You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/hub/security-sso.md
+18-9Lines changed: 18 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -58,21 +58,28 @@ The default value is 7 days.
58
58
59
59
When enabled, Role Mapping allows you to dynamically assign [roles](./organizations-security#access-control-in-organizations) to organization members based on data provided by your Identity Provider.
60
60
61
-
This section allows you to define a mapping from your IdP's user profile data from your IdP to the assigned role in Hugging Face.
61
+
This section allows you to define a mapping from your IdP's user profile data to the assigned role in Hugging Face.
62
62
63
-
- IdP Role Attribute Mapping
63
+
-**IdP Role Attribute Path**
64
64
65
65
A JSON path to an attribute in your user's IdP profile data.
66
+
It supports dot notation (e.g. `user.role` or `groups`).
67
+
For SAML, this can be a URI if your claims are URIs (e.g. `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`).
66
68
67
-
- Role Mapping
69
+
-**Role Mapping**
68
70
69
71
A mapping from the IdP attribute value to the assigned role in the Hugging Face organization.
72
+
73
+
Available roles are `admin`, `write`, `contributor`, and `read`. See [roles documentation](./organizations-security#access-control-in-organizations) for more details.
70
74
71
-
You must map at least one admin role.
75
+
> [!IMPORTANT]
76
+
> You must map at least one `admin` role in your configuration.
77
+
78
+
If the attribute in the IdP response contains multiple values (e.g. a list of groups), the **first matching mapping** will be used to determine the user's role.
72
79
73
80
If there is no match, a user will be assigned the default role for your organization. The default role can be customized in the `Members` section of the organization's settings.
74
81
75
-
Role synchronization is performed on login.
82
+
Role synchronization is performed on every login.
76
83
77
84
#### Resource Group Mapping
78
85
@@ -83,13 +90,15 @@ When enabled, Resource Group Mapping allows you to dynamically assign members to
A JSON path to an attribute in your user's IdP profile data.
95
+
A JSON path to an attribute in your user's IdP profile data. Similar to Role Mapping, this supports dot notation or URIs for SAML.
96
+
97
+
-**Resource Group Mapping**
89
98
90
-
- Resource Group Mapping
99
+
A mapping from the IdP attribute value to a resource group in your Hugging Face organization. You can assign a specific role (`admin`, `write`, `contributor`, `read`) for each resource group mapping.
91
100
92
-
A mapping from the IdP attribute value to a resource group in your Hugging Face organization.
101
+
Unlike Role Mapping, **Resource Group Mapping is additive**. If a user matches multiple mappings (e.g. they belong to multiple groups in your IdP that are mapped to different Resource Groups), they will be added to **all** matched Resource Groups.
93
102
94
103
If there is no match, the user will not be assigned to any resource group.
0 commit comments