Hub

Join the Hugging Face community

and get access to the augmented documentation experience

Collaborate on models, datasets and Spaces

Faster examples with accelerated inference

Switch between documentation themes

to get started

How to configure OIDC SSO with Okta

In this guide, we will use Okta as the SSO provider and with the Open ID Connect (OIDC) protocol as our preferred identity protocol.

This feature is part of the Enterprise Hub.

Step 1: Create a new application in your Identity Provider

Open a new tab/window in your browser and sign in to your Okta account.

Navigate to “Admin/Applications” and click the “Create App Integration” button.

Then choose an “OIDC - OpenID Connect” application, select the application type “Web Application” and click “Create”.

Step 2: Configure your application in Okta

Open a new tab/window in your browser and navigate to the SSO section of your organization’s settings. Select the OIDC protocol.

Copy the “Redirection URI” from the organization’s settings on Hugging Face, and paste it in the “Sign-in redirect URI” field on Okta. The URL looks like this: https://huggingface.co/organizations/[organizationIdentifier]/oidc/consume.

You can leave the optional Sign-out redirect URIs blank.

Save your new application.

Step 3: Finalize configuration on Hugging Face

In your Okta application, under “General”, find the following fields:

Client ID
Client secret
Issuer URL You will need these to finalize the SSO setup on Hugging Face.

The Okta Issuer URL is generally a URL like https://tenantId.okta.com; you can refer to their guide for more details.

In the SSO section of your organization’s settings on Hugging Face, copy-paste these values from Okta:

Client ID
Client Secret

You can now click on “Update and Test OIDC configuration” to save the settings.

You should be redirected to your SSO provider (IdP) login prompt. Once logged in, you’ll be redirected to your organization’s settings page.

A green check mark near the OIDC selector will attest that the test was successful.

Step 4: Enable SSO in your organization

Now that Single Sign-On is configured and tested, you can enable it for members of your organization by clicking on the “Enable” button.

Once enabled, members of your organization must complete the SSO authentication flow described in the How does it work? section.

< > Update on GitHub

←Single Sign-On (SSO) How to configure SAML with Okta in the Hub→