diff --git a/docs/hub/_toctree.yml b/docs/hub/_toctree.yml index dce951909..181219e32 100644 --- a/docs/hub/_toctree.yml +++ b/docs/hub/_toctree.yml @@ -283,6 +283,8 @@ title: How to configure OIDC with Okta in the Hub - local: security-sso-okta-saml title: How to configure SAML with Okta in the Hub + - local: security-sso-azure-saml + title: How to configure SAML with Azure in the Hub - local: security-malware title: Malware Scanning - local: security-pickle diff --git a/docs/hub/security-sso-azure-saml.md b/docs/hub/security-sso-azure-saml.md new file mode 100644 index 000000000..1237171b7 --- /dev/null +++ b/docs/hub/security-sso-azure-saml.md @@ -0,0 +1,117 @@ +# How to configure SAML SSO with Azure + +In this guide, we will use Azure as the SSO provider and with the Security Assertion Markup Language (SAML) protocol as our preferred identity protocol. + +We currently support SP-initiated and IdP-initiated authentication. User provisioning is not yet supported at this time. + + + This feature is part of the Enterprise Hub. + + +### Step 1: Create a new application in your Identity Provider + +Open a new tab/window in your browser and sign in to the Azure portal of your organization. + +Navigate to "Enterprise applications" and click the "New application" button. + +
+ +
+ +You'll be redirected to this page, click on "Create your own application", fill the name of your application, and then "Create" the application. + +
+ +
+ +Then select "Single Sign-On", and select SAML + +
+ +
+ + +### Step 2: Configure your application on Azure + +Open a new tab/window in your browser and navigate to the SSO section of your organization's settings. Select the SAML protocol. + +
+ + +
+ +
+ + +
+ +Copy the "SP Entity Id" from the organization's settings on Hugging Face, and paste it in the "Identifier (Entity Id)" field on Azure (1). + +Copy the "Assertion Consumer Service URL" from the organization's settings on Hugging Face, and paste it in the "Reply URL" field on Azure (2). + + +The URL looks like this: `https://huggingface.co/organizations/[organizationIdentifier]/saml/consume`. + +
+ +
+ +Then under "SAML Certificates", verify that "Signin Option" is set to "Sign SAML response and assertion". + +
+ +
+ + +Save your new application. + +### Step 3: Finalize configuration on Hugging Face + +In your Azure application, under "Set up", find the following field: +- Login Url + +And under "SAML Certificates": +- Download the "Certificate (base64)" + +You will need them to finalize the SSO setup on Hugging Face. + + +
+ +
+ +In the SSO section of your organization's settings, copy-paste these values from Azure: + +- Login Url -> Sign-on URL +- Certificate -> Public certificate + +The public certificate must have the following format: + +``` +-----BEGIN CERTIFICATE----- +{certificate} +-----END CERTIFICATE----- +``` + +
+ + +
+ +You can now click on "Update and Test SAML configuration" to save the settings. + +You should be redirected to your SSO provider (IdP) login prompt. Once logged in, you'll be redirected to your organization's settings page. + +A green check mark near the SAML selector will attest that the test was successful. + + +
+ + +
+ +### Step 4: Enable SSO in your organization + +Now that Single Sign-On is configured and tested, you can enable it for members of your organization by clicking on the "Enable" button. + +Once enabled, members of your organization must complete the SSO authentication flow described in [How does it work?](./security-sso#how-does-it-work). diff --git a/docs/hub/security-sso.md b/docs/hub/security-sso.md index d41a3dd0c..23a59f7f9 100644 --- a/docs/hub/security-sso.md +++ b/docs/hub/security-sso.md @@ -35,6 +35,7 @@ We have some guides available to help with configuring based on your chosen SSO - [How to configure OIDC with Okta in the Hub](./security-sso-okta-oidc) - [How to configure SAML with Okta in the Hub](./security-sso-okta-saml) +- [How to configure SAML with Azure in the Hub](./security-sso-azure-saml) ### Users Management
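Review bot: In docs/hub/_toctree.yml the new entry's title, "How to configure SAML with Azure in the Hub", does not match the H1 of the page it points to, "# How to configure SAML SSO with Azure". Pick one wording and use it for the toctree title, the page heading and the link text added to docs/hub/security-sso.md, so the sidebar, the index list and the page title agree.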
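Review bot: In Step 2 of docs/hub/security-sso-azure-saml.md, "Signin Option" looks like a typo for "Signing Option", given that the value to select is "Sign SAML response and assertion". This is the setting that gets both the response and the assertion signed, so the label should match what the admin sees on screen exactly. The same step sits under the heading "Configure your application on Azure" but opens with "navigate to the SSO section of your organization's settings" without saying these are the Hugging Face settings; name the site there, as the following sentences do. Step 3 has the admin paste a copy of the Azure certificate into "Public certificate" but does not say what to do when that certificate is replaced on the Azure side; a sentence telling admins to update the field and re-run "Update and Test SAML configuration" would close that gap. Minor wording: in the intro, "and with the Security Assertion Markup Language (SAML) protocol" should drop "and", and "not yet supported at this time" is redundant.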