How to configure SAML SSO with Azure
In this guide, we will use Azure as the SSO provider, with the Security Assertion Markup Language (SAML) protocol as our preferred identity protocol.
We currently support SP-initiated and IdP-initiated authentication. User provisioning is part of Enterprise Plus’s Advanced SSO.
This feature is part of the Team & Enterprise plans.
Step 1: Create a new application in your Identity Provider
Open a new tab/window in your browser and sign in to the Azure portal of your organization.
Navigate to “Enterprise applications” and click the “New application” button.
You’ll be redirected to a new page. Click on “Create your own application”, fill in the name of your application, and then “Create” the application.
Then select “Single Sign-On”, and select SAML.
Step 2: Configure your application on Azure
Open a new tab/window in your browser and navigate to the SSO section of your organization’s settings. Select the SAML protocol.
Copy the “SP Entity Id” from the organization’s settings on Hugging Face, and paste it in the “Identifier (Entity Id)” field on Azure (1).
Copy the “Assertion Consumer Service URL” from the organization’s settings on Hugging Face, and paste it in the “Reply URL” field on Azure (2).
The URL looks like this: https://huggingface.co/organizations/[organizationIdentifier]/saml/consume.
Then under “SAML Certificates”, verify that “Signing Option” is set to “Sign SAML response and assertion”.
Save your new application.
Step 3: Finalize configuration on Hugging Face
In your Azure application, under “Set up”, find the following field:
- Login Url
And under “SAML Certificates”:
- Download the “Certificate (base64)”
You will need them to finalize the SSO setup on Hugging Face.
In the SSO section of your organization’s settings, copy-paste these values from Azure:
- Login Url -> Sign-on URL
- Certificate -> Public certificate
The public certificate must have the following format:
-----BEGIN CERTIFICATE-----
{certificate}
-----END CERTIFICATE-----
You can now click on “Update and Test SAML configuration” to save the settings.
You should be redirected to your SSO provider (IdP) login prompt. Once logged in, you’ll be redirected to your organization’s settings page.
A green check mark near the SAML selector will attest that the test was successful.
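To confirm that the “Sign SAML response and assertion” option from Step 2 took effect, you can inspect the base64 `SAMLResponse` form field that Azure posts to the Assertion Consumer Service URL during the test login. The following is an added example, not Hugging Face or Azure code: the function names are hypothetical, the sample response is constructed, and the check is structural only (it reports whether each element carries a signature referencing its own ID, without verifying that signature cryptographically).

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _signed_by_own_id(element):
    """True if a direct-child ds:Signature references this element's own ID."""
    own_ref = "#" + element.get("ID", "")
    return any(
        ref.get("URI") == own_ref
        for ref in element.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    ) and own_ref != "#"

def signature_coverage(saml_response_b64):
    """Report which parts of a base64 SAMLResponse carry their own signature.

    Structural check only: signatures are NOT verified cryptographically.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": _signed_by_own_id(root),
        "assertion_count": len(assertions),
        "assertions_signed": bool(assertions)
        and all(_signed_by_own_id(a) for a in assertions),
    }

def constructed_response(sign_response, sign_assertion):
    """Build a constructed (not captured) SAMLResponse for the demo below."""
    def sig(ref_id):
        return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
                f'<ds:Reference URI="#{ref_id}"/></ds:SignedInfo></ds:Signature>')
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
           f'xmlns:saml="{NS["saml"]}" ID="_r1">'
           f'{sig("_r1") if sign_response else ""}'
           f'<saml:Assertion ID="_a1">{sig("_a1") if sign_assertion else ""}'
           f'<saml:Subject/></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for flags in [(True, True), (False, True), (True, False)]:
        print(flags, signature_coverage(constructed_response(*flags)))
```

With the setting from Step 2 applied, both `response_signed` and `assertions_signed` should be true for a response captured during the test login.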
Step 4: Enable SSO in your organization
Now that Single Sign-On is configured and tested, you can enable it for members of your organization by clicking on the “Enable” button.
Once enabled, members of your organization must complete the SSO authentication flow described in “How does it work?”.