and paste them into your Hugging Face organization settings. In the `SSO` tab (make sure `OIDC` is selected) paste the corresponding values for `Client Identifier` and `Client Secret`. + +
+ + +
+ +### Step 2: Configure Hugging Face with Google's OIDC Details + +- At this point the **Client ID** and **Client Secret** should be set in your Hugging Face organization settings `SSO` tab. +- Set the **Issuer URL** to `https://accounts.google.com`. + +
+ + +
+ +### Step 3: Test and Enable SSO + + +Before testing, ensure you have granted access to the application for the appropriate users. The admin performing the test must have access. + + +- Now, in your Hugging Face SSO settings, click on **"Update and Test OIDC configuration"**. +- You should be redirected to your Google login prompt. Once logged in, you'll be redirected to your organization's settings page. +- A green check mark near the OIDC selector will confirm that the test was successful. +- Once the test is successful, you can enable SSO for your organization by clicking the "Enable" button. +- Once enabled, members of your organization must complete the SSO authentication flow described in \ No newline at end of file diff --git a/docs/hub/security-sso.md b/docs/hub/security-sso.md index 0d2223d70..477398136 100644 --- a/docs/hub/security-sso.md +++ b/docs/hub/security-sso.md @@ -37,6 +37,7 @@ We have some guides available to help with configuring based on your chosen SSO - [How to configure SAML with Okta in the Hub](./security-sso-okta-saml) - [How to configure SAML with Azure in the Hub](./security-sso-azure-saml) - [How to configure SAML with Google Workspace in the Hub](./security-sso-google-saml) +- [How to configure OIDC with Google Workspace in the Hub](./security-sso-google-oidc) ### Users Management
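Review bot: In `docs/hub/_toctree.yml`, the new entry's title `How to configure OIDC with Google Workspace` does not match the heading of the page it points to, `# How to configure OIDC SSO with Google Workspace`. Pick one wording so the sidebar entry and the page title agree.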
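Review bot: In `docs/hub/security-sso-google-oidc.md`, Step 1 tells the reader to retrieve the `Redirection URI` from the Hugging Face `SSO` tab but never says where to enter it on the Google side before clicking `Create`. Add that it goes into the client's authorized redirect URIs, otherwise Google will reject the sign-in request during the Step 3 test. The note in Step 3 ("ensure you have granted access to the application for the appropriate users") also has no matching step: say where that access is granted, and state whether the app should be limited to accounts in the Workspace organization, since the issuer `https://accounts.google.com` is shared by all Google accounts. Finally, the last bullet of Step 3 ends at "described in" with no target, and the file has no trailing newline.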