docs/hub/security-sso.md
Lines changed: 19 additions & 8 deletions
@@ -62,17 +62,23 @@ This section allows you to define a mapping from your IdP's user profile data fr
62
62
63
63
- IdP Role Attribute Mapping
64
64
65
-
A JSON path to an attribute in your user's IdP profile data.
65
+
- IdP Role Attribute Path
66
+
67
+
This is a text input field where you specify the JSON path to an attribute in your user's IdP profile data (e.g., `email`, `groups`, or a custom claim like `custom_roles`). For SAML, if the attribute is a URI reference (e.g., `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role`), the system will directly use the URI as the path.
66
68
67
69
- Role Mapping
68
70
69
-
A mapping from the IdP attribute value to the assigned role in the Hugging Face organization.
71
+
This section provides a dynamic list of mappings. For each row, you will:
72
+
- Enter the **IdP Group/Attribute Value**: This is a text input where you type the *exact value* expected from your Identity Provider's attribute (e.g., `admins`, `developers`, `viewers`).
73
+
- Select the **Hugging Face Role**: This is a dropdown where you choose the corresponding role within the Hugging Face organization (e.g., `admin`, `write`, `read`, `contributor`).
74
+
75
+
The system checks if the value extracted from the "IdP Role Attribute Path" either exactly matches one of the "IdP Group/Attribute Value" entries, or if it is an array and one of its elements matches an entry.
70
76
71
-
You must map at least one admin role.
77
+
You must map at least one admin role.
72
78
73
-
If there is no match, a user will be assigned the default role for your organization. The default role can be customized in the `Members` section of the organization's settings.
79
+
If no mapping is found, a user will be assigned the default role for your organization. The default role can be customized in the `Members` section of the organization's settings.
74
80
75
-
Role synchronization is performed on login.
81
+
Role synchronization is performed on login.
76
82
77
83
#### Resource Group Mapping
78
84
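Review bot: The matching sentence added at the end of the Role Mapping item ("or if it is an array and one of its elements matches an entry") does not say which role is assigned when a user's array matches more than one row, for example a `groups` value containing both `admins` and `viewers`. That outcome decides whether the user lands on `admin` or `read`, so state the precedence rule explicitly (row order, highest privilege, or something else). It would also help to say whether the *exact value* comparison is case-sensitive, since an entry that silently fails to match drops the user to the organization's default role. Smaller points: `email` is an unusual example for a role attribute path and could be replaced with a group or role claim, and the three lines "You must map at least one admin role.", "If no mapping is found..." and "Role synchronization is performed on login." are removed and re-added with the first and last textually identical here, so confirm the whitespace or indentation change is intended.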
@@ -85,13 +91,18 @@ When enabled, Resource Group Mapping allows you to dynamically assign members to
85
91
86
92
- IdP Attribute Path
87
93
88
-
A JSON path to an attribute in your user's IdP profile data.
94
+
This is a text input field where you specify the JSON path to an attribute in your user's IdP profile data (e.g., `department`, `project_access`). For SAML, if the attribute is a URI reference, the system will use the URI directly.
89
95
90
96
- Resource Group Mapping
91
97
92
-
A mapping from the IdP attribute value to a resource group in your Hugging Face organization.
98
+
This section provides a dynamic list of mappings. For each row, you will:
99
+
- Enter the **IdP Attribute Value**: This is a text input where you type the *exact value* expected from your Identity Provider's attribute (e.g., `AI_Research`, `ML_Ops`, `Data_Science`).
100
+
- Select the **Resource Group**: This is a dropdown where you choose an existing resource group within your Hugging Face organization.
101
+
- Select the **Role Assignation**: This is a dropdown where you choose the access level within the selected resource group (e.g., `admin`, `write`, `read`, `contributor`).
102
+
103
+
The system checks if the value extracted from the "IdP Attribute Path" either exactly matches one of the "IdP Attribute Value" entries, or if it is an array and one of its elements matches an entry.
93
104
94
-
If there is no match, the user will not be assigned to any resource group.
105
+
If no mapping is found, the user will not be assigned to any resource group.
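Review bot: The new matching sentence for Resource Group Mapping ("or if it is an array and one of its elements matches an entry") leaves open what happens when several rows match: is the user added to every matching resource group, or only the first? It should also say which Role Assignation applies if two matching rows point at the same resource group with different access levels, because that determines the effective permission. On wording, "Role Assignation" reads as a typo for "Role Assignment" unless it is the literal UI label, in which case a note saying so would help. The SAML sentence here omits the URI example given in the Role Mapping section; repeating it or referring back would keep the two sections consistent.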