Hub

Join the Hugging Face community

and get access to the augmented documentation experience

Collaborate on models, datasets and Spaces

Faster examples with accelerated inference

Switch between documentation themes

to get started

How to configure OIDC SSO with Google Workspace

In this guide, we will use Google Workspace as the SSO provider with the OpenID Connect (OIDC) protocol as our preferred identity protocol.

We currently support SP-initiated authentication. For user provisioning, see SCIM.

This feature is part of the Team & Enterprise plans.

In your Google Cloud console, search and navigate to Google Auth Platform > Clients.
Click Create Client.
For Application Type select Web Application.
Provide a name for your application.
Retrieve the Redirection URI from your Hugging Face organization settings, go to the SSO tab and select the OIDC protocol.
Click Create.
A pop-up will appear with the Client ID and Client Secret, copy those and paste them into your Hugging Face organization settings. In the SSO tab (make sure OIDC is selected) paste the corresponding values for Client Identifier and Client Secret.

At this point the Client ID and Client Secret should be set in your Hugging Face organization settings SSO tab.
Set the Issuer URL to https://accounts.google.com.

Before testing, ensure you have granted access to the application for the appropriate users. The admin performing the test must have access.

Now, in your Hugging Face SSO settings, click on “Update and Test OIDC configuration”.
You should be redirected to your Google login prompt. Once logged in, you’ll be redirected to your organization’s settings page.
A green check mark near the OIDC selector will confirm that the test was successful.
Once the test is successful, you can enable SSO for your organization by clicking the “Enable” button.
Once enabled, members of your organization must complete the SSO authentication flow described in the How it works section.