Add docker admin (#17549)

* add docker admin

Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
Craig Osterhout 2023-06-20 11:08:26 -07:00 committed by GitHub
parent d4ce4b3f53
commit 31e985d01c
GPG Key ID: 4AEE18F83AFDEB23
39 changed files with 2856 additions and 449 deletions


@ -1902,6 +1902,64 @@ manuals:
- path: /scout/advisory-db-sources/
title: Advisory Database
- sectiontitle: Docker Admin (Early Access)
section:
- path: /admin/
title: Overview
- sectiontitle: Company administration
section:
- path: /admin/company/
title: Overview
- path: /admin/company/organizations/
title: Manage organizations
- path: /admin/company/users/
title: Manage users
- path: /admin/company/owners/
title: Manage company owners
- sectiontitle: Settings
section:
- path: /admin/company/settings/sso/
title: Single Sign-On overview
- path: /admin/company/settings/sso-configuration/
title: Configure Single Sign-On
- path: /admin/company/settings/sso-management/
title: Manage Single Sign-On
- path: /admin/company/settings/scim/
title: SCIM
- path: /admin/company/settings/group-mapping/
title: Group mapping
- path: /admin/company/settings/sso-faq/
title: Single Sign-On FAQs
- sectiontitle: Organization administration
section:
- path: /admin/organization/
title: Overview
- path: /admin/organization/members/
title: Manage members
- path: /admin/organization/activity-logs/
title: Activity logs
- path: /admin/organization/image-access/
title: Image Access Management
- path: /admin/organization/registry-access/
title: Registry Access Management
- path: /admin/organization/general-settings/
title: General settings
- sectiontitle: Security settings
section:
- path: /admin/organization/security-settings/sso/
title: Single Sign-On overview
- path: /admin/organization/security-settings/sso-configuration/
title: Configure Single Sign-On
- path: /admin/organization/security-settings/sso-management/
title: Manage Single Sign-On
- path: /admin/organization/security-settings/scim/
title: SCIM
- path: /admin/organization/security-settings/group-mapping/
title: Group mapping
- path: /admin/organization/security-settings/sso-faq/
title: Single Sign-On FAQs
- sectiontitle: Administration and security
section:
- path: /docker-hub/admin-overview/
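Review bot: the six Single Sign-On entries under "Company administration > Settings" (sso, sso-configuration, sso-management, scim, group-mapping, sso-faq) are repeated verbatim under "Organization administration > Security settings" with only the path prefix changed. Since this same commit already routes both page sets through shared includes (_includes/admin-scim.md, _includes/admin-sso-faq.md), either point both sidebar sections at one set of pages or add a comment in the toc noting that the two lists must be kept in sync, otherwise one side will drift when the next SSO page is added.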


@ -0,0 +1,15 @@
A company provides a single point of visibility across multiple organizations. This view simplifies the management of Docker organizations and settings. It's available to Docker Business subscribers.
The following diagram depicts the setup of a company and how it relates to associated organizations.
![company-hierarchy](/admin/images/docker-hierarchy-company.svg){: width="700px" }
## Key features
With a company, administrators can:
- View and manage all nested organizations and configure settings centrally.
- Carefully control access to the company and company settings.
- Have up to ten unique users assigned the company owner role without occupying a purchased seat.
- Configure SSO and SCIM for all nested organizations.
- Enforce SSO for all users in the company.
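Review bot: "Have up to ten unique users assigned the company owner role without occupying a purchased seat." presents seat-free owners purely as a benefit without saying what the role grants. The first two bullets make clear that owners manage every nested organization and control access to company settings, so link the new /admin/company/owners/ page here and say that ten is a ceiling, not a target: each owner is an account whose compromise reaches every organization in the company, and the "Enforce SSO for all users" bullet should state whether that enforcement also covers the owners themselves.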


@ -0,0 +1,5 @@
> **Early Access**
>
> Docker Admin is an [early access](/release-lifecycle#early-access-ea) product.
>
> Docker is releasing it using an incremental roll-out strategy. It's currently available to some company owners and organization owners that have a Docker Business or Docker Team subscription. You can still manage companies and organizations in Docker Hub. For details about managing companies or organizations in Docker Hub, see [Administration and security](/docker-hub/admin-overview/).
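Review bot: grammar in the last paragraph of the callout: "company owners and organization owners that have a Docker Business or Docker Team subscription" should read "who have". Otherwise the early-access note reads fine.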


@ -0,0 +1,41 @@
With directory group-to-team provisioning from your IdP, user updates will automatically sync with your Docker organizations and teams.
To correctly assign your users to Docker teams, you must create groups in your IDP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers” in Docker, and your organization name is “moby,” you must create a group in your IdP with the name “moby:developers”.
Once you enable group mappings in your connection, users assigned to that group in your IdP will automatically be added to the team “developers” in Docker.
>**Tip**
>
>Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, a group is created if it doesnt already exist.
{: .tip}
## How group mapping works
IdPs share with Docker the main attributes of every authorized user through SSO, such as email address, name, surname, and groups. These attributes are used by Just-In-Time (JIT) Provisioning to create or update the users Docker profile and their associations with organizations and teams on Docker Hub.
Docker uses the email address of the user to identify them on the platform. Every Docker account must have a unique email address at all times.
After every successful SSO sign-in authentication, the JIT provisioner performs the following actions:
1. Checks if there's an existing Docker account with the email address of the user that just authenticated.
a) If no account is found with the same email address, it creates a new Docker account using basic user attributes (email, name, and surname). The JIT provisioner generates a new username for this new account by using the email, name, and random numbers to make sure that all account usernames are unique in the platform.
b) If an account exists for this email address, it uses this account and updates the full name of the users profile if needed.
2. Checks if the IdP shared group mappings while authenticating the user.
a) If the IdP provided group mappings for the user, the user gets added to the organizations and teams indicated by the group mappings.
b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user is not a member, it adds the user to the default team and organization configured in the SSO connection.
![JIT provisioning](/docker-hub/images/jit.PNG)
## Use group mapping
To take advantage of group mapping, follow the instructions provided by your IdP:
- [Okta](https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm){: target="_blank" rel="noopener" class="_" }
- [Azure AD](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes){: target="_blank" rel="noopener" class="_" }
- [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" }
Once complete, a user who signs in to Docker through SSO is automatically added to the organizations and teams mapped in the IdP.
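Review bot: the JIT provisioning walkthrough only describes the add path. Step 2b says that when the IdP sends no group mappings and the user is not already a member, it "adds the user to the default team and organization configured in the SSO connection", but nothing on the page says what happens when a user is later removed from an IdP group: is the team membership revoked at the next sign-in, or only through SCIM de-provisioning as the SCIM include describes? Please state the removal semantics explicitly, and add a caution that the default team's permissions apply to every SSO user whose IdP sends no groups, so that team should carry the least privilege. Minor: "IDP" in the second paragraph should be "IdP" as elsewhere, and "doesnt" in the tip is missing its apostrophe.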


@ -0,0 +1,48 @@
## Event definitions
Refer to the following section for a list of events and their descriptions:
### Organization events
| Event | Description |
|:------------------------------------------------------------------|:------------------------------------------------|
| Team Created | Activities related to the creation of a team |
| Team Updated | Activities related to the modification of a team |
| Team Deleted | Activities related to the deletion of a team |
| Team Member Added | Details of the member added to your team |
| Team Member Removed | Details of the member removed from your team |
| Team Member Invited | Details of the member invited to your team |
| Organization Member Added | Details of the member added to your organization |
| Organization Member Removed | Details about the member removed from your organization |
| Organization Created | Activities related to the creation of a new organization |
| Organization Settings Updated | Details related to the organization setting that was updated |
| Registry Access Management enabled | Activities related to enabling Registry Access Management |
| Registry Access Management disabled | Activities related to disabling Registry Access Management |
| Registry Access Management registry added | Activities related to the addition of a registry |
| Registry Access Management registry removed | Activities related to the removal of a registry |
| Registry Access Management registry updated | Details related to the registry that was updated |
| Single Sign-On domain added | Details of the single sign-on domain added to your organization |
| Single Sign-On domain removed | Details of the single sign-on domain removed from your organization |
| Single Sign-On domain verified | Details of the single sign-on domain verified for your organization |
### Repository events
| Event | Description |
|:------------------------------------------------------------------|:------------------------------------------------|
| Repository Created | Activities related to the creation of a new repository |
| Repository Deleted | Activities related to the deletion of a repository |
| Privacy Changed | Details related to the privacy policies that were updated |
| Tag Pushed | Activities related to the tags pushed |
| Tag Deleted | Activities related to the tags deleted |
### Billing events
| Event | Description |
|:------------------------------------------------------------------|:------------------------------------------------|
| Plan Upgraded | Occurs when your organizations billing plan is upgraded to a higher tier plan.|
| Plan Downgraded | Occurs when your organizations billing plan is downgraded to a lower tier plan. |
| Seat Added | Occurs when a seat is added to your organizations billing plan. |
| Seat Removed | Occurs when a seat is removed from your organizations billing plan. |
| Billing Cycle Changed | Occurs when there is a change in the recurring interval that your organization is charged.|
| Plan Downgrade Canceled | Occurs when a scheduled plan downgrade for your organization is canceled.|
| Seat Removal Canceled | Occurs when a scheduled seat removal for an organizations billing plan is canceled. |
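Review bot: the billing table drops the apostrophe in "organizations billing plan" in five rows (should be "organization's"). More substantively, the Organization events table records Single Sign-On domain added/removed/verified and Registry Access Management changes, but lists no event for turning SSO enforcement, SCIM, or Image Access Management on or off, even though this commit documents all three settings; please confirm whether those changes are logged and either add rows or say they are not, because an auditor reading this page will look for them. The header separator rows are also far wider than the cells and could be trimmed.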


@ -0,0 +1,16 @@
An organization in Docker is a collection of teams and repositories
that can be managed together. A team is a group of Docker members that belong to an organization.
An organization can have multiple teams.
Docker users become members of an organization
when they are assigned to at least one team in the organization. When you first
create an organization, you have one team, the "owners" team, that has a single member. An organization owner is someone that is part of the
owners team. They can create new teams and add
members to an existing team using their Docker ID or email address and by
selecting a team the user should be part of. An organization owner can also add
additional owners to help them manage users, teams, and repositories in the
organization.
The following diagram depicts the setup of an organization and how it relates to teams.
![organization-hierarchy](/admin/images/docker-hierarchy-org.svg){: width="700px" }
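Review bot: "Docker users become members of an organization when they are assigned to at least one team in the organization" is no longer the whole story once SSO or SCIM is configured: the group-mapping include added in this commit says SSO users with no group claim are placed in the default team and organization automatically, and the SCIM include says users assigned to the Docker application in the IdP are provisioned without an invite. Add a sentence pointing at those paths so readers don't assume membership only changes through an owner's action. Also, the hard line wrapping mid-sentence ("Docker users become members of an organization / when they are assigned") is inconsistent with the rest of the file; reflow to one line per paragraph like the other includes.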

21
_includes/admin-scim.md Normal file

@ -0,0 +1,21 @@
This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers.
SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker Hub and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker Hub and added to the organization or company.
Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker Hub. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the users first name and last name.
The following provisioning features are supported:
- Creating new users
- Push user profile updates
- Remove users
- Deactivate users
- Re-activate users
- Group mapping
The table below lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.
| Attribute | Description
|:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------|
| username | Unique identifier of the user (email) |
| givenName | Users first name |
| familyName |Users surname |
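Review bot: the feature list includes both "Remove users" and "Deactivate users" / "Re-activate users", while the second paragraph says an unassigned user "is removed from the organization or company in Docker Hub". Those are different offboarding outcomes (a seat freed versus an account blocked from signing in, with existing personal access tokens either still valid or not), and the page should say which one SCIM performs and whether a removed user's tokens stop working. The sentence "Note that your attribute mappings must match for SSO to prevent duplicating your members." needs to say what must match what (presumably the same email-as-username attribute used by the SAML connection). Minor: the attribute table's header row is missing its closing pipe.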

308
_includes/admin-sso-faq.md Normal file

@ -0,0 +1,308 @@
<ul class="nav nav-tabs">
<li class="active"><a data-toggle="tab" data-target="#tab1">General</a></li>
<li><a data-toggle="tab" data-target="#tab2">SAML</a></li>
<li><a data-toggle="tab" data-target="#tab3">Docker org and Docker ID</a></li>
<li><a data-toggle="tab" data-target="#tab4">Identity providers</a></li>
<li><a data-toggle="tab" data-target="#tab5">Domains</a></li>
<li><a data-toggle="tab" data-target="#tab6">SSO enforcement</a></li>
<li><a data-toggle="tab" data-target="#tab7">Managing users</a></li>
</ul>
<div class="tab-content">
<div id="tab1" class="tab-pane fade in active" markdown="1">
### Is Docker SSO available for all paid subscriptions?
Docker Single Sign-on (SSO) is only available with the Docker Business subscription. Upgrade your existing subscription to start using Docker SSO.
### How does Docker SSO work?
Docker Single Sign-on (SSO) allows users to authenticate using their identity providers (IdPs) to access Docker. Docker supports Azure AD and any SAML 2.0 identity providers. When you enable SSO, users are redirected to your providers authentication page to authenticate using their email and password.
### What SSO flows are supported by Docker?
Docker supports Service Provider Initiated (SP-initiated) SSO flow. This means users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process.
### Where can I find detailed instructions on how to configure Docker SSO?
You first need to establish an SSO connection with your identity provider, and the company email domain needs to be verified prior to establishing an SSO connection for your users.
### Does Docker SSO support multi-factor authentication (MFA)?
When an organization uses SSO, MFA is determined on the IdP level, not on the Docker platform.
### Do I need a specific version of Docker Desktop for SSO?
Yes, all users in your organization must upgrade to Docker Desktop version 4.4.2 or later. Users on older versions of Docker Desktop will not be able to sign in after SSO is enforced, if the company domain email is used to sign in or as the primary email associated with an existing Docker account. Your users with existing accounts can't sign in with their username and password.
<hr>
</div>
<div id="tab2" class="tab-pane fade" markdown="1">
### Does SAML authentication require additional attributes?
You must provide an email address as an attribute to authenticate through SAML. The Name attribute is optional.
### Does the application recognize the NameID/Unique Identifier in the SAMLResponse subject?
The preferred format is your email address, which should also be your Name ID.
### When you enforce SAML SSO, at what stage is the login required for tracking through SAML? At runtime or install time?
At runtime for Docker Desktop if its configured to require authentication to the organization.
### Do you have any information on how to use the Docker Desktop application in accordance with the SSO users we provide? How can we verify that we're handling the licensing correctly?
Verify that your users have downloaded the latest version of Docker Desktop. An enhancement in user management observability and capabilities will become available in the future.
<hr>
</div>
<div id="tab3" class="tab-pane fade" markdown="1">
### Whats a Docker ID? Can I retain my Docker ID when using SSO?
For a personal Docker ID, a user is the account owner, its associated with access to the user's repositories, images, assets. An end user can choose to have a company domain email on the Docker account, when enforcing SSO, the account is connected to the organization account. When enforcing SSO for an organization(s) or company, any user logging in without an existing account using verified company domain email will automatically have an account provisioned, and a new Docker ID created.
### What if the Docker ID I want for my organization or company is taken?
This depends on the state of the namespace, if trademark claims exist for the organization or company Docker ID, a manual flow for legal review is required.
### What if I want to create more than 3 organizations?
You can create multiple organizations or multiple teams under a single company. SSO is available at the company level.
<hr>
</div>
<div id="tab4" class="tab-pane fade" markdown="1">
### Is it possible to use more than one IdP with Docker SSO?
No. You can only configure Docker SSO to work with a single IdP. A domain can only be associated with a single IdP. Docker supports Azure AD and identity providers that support SAML 2.0.
### Is it possible to change my identity provider after configuring SSO?
Yes. You must delete your existing IdP configuration in Docker Hub and follow the instructions to Configure SSO using your IdP. If you had already turned on enforcement, you should turn off enforcement before updating the provider SSO connection.
### What information do I need from my identity providers to configure SSO?
To enable SSO in Docker, you need the following from your IdP:
* **SAML**: Entity ID, ACS URL, Single Logout URL and the public X.509 certificate
* **Azure AD**: Client ID, Client Secret, AD Domain.
### What happens if my existing certificate expires?
If your existing certificate has expired, you may need to contact your identity provider to retrieve a new x509 certificate. The new certificate must be updated in the SSO configuration settings page on Docker Hub.
### What happens if my IdP goes down when SSO is enabled?
It's not possible to access Docker Hub when your IdP is down. However, you can access Docker Hub images from the CLI using your Personal Access Token. Or, if you had an existing account before the SSO enforcement, you can use your username and password to access Docker Hub images during the grace period for your organization.
### What happens when I turn off SSO for my organization(s) or company?
When you turn off SSO, authentication through your Identity Provider isn't required to access Docker. Users may continue to sign in through Single Sign-On as well as Docker ID and password.
### Q: How do I handle accounts using Docker Hub as a secondary registry? Do I need a bot account?
You can add a bot account to your IDP and create an access token for it to replace the other credentials.
### Does Docker plan to release SAML just in time provisioning?
The SSO implementation is already "just in time". Admins don't have to create users accounts on Hub, they can just enable it on the IdP and have the users sign in through their domain email on Hub.
### Will there be IdP initiated logins? Does Docker plan to support SSO logins outside of Hub and Desktop?
We currently do not have any plans to enable IdP initiated logins.
### Build agents - For customers using SSO, do they need to create a bot account to fill a seat within the dockerorg?
Yes, bot accounts needs a seat, similar to a regular end user, having a non-aliased domain email enabled in the IdP and using a seat in Hub.
### Is it possible to connect Docker Hub directly with a Microsoft Azure Active Directory Group?
Yes, Azure AD is supported with SSO for Docker Business, both through a direct integration and through SAML.
<hr>
</div>
<div id="tab5" class="tab-pane fade" markdown="1">
### Can i add sub-domains?
Yes, you can add sub-domains to your SSO , however all email addresses should also be on that domain. Verify that your DNS provider supports multiple txt fields for the same domain.
### Can the DNS provider configure it once for one-time verification and remove it later OR will it be needed permanently?
They can do it one time to add it to a connection. If they ever change IdPs and have to set up SSO again, they will need to verify again.
### Is adding domain required to configure SSO? What domains should I be adding? And how do I add it?
Adding and verifying a domain is required to enable and enforce SSO. Select **Add Domain** and specify the email domains that's allowed to authenticate through your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email.
### If users are using their personal email, do they have to convert to using the Orgs domain before they can be invited to join an Org? Is this just a quick change in their Hub account?
No, they don't. Though they can add multiple emails to a Docker ID if they choose to. However, that email can only be used once across Docker. The other thing to note is that (as of January 2022) SSO will not work for multi domains as an MVP and it will not work for personal emails either.
### Since Docker ID is tracked from SAML, at what point is the login required to be tracked from SAML? Runtime or install time?
Runtime for Docker Desktop if they configure Docker Desktop to require authentication to their org.
### Do you support IdP-initiated authentication (e.g., Okta tile support)?
We don't support IdP-initiated authentication. Users must initiate login through Docker Desktop or Hub.
<hr>
</div>
<div id="tab6" class="tab-pane fade" markdown="1">
### We currently have a Docker Team subscription. How do we enable SSO?
SSO is available with a Docker Business subscription. To enable SSO, you must first upgrade your subscription to a Docker Business subscription. To learn how to upgrade your existing account, see [Upgrade your subscription](https://www.docker.com/pricing).
### How do service accounts work with SSO?
Service accounts work like any other user when SSO is turned on. If the service account is using an email for a domain with SSO turned on, it needs a PAT for CLI and API usage.
### Is DNS verification required to enable SSO?
Yes. You must verify a domain before using it with an SSO connection.
### Does Docker SSO support authenticating through the command line?
Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI.
### How does SSO affect our automation systems and CI/CD pipelines?
Before enforcing SSO, you must create PATs for automation systems and CI/CD pipelines and use the tokens instead of a password.
### I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they purchase Docker Business licenses, they will implement and enforce SSO through Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account?
If they already have their organization email on their account, then it will be migrated to SSO.
### If an organization enables SSO, the owners can control Docker IDs associated with their work email domain. Some of these Docker IDs won't be users of Docker Desktop and therefore don't require a Business subscription. Can the owners choose which Docker IDs they add to their Docker org and get access to Business features? Is there a way to flag which of these Docker IDs are Docker Desktop users?
SSO enforcement will apply to any domain email user, and automatically add that user to the Docker Hub org that enables enforcement. The admin could remove users from the org manually, but those users wouldn't be able to authenticate if SSO is enforced.
### Can I enable SSO and hold off on the domain verification and enforcement options?
Yes, they can choose to not enforce, and users have the option to use either Docker ID (standard email/password) or email address (SSO) at the sign-in screen.
### SSO is enforced, but one of our users is connected to several organizations (and several email-addresses) and is able to bypass SSO and login through userid and password. Why is this happening?
They can bypass SSO if the email they're using to sign in doesn't match the organization email being used when SSO is enforced.
### Is there a way to test this functionality in a test tenant with Okta before going to production?
Yes, you can create a test organization. Companies can set up a new 5 seat Business plan on a new organization to test with (making sure to only enable SSO, not enforce it or all domain email users will be forced to sign in to that test tenant).
### Once we enable SSO for Docker Desktop, what's the impact to the flow for Build systems that use service accounts?
If SSO is enabled, there is no impact for now. We'll continue to support either username/password or personal access token sign-in.
However, if you **enforce** SSO:
* Service Account domain email addresses must be unaliased and enabled in their IdP
* Username/password and personal access token will still work (but only if they exist, which they won't for new accounts)
* Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token for that service account.
<hr>
</div>
<div id="tab7" class="tab-pane fade" markdown="1">
### How do I manage users when using SSO?
Users are managed through organizations in Docker Hub. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
### Do I need to manually add users to my organization?
No, you dont need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker Hub, they're automatically assigned to the organization using their domain email address.
When a user signs into Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
### Can users in my organization use different email addresses to authenticate through SSO?
During the SSO setup, youll have to specify the company email domains that are allowed to authenticate. All users in your organization must authenticate using the email domain specified during SSO setup. Some of your users may want to maintain a different account for their personal projects.
Users with a public domain email address will be added as guests.
### Can Docker org owners/Admins/company owners approve users to an organization and use a seat, rather than having them automatically added when SSO Is enabled?
Admins, organization owners and company owners can currently approve users by configuring their permissions through their IdP. That's if the user account is configured in the IdP, the user will be automatically added to the organization in Docker Hub as long as theres an available seat.
### How will users be made aware that they're being made a part of a Docker Org?
When SSO is enabled, users will be prompted to authenticate through SSO the next time they try to sign in to Docker Hub or Docker Desktop. The system will see the end-user has a domain email associated with the docker ID they're trying to authenticate with, and prompts them to sign in with SSO email and credentials instead.
If users attempt to sign in through the CLI, they must authenticate using a personal access token (PAT).
### Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their companys domain?
Yes. Admins can force users to authenticate with Docker Desktop by provisioning a `registry.json` configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file.
Once SSO enforcement is set up on their Docker Business organization or company on Hub, when the user is forced to authenticate with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password).
Users may still be able to authenticate as a "guest" account using a non-domain email address. However, they can only authenticate as guests if that non-domain email was invited.
### Is it possible to convert existing users from non-SSO to SSO accounts?
Yes, you can convert existing users to an SSO account. To convert users from a non-SSO account:
* Ensure your users have a company domain email address and they have an account in your IdP
* Verify that all users have Docker Desktop version 4.4.2 or later installed on their machines
* Each user has created a PAT to replace their passwords to allow them to sign in through Docker CLI
* Confirm that all CI/CD pipelines automation systems have replaced their passwords with PATs.
### What impact can users expect once we start onboarding them to SSO accounts?
When SSO is enabled and enforced, your users just have to sign in using the email address and password.
### Is Docker SSO fully synced with Active Directory (AD)?
Docker doesnt currently support a full sync with AD. That's, if a user leaves the organization, administrators must sign in to Docker Hub and manually remove the user from the organization.
Additionally, you can use our APIs to complete this process.
### What's the best way to provision the Docker Subscription without SSO?
Company or organisation owners can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already).
### If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link through email?
Yes, if the user is added through email address to an org, they will receive an email invite. If invited through Docker ID as an existing user instead, they'll be added to the organization automatically. A new invite flow will occur in the near future that will require an email invite (so the user can choose to opt out). If the org later sets up SSO for [zeiss.com](https://www.zeiss.com/) domain, the user will automatically be added to the domain SSO org next sign in which requires SSO auth with the identity provider (Hub login will automatically redirect to the identity provider).
### Can someone join an organization without an invitation? Is it possible to put specific users to an organization with existing email accounts?
Not without SSO. Joining requires an invite from a member of the Owners group. When SSO is enforced, then the domains verified through SSO will allow users to automatically join the organization the next time they sign in as a user that has a domain email assigned.
### When we send an invitation to the user, will the existing account be consolidated and retained?
Yes, the existing user account will join the organization with all assets retained.
### How can I view, update, and remove multiple email addresses for my users?
We only support one email per user on the Docker platform.
### How can I remove invitees to the org who haven't signed in?
They can go to the invitee list in the org view and remove them.
### How's the flow for service account authentication different from a UI user account?
It isn't; we don't differentiate the two in product.
<hr>
</div>
</div>
.
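Review bot: the Managing users tab uses a real customer domain as an example ("If the org later sets up SSO for [zeiss.com](https://www.zeiss.com/) domain"); replace it with example.com before this ships. Two further problems in the same file. First, the Domains tab contradicts itself: "Yes, you can add sub-domains" and "specify the email domains that's allowed to authenticate" sit next to the stale "(as of January 2022) SSO will not work for multi domains as an MVP"; drop or update the dated statement. Second, the SSO enforcement tab says that after enforcement "Username/password and personal access token will still work" and that "Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token"; that consequence belongs in the Managing users tab next to "administrators must sign in to Docker Hub and manually remove the user", stated plainly: enforcing SSO does not revoke existing PATs, so offboarding must include removing the user (and thereby their tokens) from the organization. Also remove the stray "." after the closing div.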

68
admin/company/index.md Normal file

@ -0,0 +1,68 @@
---
description: Learn about companies.
keywords: company, multiple organizations, manage companies
title: Overview
---
{% include admin-early-access.md %}
{% include admin-company-overview.md %}
To create a company, see [Create a company](../../docker-hub/new-company.md).
Learn how to administer a company using Docker Admin in the following sections.
<div class="component-container">
<!--start row-->
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/company/organizations/"><img src="/assets/images/note-add.svg" alt="Manage organizations" width="70" height="70"></a>
</div>
<h2 id="mangage-orgs"><a href="/admin/company/organizations/">Manage organizations</a></h2>
<p>Learn how to manage organizations and seats within your company.</p>
</div>
</div>
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/company/users/"><img src="/assets/images/contact.svg" alt="Manage users" width="70" height="70"></a>
</div>
<h2 id="manage-users"><a href="/admin/company/users/">Manage users</a></h2>
<p>Explore how to manage users in all organizations.</p>
</div>
</div>
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/company/owners/"><img src="/assets/images/sso.svg" alt="Company owner" width="70" height="70"></a>
</div>
<h2 id="Company owner"><a href="/admin/company/owners/">Manage company owners</a></h2>
<p>Find out more about company owners and how to manage them.</p>
</div>
</div>
</div>
<!--start row-->
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/company/settings/sso/"><img src="/assets/images/sign-on.svg" alt="Configure company SSO" width="70" height="70"></a>
</div>
<h2 id="company-sso"><a href="/admin/company/settings/sso/">Configure Single Sign-On</a></h2>
<p>Discover how to configure SSO for your entire company.</p>
</div>
</div>
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/company/settings/scim/"><img src="/assets/images/checklist.svg" alt="company faqs" width="70" height="70"></a>
</div>
<h2 id="company-scim"><a href="/admin/company/settings/scim/">Set up SCIM</a></h2>
<p>Set up SCIM to automatically provision and deprovision users in your company.</p>
</div>
</div>
</div>
</div>
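Review bot: The heading ids in the component cards need fixing: `id="mangage-orgs"` is misspelled, and `id="Company owner"` contains a space, which is not a usable fragment id; use `manage-orgs` and `company-owners` to match the other ids on the page. Separately, the SCIM card's icon has `alt="company faqs"`, which does not describe its link target; `alt="Set up SCIM"` would match the card's heading.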

@ -0,0 +1,29 @@
---
description: Manage organizations for a company in Docker Admin.
keywords: company, multiple organizations, manage organizations
title: Manage organizations
---
{% include admin-early-access.md %}
## View all organizations
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Under **Organizations**, select **Overview**.
## Add seats to an organization
When you have a [self-serve](../../subscription/details.md#self-serve) subscription that has no pending subscription changes, you can add seats using the following steps.
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Under **Organizations**, select **Overview**.
4. Select the action icon in the organization's card, and then select **Get more seats**.
## Manage an organization
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select the organization that you want to manage.
For more details about managing an organization, see [Organization administration](../organization/index.md).

admin/company/owners.md Normal file
@ -0,0 +1,25 @@
---
description: Learn about company owners.
keywords: company, owners
title: Manage company owners
---
{% include admin-early-access.md %}
As a company owner, you can configure [Single Sign-on (SSO)](./settings/sso.md) and [System for Cross-domain Identity Management (SCIM)](./settings/scim.md) for all organizations under the company.
## Add a company owner
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Company Owners**.
4. Select **Add Owner**.
5. Specify the user's Docker ID to search for the user.
6. After you find the user, select **Add Company Owner**.
## Remove a company owner
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Company Owners**.
4. Select the **Action** icon in the row of the company owner that your want to remove.
5. Select **Remove as Company Owner**.
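Review bot: Typo in step 4 of "Remove a company owner": "the company owner that your want to remove" should read "that you want to remove".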

@ -0,0 +1,14 @@
---
description: Group mapping in Docker Admin
keywords: Group Mapping, SCIM, Docker Admin
title: Group Mapping
---
{% include admin-early-access.md %}
{% include admin-group-mapping.md %}
>**Tip**
>
> [Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually.
{: .tip}
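Review bot: The tip is missing a comma and reads ambiguously: "If you don't enable SCIM users are only automatically provisioned" should be "If you don't enable SCIM, users are only provisioned automatically; you have to de-provision them manually." This page also spells it "de-provisioning" while the SCIM card on the company overview page in this commit uses "deprovision"; pick one spelling.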

@ -0,0 +1,36 @@
---
description: System for Cross-domain Identity Management
keywords: SCIM, SSO
title: SCIM
---
{% include admin-early-access.md %}
{% include admin-scim.md %}
## Set up SCIM
You must make sure you have [configured SSO](sso.md) before you enable SCIM. Enforcing SSO is not required.
### Step one: Enable SCIM in Docker Admin
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Settings**.
4. In the **Single Sign-On Connection** table, select the **Actions** icon and **Setup SCIM**.
5. Copy the **SCIM Base URL** and **API Token** and paste the values into your IdP.
### Step two: Enable SCIM in your IdP
Follow the instructions provided by your IdP:
- [Okta](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SCIM.htm){: target="_blank" rel="noopener" class="_" }
- [Azure AD](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad#step-2-configure-the-enterprise-application){: target="_blank" rel="noopener" class="_" }
- [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" }
## Disable SCIM
If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.
1. In the **Single Sign-On Connection** table, select the **Actions** icon.
2. Select **Disable SCIM**.
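Review bot: The "Azure AD" link under "Step two: Enable SCIM in your IdP" points at the Azure Databricks SCIM guide (`.../azure/databricks/administration-guide/users-groups/scim/aad`), a product-specific page rather than the general Azure AD user-provisioning documentation; link to the Azure AD SCIM provisioning docs instead. In step 5 of "Step one", it would also help readers to say that the **API Token** is a secret the IdP uses to call the SCIM endpoint, so it belongs only in the IdP's provisioning configuration and should not be copied anywhere else.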

@ -0,0 +1,103 @@
---
description: SSO configuration
keywords: configure, sso, docker admin
title: Configure Single Sign-On
---
{% include admin-early-access.md %}
Follow the steps on this page to configure SSO for your company.
## Step one: Add and verify your domain
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Settings**.
4. Select **Add Domain** and continue with the on-screen instructions to add the TXT Record Value to your domain name system (DNS).
>**Note**
>
> Format your domains without protocol or www information, for example, `yourcompany.example`. This should include all email domains and subdomains users will use to access Docker, for example `yourcompany.example` and `us.yourcompany.example`. Public domains such as `gmail.com`, `outlook.com`, etc. arent permitted. Also, the email domain should be set as the primary email.
5. Once you have waited 72 hours for the TXT Record verification, you can then select **Verify** next to the domain you've added, and follow the on-screen instructions.
## Step two: Create an SSO connection
> **Important**
>
> If your IdP setup requires an Entity ID and the ACS URL, you must select the
> **SAML** tab in the **Authentication Method** section. For example, if your
> Azure AD Open ID Connect (OIDC) setup uses SAML configuration within Azure
> AD, you must select **SAML**. If you are [configuring Open ID Connect with Azure AD](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings){: target="_blank" rel="noopener" class="_"} select
> **Azure AD** as the authentication method. Also, IdP initiated connections
> aren't supported at this time.
{: .important}
1. Once your domain is verified, in the **Single Sign-on Connection** table select **Create Connections**, and create a name for the connection.
> **Note**
>
> You have to verify at least one domain before creating the connections.
2. Select an authentication method, **SAML** or **Azure AD (OIDC)**.
3. Copy the following fields and add them to your IdP:
- SAML: **Entity ID**, **ACS URL**
- Azure AD (OIDC): **Redirect URL**
![SAML](../../../docker-hub/images/saml-create-connection.png){: width="500px" }
![Azure AD](../../../docker-hub/images/azure-create-connection.png){: width="500px" }
4. From your IdP, copy and paste the following values into the Docker **Settings** fields:
- SAML: **SAML Sign-on URL**, **x509 Certificate**
- Azure AD (OIDC): **Client ID**, **Client Secret**, **Azure AD Domain**
5. Select the verified domains you want to apply the connection to.
6. To provision your users, select the organization(s) and/or team(s).
> **Note**
>
> If you are a company owner and have more than one organization, you need to select a default organization.
7. Review your summary and select **Create Connection**.
## Step three: Test your SSO configuration
After youve completed the SSO configuration process in Docker Admin, you can test the configuration when you sign in to Docker Admin using an incognito browser. Sign in to Docker Admin using your domain email address. You are then redirected to your IdP's login page to authenticate.
1. Authenticate through email instead of using your Docker ID, and test the login process.
2. To authenticate through CLI, your users must have a PAT before you enforce SSO for CLI users.
>**Important**
>
> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization on Docker Hub.
>
> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm)
> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
{: .important}
The SSO connection is now created. You can continue to set up [SCIM](scim.md) without enforcing SSO log-in.
## Optional step four: Enforce SSO
1. In the **Single Sign-On Connections** table, select the **Action** icon and then **Enforce Single Sign-on**.
When SSO is enforced, your users are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. You must enable 2FA through your IdP.
2. Continue with the on-screen instructions and verify that youve completed the tasks.
3. Select **Turn on enforcement** to complete.
Your users must now sign in to Docker with SSO.
> **Important**
>
> If SSO isn't enforced, users can choose to sign in with either their Docker ID or SSO.
{: .important}
## What's next?
- [Manage your SSO connections](sso-management.md)
- [Set up SCIM](scim.md)
- [Enable Group mapping](group-mapping.md)
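Review bot: Several apostrophes were lost in this file: "arent permitted" in the Step one note, and "After youve completed" and "verify that youve completed" in steps three and four, should read "aren't" and "you've". Step 5 of Step one, "Once you have waited 72 hours for the TXT Record verification", reads as if a 72-hour wait is mandatory; if 72 hours is the upper bound on propagation, say "TXT record verification can take up to 72 hours". The UI names are inconsistent within the page: the table is **Single Sign-on Connection** in step 1 of Step two and **Single Sign-On Connections** in Optional step four, and the button is **Create Connections** in step 1 but **Create Connection** in step 7. Finally, the "configuring Open ID Connect with Azure AD" link in the Important note points at Power Apps portals documentation (`.../powerapps/maker/portals/configure/configure-openid-settings`), which is unlikely to be the page a Docker administrator needs.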

@ -0,0 +1,10 @@
---
description: Single Sign-on FAQs
keywords: Docker, Docker Admin, SSO FAQs, single sign-on
title: Single Sign-On FAQs
toc_max: 2
---
{% include admin-early-access.md %}
{% include admin-sso-faq.md %}

@ -0,0 +1,95 @@
---
description: Manage SSO
keywords: manage, single sign-on, SSO, sign-on
title: Manage Single Sign-On
---
{% include admin-early-access.md %}
## Manage domains
### Remove a domain from an SSO connection
1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**.
2. Select **Next** to navigate to the section where the connected domains are listed.
3. In the **Domain** drop-down, select the **Remove** icon next to the domain that you want to remove.
4. Select **Next** to confirm or change the connected organization(s).
5. Select **Next** to confirm or change the default organization and team provisioning selections.
6. Review the **Connection Summary** and select **Save**.
> **Note**
>
> If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value.
## Manage organizations
### Connect an organization
1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**.
2. Select **Next** to navigate to the section where connected organizations are listed.
3. In the **Organizations** drop-down, select the organization to add to the connection.
4. Select **Next** to confirm or change the default organization and team provisioning.
5. Review the **Connection Summary** and select **Save**.
### Remove an organization
1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**.
2. Select **Next** to navigate to the section where connected organizations are listed.
3. In the **Organizations** drop-down, select **Remove** to remove the connection.
4. Select **Next** to confirm or change the default organization and team provisioning.
5. Review the **Connection Summary** and select **Save**.
## Manage SSO connections
### Edit a connection
1. In the **Single Sign-On Connection** table, select the **Action** icon.
2. Select **Edit connection** to edit you connection.
3. Continue with the on-screen instructions.
### Delete a connection
1. In the **Single Sign-On Connection** table, select the **Action** icon.
2. Select **Delete** and **Delete connection**.
3. Continue with the on-screen instructions.
### Deleting SSO
When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.
## Manage users
> **Important**
>
> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization.
>
> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm)
> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
{: .important}
### Add guest users when SSO is enabled
To add a guest to your organization if they arent verified through your IdP:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Users**.
4. Select **Invite**, enter the email address, and select an organization and team from the drop-down lists.
5. Select **Invite** to confirm.
### Remove users from the SSO company
To remove a user from an organization:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Users**.
4. Select the action icon next to a users name, and then select **Remove user**.
5. Follow the on-screen instructions to remove the user.
## What's next?
- [Set up SCIM](scim.md)
- [Enable Group mapping](group-mapping.md)
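Review bot: Typos: "to edit you connection" under "Edit a connection" should be "your connection"; "if they arent verified" under "Add guest users" should be "aren't"; "next to a users name" under "Remove users" should be "a user's name". The heading "Deleting SSO" breaks the imperative style of the neighbouring headings ("Delete a connection"), and its sentence "create a password reset if they don't have one" should read "or request a password reset if they don't have a password". The heading "Remove users from the SSO company" also does not match its body, which says "To remove a user from an organization"; say which scope the procedure applies to.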

@ -0,0 +1,41 @@
---
description: Single Sign-on
keywords: Single Sign-on, SSO, sign-on
title: Single Sign-On overview
---
{% include admin-early-access.md %}
SSO allows users to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../../../subscription/upgrade.md).
## How it works
When SSO is enabled, users are redirected to your IdP's authentication page to sign in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process.
The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP.
![SSO architecture](/single-sign-on/images/sso-architecture.png)
## How to set it up
Before enabling SSO in Docker, administrators must first configure their IdP to work with Docker. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub.
After establishing the connection between the IdP server and Docker, administrators sign in to Docker Admin and complete the SSO enablement process.
When you enable SSO for your company, a first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your company and assigned to the company team in the organization.
Administrators can then choose to enforce SSO login and effortlessly manage SSO connections for their individual company.
## Prerequisites
* You must first notify your company about the new SSO login procedures.
* Verify that your members have Docker Desktop version 4.4.2, or later, installed on their machines.
* If your organization uses the Docker Hub CLI, new org members must [create a Personal Access Token (PAT)](../../../docker-hub/access-tokens.md) to sign in to the CLI.There is a grace period for existing users, which will expire in the near future. Before the grace period ends, your users can sign in from Docker Desktop CLI using their previous credentials until PATs are mandatory.
In addition, you should add all email addresses to your IdP.
* Confirm that all CI/CD pipelines have replaced their passwords with PATs.
* For your service accounts, add your additional domains or enable it in your IdP.
## What's next?
- Start [configuring SSO](sso-configuration.md) for your company
- Explore [the FAQs](sso-faq.md)
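Review bot: Missing space in the prerequisites: "to sign in to the CLI.There is a grace period" needs a space after the period. The same bullet says "Docker Hub CLI", but it is the Docker CLI signing in to Docker Hub; and the last bullet, "add your additional domains or enable it in your IdP", leaves "it" undefined. The architecture image uses the site-absolute path `/single-sign-on/images/sso-architecture.png`, while the other images in this commit are referenced relative to the file (`../../../docker-hub/images/...`); confirm the absolute path still resolves from `/admin/company/settings/`.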

admin/company/users.md Normal file
@ -0,0 +1,107 @@
---
description: Manage company users
keywords: company, company users, users, admin, docker admin
title: Manage company users
---
{% include admin-early-access.md %}
## Invite members
Company owners can invite new members to an organization in the company via Docker ID, email address, or via a CSV file containing email addresses. If an invitee does not have a Docker account, they must create an account and verify their email address before they can accept the invitation to join the organization. When inviting members, their pending invitation occupies a seat.
### Invite members via Docker ID or email address
Use the following steps to invite members to an organization in your company via Docker ID or email address. To invite a large amount of members to your company, Docker recommends that you [invite members via CSV file](#invite-members-via-csv-file).
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Users**.
4. Select **Invite**.
5. Select **Emails Or Docker IDs**.
6. Enter the Docker IDs or email addresses that you want to invite, up to a maximum of 1000. Separate multiple entries by a comma, semicolon, or space.
7. Select an organization from the drop-down list to add all invited users to that organization.
8. Select a team or type to create a new team. Docker will invite all users to that team.
9. Select **Invite** to confirm.
> **Note**
>
> You can view the pending invitations in the **Users** page. The invitees receive an email with a link to the organization in Docker Hub where they can accept or decline the invitation.
### Invite members via CSV file
To invite multiple members to your organization in your company via a CSV file containing email addresses:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Users**.
4. Select **Invite**.
5. Select **CSV Upload**.
6. Select an organization from the drop-down list to add all invited users to that organization.
7. Select a team or type to create a new team. Docker will invite all users to that team.
8. Select **Download the template CSV file** to optionally download an example CSV file. The following is an example of the contents of a valid CSV file.
```
email
docker.user-0@example.com
docker.user-1@example.com
```
CSV file requirements:
- The file must contain a header row with at least one heading named `email`. You can add additional columns but the import will ignore them.
- The file can contain a maximum of 1000 email addresses (rows). To invite more than 1000 users, create multiple CSV files and perform all steps in this task for each file.
9. Create a new CSV file or export a CSV file from another application.
- To export a CSV file from another application, see the applications documentation.
- To create a new CSV file, open a new file in a text editor, type `email` on the first line, type the user email addresses one per line on the following lines, and then save the file with a .csv extension.
10. Select **Browse files** and then select your CSV file, or drag and drop the CSV file into the **Select a CSV file to upload** box. You can only select one CSV file at a time.
> **Note**
>
> If the amount of email addresses in your CSV file exceeds the number of available seats in your organization, you can't continue to invite members. To invite members, you can buy more seats, or remove some email addresses from the CSV file and re-select the new file. To buy more seats, see [Add seats to your subscription](../../subscription/add-seats.md) or [Contact sales](https://www.docker.com/pricing/contact-sales/).
11. After the CSV file upload completes, select **Review**.
Valid email addresses and any email addresses that have issues appear.
Email addresses may have the following issues:
- **Invalid email**: The email address isn't a valid address. The email address will be ignored if you send invites. You can correct the email address in the CSV file and re-import the file.
- **Already invited**: Docker has already sent an invite email and Docker won't send another invite email.
- **Member**: The user is already a member of your organization and Docker won't send an invite email.
- **Duplicate**: The CSV file has multiple occurrences of the same email address. Docker will send the user only one invite email.
12. Select **Send invites**.
> **Note**
>
> You can view the pending invitations in the **Users** page. The invitees receive an email with a link to the organization in Docker Hub where they can accept or decline the invitation.
## Resend invitations
To resend an invitation if the invite is pending or declined:
1. Go to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Users**.
4. Locate the invitee, select the action icon in the invitee's row, and then select **Resend invitation**.
5. Select **Invite** to confirm.
## Remove a member or invitee from an organization
To remove a member or invitee from an organization:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Users**.
4. Locate the user, select the action icon in the user's row, and then select **Remove user** or **Remove invitee**.
5. Select the organizations to remove the user from.
6. Select **Remove** to confirm.
## Export users
Company owners can export a CSV file containing all of the company's users.
The CSV file contains the following fields:
* **Name**: The user's name.
* **Username**: The user's Docker ID.
* **Email**: The user's email address.
* **Type**: The type of user. For example, **Invitee** for users who haven't accepted the organization's invite, or **User** for users who are members of the organization.
* **Permissions**: The user's organization permissions. For example, **Member** or **Owner**.
* **Teams**: The teams where the user is a member. A team isn't listed for invitees.
* **Date Joined**: The time and date when the user was invited to the organization.
To export a CSV file of the company's users:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your company in the drop-down menu.
3. Select **Users**.
4. Select the action icon next to **Invite**, and then select **Export users as CSV**.
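Review bot: The **Date Joined** field in "Export users" is described as "The time and date when the user was invited to the organization", which contradicts the field name; state which event the timestamp records. Under step 9 of the CSV procedure, "see the applications documentation" needs an apostrophe ("application's"), and the CSV note's "the amount of email addresses" should be "the number of email addresses".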

admin/index.md Normal file
@ -0,0 +1,41 @@
---
description: Docker Admin provides administrators with centralized observability, access management, and controls for their company and organizations.
keywords: admin, administration, company, organization
title: Docker Admin overview
---
{% include admin-early-access.md %}
The [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"} console provides administrators with centralized observability, access management, and controls for their company and organizations. To provide these features, Docker uses the following hierarchy and roles.
![Docker hierarchy](./images/docker-hierarchy-company.svg){: width="800px" }
- Company: A company simplifies the management of Docker organizations and settings. Creating a company is optional and only available to Docker Business subscribers.
- Company owner: A company can have multiple owners. Company owners have company-wide observability and can manage company-wide settings that apply to all associated organizations. In addition, company owners have the same access as organization owners for all associated organizations.
- Organization: An organization is a collection of teams and repositories. Docker Team and Business subscribers must have at least one organization.
- Organization owner: An organization can have multiple owners that are members of the owners team. Organization owners have observability into their organization and can manage its users and settings.
- Team: A team is a group of Docker members that belong to an organization. An organization has one team upon creation, the owners team. Organization and company owners can group members into additional teams to configure repository permissions on a per-team basis.
- Member: A member is a Docker user that's a member of at least one team in an organization.
<div class="component-container">
<!--start row-->
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/company/"><img src="/assets/images/engine-networking.svg" alt="Company administration" width="70" height="70"></a>
</div>
<h2 id="set-up-an-org"><a href="/admin/company/">Company administration</a></h2>
<p> Explore how to manage a company in Docker Admin.</p>
</div>
</div>
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/organization/"><img src="/assets/images/contact.svg" alt="Organization administration" width="70" height="70"></a>
</div>
<h2 id="set-up-an-org"><a href="/admin/organization/">Organization administration</a></h2>
<p> Learn about organization administration in Docker Admin.</p>
</div>
</div>
</div>
</div>
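Review bot: Both component headings use `id="set-up-an-org"`, so the page has a duplicate id and neither fragment describes its target; use `company-administration` and `organization-administration`. The leading space inside each card's `<p>` text (`<p> Explore how...`) also differs from the company overview page in this commit and can be dropped.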

@ -0,0 +1,44 @@
---
description: Learn about activity logs.
keywords: team, organization, activity, log, audit, activities
title: Activity logs
---
{% include admin-early-access.md %}
Activity logs are a chronological list of activities that occur at organization and repository levels. The feature provides information to organization owners on all their team member activities.
With activity logs, owners can view and track:
- What changes were made
- The date when a change was made
- Who initiated the change
For example, activity logs display activities such as the date when a repository was created or deleted, the team member who created the repository, the name of the repository, and when there was a change to the privacy settings.
Owners can also see the activity logs for their repository if the repository is part of the organization.
## View the activity logs
To view the activity logs:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Activity Logs**.
> **Note**
>
> Docker retains the activity data for a period of three months.
## Customize the activity logs
By default, all activities that occur at organization and repository levels are displayed. Use the calendar option to select a date range and customize your results. After you have selected a date range, Docker Admin displays the activity logs of all the activities that occurred during that period.
> **Note**
>
> Activities created by the Docker Support team as part of resolving customer issues appear in the activity logs as **dockersupport**.
Select the **All Activities** dropdown to view activities that are specific to an organization, repository, or billing.
After choosing **Organization**, **Repository**, or **Billing**, you can further refine the results using the **All Actions** dropdown.
{% include admin-org-audit-log-events.md %}
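Review bot: "dropdown" in the last two paragraphs of "Customize the activity logs" is spelled "drop-down" everywhere else in this commit; use one form. The note that Docker Support actions appear as **dockersupport** is the kind of detail an auditor needs when reading "Who initiated the change"; consider placing it next to that bullet in the introduction as well.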

@ -0,0 +1,22 @@
---
description: Learn how about general settings for organizations.
keywords: organization, settings
title: General settings
---
{% include admin-early-access.md %}
General organization information appears on your organization landing page in Docker Hub.
This information includes:
- Organization Name
- Company
- Location
- Website
- Avatar
To edit this information:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Under **Organization Settings**, select **General**.
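Review bot: The front-matter description "Learn how about general settings for organizations." has a stray word; "Learn about general settings for organizations."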

@ -0,0 +1,36 @@
---
description: Image Access Management
keywords: image, access, management
title: Image Access Management
---
{% include admin-early-access.md %}
Image Access Management (IAM) is a feature available to organizations with a Docker Business subscription. Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub.
For example, a developer, who is part of an organization, building a new containerized application could accidentally use an untrusted, community image as a component of their application. This image could be malicious and pose a security risk to the company. Using Image Access Management, the organization owner can ensure that the developer can only access trusted content like Docker Official Images, Docker Verified Publisher Images, or the organizations own images, preventing such a risk.
## Configure Image Access Management permissions
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Image Access**.
4. Enable Image Access Management to set the permissions for the following categories of images you can manage:
- **Organization Images**: When Image Access Management is enabled, images from your organization are always allowed. These images can be public or private created by members within your organization.
- **Docker Official Images**: A curated set of Docker repositories hosted on Hub. They provide OS repositories, best practices for Dockerfiles, drop-in solutions, and applies security updates on time.
- **Docker Verified Publisher Images**: Published by Docker partners that are part of the Verified Publisher program and are qualified to be included in the developer secure supply chain. You can set permissions to **Allowed** or **Restricted**.
- **Community Images**: Images are always disabled when Image Access Management is enabled. These images are not trusted because various Docker Hub users contribute them and pose security risks.
> **Note**
>
> Image Access Management is turned off by default. However, organization owners have access to all images regardless of the settings.
5. Select the category restrictions for your images by selecting **Allowed**.
Once the restrictions are applied, your members can view the organization permissions page in a read-only format.
6. Optional: To ensure that each organization member uses images in a safe and secure environment, [enforce sign-in](../../docker-hub/configure-sign-in.md).
## Verify the restrictions
To confirm that the restrictions are successful, have each organization member attempt to pull different types of images from Docker Hub onto their local computer after signing in to Docker Desktop.
For example, if you enable Image Access Management, your members can only pull an Organization Image, Docker Official Image, or Verified Publisher Image onto their local machine. If you disable the restrictions, your members can pull any image, including community images.
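Review bot: Step 6 presents enforcing sign-in as optional, but the Verify section says the restriction applies only after a member signs in to Docker Desktop, so a developer who never signs in is not subject to Image Access Management at all; make enforce sign-in a prerequisite (as the Registry Access Management page does) rather than an optional step. The Note that organization owners can pull any image regardless of the settings is the other gap a security reviewer will look for; repeat it next to the Verify instructions, because an owner testing the policy on their own machine will see no restriction and may conclude it is not working. Smaller fixes: "the organizations own images" needs an apostrophe, "public or private created by members" should read "public or private images created by members", and "applies security updates on time" should be "applies security updates promptly".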


@ -0,0 +1,77 @@
---
description: Learn about organizations.
keywords: organizations, admin, overview
title: Organization administration overview
---
{% include admin-early-access.md %}
{% include admin-org-overview.md %}
To create an organization, see [Create your organization](../../docker-hub/orgs.md).
Learn how to administer an organization using Docker Admin in the following sections.
<div class="component-container">
<!--start row-->
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/organization/members/"><img src="/assets/images/contact.svg" alt="Manage members" width="70" height="70"></a>
</div>
<h2 id="manage-members"><a href="/admin/organization/members/">Manage members</a></h2>
<p>Explore how to manage members.</p>
</div>
</div>
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/organization/activity-logs/"><img src="/assets/images/engine-logging.svg" alt="Activity logs" width="70" height="70"></a>
</div>
<h2 id="activity-logs"><a href="/admin/organization/activity-logs/">Activity logs</a></h2>
<p>Learn how to audit the activities of your members.</p>
</div>
</div>
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/organization/image-access/"><img src="/assets/images/lock.svg" alt="Image Access Management" width="70" height="70"></a>
</div>
<h2 id="image-access"><a href="/admin/organization/image-access/">Image Access Management</a></h2>
<p>Control which types of images your developers can pull.</p>
</div>
</div>
</div>
<!--start row-->
<div class="row">
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/organization/registry-access/"><img src="/assets/images/secure.svg" alt="Registry Access Management" width="70" height="70"></a>
</div>
<h2 id="registry-access"><a href="/admin/organization/registry-access/">Registry Access Management</a></h2>
<p>Define which registries your developers can access.</p>
</div>
</div>
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<a href="/admin/organization/general-settings/"><img src="/assets/images/engine-configure-daemon.svg" alt="General settings" width="70" height="70"></a>
</div>
<h2 id="general-settings"><a href="/admin/organization/general-settings/">General settings</a></h2>
<p>Configure general information that Docker Hub displays on your organization's landing page.</p>
</div>
</div>
<div class="col-xs-12 col-sm-12 col-md-12 col-lg-4 block">
<div class="component">
<div class="component-icon">
<img src="/assets/images/sign-on.svg" alt="Security settings" width="70" height="70">
</div>
<h2 id="security-settings">Security settings</h2>
<p>Set up <a href="/admin/organization/security-settings/sso/">Single Sign-On</a> and <a href="/admin/organization/security-settings/scim/">SCIM</a> for your organization.</p>
</div>
</div>
</div>
</div>
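Review bot: The Security settings card is the only one of the six whose icon and heading are not wrapped in an anchor; the other five link both to the page, so either link it to the SSO overview or add a security-settings landing page. Its paragraph links to `/admin/organization/security-settings/scim/`; confirm that target exists in this change, since the organization-level SCIM page is not visible in the navigation excerpt.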


@ -0,0 +1,111 @@
---
description: Manage organization members
keywords: members, teams, organizations
title: Manage members
---
{% include admin-early-access.md %}
## Invite members
Organization owners can invite new members to an organization via Docker ID, email address, or via a CSV file containing email addresses. If an invitee does not have a Docker account, they must create an account and verify their email address before they can accept the invitation to join the organization. When inviting members, their pending invitation occupies a seat.
### Invite members via Docker ID or email address
Use the following steps to invite members to your organization via Docker ID or email address. To invite a large amount of members to your organization, the recommended method is to [invite members via CSV file](#invite-members-via-csv-file).
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Members**.
4. Select **Invite Member**.
5. Select **Emails Or Docker IDs**.
6. Enter the Docker IDs or email addresses that you want to invite, up to a maximum of 1000. Separate multiple entries by a comma, semicolon, or space.
7. Select a team or type to create a new team. Docker will invite all users to that team.
8. Select **Invite** to confirm.
> **Note**
>
> You can view the pending invitations in the **Members** page. The invitees receive an email with a link to the organization in Docker Hub where they can accept or decline the invitation.
### Invite members via CSV file
To invite multiple members to your organization via a CSV file containing email addresses:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Members**.
4. Select **Invite Member**.
5. Select **CSV Upload**.
6. Select a team or type to create a new team. Docker will invite all users to that team.
7. Select **Download the template CSV file** to optionally download an example CSV file. The following is an example of the contents of a valid CSV file.
```
email
docker.user-0@example.com
docker.user-1@example.com
```
CSV file requirements:
- The file must contain a header row with at least one heading named `email`. Additional columns are allowed but are ignored in the import.
- The file must contain a maximum of 1000 email addresses (rows). To invite more than 1000 users, create multiple CSV files and perform all steps in this task for each file.
8. Create a new CSV file or export a CSV file from another application.
- To export a CSV file from another application, see the applications documentation.
- To create a new CSV file, open a new file in a text editor, type `email` on the first line, type the user email addresses one per line on the following lines, and then save the file with a .csv extension.
9. Select **Browse files** and then select your CSV file, or drag and drop the CSV file into the **Select a CSV file to upload** box. You can only select one CSV file at a time.
> **Note**
>
> If the amount of email addresses in your CSV file exceeds the number of available seats in your organization, you can't continue to invite members. To invite members, you can buy more seats, or remove some email addresses from the CSV file and re-select the new file. To buy more seats, see [Add seats to your subscription](../../subscription/add-seats.md) or [Contact sales](https://www.docker.com/pricing/contact-sales/).
10. After the CSV file has been uploaded, select **Review**.
Valid email addresses and any email addresses that have issues appear.
Email addresses may have the following issues:
- **Invalid email**: The email address is not a valid address. The email address will be ignored if you send invites. You can correct the email address in the CSV file and re-import the file.
- **Already invited**: The user has already been sent an invite email and another invite email will not be sent.
- **Member**: The user is already a member of your organization and an invite email will not be sent.
- **Duplicate**: The CSV file has multiple occurrences of the same email address. The user will be sent only one invite email.
11. Select **Send invites**.
> **Note**
>
> You can view the pending invitations in the **Members** page. The invitees receive an email with a link to the organization in Docker Hub where they can accept or decline the invitation.
## Add a member to a team
Use Docker Hub to add a member to a team. For more details, see [Add a member to a team](../../docker-hub/members.md#add-a-member-to-a-team).
## Resend invitations
To resend an invitation if the invite is pending or declined:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Members**.
4. Locate the invitee, select the action icon in the invitee's row, and then select **Resend invitation**.
5. Select **Invite** to confirm.
## Remove a member or invitee from an organization
To remove a member or invitee from an organization:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Members**.
4. Locate the user, select the action icon in the user's row, and then select **Remove member** or **Remove invitee**.
5. Select **Remove** to confirm.
## Export members
Organization owners can export a CSV file containing the organization's members.
The CSV file contains the following fields:
* **Name**: The user's name.
* **Username**: The user's Docker ID.
* **Email**: The user's email address.
* **Type**: The type of user. For example, **Invitee** for users who have not accepted the organization's invite, or **User** for users who are members of the organization.
* **Permissions**: The user's organization permissions. For example, **Member** or **Owner**.
* **Teams**: The teams where the user is a member. A team is not listed for invitees.
* **Date Joined**: The time and date when the user was invited to the organization.
To export a CSV file of the organization's members:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Members**.
4. Select **Export members** to download the CSV file.
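Review bot: In the Export members field list, **Date Joined** is defined as the date the user was invited, which contradicts both the field name and the **Type** field's Invitee/User distinction; state whether it records the invite date for invitees and the acceptance date for members, or rename the field. Two other points worth a sentence: the first paragraph notes that a pending invitation occupies a seat, so the Remove a member or invitee section should say whether removing an invitee frees that seat, and the CSV procedure is out of order (step 7 downloads a template and lists the file requirements, step 8 then tells the reader to create the file; merge them). Typos: "a large amount of members" should be "a large number of members", and "see the applications documentation" needs an apostrophe.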


@ -0,0 +1,68 @@
---
description: Registry Access Management
keywords: registry, access, management
title: Registry Access Management
---
{% include admin-early-access.md %}
> **Note**
>
> Registry Access Management is available to Docker Business customers only.
With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access registries that are allowed.
Registry Access Management supports both cloud and on-prem registries. Example registries administrators can allow include:
- Docker Hub. This is enabled by default.
- Amazon ECR
- GitHub Container Registry
- Google Container Registry
- Nexus
- Artifactory
## Prerequisites
You need to [configure a registry.json to enforce sign-in](../../docker-hub/configure-sign-in.md). For Registry Access Management to take effect, Docker Desktop users must authenticate to your organization.
## Configure Registry Access Management permissions
To configure Registry Access Management permissions:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Registry Access**.
4. Toggle on Registry Access Management to set the permissions for your registry.
> **Note**
>
> When enabled, the Docker Hub registry is set by default, however you can also restrict this registry for your developers.
5. To add registries to your list, select **Add** and enter your registry details in the applicable fields, then select **Create**.
6. Verify that the registry appears in your list and select **Save & Apply**.
> **Note**
>
> Once you add a registry, it takes up to 24 hours for the changes to be enforced on your developers machines. If you want to apply the changes sooner, you must force a Docker logout on your developers machine and have the developers re-authenticate for Docker Desktop.
> **Tip**
>
> Since RAM sets policies about where content can be fetched from, the [ADD](/engine/reference/builder/#add) instruction of the Dockerfile, when the parameter of the ADD instruction is a URL, is also subject to registry restrictions. It's recommended that you add the domains of URL parameters to the list of allowed registry addresses under the Registry Access Management settings of your organization.
{: .tip}
## Verify the restrictions
The new Registry Access Management policy takes effect after the developer successfully authenticates to Docker Desktop using their organization credentials. If a developer attempts to pull an image from a disallowed registry via the Docker CLI, they receive an error message that the organization has disallowed this registry.
## Caveats
There are certain limitations when using Registry Access Management:
- Windows image pulls, and image builds are not restricted
- Builds such as `docker buildx` using a Kubernetes driver are not restricted
- Builds such as `docker buildx` using a custom docker-container driver are not restricted
- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull”
- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series)
- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel)
- Not currently supported on Hyper-V Windows Containers
Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Docker Desktop does not support blocking these forms of manipulation.
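Review bot: In the last paragraph, "modifying their operating system's `sts` file" should be "`hosts` file". That paragraph, together with the "Blocking is DNS-based" caveat, means anyone who controls name resolution on their own machine (a local proxy, a hosts entry) can bypass the policy, so the page should say plainly that Registry Access Management is a guardrail against accidental use of unapproved registries, not a control that holds against a developer who intends to bypass it, and that the registry's own access controls are still needed for push/pull enforcement, as the DNS bullet already hints. Also: "Windows image pulls, and image builds are not restricted" has a stray comma; the two WSL 2 bullets ("this does not apply to earlier Linux kernel series" and "will be resolved in the updated 5.15 series") read as contradictory and should state which kernel versions the restriction actually works on; and "force a Docker logout on your developers machine" should be "developers' machines".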


@ -0,0 +1,14 @@
---
description: Group mapping in Docker Admin
keywords: Group Mapping, SCIM, Docker Admin
title: Group Mapping
---
{% include admin-early-access.md %}
{% include admin-group-mapping.md %}
>**Tip**
>
> [Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually.
{: .tip}
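Review bot: The Tip's second sentence is missing a comma after "SCIM" and is easy to misread as saying provisioning is automatic only when SCIM is off; suggest "If you don't enable SCIM, users are still provisioned automatically through SSO Just-in-Time provisioning, but you have to de-provision them manually." The de-provisioning gap is the point that matters for access review, so it is worth adding that without SCIM a user removed from the IdP keeps their organization membership (and seat) until an owner removes them from the Members page.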


@ -0,0 +1,36 @@
---
description: System for Cross-domain Identity Management
keywords: SCIM, SSO
title: SCIM
---
{% include admin-early-access.md %}
{% include admin-scim.md %}
## Set up SCIM
You must make sure you have [configured SSO](sso.md) before you enable SCIM. Enforcing SSO is not required.
### Step one: Enable SCIM in Docker Admin
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Security**.
4. In the **Single Sign-On Connection** table, select the **Actions** icon and **Setup SCIM**.
5. Copy the **SCIM Base URL** and **API Token** and paste the values into your IdP.
### Step two: Enable SCIM in your IdP
Follow the instructions provided by your IdP:
- [Okta](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SCIM.htm){: target="_blank" rel="noopener" class="_" }
- [Azure AD](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad#step-2-configure-the-enterprise-application){: target="_blank" rel="noopener" class="_" }
- [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" }
## Disable SCIM
If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.
1. In the **Single Sign-On Connection** table, select the **Actions** icon.
2. Select **Disable SCIM**.
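Review bot: The Azure AD link in Step two points at the Azure Databricks SCIM guide (`learn.microsoft.com/en-us/azure/databricks/...`), which walks through a Databricks-specific enterprise application; replace it with the generic Azure AD SCIM provisioning tutorial. Step one hands the reader a **SCIM Base URL** and **API Token** without saying what the token grants or how to rotate it; add a sentence that anyone holding the token can create, update and deactivate users in the organization, that it should be stored only in the IdP's provisioning configuration, and how to regenerate it (the Disable SCIM section says what happens to users, but not to the token). The Disable SCIM steps also lack the "Sign in to Docker Admin / select your organization / select **Security**" preamble that every other procedure on these pages has.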


@ -0,0 +1,99 @@
---
description: SSO configuration
keywords: configure, sso, docker admin
title: Configure Single Sign-On
---
{% include admin-early-access.md %}
Follow the steps on this page to configure SSO for your organization.
## Step one: Add and verify your domain
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Security**.
4. Select **Add Domain** and continue with the on-screen instructions to add the TXT Record Value to your domain name system (DNS).
>**Note**
>
> Format your domains without protocol or www information, for example, `yourcompany.example`. This should include all email domains and subdomains users will use to access Docker, for example `yourcompany.example` and `us.yourcompany.example`. Public domains such as `gmail.com`, `outlook.com`, etc. arent permitted. Also, the email domain should be set as the primary email.
5. Once you have waited 72 hours for the TXT Record verification, you can then select **Verify** next to the domain you've added, and follow the on-screen instructions.
## Step two: Create an SSO connection
> **Important**
>
> If your IdP setup requires an Entity ID and the ACS URL, you must select the
> **SAML** tab in the **Authentication Method** section. For example, if your
> Azure AD Open ID Connect (OIDC) setup uses SAML configuration within Azure
> AD, you must select **SAML**. If you are [configuring Open ID Connect with Azure AD](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings){: target="_blank" rel="noopener" class="_"} select
> **Azure AD** as the authentication method. Also, IdP initiated connections
> aren't supported at this time.
{: .important}
1. Once your domain is verified, in the **Single Sign-on Connection** table select **Create Connections**, and create a name for the connection.
> **Note**
>
> You have to verify at least one domain before creating the connections.
2. Select an authentication method, **SAML** or **Azure AD (OIDC)**.
3. Copy the following fields and add them to your IdP:
- SAML: **Entity ID**, **ACS URL**
- Azure AD (OIDC): **Redirect URL**
![SAML](../../../docker-hub/images/saml-create-connection.png){: width="500px" }
![Azure AD](../../../docker-hub/images/azure-create-connection.png){: width="500px" }
4. From your IdP, copy and paste the following values into the Docker **Settings** fields:
- SAML: **SAML Sign-on URL**, **x509 Certificate**
- Azure AD (OIDC): **Client ID**, **Client Secret**, **Azure AD Domain**
5. Select the verified domains you want to apply the connection to.
6. To provision your users, select the organization(s) and/or team(s).
7. Review your summary and select **Create Connection**.
## Step three: Test your SSO configuration
After youve completed the SSO configuration process in Docker Admin, you can test the configuration when you sign in to Docker Admin using an incognito browser. Sign in to Docker Admin using your domain email address. You are then redirected to your IdP's login page to authenticate.
1. Authenticate through email instead of using your Docker ID, and test the login process.
2. To authenticate through CLI, your users must have a PAT before you enforce SSO for CLI users.
>**Important**
>
> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization on Docker Hub.
>
> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm)
> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
{: .important}
The SSO connection is now created. You can continue to set up [SCIM](scim.md) without enforcing SSO log-in.
## Optional step four: Enforce SSO
1. In the **Single Sign-On Connections** table, select the **Action** icon and then **Enforce Single Sign-on**.
When SSO is enforced, your users are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. You must enable 2FA through your IdP.
2. Continue with the on-screen instructions and verify that youve completed the tasks.
3. Select **Turn on enforcement** to complete.
Your users must now sign in to Docker with SSO.
> **Important**
>
> If SSO isn't enforced, users can choose to sign in with either their Docker ID or SSO.
{: .important}
## What's next?
- [Manage you SSO connections](sso-management.md)
- [Set up SCIM](scim.md)
- [Enable Group mapping](group-mapping.md)
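Review bot: In Step one, step 5 says "Once you have waited 72 hours for the TXT Record verification"; DNS propagation can take up to 72 hours, so this should read "Wait up to 72 hours for the TXT record to propagate, then select **Verify**"; as written it tells every reader to wait three days. In Step two, step 4, the **x509 Certificate** field should say it is the IdP's SAML signing certificate, the one Docker uses to validate assertion signatures, because admins frequently paste an encryption or TLS certificate instead. The Important note in Step two links the Azure AD OIDC setup to the Power Apps portals documentation, which is a different product; link the Azure AD app registration docs. Under Optional step four, the statement that enforced users can no longer set up 2FA through Docker Hub and "You must enable 2FA through your IdP" is the key security consequence of enforcement and belongs in the numbered steps rather than as an aside. Typos: "arent permitted" and "youve" have lost their apostrophes, "Manage you SSO connections" should be "your", and "the email domain should be set as the primary email" needs to say whose email is meant (presumably each user's primary email address in their Docker account must be on the verified domain).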


@ -0,0 +1,10 @@
---
description: Single Sign-on FAQs
keywords: Docker, Docker Admin, SSO FAQs, single sign-on
title: Single Sign-On FAQs
toc_max: 2
---
{% include admin-early-access.md %}
{% include admin-sso-faq.md %}


@ -0,0 +1,95 @@
---
description: Manage SSO
keywords: manage, single sign-on, SSO, sign-on
title: Manage Single Sign-On
---
{% include admin-early-access.md %}
## Manage domains
### Remove a domain from an SSO connection
1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**.
2. Select **Next** to navigate to the section where the connected domains are listed.
3. In the **Domain** drop-down, select the **Remove** icon next to the domain that you want to remove.
4. Select **Next** to confirm or change the connected organization(s).
5. Select **Next** to confirm or change the default organization and team provisioning selections.
6. Review the **Connection Summary** and select **Save**.
> **Note**
>
> If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value.
## Manage organizations
### Connect an organization
1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**.
2. Select **Next** to navigate to the section where connected organizations are listed.
3. In the **Organizations** drop-down, select the organization to add to the connection.
4. Select **Next** to confirm or change the default organization and team provisioning.
5. Review the **Connection Summary** and select **Save**.
### Remove an organization
1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**.
2. Select **Next** to navigate to the section where connected organizations are listed.
3. In the **Organizations** drop-down, select **Remove** to remove the connection.
4. Select **Next** to confirm or change the default organization and team provisioning.
5. Review the **Connection Summary** and select **Save**.
## Manage SSO connections
### Edit a connection
1. In the **Single Sign-On Connection** table, select the **Action** icon.
2. Select **Edit connection** to edit you connection.
3. Continue with the on-screen instructions.
### Delete a connection
1. In the **Single Sign-On Connection** table, select the **Action** icon.
2. Select **Delete** and **Delete connection**.
3. Continue with the on-screen instructions.
### Deleting SSO
When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.
## Manage users
> **Important**
>
> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization.
>
> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm)
> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
{: .important}
### Add guest users when SSO is enabled
To add a guest to your organization if they arent verified through your IdP:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your organization in the drop-down menu.
3. Select **Members**.
4. Select **Invite**, enter the email address, and select an organization and team from the drop-down lists.
5. Select **Invite** to confirm.
### Remove users from the SSO company
To remove a user from an organization:
1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}.
2. In the left navigation, select your oranization in the drop-down menu.
3. Select **Members**.
4. Select the action icon next to a users name, and then select **Remove member**.
5. Follow the on-screen instructions to remove the user.
## What's next?
- [Set up SCIM](scim.md)
- [Enable Group mapping](group-mapping.md)
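Review bot: The "Remove users from the SSO company" heading does not match its body, which removes a user from an organization via the Members page; rename it "Remove a member from an organization" or make it a company-level procedure. The "Add guest users when SSO is enabled" section should spell out the consequence of what it describes: a guest who "isn't verified through your IdP" signs in outside the IdP's controls (no IdP sign-on policy, no SCIM de-provisioning), so their access has to be revoked manually with **Remove member**; the page currently presents guest invites without that warning. Under "Deleting SSO", say that users who were provisioned through SSO may never have set a Docker password and will need a password reset, rather than the vaguer "if they don't have one". The JIT Important note repeats the one on the configuration page verbatim; move it to an include. Typos: "edit you connection", "oranization", "arent", "users name".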


@ -0,0 +1,41 @@
---
description: Single sign-on overview
keywords: Single sign-on, SSO, sign-on
title: Single Sign-On overview
---
{% include admin-early-access.md %}
SSO allows users to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../../../subscription/upgrade.md).
## How it works
When SSO is enabled, users are redirected to your IdP's authentication page to sign in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process.
The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP.
![SSO architecture](/single-sign-on/images/sso-architecture.png)
## How to set it up
Before enabling SSO in Docker, administrators must first configure their IdP to work with Docker. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub.
After establishing the connection between the IdP server and Docker, administrators sign in to Docker Admin and complete the SSO enablement process.
When you enable SSO for your company, a first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your company and assigned to the company team in the organization.
Administrators can then choose to enforce SSO login and effortlessly manage SSO connections for their individual company.
## Prerequisites
* You must first notify your company about the new SSO login procedures.
* Verify that your members have Docker Desktop version 4.4.2, or later, installed on their machines.
* If your organization uses the Docker Hub CLI, new org members must [create a Personal Access Token (PAT)](../../../docker-hub/access-tokens.md) to sign in to the CLI.There is a grace period for existing users, which will expire in the near future. Before the grace period ends, your users can sign in from Docker Desktop CLI using their previous credentials until PATs are mandatory.
In addition, you should add all email addresses to your IdP.
* Confirm that all CI/CD pipelines have replaced their passwords with PATs.
* For your service accounts, add your additional domains or enable it in your IdP.
## What's next?
- Start [configuring SSO](sso-configuration.md) for your organization
- Explore [the FAQs](sso-faq.md)
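Review bot: In Prerequisites, "Docker Hub CLI" should be "Docker CLI" (the CLI signs in to Docker Hub; there is no Docker Hub CLI), and "CLI.There is a grace period" is missing a space. The same bullet says the grace period "will expire in the near future" with no date; give the date or drop the sentence, since a reader deciding when to enforce SSO needs to know whether password logins from CI still work. "In addition, it provides information on how to authenticate between your IdP" is incomplete; suggest "and how authentication flows between Docker and your IdP". "Docker currently supports Service Provider Initiated SSO flow" should read "the Service Provider-initiated SSO flow" and pairs with the "IdP initiated connections aren't supported" note on the configuration page; cross-link the two.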


@ -46,51 +46,4 @@ Select the **All Activities** dropdown to view activities that are specific to a
After choosing **Organization**, **Repository**, or **Billing**, you can further refine the results using the **All Actions** dropdown.
## Audit logs event definitions
Refer to the following section for a list of events and their descriptions:
### Organization events
| Event | Description |
|:------------------------------------------------------------------|:------------------------------------------------|
| Team Created | Activities related to the creation of a team |
| Team Updated | Activities related to the modification of a team |
| Team Deleted | Activities related to the deletion of a team |
| Team Member Added | Details of the member added to your team |
| Team Member Removed | Details of the member removed from your team |
| Team Member Invited | Details of the member invited to your team |
| Organization Member Added | Details of the member added to your organization |
| Organization Member Removed | Details about the member removed from your organization |
| Organization Created | Activities related to the creation of a new organization |
| Organization Settings Updated | Details related to the organization setting that was updated |
| Registry Access Management enabled | Activities related to enabling Registry Access Management |
| Registry Access Management disabled | Activities related to disabling Registry Access Management |
| Registry Access Management registry added | Activities related to the addition of a registry |
| Registry Access Management registry removed | Activities related to the removal of a registry |
| Registry Access Management registry updated | Details related to the registry that was updated |
| Single Sign-On domain added | Details of the single sign-on domain added to your organization |
| Single Sign-On domain removed | Details of the single sign-on domain removed from your organization |
| Single Sign-On domain verified | Details of the single sign-on domain verified for your organization |
### Repository events
| Event | Description |
|:------------------------------------------------------------------|:------------------------------------------------|
| Repository Created | Activities related to the creation of a new repository |
| Repository Deleted | Activities related to the deletion of a repository |
| Privacy Changed | Details related to the privacy policies that were updated |
| Tag Pushed | Activities related to the tags pushed |
| Tag Deleted | Activities related to the tags deleted |
### Billing events
| Event | Description |
|:------------------------------------------------------------------|:------------------------------------------------|
| Plan Upgraded | Occurs when your organizations billing plan is upgraded to a higher tier plan.|
| Plan Downgraded | Occurs when your organizations billing plan is downgraded to a lower tier plan. |
| Seat Added | Occurs when a seat is added to your organizations billing plan. |
| Seat Removed | Occurs when a seat is removed from your organizations billing plan. |
| Billing Cycle Changed | Occurs when there is a change in the recurring interval that your organization is charged.|
| Plan Downgrade Canceled | Occurs when a scheduled plan downgrade for your organization is canceled.|
| Seat Removal Canceled | Occurs when a scheduled seat removal for an organizations billing plan is canceled. |
{% include admin-org-audit-log-events.md %}
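Review bot: The include file `admin-org-audit-log-events.md` is not part of this diff, so check that it carries every row moved out here (18 organization events, 5 repository events, 7 billing events) and keeps the `## Audit logs event definitions` / `### Organization events` heading levels; otherwise existing anchors to the event definitions break, and the Registry Access Management and Single Sign-On domain events, which are the rows an admin filters on when investigating a policy change, silently disappear from the page. While moving the billing rows, also fix the missing possessive apostrophes the removed text carries: "your organizations billing plan" should read "your organization's billing plan" in the Plan Upgraded, Plan Downgraded, Seat Added, Seat Removed and Seat Removal Canceled rows.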
@ -4,21 +4,7 @@ keywords: company, multiple organizations, manage companies
title: Overview
---
A company provides a single point of visibility across multiple organizations. Docker introduced this new view to simplify the management of Docker organizations and settings. It's available to Docker Business subscribers.
The following diagram depicts the set up of a company and how it relates to associated organizations.
![company-process](images/company-process-diagram.png){: width="700px" }
## Key features
With a company, administrators can:
- View and manage all nested organizations and configure settings centrally.
- Carefully control access to the company and company settings.
- Have up to ten unique users assigned the company owner role without occupying a purchased seat.
- Configure SSO and SCIM for all nested organizations.
- Enforce SSO log-in for all users in the company.
{% include admin-company-overview.md %}
<div class="component-container">
<!--start row-->
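Review bot: The removed overview text contains a relative image reference, `![company-process](images/company-process-diagram.png)`; once that text lives in `admin-company-overview.md` and is included from pages in different directories, the path resolves relative to the including page, so confirm the image is reachable from every page that uses the include (or switch to a site-root path). Worth correcting on the way into the include as well: "depicts the set up of a company" should be "setup" (noun).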
@ -4,47 +4,7 @@ keywords: Group Mapping, SCIM, Docker Hub
title: Group Mapping
---
With directory group-to-team provisioning from your IdP, user updates will automatically sync with your Docker organizations and teams.
To correctly assign your users to Docker teams, you must create groups in your IDP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers” in Docker, and your organization name is “moby,” you must create a group in your IdP with the name “moby:developers”.
Once you enable group mappings in your connection, users assigned to that group in your IdP will automatically be added to the team “developers” in Docker.
>**Tip**
>
>Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, a group is created if it doesnt already exist.
{: .tip}
## How group mapping works
IdPs share with Docker the main attributes of every authorized user through SSO, such as email address, name, surname, and groups. These attributes are used by Just-In-Time (JIT) Provisioning to create or update the users Docker profile and their associations with organizations and teams on Docker Hub.
Docker uses the email address of the user to identify them on the platform. Every Docker account must have a unique email address at all times.
After every successful SSO sign-in authentication, the JIT provisioner performs the following actions:
1. Checks if there's an existing Docker account with the email address of the user that just authenticated.
a) If no account is found with the same email address, it creates a new Docker account using basic user attributes (email, name, and surname). The JIT provisioner generates a new username for this new account by using the email, name, and random numbers to make sure that all account usernames are unique in the platform.
b) If an account exists for this email address, it uses this account and updates the full name of the users profile if needed.
2. Checks if the IdP shared group mappings while authenticating the user.
a) If the IdP provided group mappings for the user, the user gets added to the organizations and teams indicated by the group mappings.
b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user is not a member, it adds the user to the default team and organization configured in the SSO connection.
![JIT provisioning](images/jit.PNG)
## Use group mapping
To take advantage of group mapping, follow the instructions provided by your IdP:
- [Okta](https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm){: target="_blank" rel="noopener" class="_" }
- [Azure AD](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes){: target="_blank" rel="noopener" class="_" }
- [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" }
Once complete, a user who signs in to Docker through SSO is automatically added to the organizations and teams mapped in the IdP.
{% include admin-company-overview.md %}
>**Tip**
>
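Review bot: The replacement line includes `admin-company-overview.md`, but this file is the Group Mapping page (title: Group Mapping; keywords: Group Mapping, SCIM, Docker Hub), so the include name looks like a copy-paste slip: the company overview text would replace the explanation of the `organization:team` naming pattern and the JIT provisioning steps. Whichever include is intended, it needs to keep the behaviour described in the removed step 2b, that a user for whom the IdP sends no group mappings is added to the default team and organization configured in the SSO connection, because that fallback decides what access a newly provisioned user gets, and it must keep `![JIT provisioning](images/jit.PNG)` reachable from the including page. The trailing context shows a `>**Tip**` blockquote immediately after the include, so make sure the include ends with a blank line or the tip merges into its last paragraph.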
@ -6,18 +6,7 @@ redirect_from:
- /docker-cloud/orgs/
---
An organization in Docker Hub is a collection of teams and repositories
that can be managed together. A team is a group of Docker members that belong to an organization.
An organization can have multiple teams.
Docker users become members of an organization
when they are assigned to at least one team in the organization. When you first
create an organization, you have one team, the "owners" team, that has a single member. An organization owner is someone that is part of the
owners team. They can create new teams and add
members to an existing team using their Docker ID or email address and by
selecting a team the user should be part of. An organization owner can also add
additional owners to help them manage users, teams, and repositories in the
organization.
{% include admin-org-overview.md %}
## Create an organization
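Review bot: The removed text is what defines organization membership (a user becomes a member by being assigned to at least one team) and the role of the "owners" team; verify `admin-org-overview.md` preserves both definitions, since the later member-management pages rely on them. The include line now sits directly against `## Create an organization`, so the include file must end with a blank line or the heading runs into its last paragraph.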
@ -6,27 +6,7 @@ direct_from:
- /docker-hub/company-scim/
---
This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers.
SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker Hub and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker Hub and added to the organization or company.
Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker Hub. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the users first name and last name.
The following provisioning features are supported:
- Creating new users
- Push user profile updates
- Remove users
- Deactivate users
- Re-activate users
- Group mapping
The table below lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.
| Attribute | Description
|:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------|
| username | Unique identifier of the user (email) |
| givenName | Users first name |
| familyName |Users surname |
{% include admin-scim.md %}
## Set up SCIM
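Review bot: The attribute table being moved has a malformed header row, `| Attribute | Description` with no closing pipe, so if it was copied verbatim into `admin-scim.md` it may not render as a table; the three rows (`username`, `givenName`, `familyName`) and the sentence that attribute mappings must match the SSO mapping to avoid duplicate members are exactly what an admin needs when wiring the IdP, so check they survive and fix "Users first name" / "Users surname" to "User's". The hunk header shows the frontmatter key as `direct_from:`; if the file really contains that rather than `redirect_from:`, the `/docker-hub/company-scim/` redirect will not be generated.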
@ -51,5 +31,5 @@ Follow the instructions provided by your IdP:
If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.
1. In the **Single Sign-On Connection** table, select the **Actions** icon
1. In the **Single Sign-On Connection** table, select the **Actions** icon.
2. Select **Disable SCIM**.
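Review bot: The only change here is the trailing period on step 1 to match step 2, which is fine. The paragraph above the steps is the security-relevant part: once SCIM is disabled, de-provisioning stops and previously provisioned users keep their organization access until an admin removes them by hand. These pages already use Kramdown callouts elsewhere (`{: .tip}` in the group mapping file), so consider promoting that paragraph to a warning-style callout so it is not read past.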
@ -5,313 +5,4 @@ title: Single Sign-on FAQs
toc_max: 2
---
<ul class="nav nav-tabs">
<li class="active"><a data-toggle="tab" data-target="#tab1">General</a></li>
<li><a data-toggle="tab" data-target="#tab2">SAML</a></li>
<li><a data-toggle="tab" data-target="#tab3">Docker org and Docker ID</a></li>
<li><a data-toggle="tab" data-target="#tab4">Identity providers</a></li>
<li><a data-toggle="tab" data-target="#tab5">Domains</a></li>
<li><a data-toggle="tab" data-target="#tab6">SSO enforcement</a></li>
<li><a data-toggle="tab" data-target="#tab7">Managing users</a></li>
</ul>
<div class="tab-content">
<div id="tab1" class="tab-pane fade in active" markdown="1">
### Is Docker SSO available for all paid subscriptions?
Docker Single Sign-on (SSO) is only available with the Docker Business subscription. Upgrade your existing subscription to start using Docker SSO.
### How does Docker SSO work?
Docker Single Sign-on (SSO) allows users to authenticate using their identity providers (IdPs) to access Docker. Docker supports Azure AD and any SAML 2.0 identity providers. When you enable SSO, users are redirected to your providers authentication page to authenticate using their email and password.
### What SSO flows are supported by Docker?
Docker supports Service Provider Initiated (SP-initiated) SSO flow. This means users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process.
### Where can I find detailed instructions on how to configure Docker SSO?
You first need to establish an SSO connection with your identity provider, and the company email domain needs to be verified prior to establishing an SSO connection for your users. For detailed step-by-step instructions on how to configure Docker SSO, see [Single Sign-on](index.md).
### Does Docker SSO support multi-factor authentication (MFA)?
When an organization uses SSO, MFA is determined on the IdP level, not on the Docker platform.
### Do I need a specific version of Docker Desktop for SSO?
Yes, all users in your organization must upgrade to Docker Desktop version 4.4.2 or later. Users on older versions of Docker Desktop will not be able to sign in after SSO is enforced, if the company domain email is used to sign in or as the primary email associated with an existing Docker account. Your users with existing accounts can't sign in with their username and password.
<hr>
</div>
<div id="tab2" class="tab-pane fade" markdown="1">
### Does SAML authentication require additional attributes?
You must provide an email address as an attribute to authenticate through SAML. The Name attribute is optional.
### Does the application recognize the NameID/Unique Identifier in the SAMLResponse subject?
The preferred format is your email address, which should also be your Name ID.
### When you enforce SAML SSO, at what stage is the login required for tracking through SAML? At runtime or install time?
At runtime for Docker Desktop if its configured to require authentication to the organization.
### Do you have any information on how to use the Docker Desktop application in accordance with the SSO users we provide? How can we verify that we're handling the licensing correctly?
Verify that your users have downloaded the latest version of Docker Desktop. An enhancement in user management observability and capabilities will become available in the future.
<hr>
</div>
<div id="tab3" class="tab-pane fade" markdown="1">
### Whats a Docker ID? Can I retain my Docker ID when using SSO?
For a personal Docker ID, a user is the account owner, its associated with access to the user's repositories, images, assets. An end user can choose to have a company domain email on the Docker account, when enforcing SSO, the account is connected to the organization account. When enforcing SSO for an organization(s) or company, any user logging in without an existing account using verified company domain email will automatically have an account provisioned, and a new Docker ID created.
### What if the Docker ID I want for my organization or company is taken?
This depends on the state of the namespace, if trademark claims exist for the organization or company Docker ID, a manual flow for legal review is required.
### What if I want to create more than 3 organizations?
You can create multiple organizations or multiple teams under a single company. SSO is available at the company level.
<hr>
</div>
<div id="tab4" class="tab-pane fade" markdown="1">
### Is it possible to use more than one IdP with Docker SSO?
No. You can only configure Docker SSO to work with a single IdP. A domain can only be associated with a single IdP. Docker supports Azure AD and identity providers that support SAML 2.0.
### Is it possible to change my identity provider after configuring SSO?
Yes. You must delete your existing IdP configuration in Docker Hub and follow the instructions to Configure SSO using your IdP. If you had already turned on enforcement, you should turn off enforcement before updating the provider SSO connection.
### What information do I need from my identity providers to configure SSO?
To enable SSO in Docker, you need the following from your IdP:
* **SAML**: Entity ID, ACS URL, Single Logout URL and the public X.509 certificate
* **Azure AD**: Client ID, Client Secret, AD Domain.
### What happens if my existing certificate expires?
If your existing certificate has expired, you may need to contact your identity provider to retrieve a new x509 certificate. The new certificate must be updated in the SSO configuration settings page on Docker Hub.
### What happens if my IdP goes down when SSO is enabled?
It's not possible to access Docker Hub when your IdP is down. However, you can access Docker Hub images from the CLI using your Personal Access Token. Or, if you had an existing account before the SSO enforcement, you can use your username and password to access Docker Hub images during the grace period for your organization.
### What happens when I turn off SSO for my organization(s) or company?
When you turn off SSO, authentication through your Identity Provider isn't required to access Docker. Users may continue to sign in through Single Sign-On as well as Docker ID and password.
### Q: How do I handle accounts using Docker Hub as a secondary registry? Do I need a bot account?
You can add a bot account to your IDP and create an access token for it to replace the other credentials.
### Does Docker plan to release SAML just in time provisioning?
The SSO implementation is already "just in time". Admins don't have to create users accounts on Hub, they can just enable it on the IdP and have the users sign in through their domain email on Hub.
### Will there be IdP initiated logins? Does Docker plan to support SSO logins outside of Hub and Desktop?
We currently do not have any plans to enable IdP initiated logins.
### Build agents - For customers using SSO, do they need to create a bot account to fill a seat within the dockerorg?
Yes, bot accounts needs a seat, similar to a regular end user, having a non-aliased domain email enabled in the IdP and using a seat in Hub.
### Is it possible to connect Docker Hub directly with a Microsoft Azure Active Directory Group?
Yes, Azure AD is supported with SSO for Docker Business, both through a direct integration and through SAML.
<hr>
</div>
<div id="tab5" class="tab-pane fade" markdown="1">
### Can i add sub-domains?
Yes, you can add sub-domains to your SSO , however all email addresses should also be on that domain. Verify that your DNS provider supports multiple txt fields for the same domain.
### Can the DNS provider configure it once for one-time verification and remove it later OR will it be needed permanently?
They can do it one time to add it to a connection. If they ever change IdPs and have to set up SSO again, they will need to verify again.
### Is adding domain required to configure SSO? What domains should I be adding? And how do I add it?
Adding and verifying a domain is required to enable and enforce SSO. Select **Add Domain** and specify the email domains that's allowed to authenticate through your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email.
### If users are using their personal email, do they have to convert to using the Orgs domain before they can be invited to join an Org? Is this just a quick change in their Hub account?
No, they don't. Though they can add multiple emails to a Docker ID if they choose to. However, that email can only be used once across Docker. The other thing to note is that (as of January 2022) SSO will not work for multi domains as an MVP and it will not work for personal emails either.
### Since Docker ID is tracked from SAML, at what point is the login required to be tracked from SAML? Runtime or install time?
Runtime for Docker Desktop if they configure Docker Desktop to require authentication to their org.
### Do you support IdP-initiated authentication (e.g., Okta tile support)?
We don't support IdP-initiated authentication. Users must initiate login through Docker Desktop or Hub.
<hr>
</div>
<div id="tab6" class="tab-pane fade" markdown="1">
### We currently have a Docker Team subscription. How do we enable SSO?
SSO is available with a Docker Business subscription. To enable SSO, you must first upgrade your subscription to a Docker Business subscription. To learn how to upgrade your existing account, see [Upgrade your subscription](https://www.docker.com/pricing).
### How do service accounts work with SSO?
Service accounts work like any other user when SSO is turned on. If the service account is using an email for a domain with SSO turned on, it needs a PAT for CLI and API usage.
### Is DNS verification required to enable SSO?
Yes. You must verify a domain before using it with an SSO connection.
### Does Docker SSO support authenticating through the command line?
Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../docker-hub/access-tokens.md).
### How does SSO affect our automation systems and CI/CD pipelines?
Before enforcing SSO, you must create PATs for automation systems and CI/CD pipelines and use the tokens instead of a password.
### I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they purchase Docker Business licenses, they will implement and enforce SSO through Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account?
If they already have their organization email on their account, then it will be migrated to SSO.
### If an organization enables SSO, the owners can control Docker IDs associated with their work email domain. Some of these Docker IDs won't be users of Docker Desktop and therefore don't require a Business subscription. Can the owners choose which Docker IDs they add to their Docker org and get access to Business features? Is there a way to flag which of these Docker IDs are Docker Desktop users?
SSO enforcement will apply to any domain email user, and automatically add that user to the Docker Hub org that enables enforcement. The admin could remove users from the org manually, but those users wouldn't be able to authenticate if SSO is enforced.
### Can I enable SSO and hold off on the domain verification and enforcement options?
Yes, they can choose to not enforce, and users have the option to use either Docker ID (standard email/password) or email address (SSO) at the sign-in screen.
### SSO is enforced, but one of our users is connected to several organizations (and several email-addresses) and is able to bypass SSO and login through userid and password. Why is this happening?
They can bypass SSO if the email they're using to sign in doesn't match the organization email being used when SSO is enforced.
### Is there a way to test this functionality in a test tenant with Okta before going to production?
Yes, you can create a test organization. Companies can set up a new 5 seat Business plan on a new organization to test with (making sure to only enable SSO, not enforce it or all domain email users will be forced to sign in to that test tenant).
### Once we enable SSO for Docker Desktop, what's the impact to the flow for Build systems that use service accounts?
If SSO is enabled, there is no impact for now. We'll continue to support either username/password or personal access token sign-in.
However, if you **enforce** SSO:
* Service Account domain email addresses must be unaliased and enabled in their IdP
* Username/password and personal access token will still work (but only if they exist, which they won't for new accounts)
* Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token for that service account.
<hr>
</div>
<div id="tab7" class="tab-pane fade" markdown="1">
### How do I manage users when using SSO?
Users are managed through organizations in Docker Hub. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
### Do I need to manually add users to my organization?
No, you dont need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker Hub, they're automatically assigned to the organization using their domain email address.
When a user signs into Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
### Can users in my organization use different email addresses to authenticate through SSO?
During the SSO setup, youll have to specify the company email domains that are allowed to authenticate. All users in your organization must authenticate using the email domain specified during SSO setup. Some of your users may want to maintain a different account for their personal projects.
Users with a public domain email address will be added as guests.
### Can Docker org owners/Admins/company owners approve users to an organization and use a seat, rather than having them automatically added when SSO Is enabled?
Admins, organization owners and company owners can currently approve users by configuring their permissions through their IdP. That's if the user account is configured in the IdP, the user will be automatically added to the organization in Docker Hub as long as theres an available seat.
### How will users be made aware that they're being made a part of a Docker Org?
When SSO is enabled, users will be prompted to authenticate through SSO the next time they try to sign in to Docker Hub or Docker Desktop. The system will see the end-user has a domain email associated with the docker ID they're trying to authenticate with, and prompts them to sign in with SSO email and credentials instead.
If users attempt to sign in through the CLI, they must authenticate using a personal access token (PAT).
### Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their companys domain?
Yes. Admins can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../docker-hub/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file.
Once SSO enforcement is set up on their Docker Business organisation or company on Hub, when the user is forced to authenticate with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password).
Users may still be able to authenticate as a "guest" account using a non-domain email address. However, they can only authenticate as guests if that non-domain email was invited.
### Is it possible to convert existing users from non-SSO to SSO accounts?
Yes, you can convert existing users to an SSO account. To convert users from a non-SSO account:
* Ensure your users have a company domain email address and they have an account in your IdP
* Verify that all users have Docker Desktop version 4.4.2 or later installed on their machines
* Each user has created a PAT to replace their passwords to allow them to sign in through Docker CLI
* Confirm that all CI/CD pipelines automation systems have replaced their passwords with PATs.
For detailed prerequisites and instructions on how to enable SSO, see [Configure Single Sign-on](index.md).
### What impact can users expect once we start onboarding them to SSO accounts?
When SSO is enabled and enforced, your users just have to sign in using the email address and password.
### Is Docker SSO fully synced with Active Directory (AD)?
Docker doesnt currently support a full sync with AD. That's, if a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../docker-hub/members.md#remove-members) from the organization.
Additionally, you can use our APIs to complete this process.
### What's the best way to provision the Docker Subscription without SSO?
Company or organisation owners can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already).
### If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link through email?
Yes, if the user is added through email address to an org, they will receive an email invite. If invited through Docker ID as an existing user instead, they'll be added to the organization automatically. A new invite flow will occur in the near future that will require an email invite (so the user can choose to opt out). If the org later sets up SSO for [zeiss.com](https://www.zeiss.com/) domain, the user will automatically be added to the domain SSO org next sign in which requires SSO auth with the identity provider (Hub login will automatically redirect to the identity provider).
### Can someone join an organization without an invitation? Is it possible to put specific users to an organization with existing email accounts?
Not without SSO. Joining requires an invite from a member of the Owners group. When SSO is enforced, then the domains verified through SSO will allow users to automatically join the organization the next time they sign in as a user that has a domain email assigned.
### When we send an invitation to the user, will the existing account be consolidated and retained?
Yes, the existing user account will join the organization with all assets retained.
### How can I view, update, and remove multiple email addresses for my users?
We only support one email per user on the Docker platform.
### How can I remove invitees to the org who haven't signed in?
They can go to the invitee list in the org view and remove them.
### How's the flow for service account authentication different from a UI user account?
It isn't; we don't differentiate the two in product.
<hr>
</div>
</div>
{% include admin-sso-faq.md %}
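Review bot: The FAQ text moved into `admin-sso-faq.md` contains relative links (`index.md` in the "Where can I find detailed instructions" and "Is it possible to convert existing users" answers, plus `../docker-hub/access-tokens.md`, `../docker-hub/members.md#remove-members` and `../docker-hub/configure-sign-in.md`); an include is rendered relative to whichever page includes it, so these resolve differently from `/admin/company/settings/sso-faq/` than from the original location and at least one set will 404. Use site-root paths in the include. Two items should also not be carried over verbatim: the answer about manual invites cites a real customer domain, `zeiss.com`, which should become a placeholder such as example.com, and the "as of January 2022" statement that SSO "will not work for multi domains" contradicts the Domains-tab answer that sub-domains can be added, so the stale sentence needs reconciling. Finally, the SSO-enforcement answer listing what still works for service accounts (existing username/password and PATs keep working; anyone holding the IdP credentials can sign in as the service account and rotate its PAT) is the operationally important warning on this page; confirm it survives the move unchanged.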