Merge pull request #21274 from sarahsanders-docker/ENGDOCS-2270

Update Manage SSO guide
Sarah Sanders 2024-11-04 14:11:19 -08:00 committed by GitHub
commit 3015d2c4da
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 34 additions and 67 deletions

@ -54,24 +54,39 @@ aliases:
## Manage users
{{< tabs >}}
{{< tab name="Admin Console" >}}
> [!IMPORTANT]
>
> SSO has Just-In-Time (JIT) Provisioning enabled by default unless you have [disabled it](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization.
>
> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
>
> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm)
> - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
>
> Alternatively, see the [Provisioning overview](/manuals/security/for-admins/provisioning/_index.md) guide.
{{< include "admin-early-access.md" >}}
{{% admin-sso-management-users product="admin" %}}
### Add guest users when SSO is enabled
{{< /tab >}}
{{< tab name="Docker Hub" >}}
To add a guest that isn't verified through your IdP:
{{% admin-sso-management-users product="hub" %}}
1. Sign in to the [Admin Console](https://app.docker.com/admin).
2. Select **Organizations**, your organization, and then **Members**.
3. Select **Invite**.
4. Follow the on-screen instructions to invite the user.
{{< /tab >}}
{{< /tabs >}}
### Remove users from the SSO company
To remove a user:
1. Sign in to [Admin Console](https://app.docker.com/admin).
2. Select **Organizations**, your organization, and then **Members**.
3. Select the action icon next to a users name, and then select **Remove member**, if you're an organization, or **Remove user**, if you're a company.
4. Follow the on-screen instructions to remove the user.
## Manage provisioning
Users are provisioned with Just-in-Time (JIT) provisioning by default. If you enable SCIM, you can disable JIT. For more information, see the [Provisioning overview](/manuals/security/for-admins/provisioning/_index.md) [Just-in-Time](/manuals/security/for-admins/provisioning/just-in-time.md) guides.
Users are provisioned with Just-in-Time (JIT) provisioning by default. If you enable SCIM, you can disable JIT. For more information, see the [Provisioning overview](/manuals/security/for-admins/provisioning/_index.md) guide.
## What's next?
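Review bot: In the new "Remove users from the SSO company" steps, step 2 sends every reader to **Organizations**, your organization, and then **Members**, yet step 3 still offers **Remove user** "if you're a company". The shortcode deleted in this commit gave companies their own path (select the company, then **Users**), and nothing here replaces it. Either add the company navigation to step 2 or drop the company wording from step 3. While touching these lines: "a users name" should be "a user's name"; step 1 of the removal list says "Sign in to [Admin Console]" where the guest-user list says "Sign in to the [Admin Console]"; and the callout's "disabled it" link uses a published path (/security/for-admins/...) while the other internal links in the hunk use /manuals/...md source paths.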

@ -2,7 +2,7 @@
{{ $sso_navigation := `Navigate to the SSO settings page for your organization. Select **Organizations**, your organization, **Settings**, and then **Security**.` }}
{{ if eq (.Get "product") "admin" }}
{{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
{{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }}
{{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO and SCIM**. Note that when an organization is part of a company, you must select the company and configure SSO for that organization at the company level. Each organization can have its own SSO configuration and domain, but it must be configured at the company level." }}
{{ end }}
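Review bot: The Admin Console URL on the `$product_link` line is hard-coded here, changed identically in two more shortcodes in this commit, and written out again in the steps inlined into the Manage SSO page. Consider defining it once (a shared variable or partial) and referencing it from each place, so the next URL move is a single edit and a missed copy cannot leave admins following a stale sign-in link.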
@ -11,7 +11,7 @@
1. Sign in to {{ $product_link }}.
2. {{ $sso_navigation }}
3. In the SSO connections table, select the **Action** icon.
4. Select **Edit connection** to edit your connection.
4. Select **Edit connection**.
5. Follow the on-screen instructions to edit the connection.
### Delete a connection
@ -24,4 +24,4 @@
### Deleting SSO
When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.
When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. If an SSO connection is deleted, Docker users must authenticate with their Docker ID and password.
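Review bot: The rewritten last sentence under "Deleting SSO" drops "or create a password reset if they don't have one". The old wording covered users who have no Docker password to fall back on; without it, the page tells them to authenticate with a password and gives no way to get one. Keep the reset path in the new sentence. The new text is also redundant: "Once you delete this connection, it can't be undone. If an SSO connection is deleted, ..." could be shortened to "After the connection is deleted, users must ...".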

@ -1,7 +1,7 @@
{{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
{{ $sso_navigation := "Select **Organizations**, your company, and then **Settings**." }}
{{ if eq (.Get "product") "admin" }}
{{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
{{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }}
{{ $sso_navigation = "Select your company in the left navigation drop-down menu, and then select **SSO and SCIM**." }}
{{ end }}
@ -13,7 +13,7 @@
4. Select **Next** to navigate to the section where connected organizations are listed.
5. In the **Organizations** drop-down, select the organization to add to the connection.
6. Select **Next** to confirm or change the default organization and team provisioning.
7. Review the **Connection Summary** and select **Save**.
7. Review the **Connection Summary** and select **Update connection**.
### Remove an organization
@ -23,4 +23,4 @@
4. Select **Next** to navigate to the section where connected organizations are listed.
5. In the **Organizations** drop-down, select **Remove** to remove the connection.
6. Select **Next** to confirm or change the default organization and team provisioning.
7. Review the **Connection Summary** and select **Save**.
7. Review the **Connection Summary** and select **Update connection**.

@ -1,48 +0,0 @@
{{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
{{ $sso_navigation := `Navigate to the SSO settings page for your organization or company.
- Organization: Select **Organizations**, your organization, **Settings**, and then **Security**.
- Company: Select **Organizations**, your company, and then **Settings**.` }}
{{ $member_navigation := "Select **Organizations**, your organization, and then **Members**." }}
{{ $invite_button := "**Invite members**" }}
{{ $remove_button := "**Remove member**" }}
{{ $provisioning_steps := "This feature is only available in the Admin Console."}}
{{ if eq (.Get "product") "admin" }}
{{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
{{ $invite_button = "**Invite**" }}
{{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO and SCIM**." }}
{{ $member_navigation = `Navigate to the user management page for your organization or company.
- Organization: Select your organization in the left navigation drop-down menu, and then select **Members**.
- Company: Select your company in the left navigation drop-down menu, and then select **Users**.` }}
{{ $remove_button = "**Remove member**, if you're an organization, or **Remove user**, if you're a company" }}
> [!IMPORTANT]
>
> SSO has Just-In-Time (JIT) Provisioning enabled by default unless you have [disabled it](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization.
>
> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
>
> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm)
> - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
>
> Alternatively, see [Manage how users are provisioned](/manuals/security/for-admins/single-sign-on/manage.md).
### Add guest users when SSO is enabled
To add a guest that isn't verified through your IdP:
1. Sign in to {{ $product_link }}.
2. {{ $member_navigation }}
3. Select {{ $invite_button }}.
4. Follow the on-screen instructions to invite the user.
### Remove users from the SSO company
To remove a user:
1. Sign in to {{ $product_link }}.
2. {{ $member_navigation }}
3. Select the action icon next to a users name, and then select {{ $remove_button }}.
4. Follow the on-screen instructions to remove the user.
{{ end }}
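Review bot: Removing this shortcode file is only safe if nothing else still calls `admin-sso-management-users`. The only call sites visible in this commit are the two removed from the Manage users tabs (product="admin" and product="hub"); please confirm with a repository-wide search that no other page references it, since Hugo fails the build on a missing shortcode template. Also note that the Docker Hub variant defined here (`**Invite members**`, the Hub member navigation) is not carried into the inlined steps, so the commit message or PR description should state that the Hub instructions are being dropped on purpose.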

@ -2,7 +2,7 @@
{{ $sso_navigation := `Navigate to the SSO settings page for your organization. Select **Organizations**, your organization, **Settings**, and then **Security**.` }}
{{ if eq (.Get "product") "admin" }}
{{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
{{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }}
{{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO and SCIM**." }}
{{ end }}
@ -15,8 +15,8 @@
5. In the **Domain** drop-down, select the **x** icon next to the domain that you want to remove.
6. Select **Next** to confirm or change the connected organization(s).
7. Select **Next** to confirm or change the default organization and team provisioning selections.
8. Review the **Connection Summary** and select **Save**.
8. Review the **Connection Summary** and select **Update connection**.
> **Note**
> [!Note]
>
> If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value.
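Review bot: The new callout marker is written `> [!Note]`, while the callout added to the Manage SSO page in this same commit uses all caps, `> [!IMPORTANT]`. Use `> [!NOTE]` here so the alert syntax is consistent across the pages and does not rely on the renderer matching the keyword case-insensitively.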