How to Configure SAML 2.0 for Hugging Face Enterprise Hub

Prerequisites:

Your organization must be on an Enterprise or Enterprise Plus plan to enable SAML-based SSO.
You must have administrator access to both your Okta organization and your Hugging Face Enterprise Hub organization.
For details about Hugging Face’s SSO options, visit the official documentation: Hugging Face Enterprise SSO Documentation.

Supported Features
Configuration Steps
Notes

Supported Features

The Okta / Hugging Face Enterprise Hub SAML integration supports the following:

IdP-initiated SSO and SP-initiated SSO: Users can initiate authentication either from the identity provider (Okta) or from the service provider (Hugging Face).

Configuration Steps

Step 1 — Add the Hugging Face App from Okta Integration Network (OIN)

Sign in to your Okta Admin Dashboard.
Go to Applications → Browse App Catalog.
Search for and select the application named Hugging Face.
Click Add Integration.

Step 2 — Configure the Hugging Face App in Okta

On the General Settings page, enter:
- Application label: Hugging Face
- Organization Name: Your Hugging Face organization name
- Organization ID: Your Hugging Face organization ID
Where to find these values: In Hugging Face, go to Organization Settings → SSO → SAML. You will see both the Organization Name and Organization ID.
Click Next, review the Sign-On Options (username format should be Email), then click Done.
Important: Ensure the administrator performing these steps is assigned to the Hugging Face app in Okta (via the Assignments tab).

Step 3 — Copy SAML Configuration from Okta

In the Hugging Face app in Okta, open the Sign On tab.
Locate the SAML 2.0 section and click View SAML Setup Instructions (or go to Metadata Details).
Copy the following values:
- Identity Provider Single Sign-On URL
- X.509 Certificate — copy the full certificate including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Step 4 — Configure SAML in Hugging Face

Return to your organization’s Organization Settings → SSO → SAML tab in Hugging Face.
Enter the values from Okta:
- Sign On URL: Paste the Identity Provider Single Sign-On URL from Okta.
- X.509 Certificate: Paste the full certificate (including BEGIN/END markers) from Okta.
Click Update and Test SAML Configuration to validate.
If the test is successful, toggle Enable SAML SSO to activate SSO for your organization.

What happens next ? Users will still sign in to Hugging Face with their usual accounts. When they access content belonging to your organization, they’ll be prompted to authenticate via SSO through Okta.

Notes

This guide covers the Standard SSO setup. For Advanced SSO (with automated user provisioning and SCIM), see Advanced SSO Documentation.
For automated user lifecycle management via SCIM Provisioning (Enterprise Plus with Advanced SSO), see SCIM and Advanced Features Overview.
Ensure the Organization Name and Organization ID entered in Okta exactly match those displayed in your Hugging Face SSO → SAML settings.