diff --git a/content/admin/company/_index.md b/content/admin/company/_index.md index bb43c5555e..dcd5e01af6 100644 --- a/content/admin/company/_index.md +++ b/content/admin/company/_index.md @@ -19,12 +19,12 @@ grid: - title: Configure Single Sign-On description: Discover how to configure SSO for your entire company. icon: key - link: /admin/company/settings/sso/ + link: /security/for-admins/single-sign-on/ - title: Set up SCIM description: Set up SCIM to automatically provision and deprovision users in your company. icon: checklist - link: /admin/company/settings/scim/ + link: /security/for-admins/scim/ - title: Domain management description: Add and verify your domains. icon: domain_verification diff --git a/content/admin/company/owners.md b/content/admin/company/owners.md index eea6c18df4..c6463a8a62 100644 --- a/content/admin/company/owners.md +++ b/content/admin/company/owners.md @@ -6,7 +6,7 @@ title: Manage company owners {{< include "admin-early-access.md" >}} -As a company owner, you can configure [Single Sign-on (SSO)](./settings/sso.md) and [System for Cross-domain Identity Management (SCIM)](./settings/scim.md) for all organizations under the company. +As a company owner, you can configure [Single Sign-on (SSO)](../../security/for-admins/single-sign-on/_index.md) and [System for Cross-domain Identity Management (SCIM)](../../security/for-admins/scim.md) for all organizations under the company. ## Add a company owner diff --git a/content/admin/company/settings/group-mapping.md b/content/admin/company/settings/group-mapping.md deleted file mode 100644 index d87ce553c1..0000000000 --- a/content/admin/company/settings/group-mapping.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -description: Group mapping in Docker Admin -keywords: Group Mapping, SCIM, Docker Admin -title: Group Mapping ---- - -{{< include "admin-early-access.md" >}} - -{{% admin-group-mapping product="admin" layer="company" %}} \ No newline at end of file 
diff --git a/content/admin/company/settings/scim.md b/content/admin/company/settings/scim.md deleted file mode 100644 index 8921b1729e..0000000000 --- a/content/admin/company/settings/scim.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -description: System for Cross-domain Identity Management -keywords: SCIM, SSO -title: SCIM ---- - -{{< include "admin-early-access.md" >}} - -Follow the steps on this page to manage SCIM for your company. To manage SCIM for an organization, see [SCIM for an organization](/admin/organization/security-settings/scim/). - -{{% admin-scim product="admin" layer="company" %}} diff --git a/content/admin/company/settings/sso-configuration.md b/content/admin/company/settings/sso-configuration.md deleted file mode 100644 index 65500fd5cc..0000000000 --- a/content/admin/company/settings/sso-configuration.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -description: SSO configuration -keywords: configure, sso, docker admin -title: Configure Single Sign-On for a company ---- - -{{< include "admin-early-access.md" >}} - -Follow the steps on this page to configure SSO for your company. To configure SSO for an organization, see [Configure SSO for an organization](/admin/organization/security-settings/sso-configuration/). - -## Step one: Add and verify your domain - -{{% admin-domains product="admin" layer="company" %}} - -{{% admin-sso-config product="admin" layer="company" %}} diff --git a/content/admin/company/settings/sso-management.md b/content/admin/company/settings/sso-management.md deleted file mode 100644 index b5c5ffd7fa..0000000000 --- a/content/admin/company/settings/sso-management.md +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -description: Manage SSO -keywords: manage, single sign-on, SSO, sign-on -title: Manage Single Sign-On for a company ---- - -{{< include "admin-early-access.md" >}} - -Follow the steps on this page to manage SSO for your company. To manage SSO for an organization, see [Manage SSO for an organization](/admin/organization/security-settings/sso-management/). - -## Manage organizations - -{{% admin-sso-management-orgs product="admin" %}} - -{{% admin-sso-management product="admin" layer="company" %}} diff --git a/content/admin/company/settings/sso.md b/content/admin/company/settings/sso.md deleted file mode 100644 index 417f5c2d81..0000000000 --- a/content/admin/company/settings/sso.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -description: Overview of Single Sign-On for companies. -keywords: Single Sign-On, SSO, sign-on -title: Single Sign-On overview for companies ---- - -{{< include "admin-early-access.md" >}} - -{{% admin-sso product="admin" layer="company" %}} \ No newline at end of file diff --git a/content/admin/organization/_index.md b/content/admin/organization/_index.md index 9c6b3b76ef..d1e024e678 100644 --- a/content/admin/organization/_index.md +++ b/content/admin/organization/_index.md @@ -24,8 +24,8 @@ grid: icon: settings_suggest link: /admin/organization/general-settings/ - title: SSO & SCIM - description: 'Set up [Single Sign-On](/admin/organization/security-settings/sso/) - and [SCIM](/admin/organization/security-settings/scim/) for your organization. + description: 'Set up [Single Sign-On](/security/for-admins/single-sign-on/) + and [SCIM](/security/for-admins/scim/) for your organization. ' icon: key diff --git a/content/admin/organization/security-settings/group-mapping.md b/content/admin/organization/security-settings/group-mapping.md deleted file mode 100644 index aab60b50df..0000000000 --- a/content/admin/organization/security-settings/group-mapping.md +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -description: Group mapping in Docker Admin -keywords: Group Mapping, SCIM, Docker Admin -title: Group Mapping ---- - -{{< include "admin-early-access.md" >}} - -{{% admin-group-mapping product="admin" layer="organization" %}} \ No newline at end of file diff --git a/content/admin/organization/security-settings/scim.md b/content/admin/organization/security-settings/scim.md deleted file mode 100644 index cadaed6ae4..0000000000 --- a/content/admin/organization/security-settings/scim.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -description: System for Cross-domain Identity Management -keywords: SCIM, SSO -title: SCIM ---- - -{{< include "admin-early-access.md" >}} - -Follow the steps on this page to manage SCIM for your organization. To manage SCIM for a company, see [SCIM for a company](/admin/company/settings/scim/). - -{{% admin-scim product="admin" layer="organization" %}} \ No newline at end of file diff --git a/content/admin/organization/security-settings/sso-configuration.md b/content/admin/organization/security-settings/sso-configuration.md deleted file mode 100644 index c7c19bfe2e..0000000000 --- a/content/admin/organization/security-settings/sso-configuration.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -description: SSO configuration -keywords: configure, sso, docker admin -title: Configure Single Sign-On for an organization ---- - -{{< include "admin-early-access.md" >}} - -Follow the steps on this page to configure SSO for your organization. To configure SSO for a company, see [Configure SSO for a company](/admin/company/settings/sso-configuration/). - -## Step one: Add and verify your domain - -{{% admin-domains product="admin" layer="organization" %}} - - -{{% admin-sso-config product="admin" layer="organization" %}} \ No newline at end of file diff --git a/content/admin/organization/security-settings/sso-faq.md b/content/admin/organization/security-settings/sso-faq.md deleted file mode 100644 index 4a936db0e2..0000000000 
--- a/content/admin/organization/security-settings/sso-faq.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Single Sign-on FAQs -keywords: Docker, Docker Admin, SSO FAQs, single sign-on -title: Single Sign-On FAQs -toc_max: 2 ---- - -{{< include "admin-early-access.md" >}} - -{{< include "admin-sso-faq.md" >}} \ No newline at end of file diff --git a/content/admin/organization/security-settings/sso-management.md b/content/admin/organization/security-settings/sso-management.md deleted file mode 100644 index ff247e6752..0000000000 --- a/content/admin/organization/security-settings/sso-management.md +++ /dev/null @@ -1,12 +0,0 @@ ---- -description: Manage SSO -keywords: manage, single sign-on, SSO, sign-on -title: Manage Single Sign-On for an organization ---- - -{{< include "admin-early-access.md" >}} - -Follow the steps on this page to manage SSO for an organization. To manage SSO for a company, see [Manage SSO for a company](/admin/company/settings/sso-management/). - - -{{% admin-sso-management product="admin" layer="organization" %}} \ No newline at end of file diff --git a/content/admin/organization/security-settings/sso.md b/content/admin/organization/security-settings/sso.md deleted file mode 100644 index 5683bdbdda..0000000000 --- a/content/admin/organization/security-settings/sso.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -description: Single Sign-On overview for organizations -keywords: Single Sign-On, SSO, sign-on -title: Single Sign-On overview for organizations ---- - -{{< include "admin-early-access.md" >}} - -{{% admin-sso product="admin" layer="organization" %}} \ No newline at end of file diff --git a/content/desktop/release-notes.md b/content/desktop/release-notes.md index b5b41ab778..8c20c27f2b 100644 --- a/content/desktop/release-notes.md +++ b/content/desktop/release-notes.md 
@@ -1642,7 +1642,7 @@ Installing Docker Desktop 4.5.0 from scratch has a bug which defaults Docker Des ### New - Easy, Secure sign in with Auth0 and Single Sign-on - - Single Sign-on: Users with a Docker Business subscription can now configure SSO to authenticate using their identity providers (IdPs) to access Docker. For more information, see [Single Sign-on](../single-sign-on/index.md). + - Single Sign-on: Users with a Docker Business subscription can now configure SSO to authenticate using their identity providers (IdPs) to access Docker. For more information, see [Single Sign-on](../security/for-admins/single-sign-on/index.md). - Signing in to Docker Desktop now takes you through the browser so that you get all the benefits of auto-filling from password managers. ### Upgrades diff --git a/content/docker-hub/_index.md b/content/docker-hub/_index.md index 67cf838558..fd30f8df4f 100644 --- a/content/docker-hub/_index.md +++ b/content/docker-hub/_index.md @@ -43,7 +43,7 @@ GitHub and Bitbucket and push them to Docker Hub. * [Create and manage teams and organizations](orgs.md) * [Create a company](creating-companies.md) * [Enforce sign in](configure-sign-in.md) -* Set up [SSO](../single-sign-on/index.md) and [SCIM](scim.md) +* Set up [SSO](../security/for-admins/single-sign-on/index.md) and [SCIM](../security/for-admins/scim.md) * Use [Group mapping](group-mapping.md) * [Carry out domain audits](domain-audit.md) * [Use Image Access Management](image-access-management.md) to control developers' access to certain types of images diff --git a/content/docker-hub/admin-overview.md b/content/docker-hub/admin-overview.md index f5de4717fb..776be29dbe 100644 --- a/content/docker-hub/admin-overview.md +++ b/content/docker-hub/admin-overview.md 
@@ -13,7 +13,7 @@ grid: description: Learn how to onboard users to your organization. - title: Enable Single Sign-On description: Understand and use Single Sign-On. - link: /single-sign-on/ + link: /security/for-admins/single-sign-on/ icon: key --- diff --git a/content/docker-hub/api/latest.yaml b/content/docker-hub/api/latest.yaml index 222c0c266f..5d336580e7 100644 --- a/content/docker-hub/api/latest.yaml +++ b/content/docker-hub/api/latest.yaml @@ -108,7 +108,7 @@ tags: x-displayName: SCIM description: | SCIM is a provisioning system that lets you manage users within your identity provider (IdP). - For more information, see [System for Cross-domain Identity management](https://docs.docker.com/docker-hub/scim/). + For more information, see [System for Cross-domain Identity management](https://docs.docker.com/security/for-admins/scim/). x-tagGroups: - name: General tags: diff --git a/content/docker-hub/company-faqs.md b/content/docker-hub/company-faqs.md index c796b03d17..abd1cbf63a 100644 --- a/content/docker-hub/company-faqs.md +++ b/content/docker-hub/company-faqs.md @@ -47,7 +47,7 @@ Contact your designated CSM team member or Docker Support with a list of the Doc ### How does a company owner manage SSO/SCIM settings from my new parent company? -See your [SCIM](scim.md) and [SSO](../single-sign-on/configure/index.md) settings. +See your [SCIM](scim.md) and [SSO](../security/for-admins/single-sign-on/configure/index.md) settings. ### How does a company owner enable group mapping in my IdP? diff --git a/content/docker-hub/company-owner.md b/content/docker-hub/company-owner.md index cb63cf214e..19ca9e4e5d 100644 --- a/content/docker-hub/company-owner.md +++ b/content/docker-hub/company-owner.md 
@@ -4,7 +4,7 @@ keywords: company, owners title: Manage company owners --- -As a company owner, you can configure [Single Sign-on (SSO)](../single-sign-on/configure/index.md) and [System for Cross-domain Identity Management (SCIM)](../docker-hub/scim.md) for all organizations under the company. This is only visible if your organization has a Docker Business subscription. If you want to upgrade your subscription to include the organization under the company, see [upgrade your subscription](../subscription/upgrade.md). +As a company owner, you can configure [Single Sign-on (SSO)](../security/for-admins/single-sign-on/configure/index.md) and [System for Cross-domain Identity Management (SCIM)](../security/for-admins/scim.md) for all organizations under the company. This is only visible if your organization has a Docker Business subscription. If you want to upgrade your subscription to include the organization under the company, see [upgrade your subscription](../subscription/upgrade.md). ## Add a company owner diff --git a/content/docker-hub/general-faqs.md b/content/docker-hub/general-faqs.md index 433f06ec10..387486abb4 100644 --- a/content/docker-hub/general-faqs.md +++ b/content/docker-hub/general-faqs.md 
@@ -11,7 +11,7 @@ redirect: A Docker ID is a username for your Docker account that lets you access Docker products. All you need is an email address to create a Docker ID, or you can sign up with your Google or GitHub account. Your Docker ID must be between 4 and 30 characters long, and can only contain numbers and lowercase letters. You cannot use any special characters or spaces. -For more information, see [Docker ID](../docker-id/index.md). If your admin enforces [Single sign-on (SSO)](../single-sign-on/index.md), a Docker ID is provisioned for new users. +For more information, see [Docker ID](../docker-id/index.md). If your admin enforces [Single sign-on (SSO)](../security/for-admins/single-sign-on/index.md), a Docker ID is provisioned for new users. Developers may have multiple Docker IDs in order to separate their Docker IDs that are associated with an organization in Docker Business or Team, and their personal use Docker IDs. @@ -65,7 +65,7 @@ The organization owner can also add additional owners to help them manage users, ### Can I configure multiple SSO identity providers (IdPs) to authenticate users to a single org? Docker SSO allows only one IdP configuration per organization. For more -information, see [Configure SSO](../single-sign-on/index.md) and [SSO FAQs](../single-sign-on/faqs.md). +information, see [Configure SSO](../security/for-admins/single-sign-on/configure/_index.md) and [SSO FAQs](../faq/security/single-sign-on/faqs.md). ### What is a service account? diff --git a/content/docker-hub/group-mapping.md b/content/docker-hub/group-mapping.md deleted file mode 100644 index 32ceaf8e3f..0000000000 --- a/content/docker-hub/group-mapping.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -description: Group mapping in Docker Hub -keywords: Group Mapping, SCIM, Docker Hub -title: Group Mapping ---- - -{{% admin-group-mapping product="hub" %}} \ No newline at end of file 
diff --git a/content/docker-hub/manage-a-team.md b/content/docker-hub/manage-a-team.md index fa7aa8f6f2..f5e2ef71b1 100644 --- a/content/docker-hub/manage-a-team.md +++ b/content/docker-hub/manage-a-team.md @@ -26,7 +26,7 @@ An organization owner is an administrator who is responsible to manage repositories and add team members to the organization. They have full access to private repositories, all teams, billing information, and org settings. An org owner can also specify [permissions](#permissions-reference) for each team in -the organization. Only an org owner can enable [SSO](../single-sign-on/index.md) +the organization. Only an org owner can enable [SSO](../security/for-admins/single-sign-on/index.md) for the organization. When SSO is enabled for your organization, the org owner can also manage users. Docker can auto-provision Docker IDs for new end-users or @@ -53,7 +53,7 @@ To give a team access to a repository ![Team Repo Permissions](images/team-repo-permission.png) -Organization owners can also assign members the editor role to grant partial administrative access. See [Roles and permissions](/docker-hub/roles-and-permissions/) for more about the editor role. +Organization owners can also assign members the editor role to grant partial administrative access. See [Roles and permissions](/security/for-admins/roles-and-permissions/) for more about the editor role. ### Permissions reference diff --git a/content/docker-hub/organization-faqs.md b/content/docker-hub/organization-faqs.md index 127e694b37..390881fa0b 100644 --- a/content/docker-hub/organization-faqs.md +++ b/content/docker-hub/organization-faqs.md 
@@ -21,7 +21,7 @@ select the owner role from the drop-down menu. See [Organization owner](manage-a ### How do I know how many active users are part of my organization? -If your organization uses a Software Asset Management tool, you can use it to find out how many users have Docker Desktop installed. If your organization doesn't use this software, you can run an internal survey to find out who is using Docker Desktop. See [Identify your Docker users and their Docker accounts](../docker-hub/onboard.md#step-1-identify-your-docker-users-and-their-docker-accounts). With a Docker Business subscription, you can manage members in your identity provider and automatically provision them to your Docker organization with [SSO](../single-sign-on/_index.md) or [SCIM](../docker-hub/scim.md). +If your organization uses a Software Asset Management tool, you can use it to find out how many users have Docker Desktop installed. If your organization doesn't use this software, you can run an internal survey to find out who is using Docker Desktop. See [Identify your Docker users and their Docker accounts](../docker-hub/onboard.md#step-1-identify-your-docker-users-and-their-docker-accounts). With a Docker Business subscription, you can manage members in your identity provider and automatically provision them to your Docker organization with [SSO](../security/for-admins/single-sign-on/_index.md) or [SCIM](../security/for-admins/scim.md). ### Do users first need to authenticate with Docker before an owner can add them to an organization? diff --git a/content/docker-hub/scim.md b/content/docker-hub/scim.md deleted file mode 100644 index 421c086672..0000000000 --- a/content/docker-hub/scim.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -description: System for Cross-domain Identity Management -keywords: SCIM, SSO -title: SCIM -direct_from: -- /docker-hub/company-scim/ ---- - -{{% admin-scim %}} 
diff --git a/content/single-sign-on/domain-faqs.md b/content/faq/security/single-sign-on/domain-faqs.md similarity index 96% rename from content/single-sign-on/domain-faqs.md rename to content/faq/security/single-sign-on/domain-faqs.md index 5045f0fb1e..9a0b871e11 100644 --- a/content/single-sign-on/domain-faqs.md +++ b/content/faq/security/single-sign-on/domain-faqs.md @@ -2,6 +2,8 @@ description: Single Sign-on FAQs keywords: Docker, Docker Hub, SSO FAQs, single sign-on title: Domains +aliases: +- /single-sign-on/domain-faqs/ --- ### Can I add sub-domains? diff --git a/content/single-sign-on/enforcement-faqs.md b/content/faq/security/single-sign-on/enforcement-faqs.md similarity index 96% rename from content/single-sign-on/enforcement-faqs.md rename to content/faq/security/single-sign-on/enforcement-faqs.md index 7a8c3ce6eb..ce1bc0336c 100644 --- a/content/single-sign-on/enforcement-faqs.md +++ b/content/faq/security/single-sign-on/enforcement-faqs.md @@ -2,6 +2,8 @@ description: Single Sign-on FAQs keywords: Docker, Docker Hub, SSO FAQs, single sign-on title: Enforcement +aliases: +- /single-sign-on/enforcement-faqs/ --- ### We currently have a Docker Team subscription. How do we enable SSO? @@ -18,7 +20,7 @@ Yes. You must verify a domain before using it with an SSO connection. ### Does Docker SSO support authenticating through the command line? -Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../security/for-developers/access-tokens.md). +Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../../../security/for-developers/access-tokens.md). ### How does SSO affect our automation systems and CI/CD pipelines? 
@@ -60,5 +62,5 @@ No. They are different features that you can use separately or together. Enforcing SSO ensures that users sign in using their SSO credentials instead of their Docker ID. One of the benefits is that SSO enables you to better manage user credentials. Enforcing sign-in to Docker Desktop ensures that users always sign in to an -account that's a member of your organization. The benefits are that your organization's security settings are always applied to the user's session and your users always receive the benefits of your subscription. For more details, see [Enforce sign-in for Desktop](../security/for-admins/configure-sign-in.md). +account that's a member of your organization. The benefits are that your organization's security settings are always applied to the user's session and your users always receive the benefits of your subscription. For more details, see [Enforce sign-in for Desktop](../../../security/for-admins/configure-sign-in.md). diff --git a/content/single-sign-on/faqs.md b/content/faq/security/single-sign-on/faqs.md similarity index 93% rename from content/single-sign-on/faqs.md rename to content/faq/security/single-sign-on/faqs.md index 61df4cd1c0..840b589067 100644 --- a/content/single-sign-on/faqs.md +++ b/content/faq/security/single-sign-on/faqs.md @@ -2,6 +2,8 @@ description: Single Sign-on FAQs keywords: Docker, Docker Hub, SSO FAQs, single sign-on title: General +aliases: +- /single-sign-on/faqs/ --- ### Is Docker SSO available for all paid subscriptions? 
@@ -18,7 +20,7 @@ Docker supports Service Provider Initiated (SP-initiated) SSO flow. This means u ### Where can I find detailed instructions on how to configure Docker SSO? -You first need to establish an SSO connection with your identity provider, and the company email domain needs to be verified prior to establishing an SSO connection for your users. For detailed step-by-step instructions on how to configure Docker SSO, see [Single Sign-on](index.md). +You first need to establish an SSO connection with your identity provider, and the company email domain needs to be verified prior to establishing an SSO connection for your users. For detailed step-by-step instructions on how to configure Docker SSO, see [Single Sign-on](../../../security/for-admins/single-sign-on/configure/_index.md). ### Does Docker SSO support multi-factor authentication (MFA)? diff --git a/content/single-sign-on/idp-faqs.md b/content/faq/security/single-sign-on/idp-faqs.md similarity index 98% rename from content/single-sign-on/idp-faqs.md rename to content/faq/security/single-sign-on/idp-faqs.md index 199036d379..63a1e36c78 100644 --- a/content/single-sign-on/idp-faqs.md +++ b/content/faq/security/single-sign-on/idp-faqs.md @@ -2,6 +2,8 @@ description: Single Sign-on FAQs keywords: Docker, Docker Hub, SSO FAQs, single sign-on title: Identity providers +aliases: +- /single-sign-on/idp-faqs/ --- ### Is it possible to use more than one IdP with Docker SSO? diff --git a/content/single-sign-on/saml-faqs.md b/content/faq/security/single-sign-on/saml-faqs.md similarity index 91% rename from content/single-sign-on/saml-faqs.md rename to content/faq/security/single-sign-on/saml-faqs.md index 75df68bca7..51ad5efba0 100644 --- a/content/single-sign-on/saml-faqs.md +++ b/content/faq/security/single-sign-on/saml-faqs.md 
@@ -2,6 +2,8 @@ description: Single Sign-on FAQs keywords: Docker, Docker Hub, SSO FAQs, single sign-on title: SAML +aliases: +- /single-sign-on/saml-faqs/ --- ### Does SAML authentication require additional attributes? diff --git a/content/single-sign-on/users-faqs.md b/content/faq/security/single-sign-on/users-faqs.md similarity index 93% rename from content/single-sign-on/users-faqs.md rename to content/faq/security/single-sign-on/users-faqs.md index 784253fc5a..ee78813b77 100644 --- a/content/single-sign-on/users-faqs.md +++ b/content/faq/security/single-sign-on/users-faqs.md @@ -2,6 +2,8 @@ description: Single Sign-on FAQs keywords: Docker, Docker Hub, SSO FAQs, single sign-on title: Manage users +aliases: +- /single-sign-on/users-faqs/ --- ### How do I manage users when using SSO? @@ -32,7 +34,7 @@ If users attempt to sign in through the CLI, they must authenticate using a pers ### Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their company’s domain? -Yes. Admins can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../security/for-admins/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file. +Yes. Admins can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../../../security/for-admins/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file. Once SSO enforcement is set up on their Docker Business organization or company on Hub, when the user is forced to authenticate with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password). 
@@ -55,7 +57,7 @@ When SSO is enabled and enforced, your users just have to sign in using the emai ### Is Docker SSO fully synced with the IdP? -Docker SSO provides Just-In-Time (JIT) provisioning by default. This provisioning only happens when a user signs in. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](/docker-hub/members/#remove-a-member-or-invitee) from the organization. [SCIM](/docker-hub/scim/) is available to provide full synchronization with users and groups. +Docker SSO provides Just-In-Time (JIT) provisioning by default. This provisioning only happens when a user signs in. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](/docker-hub/members/#remove-a-member-or-invitee) from the organization. [SCIM](../../../security/for-admins/scim.md) is available to provide full synchronization with users and groups. Additionally, you can use the [Docker Hub API](/docker-hub/api/latest/) to complete this process. diff --git a/content/security/_index.md b/content/security/_index.md index d0804cbc3a..d09b4ab214 100644 --- a/content/security/_index.md +++ b/content/security/_index.md @@ -31,6 +31,18 @@ grid_admins: description: Explore how Docker Scout can help you create a more secure software supply chain. icon: query_stats link: /scout/ +- title: SSO + description: Learn how to configure SSO for your company or organization. + icon: key + link: /security/for-admins/single-sign-on/ +- title: SCIM + description: Set up SCIM to automatically provision and deprovision users. + icon: checklist + link: /security/for-admins/scim/ +- title: Roles and permissions + description: Assign roles to individuals giving them different permissions within an organization. + icon: badge + link: /security/for-admins/roles-and-permissions/ grid_developers: - title: Set up two-factor authentication description: Add an extra layer of authentication to your Docker account. 
@@ -61,6 +73,10 @@ grid_resources: description: Understand the steps you can take to improve the security of your container. icon: category link: /develop/security-best-practices/ +- title: Docker Scout + description: Explore how Docker Scout can help you create a more secure software supply chain. + icon: query_stats + link: /scout/ --- Docker provides security guardrails for both administrators and developers. diff --git a/content/security/for-admins/configure-sign-in.md b/content/security/for-admins/configure-sign-in.md index 193e578b70..2e7ce0db33 100644 --- a/content/security/for-admins/configure-sign-in.md +++ b/content/security/for-admins/configure-sign-in.md @@ -37,7 +37,7 @@ following occurs: > Enforcing sign-in to Docker Desktop isn't the same as enforcing SSO. To ensure > that your users always sign in using their SSO credentials, you must also > enforce SSO. For more details, see [Single Sign-On -> overview](../../single-sign-on/_index.md). +> overview](single-sign-on/_index.md). ## Create a registry.json file to enforce sign-in diff --git a/layouts/shortcodes/admin-group-mapping.html b/content/security/for-admins/group-mapping.md similarity index 80% rename from layouts/shortcodes/admin-group-mapping.html rename to content/security/for-admins/group-mapping.md index 89f3ed79f3..691f9b817b 100644 --- a/layouts/shortcodes/admin-group-mapping.html +++ b/content/security/for-admins/group-mapping.md 
@@ -1,20 +1,18 @@ -{{ $scim_link := "[Enable SCIM](/docker-hub/scim/)" }} -{{ $mapping_link := "[user-level attributes](docker-hub/scim.md#set-up-role-mapping)"}} - -{{ if eq (.Get "product") "admin" }} -{{ $scim_link = "[Enable SCIM](/admin/organization/security-settings/scim/)" }} -{{ $mapping_link = "[user-level attributes](admin/organization/security-settings/scim.md#set-up-role-mapping)"}} -{{ if eq (.Get "layer") "company" }} -{{ $scim_link = "[Enable SCIM](/admin/company/settings/scim/)" }} -{{ $mapping_link = "[user-level attributes](admin/company/settings/scim.md#set-up-role-mapping)"}} -{{ end }} -{{ end }} +--- +description: Group mapping for administrators +keywords: Group Mapping, SCIM, Docker Hub, Docker Admin, admin, security +title: Group Mapping +aliases: +- /admin/company/settings/group-mapping/ +- /admin/organization/security-settings/group-mapping/ +- /docker-hub/group-mapping/ +--- With directory group-to-team provisioning from your IdP, user updates will automatically sync with your Docker organizations and teams. > **Tip** > -> Group mapping is ideal for adding a user to multiple organizations or multiple teams within one organization. If you don't need to set up multi-organization or multi-team assignment, you can use {{ $mapping_link }}. +> Group mapping is ideal for adding a user to multiple organizations or multiple teams within one organization. If you don't need to set up multi-organization or multi-team assignment, you can use [user-level attributes](scim.md#set-up-role-mapping). { .tip } ## How group mapping works 
@@ -37,7 +35,7 @@ After every successful SSO sign-in authentication, the JIT provisioner performs
 
 b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user is not a member, it adds the user to the default team and organization configured in the SSO connection.
 
-![JIT provisioning](/docker-hub/images/group-mapping.png)
+![JIT provisioning](../images/group-mapping.png)
 
 ## Use group mapping
 
@@ -59,7 +57,7 @@ The following lists the supported group mapping attributes:
 | id | Unique ID of the group in UUID format. This attribute is read-only. |
 | displayName | Name of the group following the group mapping format: `organization:team`. |
 | members | A list of users that are members of this group. |
-| members[x].value | Unique ID of the user that is a member of this group. Members are referenced by ID. |
+| members(x).value | Unique ID of the user that is a member of this group. Members are referenced by ID. |
 
 To take advantage of group mapping, follow the instructions provided by your IdP:
 
@@ -71,5 +69,5 @@ Once complete, a user who signs in to Docker through SSO is automatically added
 
 > **Tip**
 >
-> {{ $scim_link }} to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually.
-{ .tip }
+> [Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually.
+{ .tip }
\ No newline at end of file
diff --git a/content/docker-hub/roles-and-permissions.md b/content/security/for-admins/roles-and-permissions.md
similarity index 96%
rename from content/docker-hub/roles-and-permissions.md
rename to content/security/for-admins/roles-and-permissions.md
index 8cfe8292d2..22ceb5776e 100644
--- a/content/docker-hub/roles-and-permissions.md
+++ b/content/security/for-admins/roles-and-permissions.md
@@ -2,8 +2,10 @@
 description: >
   Use roles in your organization to control who has access to content, registry, and organization management permissions.
-keywords: members, teams, organization, company, roles, access
+keywords: members, teams, organization, company, roles, access, docker hub, docker admin, security
 title: Roles and permissions
+aliases:
+- /docker-hub/roles-and-permissions/
 ---
 
 Organization and company owners can assign roles to individuals giving them different permissions in the organization. This section is for owners who want to learn about the defined roles and their permission scopes.
@@ -52,7 +54,7 @@ When you add members to a team, you can manage their repository permissions. For
 See the following diagram for an example of how permissions may work for a user. In this example, the first permission check is for the role: member or editor. Editors have administrative permissions for repositories across the namespace of the organization. Members may have administrative permissions for a repository if they're a member of a team that grants those permissions.
 
-![User repository permissions within an organization](./images/roles-and-permissions-member-editor-roles.png)
+![User repository permissions within an organization](../images/roles-and-permissions-member-editor-roles.png)
 
 ### Organization management permissions
 
diff --git a/content/security/for-admins/scim.md b/content/security/for-admins/scim.md
new file mode 100644
index 0000000000..21d3e9db6a
--- /dev/null
+++ b/content/security/for-admins/scim.md
@@ -0,0 +1,55 @@
+---
+description: System for Cross-domain Identity Management
+keywords: SCIM, SSO
+title: SCIM
+direct_from:
+- /docker-hub/company-scim/
+- /docker-hub/scim/
+- /admin/company/settings/scim/
+- /admin/organization/security-settings/scim/
+---
+
+This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers.
+
+SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker and added to the organization or company.
+
+Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the user’s first name and last name.
+
+The following provisioning features are supported:
+ - Creating new users
+ - Push user profile updates
+ - Remove users
+ - Deactivate users
+ - Re-activate users
+ - Group mapping
+
+The following table lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.
+
+| Attribute | Description
+|:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------|
+| userName | User's primary email address. This is used as the unique identifier of the user. |
+| name.givenName | User’s first name |
+| name.familyName | User’s surname |
+| active | Indicates if a user is enabled or disabled. Can be set to false to de-provision the user. |
+
+For additional details about supported attributes and SCIM, see [Docker Hub API SCIM reference](/docker-hub/api/latest/#tag/scim).
+
+## Set up SCIM
+
+You must make sure you have [configured SSO](single-sign-on/configure/_index.md) before you enable SCIM. Enforcing SSO is not required.
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-scim %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-scim product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}
+
diff --git a/layouts/shortcodes/admin-sso.md b/content/security/for-admins/single-sign-on/_index.md
similarity index 79%
rename from layouts/shortcodes/admin-sso.md
rename to content/security/for-admins/single-sign-on/_index.md
index d96ab4c82d..345e6e55e1 100644
--- a/layouts/shortcodes/admin-sso.md
+++ b/content/security/for-admins/single-sign-on/_index.md
@@ -1,16 +1,12 @@
-{{ $product_name := "Docker Hub" }}
-{{ $sso_config_link := "[configuring SSO](/single-sign-on/configure/)" }}
-{{ $role_mapping_link := "[Set up role mapping](docker-hub/scim.md#set-up-role-mapping)" }}
-
-{{ if eq (.Get "product") "admin" }}
-{{ $product_name = "Docker Admin" }}
-{{ $sso_config_link = "[configuring SSO](/admin/organization/security-settings/sso-configuration/)" }}
-{{ $role_mapping_link = "[Set up role mapping](admin/organization/security-settings/scim.md#set-up-role-mapping)" }}
-{{ if eq (.Get "layer") "company" }}
-{{ $sso_config_link = "[configuring SSO](/admin/company/settings/sso-configuration/)" }}
-{{ $role_mapping_link = "[Set up role mapping](admin/company/settings/scim.md#set-up-role-mapping)" }}
-{{ end }}
-{{ end }}
+---
+description: Overview of Single Sign-On
+keywords: Single Sign-On, SSO, sign-on, admin, docker hub, docker admin, security
+title: Single Sign-On overview
+aliases:
+- /single-sign-on/
+- /admin/company/settings/sso/
+- /admin/organization/security-settings/sso-management/
+---
 
 SSO allows users to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/).
 
@@ -20,13 +16,13 @@ When SSO is enabled, users are redirected to your IdP's authentication page to s
 
 The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP.
 
-![SSO architecture](/single-sign-on/images/SSO.png)
+![SSO architecture](images/SSO.png)
 
 ## How to set it up
 
 Before enabling SSO in Docker, administrators must first configure their IdP to work with Docker. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub.
 
-After establishing the connection between the IdP server and Docker, administrators sign in to {{ $product_name }} and complete the SSO enablement process.
+After establishing the connection between the IdP server and Docker, administrators sign in to Docker Hub or Docker Admin and complete the SSO enablement process.
 
 When you enable SSO for your company, a first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your company, assigned to an organization, and optionally assigned to a team.
 
@@ -42,7 +38,7 @@ When a user signs in using SSO, Docker obtains the following attributes from the
 
 If you use SAML for your SSO connection, Docker obtains these attributes from the SAML assertion message. Your IdP may use different naming for SAML attributes than those listed above. The following table lists the possible SAML attributes that can be present in order for your SSO connection to work.
 
-You can also configure attributes to override default values, such as default team or organization. See {{ $role_mapping_link }}.
+You can also configure attributes to override default values, such as default team or organization. See [role mapping](../scim.md#set-up-role-mapping).
 
 | SSO attribute | SAML assertion message attributes |
 | ---------------- | ------------------------- |
@@ -55,7 +51,7 @@ You can also configure attributes to override default values, such as default te
 
 > **Important**
 >
-> If none of the email address attributes listed in the previous table are found, SSO will return an error.
+> If none of the email address attributes listed in the previous table are found, SSO returns an error.
 { .important}
 
 ## Prerequisites
@@ -69,5 +65,5 @@ In addition, you should add all email addresses to your IdP.
 
 ## What's next?
 
-- Start {{ $sso_config_link }}
-- Explore the [FAQs](/single-sign-on/faqs/)
+- Start [configuring SSO](configure/_index.md)
+- Explore the [FAQs](../../../faq/security/single-sign-on/faqs.md)
\ No newline at end of file
diff --git a/content/security/for-admins/single-sign-on/configure/_index.md b/content/security/for-admins/single-sign-on/configure/_index.md
new file mode 100644
index 0000000000..9a06c6c5b7
--- /dev/null
+++ b/content/security/for-admins/single-sign-on/configure/_index.md
@@ -0,0 +1,59 @@
+---
+description: Learn how to configure Single Sign-On for your organization or company.
+keywords: configure, sso, docker hub, hub, docker admin, admin, security
+title: Configure Single Sign-On
+aliases:
+- /docker-hub/domains/
+- /docker-hub/sso-connection/
+- /docker-hub/enforcing-sso/
+- /single-sign-on/configure/
+- /admin/company/settings/sso-configuration/
+- /admin/organization/security-settings/sso-configuration/
+---
+
+Follow the steps on this page to configure SSO for your organization or company.
+
+## Step one: Add and verify your domain
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-domains product="hub" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-domains product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}
+
+## Step two: Create an SSO connection
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-sso-config product="hub" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{% admin-sso-config product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}
+
+## More resources
+
+The following video provides an overview of configuring SSO with SAML in Entra ID (formerly Azure AD).
+
+
+
+## What's next?
+
+- [Set up SCIM](../../scim.md)
+- [Enable Group mapping](../../group-mapping.md)
+- [Manage your SSO connections](../manage/_index.md)
+
diff --git a/content/single-sign-on/images/SSO.png b/content/security/for-admins/single-sign-on/images/SSO.png
similarity index 100%
rename from content/single-sign-on/images/SSO.png
rename to content/security/for-admins/single-sign-on/images/SSO.png
diff --git a/content/security/for-admins/single-sign-on/manage/_index.md b/content/security/for-admins/single-sign-on/manage/_index.md
new file mode 100644
index 0000000000..d8a2d7a5ab
--- /dev/null
+++ b/content/security/for-admins/single-sign-on/manage/_index.md
@@ -0,0 +1,52 @@
+---
+description: Learn how to manage Single Sign-On for your organization or company.
+keywords: manage, single sign-on, SSO, sign-on, docker hub, docker admin, admin, security
+title: Manage Single Sign-On
+aliases:
+- /admin/company/settings/sso-management/
+- /single-sign-on/manage/
+---
+
+## Manage organizations
+
+> **Note**
+>
+> You must have a [company](/docker-hub/creating-companies/) to manage more than one organization.
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-sso-management-orgs product="hub" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-sso-management-orgs product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}
+
+## Manage domains
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-sso-management product="hub" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-sso-management product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}
+
+ ## What's next?
+
+- [Set up SCIM](../../scim.md)
+- [Enable Group mapping](../../group-mapping.md)
+
diff --git a/content/docker-hub/images/group-mapping.png b/content/security/images/group-mapping.png
similarity index 100%
rename from content/docker-hub/images/group-mapping.png
rename to content/security/images/group-mapping.png
diff --git a/content/docker-hub/images/roles-and-permissions-member-editor-roles.png b/content/security/images/roles-and-permissions-member-editor-roles.png
similarity index 100%
rename from content/docker-hub/images/roles-and-permissions-member-editor-roles.png
rename to content/security/images/roles-and-permissions-member-editor-roles.png
diff --git a/content/single-sign-on/_index.md b/content/single-sign-on/_index.md
deleted file mode 100644
index beacf02bf9..0000000000
--- a/content/single-sign-on/_index.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-description: Overview of Single Sign-On
-keywords: Single Sign-On, SSO, sign-on
-title: Single Sign-On overview
----
-
-{{% admin-sso product="hub" %}}
\ No newline at end of file
diff --git a/content/single-sign-on/configure/_index.md b/content/single-sign-on/configure/_index.md
deleted file mode 100644
index c488694461..0000000000
--- a/content/single-sign-on/configure/_index.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-description: Learn how to configure Single Sign-On for your organization or company.
-keywords: configure, sso, docker hub, hub
-title: Configure Single Sign-On
-aliases:
-- /docker-hub/domains/
-- /docker-hub/sso-connection/
-- /docker-hub/enforcing-sso/
----
-
-Follow the steps on this page to configure SSO for your organization or company.
-
-## Step one: Add and verify your domain
-
-{{% admin-domains product="hub" %}}
-
-{{% admin-sso-config product="hub" %}}
\ No newline at end of file
diff --git a/content/single-sign-on/manage/_index.md b/content/single-sign-on/manage/_index.md
deleted file mode 100644
index 1dda9be6d6..0000000000
--- a/content/single-sign-on/manage/_index.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-description: Learn how to manage Single Sign-On for your organization or company.
-keywords: manage, single sign-on, SSO, sign-on
-title: Manage Single Sign-On
----
-
-## Manage organizations
-
-> **Note**
->
-> You must have a [company](/docker-hub/creating-companies/) to manage more than one organization.
-
-{{% admin-sso-management-orgs product="hub" %}}
-
-{{% admin-sso-management product="hub" %}}
diff --git a/content/subscription/details.md b/content/subscription/details.md
index e9d430c806..eea026a49a 100644
--- a/content/subscription/details.md
+++ b/content/subscription/details.md
@@ -44,7 +44,7 @@ Docker Team includes:
 - Unlimited [Vulnerability Scanning](../docker-hub/vulnerability-scanning.md)
 - 5000 image [pulls per day](../docker-hub/download-rate-limit.md) for each team member
 
-There are also advanced collaboration and management tools, including organization and team management with [Role Based Access Control (RBAC)](../docker-hub/roles-and-permissions.md), [audit logs](../docker-hub/audit-log.md), and more.
+There are also advanced collaboration and management tools, including organization and team management with [Role Based Access Control (RBAC)](../security/for-admins/roles-and-permissions.md), [audit logs](../docker-hub/audit-log.md), and more.
 
 For a list of features available in each tier, see [Docker Pricing](https://www.docker.com/pricing/).
 
@@ -58,8 +58,8 @@ Docker Business includes:
 - [Image Access Management](../security/for-admins/image-access-management.md) which lets admins control what content developers can access
 - [Registry Access Management](../security/for-admins/registry-access-management.md) which lets admins control what registries developers can access
 - [Company layer](../docker-hub/creating-companies.md) to manage multiple organizations and settings
-- [Single Sign-On](../single-sign-on/index.md)
-- [System for Cross-domain Identity Management](../docker-hub/scim.md) and more.
+- [Single Sign-On](../security/for-admins/single-sign-on/index.md)
+- [System for Cross-domain Identity Management](../security/for-admins/scim.md) and more.
 
 For a list of features available in each tier, see [Docker Pricing](https://www.docker.com/pricing/).
 
diff --git a/content/support.md b/content/support.md
index 6a2a9eb19e..9f46b8a2a3 100644
--- a/content/support.md
+++ b/content/support.md
@@ -103,4 +103,4 @@ You can also see if an answer already exists in the following FAQs:
 - [Docker Desktop for Linux](../desktop/faqs/linuxfaqs.md)
 - [Docker Desktop for Mac](../desktop/faqs/macfaqs.md)
 - [Docker Desktop for Windows](../desktop/faqs/windowsfaqs.md)
-- [Single Sign-on](../single-sign-on/faqs.md)
\ No newline at end of file
+- [Single Sign-on](faq/security/single-sign-on/faqs.md)
\ No newline at end of file
diff --git a/data/toc.yaml b/data/toc.yaml
index 7271321527..d07685ae6e 100644
--- a/data/toc.yaml
+++ b/data/toc.yaml
@@ -2010,18 +2010,6 @@ Manuals:
         title: Manage users
       - path: /admin/company/owners/
         title: Manage company owners
-      - sectiontitle: SSO & SCIM
-        section:
-        - path: /admin/company/settings/sso/
-          title: Single Sign-On overview
-        - path: /admin/company/settings/sso-configuration/
-          title: Configure Single Sign-On
-        - path: /admin/company/settings/sso-management/
-          title: Manage Single Sign-On
-        - path: /admin/company/settings/scim/
-          title: SCIM
-        - path: /admin/company/settings/group-mapping/
-          title: Group mapping
       - sectiontitle: Organization administration
         section:
@@ -2035,18 +2023,6 @@ Manuals:
         title: Activity logs
       - path: /admin/organization/general-settings/
         title: General settings
-      - sectiontitle: SSO & SCIM
-        section:
-        - path: /admin/organization/security-settings/sso/
-          title: Single Sign-On overview
-        - path: /admin/organization/security-settings/sso-configuration/
-          title: Configure Single Sign-On
-        - path: /admin/organization/security-settings/sso-management/
-          title: Manage Single Sign-On
-        - path: /admin/organization/security-settings/scim/
-          title: SCIM
-        - path: /admin/organization/security-settings/group-mapping/
-          title: Group mapping
       - sectiontitle: Administration
         section:
@@ -2070,20 +2046,6 @@ Manuals:
         title: Create and manage a team
       - path: /docker-hub/members/
         title: Manage members
-      - path: /docker-hub/roles-and-permissions/
-        title: Roles and permissions
-      - sectiontitle: Single Sign-on
-        section:
-        - path: /single-sign-on/
-          title: Overview
-        - path: /single-sign-on/configure/
-          title: Configure
-        - path: /single-sign-on/manage/
-          title: Manage
-        - path: /docker-hub/scim/
-          title: SCIM
-        - path: /docker-hub/group-mapping/
-          title: Group mapping
       - path: /docker-hub/audit-log/
         title: Audit logs
       - path: /docker-hub/deactivate-account/
@@ -2095,8 +2057,22 @@ Manuals:
         title: Overview
       - sectiontitle: For admins
         section:
+        - sectiontitle: Single Sign-on
+          section:
+          - path: /security/for-admins/single-sign-on/
+            title: Overview
+          - path: /security/for-admins/single-sign-on/configure/
+            title: Configure
+          - path: /security/for-admins/single-sign-on/manage/
+            title: Manage
+          - path: /security/for-admins/scim/
+            title: SCIM
+          - path: /security/for-admins/group-mapping/
+            title: Group mapping
         - path: /security/for-admins/configure-sign-in/
           title: Enforce sign in
+        - path: /security/for-admins/roles-and-permissions/
+          title: Roles and permissions
         - path: /security/for-admins/domain-audit/
           title: Domain audit
         - path: /security/for-admins/image-access-management/
@@ -2202,20 +2178,6 @@ FAQ:
         title: Organization
       - path: /docker-hub/company-faqs/
         title: Company
-      - sectiontitle: Single Sign-On
-        section:
-        - path: /single-sign-on/faqs/
-          title: General
-        - path: /single-sign-on/saml-faqs/
-          title: SAML
-        - path: /single-sign-on/idp-faqs/
-          title: Identity providers
-        - path: /single-sign-on/domain-faqs/
-          title: Domains
-        - path: /single-sign-on/enforcement-faqs/
-          title: Enforcement
-        - path: /single-sign-on/users-faqs/
-          title: Manage users
       - path: /subscription/faq/
         title: Subscription
       - sectiontitle: Security
@@ -2224,3 +2186,17 @@ FAQ:
         title: General
       - path: /faq/security/eci-faq/
         title: Enhanced Container Isolation
+      - sectiontitle: Single Sign-On
+        section:
+        - path: /faq/security/single-sign-on/faqs/
+          title: General
+        - path: /faq/security/single-sign-on/saml-faqs/
+          title: SAML
+        - path: /faq/security/single-sign-on/idp-faqs/
+          title: Identity providers
+        - path: /faq/security/single-sign-on/domain-faqs/
+          title: Domains
+        - path: /faq/security/single-sign-on/enforcement-faqs/
+          title: Enforcement
+        - path: /faq/security/single-sign-on/users-faqs/
+          title: Manage users
diff --git a/layouts/shortcodes/admin-domain-audit.md b/layouts/shortcodes/admin-domain-audit.md
index 3d35728962..05fd30e6a9 100644
--- a/layouts/shortcodes/admin-domain-audit.md
+++ b/layouts/shortcodes/admin-domain-audit.md
@@ -1,14 +1,14 @@
 {{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
 {{ $domain_navigation := "Select **Organizations**, your organization, **Settings**, and then **Security**." }}
-{{ $sso_link := "[SSO](/single-sign-on/)" }}
-{{ $scim_link := "[SCIM](/docker-hub/scim/)" }}
+{{ $sso_link := "[SSO](/security/for-admins/single-sign-on/)" }}
+{{ $scim_link := "[SCIM](/security/for-admins/scim/)" }}
 {{ $invite_link := "[Invite members](/docker-hub/members/)" }}
 
 {{ if eq (.Get "product") "admin" }}
   {{ $product_link = "[Docker Admin](https://admin.docker.com)" }}
   {{ $domain_navigation = "Select your organization in the left navigation drop-down menu, and then select **Domain management**." }}
-  {{ $sso_link = "[SSO](/admin/organization/security-settings/sso/)" }}
-  {{ $scim_link = "[SCIM](/admin/organization/security-settings/scim/)" }}
+  {{ $sso_link = "[SSO](/security/for-admins/single-sign-on/)" }}
+  {{ $scim_link = "[SCIM](/security/for-admins/scim/)" }}
   {{ $invite_link = "[Invite members](/admin/organization/members/)" }}
 {{ end }}
 
diff --git a/layouts/shortcodes/admin-domains.html b/layouts/shortcodes/admin-domains.html
index 816a83da66..65eb01c2f9 100644
--- a/layouts/shortcodes/admin-domains.html
+++ b/layouts/shortcodes/admin-domains.html
@@ -6,10 +6,7 @@
 
 {{ if eq (.Get "product") "admin" }}
   {{ $product_link = "[Docker Admin](https://admin.docker.com)" }}
-  {{ $domain_navigation = "Select your organization in the left navigation drop-down menu, and then select **Domain management**." }}
-  {{ if eq (.Get "layer") "company" }}
-    {{ $domain_navigation = "Select your company in the left navigation drop-down menu, and then select **Domain management**." }}
-  {{ end }}
+  {{ $domain_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **Domain management**." }}
 {{ end }}
 
 
diff --git a/layouts/shortcodes/admin-org-onboarding.md b/layouts/shortcodes/admin-org-onboarding.md
index a5bd03e171..daa090942f 100644
--- a/layouts/shortcodes/admin-org-onboarding.md
+++ b/layouts/shortcodes/admin-org-onboarding.md
@@ -1,11 +1,11 @@
-{{ $sso_link := "[Configure SSO](/single-sign-on/)" }}
-{{ $scim_link := "[Configure SCIM](/docker-hub/scim/)" }}
+{{ $sso_link := "[Configure SSO](/security/for-admins/single-sign-on/)" }}
+{{ $scim_link := "[Configure SCIM](/security/for-admins/scim/)" }}
 {{ $members_link := "[Invite members](/docker-hub/members/)" }}
 {{ $audit_link := "[Audit your domains](/docker-hub/domain-audit/)" }}
 
 {{ if eq (.Get "product") "admin" }}
-  {{ $sso_link = "[Configure SSO](/admin/organization/security-settings/sso/)" }}
-  {{ $scim_link = "[Configure SCIM](/admin/organization/security-settings/scim/)" }}
+  {{ $sso_link = "[Configure SSO](/security/for-admins/single-sign-on/)" }}
+  {{ $scim_link = "[Configure SCIM](/security/for-admins/scim/)" }}
   {{ $members_link = "[Invite members](/admin/organization/members/)" }}
   {{ $audit_link = "[Audit your domains](/admin/organization/security-settings/domains/)" }}
 {{ end }}
diff --git a/layouts/shortcodes/admin-scim.html b/layouts/shortcodes/admin-scim.html
index 7d947ab0fa..cf08570f50 100644
--- a/layouts/shortcodes/admin-scim.html
+++ b/layouts/shortcodes/admin-scim.html
@@ -1,50 +1,12 @@
 {{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
-{{ $sso_link := "[configured SSO](/single-sign-on/configure/)" }}
 {{ $sso_navigation := `Navigate to the SSO settings page for your organization or company.
   - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**.
   - Company: Select **Organizations**, your company, and then **Settings**.` }}
-{{ $group_link := "[Group mapping](/docker-hub/group-mapping)"}}
 
 {{ if eq (.Get "product") "admin" }}
 {{ $product_link = "[Docker Admin](https://admin.docker.com)" }}
-{{ $sso_link = "[configured SSO](/admin/organization/security-settings/sso-configuration/)" }}
-{{ $sso_navigation = "Select your organization in the left navigation drop-down menu, and then select **SSO & SCIM.**" }}
-{{ $group_link = "[Group mapping](/admin/organization/security-settings/group-mapping/)"}}
-{{ if eq (.Get "layer") "company" }}
-{{ $sso_link = "[configured SSO](/admin/company/settings/sso-configuration/)" }}
-{{ $sso_navigation = "Select your company in the left navigation drop-down menu, and then select **SSO & SCIM.**" }}
-{{ $group_link = "[Group mapping](/admin/company/settings/group-mapping)"}}
+{{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM.**" }}
 {{ end }}
-{{ end }}
-
-This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers.
-
-SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker and added to the organization or company.
-
-Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the user’s first name and last name.
-
-The following provisioning features are supported:
- - Creating new users
- - Push user profile updates
- - Remove users
- - Deactivate users
- - Re-activate users
- - Group mapping
-
-The following table lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.
-
-| Attribute | Description
-|:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------|
-| userName | User's primary email address. This is used as the unique identifier of the user. |
-| name.givenName | User’s first name |
-| name.familyName | User’s surname |
-| active | Indicates if a user is enabled or disabled. Can be set to false to de-provision the user. |
-
-For additional details about supported attributes and SCIM, see [Docker Hub API SCIM reference](/docker-hub/api/latest/#tag/scim).
-
-## Set up SCIM
-
-You must make sure you have {{ $sso_link }} before you enable SCIM. Enforcing SSO is not required.
 
 ### Step one: Enable SCIM in Docker
 
@@ -63,7 +25,7 @@ Follow the instructions provided by your IdP:
 
 ## Set up role mapping
 
-You can assign [roles](/docker-hub/roles-and-permissions/) to members in your organization in the IdP. To set up a role, you can use optional user-level attributes for the person you want to assign a role. In addition to roles, you can set an organization and team to override the default provisioning values set by the SSO connection.
+You can assign [roles](/security/for-admins/roles-and-permissions/) to members in your organization in the IdP. To set up a role, you can use optional user-level attributes for the person you want to assign a role. In addition to roles, you can set an organization and team to override the default provisioning values set by the SSO connection.
 
 > **Note**
 >
@@ -73,9 +35,9 @@ The following table lists the supported optional user-level attributes.
 
 | Attribute | Possible values | Considerations |
 | --------- | ------------------ | -------------- |
-| `dockerRole` | `member`, `editor`, or `owner`. For a list of permissions for each role, see [Roles and permissions](/docker-hub/roles-and-permissions/). | If you don't assign a role in the IdP, the value of the `dockerRole` attribute defaults to `member`. When you set the attribute, this overrides the default value. |
+| `dockerRole` | `member`, `editor`, or `owner`. For a list of permissions for each role, see [Roles and permissions](/security/for-admins/roles-and-permissions/). | If you don't assign a role in the IdP, the value of the `dockerRole` attribute defaults to `member`. When you set the attribute, this overrides the default value. |
 | `dockerOrg` | `organizationName`. For example, an organization named "moby" would be `moby`. | Setting this attribute overrides the default organization configured by the SSO connection. Also, this won't add the user to the default team. If this attribute isn't set, the user is provisioned to the default organization and the default team. If set and `dockerTeam` is also set, this provisions the user to the team within that org. |
-| `dockerTeam` | `teamName`. For example, a team named "developers" would be `developers`. | Setting this attribute provisions the user to the default org and to the specified team, instead of the SSO connection's default team. This also creates the team if it doesn't exist. You can still use group mapping to provision users to teams in multiple orgs. See {{ $group_link }}. |
+| `dockerTeam` | `teamName`. For example, a team named "developers" would be `developers`. | Setting this attribute provisions the user to the default org and to the specified team, instead of the SSO connection's default team. This also creates the team if it doesn't exist. You can still use group mapping to provision users to teams in multiple orgs. See [Group mapping](/security/for-admins/group-mapping/). |
 
 After you set the role in the IdP, you need to sync to push the changes to Docker.
 
diff --git a/layouts/shortcodes/admin-sso-config.md b/layouts/shortcodes/admin-sso-config.md
index b603c1fa8f..5345e0f6ac 100644
--- a/layouts/shortcodes/admin-sso-config.md
+++ b/layouts/shortcodes/admin-sso-config.md
@@ -2,39 +2,11 @@
 {{ $sso_navigation := `Navigate to the SSO settings page for your organization or company.
 - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**.
 - Company: Select **Organizations**, your company, and then **Settings**.` }}
-{{ $domain_navigation := `Navigate to the domain settings page for your organization or company.
- - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**.
- - Company: Select **Organizations**, your company, and then **Settings**.` }}
-{{ $member_navigation := "Select **Organizations, your organization, and then **Members**." }}
-{{ $invite_button := "**Invite members**" }}
-{{ $remove_button := "**Remove member**" }}
-{{ $scim_link := "[Set up SCIM](/docker-hub/scim/)" }}
-{{ $mapping_link := "[Enable Group mapping](/docker-hub/group-mapping/)" }}
-{{ $sso_mgmt_link := "[Manage your SSO connections](/single-sign-on/manage/)" }}
 {{ if eq (.Get "product") "admin" }}
 {{ $product_link = "[Docker Admin](https://admin.docker.com)" }}
- {{ $invite_button = "**Invite**" }}
- {{ $remove_button = "**Remove member**" }}
- {{ $sso_navigation = "Select your organization in the left navigation drop-down menu, and then select **SSO & SCIM.**" }}
- {{ $member_navigation = "Select your organization in the left navigation drop-down menu, and then select **Members**." }}
- {{ $domain_navigation = "Select your organization in the left navigation drop-down menu, and then select **Domain management**." }}
- {{ $remove_button = "**Remove member**" }}
- {{ $scim_link = "[Set up SCIM](/admin/organization/security-settings/scim/)" }}
- {{ $mapping_link = "[Enable Group mapping](/admin/organization/security-settings/group-mapping/)" }}
- {{ $sso_mgmt_link = "[Manage your SSO connections](/admin/organization/security-settings/sso-management/)" }}
-{{ if eq (.Get "layer") "company" }}
- {{ $sso_navigation = "Select your company in the left navigation drop-down menu, and then select **SSO & SCIM**." }}
- {{ $domain_navigation = "Select your company in the left navigation drop-down menu, and then select **Domain management**." }}
- {{ $member_navigation = "Select your organization in the left navigation drop-down menu, and then select **Users**." }}
- {{ $remove_button = "**Remove user**" }}
- {{ $scim_link = "[Set up SCIM](/admin/company/settings/scim/)" }}
- {{ $mapping_link = "[Enable Group mapping](/admin/company/settings/group-mapping/)" }}
- {{ $sso_mgmt_link = "[Manage your SSO connections](/admin/company/settings/sso-management/)" }}
+ {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM.**" }}
 {{ end }}
-{{ end }}
-
-## Step two: Create an SSO connection
 
 > **Important**
 >
@@ -92,7 +64,7 @@ After you’ve completed the SSO configuration process in Docker, you can test t
 > - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
 { .important}
 
-The SSO connection is now created. You can continue to set up SCIM without enforcing SSO log-in. For more information about setting up SCIM, see {{ $scim_link }}.
+The SSO connection is now created. You can continue to set up SCIM without enforcing SSO log-in. For more information about setting up SCIM, see [Set up SCIM](/security/for-admins/scim/).
 
 ## Optional step four: Enforce SSO
 
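Review bot: Any reference to `$domain_navigation`, `$member_navigation`, `$invite_button`, `$remove_button`, `$mapping_link` or `$sso_mgmt_link` that survives in the part of this shortcode the diff does not show (old lines 41–91) is now an undefined-variable error that breaks every page including the shortcode, because this hunk only deletes the declarations and the later hunks only replace `{{ $scim_link }}` and drop the "What's next" list; a domain-verification step using `{{ $domain_navigation }}` would be the obvious candidate, so grep the file for the removed names before merging. Deleting `## Step two: Create an SSO connection` also leaves `## Optional step four: Enforce SSO` as the only numbered heading visible in the diff, and the "Step one" heading lived in the page this commit deletes; either renumber the remaining steps or drop the numbers. Minor: the new `$sso_navigation` string keeps the period inside the bold, `**SSO & SCIM.**`, while the same string in admin-sso-management.md ends with `**SSO & SCIM**.`; use the latter in both.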
@@ -112,14 +84,3 @@ Your users must now sign in to Docker with SSO. > If SSO isn't enforced, users can choose to sign in with either their Docker ID or SSO. { .important} -## More resources - -The following video provides an overview of configuring SSO with SAML in Entra ID (formerly Azure AD). - - - -## What's next? - -- {{ $sso_mgmt_link }} -- {{ $scim_link }} -- {{ $mapping_link }} diff --git a/layouts/shortcodes/admin-sso-management.md b/layouts/shortcodes/admin-sso-management.md index 88b4d9a8eb..a79f73b038 100644 --- a/layouts/shortcodes/admin-sso-management.md +++ b/layouts/shortcodes/admin-sso-management.md 
@@ -5,27 +5,16 @@ {{ $member_navigation := "Select **Organizations**, your organization, and then **Members**." }} {{ $invite_button := "**Invite members**" }} {{ $remove_button := "**Remove member**" }} -{{ $scim_link := "[Set up SCIM](/docker-hub/scim/)" }} -{{ $mapping_link := "[Enable Group mapping](/docker-hub/group-mapping/)" }} {{ if eq (.Get "product") "admin" }} {{ $product_link = "[Docker Admin](https://admin.docker.com)" }} {{ $invite_button = "**Invite**" }} - {{ $sso_navigation = "Select your organization in the left navigation drop-down menu, and then select **SSO & SCIM**." }} - {{ $member_navigation = "Select your organization in the left navigation drop-down menu, and then select **Members**." }} - {{ $remove_button = "**Remove member**" }} - {{ $scim_link = "[Set up SCIM](/admin/organization/security-settings/scim/)" }} - {{ $mapping_link = "[Enable Group mapping](/admin/organization/security-settings/group-mapping/)" }} -{{ if eq (.Get "layer") "company" }} - {{ $sso_navigation = "Select your company in the left navigation drop-down menu, and then select **SSO & SCIM**." }} - {{ $member_navigation = "Select your organization in the left navigation drop-down menu, and then select **Users**." }} - {{ $remove_button = "**Remove user**" }} - {{ $scim_link = "[Set up SCIM](/admin/company/settings/scim/)" }} - {{ $mapping_link = "[Enable Group mapping](/admin/company/settings/group-mapping/)" }} + {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**." }} + {{ $member_navigation := `Navigate to the user management page for your organization or company. + - Organization: Select your organization in the left navigation drop-down menu, and then select **Members**. 
+ - Company: Select your company in the left navigation drop-down menu, and then select **Users**.` }} + {{ $remove_button = "**Remove member**, if you're an organization, or **Remove user**, is you're a company" }} {{ end }} -{{ end }} - -## Manage domains ### Remove a domain from an SSO connection @@ -93,8 +82,3 @@ To remove a user: 2. {{ $member_navigation }} 3. Select the action icon next to a user’s name, and then select {{ $remove_button }}. 4. Follow the on-screen instructions to remove the user. - -## What's next? - -- {{ $scim_link }} -- {{ $mapping_link }} diff --git a/layouts/shortcodes/admin-users.html b/layouts/shortcodes/admin-users.html index 20fa48c7ba..24937f97f1 100644 --- a/layouts/shortcodes/admin-users.html +++ b/layouts/shortcodes/admin-users.html @@ -4,7 +4,7 @@ {{ $remove_button := "**Remove member**" }} {{ $product_link := "[Docker Hub](https://hub.docker.com)" }} {{ $update_role := "Select the role you want to assign, then select **Save**." }} -{{ $role_mapping_link := "[SCIM for role mapping](docker-hub/scim.md#set-up-role-mapping)" }} +{{ $role_mapping_link := "[SCIM for role mapping](/security/for-admins/scim/)" }} {{ $export_fields := `The CSV file for an organization contains the following fields: * **Name**: The user's name. * **Username**: The user's Docker ID. @@ -21,7 +21,7 @@ {{ $member_navigation := "Select your organization in the left navigation drop-down menu, and then select *Members**." }} {{ $remove_button = "**Remove member**" }} {{ $product_link = "[Docker Admin](https://admin.docker.com)" }} -{{ $role_mapping_link = "[SCIM for role mapping](admin/organization/security-settings/scim.md#set-up-role-mapping)" }} +{{ $role_mapping_link = "[SCIM for role mapping](/security/for-admins/scim/)" }} {{ if eq (.Get "layer") "company" }} {{ $export_fields = `The CSV file for a company contains the following fields: * **Name**: The user's name. 
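Review bot: The added `{{ $member_navigation := `Navigate to the user management page ...` }}` inside the `{{ if eq (.Get "product") "admin" }}` block uses `:=`, which in Go templates declares a new variable scoped to that `if` block rather than assigning the outer one, so after `{{ end }}` the `{{ $member_navigation }}` rendered in step 2 of "To remove a user" (the second hunk in this file) still shows the Docker Hub text on Docker Admin pages. Change the declaration to an assignment, `{{ $member_navigation = `Navigate to the user management page for your organization or company.`, matching the `$sso_navigation` and `$remove_button` assignments beside it. The new `$remove_button` string also has a typo, `is you're a company` should be `if you're a company`, and because the string is spliced into `select {{ $remove_button }}.` the rendered sentence reads awkwardly; `**Remove member** (organization) or **Remove user** (company)` reads better in that position.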
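Review bot: The new `$role_mapping_link` value drops the `#set-up-role-mapping` fragment that all three replaced links carried, so a reader following "SCIM for role mapping" from the "Update a member role" paragraph now lands at the top of the SCIM page rather than at the role-mapping section; if the moved page kept that heading, use `/security/for-admins/scim/#set-up-role-mapping`, otherwise link to whatever anchor replaced it. The same applies to the reassignments in the `@@ -21,7` and `@@ -33,7` hunks of this file, and since all three now set the identical string, the two reassignments inside the `if` blocks are redundant and can be deleted, leaving only the top-level declaration.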
@@ -33,7 +33,7 @@
 {{ $member_navigation = "Select your company in the left navigation drop-down menu, and then select **Users**." }}
 {{ $remove_button = "**Remove user**" }}
 {{ $update_role = "Select their organization, select the role you want to assign, and then select **Save**." }}
-{{ $role_mapping_link = "[SCIM for role mapping](admin/company/settings/scim.md#set-up-role-mapping)"}}
+{{ $role_mapping_link = "[SCIM for role mapping](/security/for-admins/scim/)"}}
 {{ end }}
 {{ end }}
 
@@ -59,7 +59,7 @@ of members to your organization via CSV file, see the next section.
 > **Note**
 >
 > When you invite members, you assign them a role.
- > See [Roles and permissions](/docker-hub/roles-and-permissions/)
+ > See [Roles and permissions](/security/for-admins/roles-and-permissions/)
 > for details about the access permissions for each role.
 
 Pending invitations appear in the table. The invitees receive an email with a link to Docker Hub where they can accept
@@ -123,7 +123,7 @@ To invite multiple members to an organization via a CSV file containing email ad
 > **Note**
 >
 > When you invite members, you assign them a role.
- > See [Roles and permissions](/docker-hub/roles-and-permissions/)
+ > See [Roles and permissions](/security/for-admins/roles-and-permissions/)
 > for details about the access permissions for each role.
 
 Pending invitations appear in the table. The invitees receive an email with a link to Docker Hub where they can accept
@@ -149,7 +149,7 @@ To remove a member from an organization:
 
 ## Update a member role
 
-Organization owners can manage [roles](/docker-hub/roles-and-permissions/)
+Organization owners can manage [roles](/security/for-admins/roles-and-permissions/)
 within an organization. If an organization is part of a company, the company
 owner can also manage that organization's roles. If you have SSO enabled, you
 can use {{ $role_mapping_link }}.