* remove ea banner

* adjust company faqs

* remove outdated SSO video

* AG-1762

* sso updates

* SSO faqs

* improve flow

* fix build

* scim

* fix build

* group mapping

* tidy-up

* fix build

* tidy up

* update link

* code review updates

* feedback from serj and amanda
Allie Sadler 2023-03-07 18:06:47 +00:00 committed by GitHub
parent d5a99d103e
commit 3eebeb3315
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 312 additions and 758 deletions

View File

@ -1836,17 +1836,7 @@ manuals:
- path: /docker-hub/creating-companies/
title: Overview
- path: /docker-hub/company-owner/
title: Company owners
- path: /docker-hub/domains/
title: Domains
- path: /docker-hub/sso-connection/
title: SSO connection
- path: /docker-hub/group-mapping/
title: Group mapping
- path: /docker-hub/company-scim/
title: SCIM
- path: /docker-hub/enforcing-sso/
title: Enforce SSO Login
title: Manage company owners
- path: /docker-hub/company-faqs/
title: FAQs
- path: /docker-hub/orgs/
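Review bot: Three of the removed navigation entries (/docker-hub/domains/, /docker-hub/sso-connection/ and /docker-hub/enforcing-sso/) have no redirect anywhere visible in this commit, whereas /docker-hub/company-scim/ and /docker-hub/group-mapping/ are listed in the scim.md front matter; add redirects for the other three so existing links and bookmarks don't 404 once those pages are gone.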

View File

@ -10,15 +10,15 @@ Contact your designated CSM team member or Docker Support.
### Are existing subscriptions affected when a company is created and organizations are added to the company?
Subscriptions and related billing details will continue to be managed at the organization level at this time.
Subscriptions and related billing details continue to be managed at the organization level at this time.
### Some of my organizations dont have a Docker Business subscription. Can I still use a parent company?
Yes, but only organizations with a Docker Business subscription are placed under a company.
Yes, but only organizations with a Docker Business subscription can be placed under a company.
### What happens if one of my organizations downgrades from Docker Business, but I still need access as a company owner?
To access and manage child organizations, the organization must have a Docker Business subscription. If the organization isn't a part of this subscription, the owner of the organization must manage the org from the company.
To access and manage child organizations, the organization must have a Docker Business subscription. If the organization isnt included in this subscription, the owner of the organization must manage the organization outside of the company.
### Does my organization need to prepare for downtime during the migration process?
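Review bot: The new answer under "What happens if one of my organizations downgrades" drops the apostrophe in "isnt" that the replaced line had ("isn't"); keep the straight apostrophe so it matches the rest of the file. Note also that the new wording ("manage the organization outside of the company") says the opposite of the old one ("manage the org from the company"); the new version is consistent with the sentence before it, but worth a second pair of eyes since it is a change in stated behaviour, not just a rewording.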
@ -30,9 +30,9 @@ A maximum of 10 company owners can be added to a single company account.
### What permission does the company owner have in the associated/nested organizations?
Company owners can navigate to the **Organization** page, view/edit organization members, change SSO/SCIM settings that may impact all users in each organization under the company. However, a company owner can't change any organization repositories.
Company owners can navigate to the **Organizations** page to view all their nested organizations in a single location. They can also view or edit organization members and change SSO and SCIM settings. Changes to company settings impact all users in each organization under the company.
### What features are supported at the company level? Will this change over time?
### What features are supported at the company level?
Domain verification, Single Sign-on, and System for Cross-domain Identity Management (SCIM) are supported at the company level. The following aren't supported:
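Review bot: The rewritten answer removes the only sentence that bounded the company owner role ("a company owner can't change any organization repositories"). The limit is still stated further down under "What are the different permissions for an organization owner?", so keep a one-line pointer here: this question is where a reader looks for what a company owner can and cannot do.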
@ -51,20 +51,13 @@ Contact your designated CSM team member or Docker Support with a list of the Doc
### How does a company owner manage SSO/SCIM settings from my new parent company?
See Manage your [SCIM](../docker-hub/company-scim.md) and [SSO](../docker-hub/sso-connection.md) settings.
See your [SCIM](scim.md) and [SSO](../single-sign-on/configure/index.md) settings.
### How does a company owner enable group mapping in my IdP?
See [group mapping](../docker-hub/group-mapping.md) for your IdP.
See [SCIM](scim.md) for more information.
### What's the definition of a company vs an organization?
A company is a collection of organizations that's managed together. An organization is a collection of repositories and teams that's managed together.
A company is a collection of organizations that are managed together. An organization is a collection of repositories and teams that are managed together.
### What are the different permissions for an organization owner?
Organization owners can create, view, push, and pull repositories from their organization. As a company owner, you dont have these privileges.
### If an organization isn't part of a company, would SSO or SCIM settings change?
No, the SSO or SCIM settings won't change for that organization.
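Review bot: The group mapping answer now just says "See SCIM for more information", but the scim.md hunk in this commit still states "Group management is not supported" and only offers group mapping as an optional step with links to IdP docs; say explicitly here that group mapping is configured in the IdP rather than in Docker's SCIM settings, or the FAQ sends readers in a circle. Also "See your SCIM and SSO settings" reads as a link to the user's own settings page; "See the SCIM and Configure SSO pages" would be clearer.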

View File

@ -1,28 +1,12 @@
---
description: company owners
keywords: company, owners
title: Company owners
title: Manage company owners
---
> **Note**
>
> The following features are only available to [Early Access](../release-lifecycle.md/#early-access-ea) participants.
To navigate to the company page:
1. Sign in to [Docker Hub](https://hub.docker.com/){: target="_blank" rel="noopener" class="_"} to view your company and organizations.
2. On the **Organizations** page, select your company to access the **Overview** tab. For example, the company listed below is **dockerinc** and the organization is **docker**.
![org-page](images/org-page.png){: width="700px" }
## Manage company owners
As a company owner, you can configure [Single Sign-on (SSO)](../single-sign-on/configure/index.md) and [System for Cross-domain Identity Management (SCIM)](../docker-hub/scim.md) for all organizations under the company. This is only visible if your organization has a Docker Business subscription. If you want to upgrade your subscription to include the organization under the company, see [upgrade your subscription](../subscription/upgrade.md).
The SSO configuration updates all domain mappings for your organizations to a single domain so you can manage multiple organizations using one domain for your company. Group management is also available if your IdP supports group assignment.
### Add a company owner
## Add a company owner
1. Sign in to [Docker Hub](https://hub.docker.com/){: target="_blank" rel="noopener" class="_"}, navigate to the **Organizations** page, and select your company.
2. In the **Overview** tab, select **Add owner** and enter their Docker ID or email address.
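Review bot: The removed paragraph (starting "As a company owner, you can configure") was the only text in this commit saying that company-level SSO configuration consolidates domain mappings across organizations onto one domain and that group management depends on the IdP supporting group assignment; neither statement reappears in the Overview hunk. Confirm the linked Configure SSO page covers both, or carry the sentence into the Overview, otherwise that behaviour becomes undocumented.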
@ -30,9 +14,7 @@ The SSO configuration updates all domain mappings for your organizations to a si
![company-overview](images/company-overview.png){: width="700px" }
![add-owner](images/add-owner.png){: width="700px" }
### Remove a company owner
## Remove a company owner
1. Sign in to [Docker Hub](https://hub.docker.com/){: target="_blank" rel="noopener" class="_"}, navigate to the **Organizations** page, and select your company.
2. In the **Overview** tab, find the **Company Owner** you want to remove.

View File

@ -1,57 +0,0 @@
---
description: company scim
keywords: scim, company
title: SCIM
---
> **Note**
>
> The following features are only available to [Early Access](../release-lifecycle.md/#early-access-ea) participants.
SCIM is a provisioning system that lets you manage users within your identity provider (IdP). You can enable SCIM on organizations that are part of the Docker Business subscription.
### Enable SCIM
1. In the **Single Sign-On Connections**, select the **Actions** icon and **Setup SCIM**.
> **Note**
>
> Establishing the SSO connection lets you set up SCIM. However, this doesnt enforce SSO. To continue, see [Enforcing SSO](../docker-hub/enforcing-sso.md).
2. Copy the **SCIM Base URL** and **API Token** and paste the values into your IdP.
![provision-scim](images/provision-scim.png){: width="700px" }
3. Continue to configure SCIM for Okta, Azure AD, or Onelogin.
### Enable SCIM group mapping
#### Okta
If users are signing in via SSO and SCIM, theyre also provisioned via SCIM.
1. Navigate to Okta, select the **Provisioning** tab in the Docker application.
2. In **Settings**, select **Integration**, and **Edit**.
3. Enable **Push Groups**, and select **Save**.
> **Note**
>
> You can also enable **Import Groups** as an option if you want to import all Docker Hub teams into Okta groups.
![okta-provisioning](images/okta-provisioning.png){: width="700px" }
#### Azure AD
1. Navigate to Azure AD and select your Docker application.
2. Select the **Provisioning** tab and **Edit provisioning**.
3. In **Mappings**, select **Provision Azure Active Directory Groups**, and select **Yes** to enable your mapping.
4. In the **Target Object Actions**, select **Create, **Update, and Delete***.
5. In the **Attribute Mappings**, confirm that the **displayName**, **objectid**, and **members** are added.
![azure-provisioning](images/azure-provisioning.png){: width="700px" }
6. Select **Save** and continue with the on-screen instructions.
> **Note**
>
> You can view **Mappings** to see that provisioning is enabled.
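Review bot: Deleting this page removes the only step-by-step group provisioning instructions for a company (Okta Push Groups; Azure AD Provision Azure Active Directory Groups set to Yes with the displayName, objectid and members mappings). The replacement scim.md keeps "Group management is not supported" and points to generic IdP group-push docs, while the Azure AD steps shown in the scim.md hunk tell users to turn group sync off to avoid quarantine. Settle which guidance is correct before shipping so admins aren't left with contradictory instructions.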

View File

@ -14,11 +14,11 @@ You can convert an existing user account to an organization. You might want to d
Before you convert a user account to an organization, ensure that you have completed the following steps:
1. The user account that you wish to convert must not be a member of any teams or organizations. You must remove the account from all teams and organizations.
1. The user account that you wish to convert must not be a member of a company or any teams or organizations. You must remove the account from all teams, organizations, or the company.
Go to **Organizations**, select an organization from the list, and then click the Leave organization arrow next to your username in the members list.
If the user account is the sole owner of any organization, add someone to the "owners" team and then remove yourself from the organization.
If the user account is the sole owner of any organization or company, add someone to the "owners" team and then remove yourself from the organization or company.
2. You must have a separate Docker ID ready to assign it as the owner of the organization during conversion.
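Review bot: "add someone to the "owners" team and then remove yourself from the organization or company" does not work for a company: a company has no "owners" team, and owners are added through Add owner on the company Overview page (see the company-owner.md hunk). Split the sentence the way the deactivate-account hunk does ("add someone else as a company owner and then remove yourself"). Also "all teams, organizations, or the company" should read "and", since all three memberships must be removed.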
@ -26,7 +26,7 @@ Before you convert a user account to an organization, ensure that you have compl
## Convert a Community account into an organization
1. Ensure you have removed your user account from all teams and organizations and that you have a new Docker ID before you convert an account. See the [Prerequisites](#prerequisites) section for details.
1. Ensure you have removed your user account from any company or teams or organizations. Also make sure that you have a new Docker ID before you convert an account. See the [Prerequisites](#prerequisites) section for details.
2. Click on your account name in the top navigation, then go to your **Account Settings**.
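Review bot: "from any company or teams or organizations" is hard to parse; "from any company, team, or organization you belong to" keeps the meaning and reads naturally.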
@ -48,7 +48,7 @@ Before you convert a user account to an organization, ensure that you have compl
will be migrated to a Team plan and will be charged $35 per month for 5 seats. For more information,
see [Docker Pricing](https://www.docker.com/pricing){: target="_blank" rel="noopener" class="_"}.
1. Ensure you have removed your user account from all teams and organizations and that you have a new Docker ID before you convert an account. See the [Prerequisites](#prerequisites) section for details.
1. Ensure you have removed your user account from any company or teams or organizations. Also make sure that you have a new Docker ID before you convert an account. See the [Prerequisites](#prerequisites) section for details.
2. Click on your account name in the top navigation bar, then go to your **Account Settings**.
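Review bot: Same wording issue as the Community account step: "from any company or teams or organizations" should be "from any company, team, or organization you belong to".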

View File

@ -4,32 +4,26 @@ keywords: company, multiple organizations, manage companies
title: Overview
---
> **Note**
>
> The following features are only available to [Early Access](../release-lifecycle.md/#early-access-ea) participants.
A company provides a single point of visibility across multiple organizations. Docker introduced this new view to simplify the management of Docker organizations and settings. It's available to Docker Business subscribers.
The following diagram depicts the set up of a company and how it relates to associated organizations.
To simplify the management of Docker organizations and settings, Docker has introduced a new view that provides a single point of visibility across multiple organizations called a Company. A company can become a parent to nested child organizations. A company lets Docker Business subscribers manage their organizations and configure settings centrally. With the new company owner role, you can control access to the company and company settings. These settings can affect all the organizations nested under the company. You can assign up to ten unique users to a company owner role without occupying a purchased seat.
![company-process](images/company-process-diagram.png){: width="700px" }
Docker will work with your current Docker organization owners to create the company, associate your Docker Business organizations, and identify your company owner(s). Once created, users with a company owner role can navigate to a new page that displays the company name, organizations associated with the company, a list of company owners, and settings that include your Domain verification, Single Sign-on (SSO) connection to your identity provider, System for Cross-domain Identity Management (SCIM) setup.
## Key features
With a company, administrators can:
![company-process](images/company-process-diagram.png){: width="700px" }
When a company owner makes adjustments to user management settings at the company level, this will affect all organizations associated with the company.
The company owner can:
- View all nested organizations.
- Configure SSO and SCIM for all nested organizations, including SCIM Group mapping.
- View and manage all nested organizations and configure settings centrally.
- Carefully control access to the company and company settings.
- Have up to ten unique users assigned the company owner role without occupying a purchased seat.
- Configure SSO and SCIM for all nested organizations.
- Enforce SSO log-in for all users in the company.
- Verify a domain separately from the organization namespace.
- Add and remove up to 10 company owners.
A company owner role is only available if your organization has a Docker Business subscription. If you don't have a Docker Business subscription, you must first [upgrade your subscription](../subscription/upgrade.md).
## Get started
Docker will work with your current Docker organization owners to create the company, associate your organizations, and identify your company owner(s).
Youll need to send the following information to your CSM Docker team member to set up your company:
- The name of your company. For example, Docker uses the company name **dockerinc**.
@ -37,11 +31,13 @@ Youll need to send the following information to your CSM Docker team member t
- The verified domains you want to move to the company level.
- Confirm if you want to migrate one of your organizations SSO and SCIM settings to the company. Migrating SSO settings will also migrate verified domains from the organization to the parent company.
## Company overview and settings
Once created, users with a company owner role can navigate to the **Overview** page in Docker Hub that displays the company name and organizations associated with the company.
To navigate to the company page:
![org-page](images/org-page.png){: width="700px" }
1. Sign in to [Docker Hub](https://hub.docker.com/){: target="_blank" rel="noopener" class="_"} to view your company and organizations.
2. On the **Organizations** page, select your company to access the **Overview** tab. For example, the company listed below is **dockerinc** and the organization is **docker**.
## What's next?
![org-page](images/org-page.png){: width="700px" }
- [Configure SSO](../single-sign-on/configure/index.md)
- [Manage SSO](../single-sign-on/manage/index.md)
- [Manage company owners](company-owner.md)
- [Explore FAQs](company-faqs.md)
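Review bot: The ten-owner limit is stated twice in the new text, once in the intro paragraph ("You can assign up to ten unique users to a company owner role") and again as a bullet ("Have up to ten unique users assigned the company owner role"); keep one, and write the number the way the FAQ does ("10"). "Carefully control access to the company and company settings" is not a capability; "Control who has access to the company and its settings" says what the role does. The intro paragraph also runs six sentences together; consider splitting it so the definition of a company and the owner role each get their own paragraph.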

View File

@ -15,7 +15,7 @@ Before deactivating your Docker Hub account, please complete the following:
2. If you belong to any organizations, remove your account from all of them.
3. If you are the sole owner of any organization, either add someone to the **owners** team and then remove yourself from the organization, or deactivate the organization.
3. If you are the sole owner of an organization, either add someone to the **owners** team and then remove yourself from the organization, or deactivate the organization. Similarly, if you are the sole owner of a company, either add someone else as a company owner and then remove yourself, or deactivate the company.
4. If you have an active subscription, downgrade it to the **Docker Personal** subscription.
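Review bot: "deactivate the company" implies a self-service option, but nothing in this commit documents deactivating a company; the Overview hunk says companies are created by Docker working with organization owners. Confirm the option exists in Docker Hub or tell the reader to contact their CSM, as the FAQ does for other company changes.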

View File

@ -23,7 +23,7 @@ Although domain audit can't identify all Docker users in your environment, you c
Before you audit your domains, the following prerequisites are required:
* Your organization must be part of a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade.md).
* Single sign-on must be configured for your organization. To configure single sign-on, see [Configure Single Sign-on](../single-sign-on/configure/index.md).
* You must add and verify your domains. To add and verify a domain, see [Domain control](../single-sign-on/configure/index.md/#domain-control).
* You must add and verify your domains. To add and verify a domain, see [Domain control](../single-sign-on/configure/index.md#step-one-add-and-verify-your-domain).
To audit your domains:

View File

@ -1,50 +0,0 @@
---
description: domains
keywords: domains, company, multi-orgs
title: Manage domains
---
> **Note**
>
> The following features are only available to [Early Access](../release-lifecycle.md/#early-access-ea) participants.
## Add a domain
1. Sign in to [Docker Hub](https://hub.docker.com/){: target="_blank" rel="noopener" class="_"}, navigate to the **Organization** page and select your company.
2. Select **Settings** to access the **Domain** and **SSO Connections**.
![company-settings](images/company-settings.png){: width="700px" }
3. Select **Add Domain** and continue with the on-screen instructions to add the **TXT Record Value** to your domain name system (DNS).
>**Note**
>
> Format your domains without protocol or www information, for example, yourcompany.com. This should include all email domains and subdomains users will use to access Docker. Public domains such as gmail.com, outlook.com, etc arent permitted. Also, the email domain should be set as the primary email.
![add-domain](images/add-domain.png){: width="700px" }
## Verify a domain
You must wait up to 72 hours for the TXT Record verification.
1. Sign in to [Docker Hub](https://hub.docker.com/){: target="_blank" rel="noopener" class="_"} and navigate to the **Organization** page and select your company.
2. Select **Settings** to access the **Domain** and **SSO Connections**.
3. Select **Verify** next to the domain in the domain table.
![verify-domain](images/verify-domain.png){: width="700px" }
## Delete a domain
If a verified domain is already associated with an established [SSO connection](../docker-hub/sso-connection.md), you must remove the domain from the connection setting before you can delete the domain from the company.
If the domain isn't associated with an existing connection, follow these steps:
1. Navigate to the **Domain** section.
2. Select the **Action** icon for the domain.
3. Select **Delete** and **Delete Domain** to confirm.
>**Note**
>
>If you want to add this domain again, a new TXT record value is assigned. You must complete the verification steps with the new TXT record value.
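Review bot: This deleted page carried constraints that appear nowhere else in the commit: TXT record verification can take up to 72 hours, public email domains such as gmail.com are not permitted, a verified domain tied to an SSO connection must be removed from the connection before it can be deleted, and re-adding a domain issues a new TXT record value. Check that the Configure SSO page the FAQ now links to states all four, and add a redirect for /docker-hub/domains/ since its nav entry is removed without one.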

View File

@ -1,18 +0,0 @@
---
description: enforcing sso
keywords: sso, enforce
title: Enforce SSO Login
---
Without SSO enforcement, users can continue to sign in using Docker username and password. If users login with your Domain email, they will authenticate through your identity provider instead.
You must test your SSO connection first if youd like to enforce SSO log-in. All users must authenticate with an email address instead of their Docker ID if SSO is enforced
1. In the **Single Sign-On Connections** table, select the Action icon and **Enforce Single Sign-on**.
> **Note**
>
> When you enforce SSO, all members of your organization with a matching domain must authenticate through your IdP.
2. Continue with the on-screen instructions and verify that youve completed the tasks.
3. Select **Turn on enforcement** to complete.
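Review bot: The Overview hunk still lists "Enforce SSO log-in for all users in the company" as a company owner capability, but the company-level enforcement steps are deleted here with no redirect shown for /docker-hub/enforcing-sso/. Make sure the Manage SSO page linked under "What's next?" covers enforcement at company level, including the prerequisite from this page that the connection be tested first and the note that enforced users must authenticate with an email address rather than a Docker ID.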

View File

@ -1,53 +0,0 @@
---
description: group mapping
keywords: group, comapping
title: Enable group mapping
---
> **Note**
>
> The following features are only available to [Early Access](../release-lifecycle.md/#early-access-ea) participants.
## Okta SSO group mapping
Use directory groups to team provisioning from your identity provider, and these updates will sync with your Docker organizations and teams.
To correctly assign your users to Docker teams, you must create groups in your IDP following the naming pattern <organization>:<team>. For example, if you want to manage provisioning for the team “developers” in Docker, and your organization name is “moby,” you must create a group in your IDP with the name “moby:developers”. Once you enable group mappings in your connection, users assigned to that group in your IDP will automatically be added to the team “developers” in Docker.
> **Note**
>
> Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, a group is created if it doesn't already exist.
1. In **Okta**, navigate to the directory and select **Group**.
2. Select **Add Group**, and type the name of your organization and team.
> **Note**
>
> For example, **auacatenet:platform** (your organization:your team). This connects all of your teams in Docker to your groups in Okta.
![okta-add-group](images/okta-add-group.png){: width="700px" }
![add-group](images/add-group.png){: width="500px" }
3. In your group, select **Assign people** to add your users to the group.
![assign-people](images/assign-people.png){: width="700px" }
4. Navigate to **Applications**, configure your application and select **General**.
5. Select **Next** and update the value for **Group Attribute Statements** (optional) and filter for **Group Attribute Statements**. Note it's recommended to specify a filter, so the groups relevant to your Docker organization and teams are shared with the Docker app.
![group-attribute-statement](images/group-attribute-statement.png){: width="700px" }
6. Select **Next** and **Finish** to complete the configuration.
> **Note**
>
> Once completed, when your user signs in to Docker through SSO, the user is automatically added to the organizations and teams mapped in the group attributes.
## Azure AD SSO group mapping
1. Navigate to **Enterprise application**, and select your application.
2. Select **Single-sign on** and **Attributes and Claims**.
3. Select **Add a group claim** and select groups assigned to the application.
4. In the **Source attribute**, select **Cloud-only group display name (Preview)** and **Save**. Note, you can filter the groups you want to share with the application as an option.
![azure-group](images/azure-group.png){: width="700px" }
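Review bot: The Docker-specific part of this page, the <organization>:<team> group naming convention (for example moby:developers) and the recommendation to filter Group Attribute Statements to the groups relevant to Docker, is lost with the deletion: the optional step added to scim.md only links to Okta, Azure AD and OneLogin docs, which cannot tell an admin how Docker expects groups to be named. Keep the naming convention in scim.md (or on the SSO pages) so the /docker-hub/group-mapping/ redirect lands readers on something that still answers the question.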

View File

@ -2,15 +2,27 @@
description: System for Cross-domain Identity Management
keywords: SCIM, SSO
title: SCIM
direct_from:
- /docker-hub/company-scim/
- /docker-hub/group-mapping/
---
This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. SCIM is a provisioning system that lets you manage users within your identity provider (IdP). You can enable SCIM on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade.md){:target="blank" rel="noopener" class=""}.
This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers.
SCIM provides automated user provisioning and de-provisioning for your Docker organization through your identity provider (IdP). Once you enable SCIM in your IdP, any user assigned to the Docker application in the IdP, is automatically provisioned in Docker Hub and added to the organization. Also, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization in Docker Hub. SCIM also synchronizes changes made to users attributes in the IdP, for instance the users first name and last name.
SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker Hub and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker Hub and added to the organization or company.
The following provisioning features are supported: creating new users, push user profile updates, remove users, deactivate users and reactivate users. Group management is not supported.
Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker Hub. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the users first name and last name.
The table below lists the supported attributes. Note, that your attribute mappings must match for SSO to prevent duplicating your members.
The following provisioning features are supported:
- Creating new users
- Push user profile updates
- Remove users
- Deactivate users
- Re-activate users.
Group management is not supported.
The table below lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.
| Attribute | Description
|:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------|
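Review bot: `direct_from` in the front matter looks like a typo for `redirect_from`, the key the docs site's redirect handling reads; as written, the two deleted URLs listed under it would get no redirect at all. Separately, the new bullet list mixes verb forms ("Creating new users", "Push user profile updates", "Remove users") and only the last bullet ends with a period; use one form, for example "Create new users / Push profile updates / Remove users / Deactivate users / Reactivate users". The removed opening paragraph also carried the link to upgrade to Docker Business, which the new sentence "It is available for Docker Business customers" no longer offers.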
@ -18,159 +30,36 @@ The table below lists the supported attributes. Note, that your attribute mappin
| givenName | Users first name |
| familyName |Users surname |
## Configure
## Set up SCIM
SSO must be set up and be functional for your organization before you start configuring automated provisioning. In addition, you must verify your company domain and have the appropriate connectors in your IdP. Your user email domain must be the same company domain you use for Single Sign-on (SSO). Enforcing SSO is not required to enable SCIM. However, you must [configure SSO](../single-sign-on/index.md){: target="_blank" rel="noopener" class="_"} before you enable SCIM.
You must make sure you have [configured SSO](../single-sign-on/index.md) before you enable SCIM. Enforcing SSO is not required.
Before you make SCIM configuration changes in your IdP, navigate to [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} and select **Organizations** > **Settings** > **Security**. SCIM is locked until you complete the SSO configuration and verify your company domain. Enable SCIM and access your Base URL and API Token. You can also generate a new API token.
### Step one: Enable SCIM in Docker Hub
![SCIM provisioning view](images/scim-provisioning.png){:width="700px"}
1. Sign in to Docker Hub, navigate to the **Organizations** page and select your organization or company.
2. Select **Settings**. If you are setting up SCIM for an organization you then need to select **Security**.
3. n the **Single Sign-On Connection** table, select the **Actions** icon and **Setup SCIM**.
4. Copy the **SCIM Base URL** and **API Token** and paste the values into your IdP.
### Okta
### Step two: Enable SCIM in your IdP
1. In Okta, navigate to your SAML or SWA Docker app integration and [add SCIM provisioning](https://help.okta.com/oie/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SCIM.htm).
2. In the **Provisioning** tab, edit the SCIM Connection and complete the following:
Follow the instructions provided by your IdP:
* **SCIM connector base URL**: SCIM Base URL from Docker Hub
* **Unique identifier field for users**: enter **email**
* **Supported Provisioning actions**: select **Push New Users**, **Push Profile Updates**
* **Authorization/Bearer**: SCIM API Token from Docker Hub
- [Okta](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SCIM.htm){: target="_blank" rel="noopener" class="_" }
- [Azure AD](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad#step-2-configure-the-enterprise-application){: target="_blank" rel="noopener" class="_" }
- [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" }
![SCIM app provisioning options](images/scim-app-provisioning.png){:width="700px"}
### Optional step
You also have the option to use group mapping within your IdP. To take advantage of group mapping, follow the instructions provided by your IdP:
- [Okta](https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-about-group-push.htm){: target="_blank" rel="noopener" class="_" }
- [Azure AD](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes){: target="_blank" rel="noopener" class="_" }
- [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" }
3. Click **Test Connection Configuration** to complete the configuration and **Save**.
4. Once configured, you must enable synchronization. Navigate to **Provisioning** > **To App** > **Edit**, and enable **Create Users**, **Update User Attributes** and **Deactivates Users**, and **Save**.
Once complete, a user who signs in to Docker through SSO is automatically added to the organizations and teams mapped in the IdP.
![Enable synchronization](images/provisioning-to-app.png){:width="700px"}
5. Remove all fields that aren't supported from your **Docker Hub Attributes Mappings**.
![Docker Hub attributes mappings view](images/scim-attributes.png){:width="700px"}
The synchronization of user data is now automated, and the members in your Docker organization will now be automatically provisioned, updated, and de-provisioned based on the access control managed through your identity provider, Okta.
#### Generate a full-sync
You must run a full-sync after enabling SCIM, if you already have users assigned to the Docker Hub app. This provisions the users that are assigned in the IdP Directory to Docker Hub.
1. Navigate to **Applications** > **Applications** and select the Docker Hub app.
2. In the **Assignments** tab, select **Provision User** if you have pending users.
3. Click **Apply to All** > **Reapply Mappings** and **Confirm**.
> **Note**
>
> This will generate a full-sync and any user that wasn't previously provisioned is now provisioned in Docker Hub.
![provision-user](images/provision-user.png){:width="700px"}
### Azure AD
1. Navigate to Azure AD and select **AzureAD admin**.
2. In the **Default Directory**, select **Add** > **Enterprise Application** > **Create your own application**.
> **Note**
>
> When you create an Enterprise Application you can configure SCIM with
> Security Assertion Markup Language (SAML).
3. Type **Docker** for application name, select **non-gallery**, and **Create**.
4. In your Docker application, navigate to **Provisioning**, and select **Get Started**.
5. Select **Automatic** for the provisioning mode and enter your SCIM credentials.
> **Note**
>
> You can access and copy your SCIM URL (Tenant URL) and API Token (Secret
> Token) in Docker Hub.
6. Select **Test Connection** to enable and authorize the provisioning.
7. In **Mappings**, select **Provision Azure Active Directory Groups** to disable Groups and **Save**.
> **Note**
>
> You must turn off group sync to avoid having your configuration
> quarantined.
8. Select **Provision Azure Active Directory Users**, in **Attribute Mappings**, and keep the **userName**, **Active**, **givenName**, **familyName**. Delete the other attributes listed.
![attribute-mapping](images/attribute-mapping.png){:width="700px"}
9. Select **Start Provisioning** to begin the full synchronization.
> **Note**
>
> It can take up to 30 minutes to begin provisioning. You can also
> provision on demand provisioning with one user that's already assigned
> to the application.
### Onelogin
1. In Onelogin, navigate to **Applications** > **Applications** > **Add app**.
2. In the search field, enter **SCIM Provisioner with SAML (SCIM v2 Core)** and select the item in the results.
3. Enter **Docker Hub** as the display name and **Save**.
4. Navigate to the left navigation, and select **Configuration**.
5. In a separate tab, navigate to **Docker Hub** > **Settings** > **Security** > **SSO** > **SAML**.
6. Copy the following fields from Docker Hub, in to OneLogin:
* Entity ID: SAML Audience URL
* ACS URL: SAML Consumer URL
* SCIM Base URL: SCIM Base URL
* Custom Headers:
```console
Content-Type: application/scim+json
User-Agent: OneLogin SCIM
```
* SCIM Bearer Token: SCIM Bearer Token
* SCIM JSON Template:
```console
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "{$parameters.scimusername}",
"name": {
"givenName": "{$user.firstname}",
"familyName": "{$user.lastname}"
},
"emails": [
{
"value": "{$user.email}",
"primary": true
}
]
}
```
![application-details](images/application-details.png){:width="700px"}
7. Select **API Connection** > **Enable** and **Save**.
8. Navigate to the **Parameters** tab, click **scimusername**, select **Email** and **Save**.
![parameters-tab](images/parameters-tab.png){:width="700px"}
9. Navigate to the SSO tab, and copy the **SAML 2.0 Endpoint (HTTP)** url and paste it in to [**Docker Hub**](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} > **Settings** > **Security** > **SSO** > **SAML Sign-in URL**.
10. In the **X.509 Certificate** field, click **View Details**.
11. Copy the **PEM certificate**, and paste it in to [**Docker Hub**](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} > **Settings** > **Security** > **SSO** > **Key x509 Certificate** and **Save**.
12. In Onelogin, navigate to the **Access** tab, enable the app for `ol_role` that was already created and **Save**.
13. Navigate to the **Provisioning** tab and select **Enable provisioning**, and deselect the other options.
14. In the drop-down, select **Suspend** and **Save**.
#### Generate a full-sync
1. In Onelogin, navigate to **Applications** and select the Docker Hub application.
2. In **Users**, click **Apply to All** and **Reapply Mappings**.
3. Select **Confirm** to provision your users in Docker Hub.
> **Note**
>
> This creates a full-sync and any user that was not previously
> provisioned is now provisioned in Docker Hub.
![scim-okta-button](images/scim-provisioner-saml.png){:width="700px"}
## Disabling SCIM
## Disable SCIM
If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.
![scim-disable](images/scim-disable.png){:width="700px"}
1. In the **Single Sign-On Connection** table, select the **Actions** icon
2. Select **Disable SCIM**.
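Review bot: the "Disable SCIM" text at the end of this hunk should state the access consequence plainly rather than leave it implied: once SCIM is off, users provisioned through it keep their organization membership, and a deactivation in the IdP no longer reaches Docker Hub, so offboarding becomes a manual task for the admin. Suggest adding after "User de-provisioning is only possible when manually removing the user from the organization." a sentence such as "After disabling SCIM, review the member list and remove anyone who should no longer have access." On the same theme, the notes that point admins at the SCIM URL and API Token (Azure AD step 5, and the OneLogin "SCIM Bearer Token" field) could say that the token grants provisioning rights and should only be stored in the IdP, since it is a bearer secret.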

View File

@ -1,108 +0,0 @@
---
description: sso connection
keywords: sso, connection
title: Single Sign-on connection
---
> **Note**
>
> The following features are only available to [Early Access](../release-lifecycle.md/#early-access-ea) participants.
## Create a connection
1. Once your domain is verified, continue to **Single Sign-on Connections** and select **Create Connections**, and create a name for the connection.
> **Note**
>
> You have to verify at least one domain before creating the connections.
![create-connection](images/create-connection.png){: width="700px" }
2. Select an authentication method, **SAML** or **Azure AD (OIDC)**.
3. Copy the following fields and add them to your IdP:
- SAML: **Entity ID**, **ACS URL**
- Azure AD (OIDC): **Redirect URL**
![idp-create-connection](images/idp-create-connection.png){: width="700px" }
4. From your IdP, copy and paste the following values into the Docker **Settings** fields:
- SAML: **SAML Sign-on URL**, **x509 Certificate**
- Azure AD (OIDC): **Client ID**, **Client Secret**, **Azure AD Domain**
![idp-sso-connection](images/idp-sso-connection.png){: width="700px" }
5. Select the Docker organization and verified domains you want to apply the connection.
![verified-domains](images/verified-domains.png){: width="700px" }
6. Select the organization and team you want to provision your users.
> **Note**
>
> This is the default organization if you have more than one organization in your SSO connection. Users are added to the specified organization and team.
7. Review your summary and select **Create Connection**.
**SSO connection is now created**. You can continue to set up SSO Group Mapping and SCIM without enforcing SSO log-in.
## Connect a domain
1. In the **Single Sign-on Connections** section, select the **Action** icon and **Edit**.
2. Select **Next** to navigate to the section where connected domains are listed.
3. In the **Domain** drop-down, select the domain you want to add to the connection.
![verified-domains](images/verified-domains.png){: width="700px" }
4. Select **Next** to confirm or change the connected organizations.
5. Select **Next** to confirm or change the default organization and team provisioning selections.
![default-connection](images/default-connection.png){: width="700px" }
6. Review the connection summary and select **Create Connection**.
## Connect an organization
You must have a company to connect an organization.
1. In the **Single Sign-on Connections** section, select the **Action** icon and **Edit**.
2. Select **Next** to navigate to the section where connected organizations are listed.
3. In the **Organizations** drop-down, select the organization to add to the connection.
![org-connection](images/org-connection.png){: width="700px" }
4. Select **Next** to confirm or change the default organization and team provisioning.
5. Review the **Connection Summary** and select **Save**.
![review-connection](images/review-connection.png){: width="700px" }
## Delete a connection
1. In the **Single Sign-On Connections**, select the **Action** icon.
2. Select **Delete** and **Delete Connection**.
3. Continue with the on-screen instructions.
## Edit a connection
1. In the **Single Sign-On Connections**, select the **Action** icon.
2. Select **Edit Connection** to edit you connection.
3. Continue with the on-screen instructions.
![edit-connection](images/edit-connection.png){: width="700px" }
## Remove a domain
1. In the **Single Sign-On Connection**, select the **Action** icon and **Edit**.
2. Select **Next** to navigate to the section where the connected domains are listed.
3. In the **Domain** drop-down, select the **Remove** icon next to the domain that you want to remove.
4. Select **Next** to confirm or change the connected organizations.
5. Select **Next** to confirm or change the default organization and team provisioning selections.
6. Review the **Connection Summary** and select **Save**.
## Remove an organization
1. In the **Single Sign-on Connection** section, select the **Action** icon and **Edit**.
2. Select **Next** to navigate to the section where connected organizations are listed.
3. In the **Organizations** drop-down, select **Remove** to remove the connection.
4. Select **Next** to confirm or change the default organization and team provisioning.
5. Review the **Connection Summary** and select **Save**.
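Review bot: the "Connect a domain", "Connect an organization", "Delete a connection", "Edit a connection", "Remove a domain" and "Remove an organization" procedures deleted here do not reappear in the configure.md hunk in this diff, which only carries the create-connection flow, while /docker-hub/sso-connection/ is now redirected to configure.md; readers following old links therefore land on a page without the edit and remove steps. If those sections were moved to another file, name it in the commit description; otherwise restore them under a "Manage connections" heading in configure.md so that removing a domain or organization from a connection stays documented.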

View File

@ -2,9 +2,29 @@
description: SSO configuration
keywords: configure, sso, docker hub, hub
title: Configure
redirect_from:
- /docker-hub/domains/
- /docker-hub/sso-connection/
- /docker-hub/enforcing-sso/
---
To configure SSO, sign in to [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} to complete the IdP server configuration process. You can only configure SSO with a single IdP. When this is complete, log back in to [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} and complete the SSO enablement process.
Follow the steps on this page to configure SSO for your organization or company.
## Step one: Add and verify your domain
1. Sign in to Docker Hub, navigate to the **Organizations** page and select your organization or company.
2. Select **Settings**. If you are setting up SSO for an organization you then need to select **Security**.
3. Select **Add Domain** and continue with the on-screen instructions to add the TXT Record Value to your domain name system (DNS).
>**Note**
>
> Format your domains without protocol or www information, for example, yourcompany.com. This should include all email domains and subdomains users will use to access Docker. Public domains such as gmail.com, outlook.com, etc arent permitted. Also, the email domain should be set as the primary email.
4. Once you have waited 72 hours for the TXT Record verification, you can then select **Verify** next to the domain you've added, and follow the on-screen instructions.
![verify-domain](../images/verify-domain.png){: width="700px" }
## Step two: Create an SSO connection
> **Important**
>
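Review bot: step 4 of this hunk ("Once you have waited 72 hours for the TXT Record verification") turns an upper bound into a mandatory wait; the note further down the same file says verification can take up to 72 hours depending on the DNS host, so suggest "Once the TXT record has propagated (this can take up to 72 hours, depending on your DNS host), select **Verify** next to the domain you've added". Two smaller points in the note under step 3: "arent" has lost its apostrophe, and "the email domain should be set as the primary email" would be clearer as "users must have an email address on that domain set as the primary email on their Docker account", which is the condition the rest of the page relies on.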
@ -16,143 +36,48 @@ To configure SSO, sign in to [Docker Hub](https://hub.docker.com){: target="_bla
> aren't supported at this time.
{: .important}
The following video walks you through the process of configuring SSO.
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/QY0j02ggf64" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
### Configuring your IdP
<ul class="nav nav-tabs">
<li class="active"><a data-toggle="tab" data-target="#saml-2">SAML 2.0</a></li>
<li><a data-toggle="tab" data-target="#azure-ad">Azure AD (OIDC)</a></li>
</ul>
<div class="tab-content">
<div id="saml-2" class="tab-pane fade in active" markdown="1">
#### SAML 2.0
1. Sign in to [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} as an administrator and navigate to **Organizations** and select the organization that you want to enable SSO on.
2. Select **Settings** and select the **Security** tab.
3. Select an authentication method for **SAML 2.0**.
![SSO SAML1](/single-sign-on/images/sso-saml1.png){:width="500px"}
4. In the Identity Provider Set Up, copy the **Entity ID**, **ACS URL** and **Certificate Download URL**.
![SSO SAML2](/single-sign-on/images/sso-saml2.png){:width="500px"}
5. Sign in to your IdP to complete the IdP server configuration process. Refer to your IdP documentation for detailed instructions.
1. Once your domain is verified, in the **Single Sign-on Connection** table select **Create Connections**, and create a name for the connection.
> **Note**
>
> The NameID is your email address and is set as the default.
> For example, yourname@mycompany.com. The optional `name` attribute is also supported. This attribute name must be lower-cased. _The following is an example of this attribute in Okta._
> You have to verify at least one domain before creating the connections.
![SSO Attribute](/single-sign-on/images/sso-attribute.png){:width="500px"}
2. Select an authentication method, **SAML** or **Azure AD (OIDC)**.
3. Copy the following fields and add them to your IdP:
6. Complete the fields in the **Configuration Settings** section and select **Save**. If you want to change your IdP, you must delete your existing provider and configure SSO with your new IdP.
- SAML: **Entity ID**, **ACS URL**
- Azure AD (OIDC): **Redirect URL**
![SSO SAML3](/single-sign-on/images/sso-saml3.png){:width="500px"}
4. From your IdP, copy and paste the following values into the Docker **Settings** fields:
7. Proceed to **add your domain** before you test and enforce SSO.
- SAML: **SAML Sign-on URL**, **x509 Certificate**
- Azure AD (OIDC): **Client ID**, **Client Secret**, **Azure AD Domain**
<hr>
</div>
5. Select the verified domains you want to apply the connection to.
<div id="azure-ad" class="tab-pane fade" markdown="1">
### Azure AD (OIDC)
>**Note**
>
> This section is for users who only want to configure Open ID Connect with
> Azure AD. This connection is a basic OIDC connection, and there are no
> special customizations available when using it.
1. Sign in to [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} as an administrator and navigate to **Organizations** and select the organization that you want to enable SSO on.
2. Select **Settings** and select the **Security** tab.
3. Select an authentication method for **Azure AD**.
4. In the Identity Provider Set Up, copy the **Redirect URL / Reply URL**.
![SSO Azure AD OIDC](/single-sign-on/images/sso-azure-oidc.png){:width="500px"}
5. Sign in to your IdP to complete the IdP server configuration process. Refer to your IdP documentation for detailed instructions.
6. To provision your users, select the organization(s) and/or team(s).
> **Note**
>
> The NameID is your email address and is set as the default.
> For example: yourname@mycompany.com.
> If you are a company owner and have more than one organization, you need to select a default organization.
6. Complete the fields in the **Configuration Settings** section and click **Save**. If you want to change your IdP, you must delete your existing provider and configure SSO with your new IdP.
7. Review your summary and select **Create Connection**.
![SSO Azure3](/single-sign-on/images/sso-azure3.png){:width="500px"}
The SSO connection is now created. You can continue to set up [SSO Group Mapping and SCIM](../../docker-hub/scim.md) without enforcing SSO log-in.
7. Proceed to **add your domain** before you test and enforce SSO.
## Optional step three: Test your SSO configuration
<hr>
</div></div>
## Domain control
Select **Add Domain** and specify the corporate domain youd like to manage with SSO. Format your domains without protocol or www information, for example, yourcompany.com. Docker supports multiple domains that are part of your IdP. Make sure that your domain is reachable through email.
> **Note**
>
> This should include all email domains and sub-domains users will use to access Docker.
> Public domains such as gmail.com, outlook.com, etc aren't permitted.
> Also, the email domain should be set as the primary email.
![SSO Domain](/single-sign-on/images/sso-domain.png){:width="500px"}
## Domain verification
To verify ownership of a domain, add a TXT record to your Domain Name System (DNS) settings.
1. Copy the provided TXT record value and navigate to your DNS host and locate the **Settings** page to add a new record.
2. Select the option to add a new record and paste the TXT record value into the applicable field. For example, the **Value**, **Answer** or **Description** field.
Your DNS record may have the following fields:
* Record type: enter your 'TXT' record value
* Name/Host/Alias: leave the default (@ or blank)
* Time to live (TTL): enter **86400**
3. After you have updated the fields, select **Save**.
> **Note**
>
> It can take up to 72 hours for DNS changes to take effect, depending on
> your DNS host. The Domains table will have an Unverified status during
> this time.
4. In the Security section of your Docker organization, select **Verify** next to the domain you want to verify after 72 hours.
> **Note**
>
> Once you've verified your domain, you can move forward to test your
> configuration and enforce SSO, or you can configure your [System Cross-domain Identity Management (SCIM)](../../docker-hub/scim.md).
## Test your SSO configuration
After youve completed the SSO configuration process in Docker Hub, you can test the configuration when you sign in to Docker Hub using an incognito browser. Login using your domain email address. You will then get redirected to your identity providers login page to authenticate.
After youve completed the SSO configuration process in Docker Hub, you can test the configuration when you sign in to Docker Hub using an incognito browser. Log in to Docker Hub using your domain email address. You are then redirected to your IdP's login page to authenticate.
1. Authenticate through email instead of using your Docker ID, and test the login process.
2. To authenticate through CLI, your users must have a PAT before you enforce SSO for CLI users.
## Enforce SSO in Docker Hub
## Optional step four: Enforce SSO log-in in Docker Hub
Before you enforce SSO in Docker Hub, you must complete the following:
Test SSO by logging in and out successfully, confirm that all members in your org have upgraded to Docker Desktop version 4.4.2, PATs are created for each member, CI/CD passwords are converted to PAT. Also, when using Docker partner products (for example, VS Code), you must use a PAT when you enforce SSO. For your service accounts add your additional domains in **Add Domains** or enable the accounts in your IdP.
1. In the **Single Sign-On Connections** table, select the **Action** icon and then **Enforce Single Sign-on**.
When SSO is enforced, your users are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. You must enable 2FA through your IdP.
2. Continue with the on-screen instructions and verify that youve completed the tasks.
3. Select **Turn on enforcement** to complete.
Admins can force users to authenticate with Docker Desktop by provisioning a registry.json configuration file. The registry.json file will force users to authenticate as a user that's configured in the allowedOrgs list in the registry.json file. For info on how to configure a registry.json file see [Configure registry.json](../../docker-hub/image-access-management.md#enforce-authentication)
1. On the Single Sign-On page in Docker Hub, select **Turn ON Enforcement** to enable your SSO.
2. When SSO is enforced, your users are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. You must enable 2FA through your IdP.
> **Note**
>
> If you want to turn off SSO and revert back to Dockers built-in
> authentication, select **Turn OFF Enforcement**. Your users arent
> forced to authenticate through your IdP and can sign in to Docker using
> their personal credentials.
![SSO Enforced](/single-sign-on/images/sso-enforce.png){:width="500px"}
To enforce SSO log-in for Docker Desktop, see [Enforce sign-in](../../docker-hub/configure-sign-in.md).
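Review bot: the rewritten SAML and OIDC steps drop the NameID guidance from the removed tabbed section ("The NameID is your email address and is set as the default. ... The optional `name` attribute is also supported. This attribute name must be lower-cased."); that is the IdP-side value the SAML assertion is matched on, and the FAQ page only calls email the "preferred" Name ID format, so keep it as a note under step 4 ("From your IdP, copy and paste the following values..."). Second, the old enforcement prerequisites ("confirm that all members in your org have upgraded to Docker Desktop version 4.4.2, PATs are created for each member, CI/CD passwords are converted to PAT ... For your service accounts add your additional domains...") are replaced by "verify that you've completed the tasks" in the on-screen flow; unless that UI checklist lists them, enforcing SSO will lock out CI/CD jobs and partner tools that still authenticate with passwords, so the PAT and service-account requirements are worth keeping in the text under "Optional step four".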

View File

@ -5,83 +5,90 @@ title: Single Sign-on FAQs
toc_max: 2
---
## General SSO overview
<ul class="nav nav-tabs">
<li class="active"><a data-toggle="tab" data-target="#tab1">General</a></li>
<li><a data-toggle="tab" data-target="#tab2">SAML</a></li>
<li><a data-toggle="tab" data-target="#tab3">Docker org and Docker ID</a></li>
<li><a data-toggle="tab" data-target="#tab4">Identity providers</a></li>
<li><a data-toggle="tab" data-target="#tab5">Domains</a></li>
<li><a data-toggle="tab" data-target="#tab6">SSO enforcement</a></li>
<li><a data-toggle="tab" data-target="#tab7">Managing users</a></li>
</ul>
<div class="tab-content">
<div id="tab1" class="tab-pane fade in active" markdown="1">
### Q: Is Docker SSO available for all paid subscriptions?
### Is Docker SSO available for all paid subscriptions?
Docker Single Sign-on (SSO) is only available with the Docker Business subscription. Upgrade your existing subscription to start using Docker SSO.
### Q: How does Docker SSO work?
### How does Docker SSO work?
Docker Single Sign-on (SSO) allows users to authenticate using their identity providers (IdPs) to access Docker. Docker supports Azure AD and any SAML 2.0 identity providers. When you enable SSO, users are redirected to your providers authentication page to authenticate using their email and password.
### Q: What SSO flows are supported by Docker?
### What SSO flows are supported by Docker?
Docker supports Service Provider Initiated (SP-initiated) SSO flow. This means users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process.
### Q: Where can I find detailed instructions on how to configure Docker SSO?
### Where can I find detailed instructions on how to configure Docker SSO?
You first need to establish an SSO connection with your identity provider, and the company email domain needs to be verified prior to SSO enforcement for your users. For detailed step-by-step instructions on how to configure Docker SSO, see [Single Sign-on](index.md).
You first need to establish an SSO connection with your identity provider, and the company email domain needs to be verified prior to establishing an SSO connection for your users. For detailed step-by-step instructions on how to configure Docker SSO, see [Single Sign-on](index.md).
### Q: Does Docker SSO support multi-factor authentication (MFA)?
### Does Docker SSO support multi-factor authentication (MFA)?
When an organization uses SSO, MFA is determined on the IdP level, not on the Docker platform.
### Q: Do I need a specific version of Docker Desktop for SSO?
### Do I need a specific version of Docker Desktop for SSO?
Yes, all users in your organization must upgrade to Docker Desktop version 4.4.2 or later. Users on older versions of Docker Desktop will not be able to sign in after enforcing SSO if the company domain email is used to sign in or as the primary email associated with an existing Docker account Your users with existing accounts can't sign in with their username and password.
Yes, all users in your organization must upgrade to Docker Desktop version 4.4.2 or later. Users on older versions of Docker Desktop will not be able to sign in after SSO is enforced, if the company domain email is used to sign in or as the primary email associated with an existing Docker account. Your users with existing accounts can't sign in with their username and password.
## SAML SSO
<hr>
</div>
<div id="tab2" class="tab-pane fade" markdown="1">
### Q: Does SAML authentication require additional attributes?
### Does SAML authentication require additional attributes?
You must provide an email address as an attribute to authenticate through SAML. The Name attribute is optional.
### Q: Does the application recognize the NameID/Unique Identifier in the SAMLResponse subject?
### Does the application recognize the NameID/Unique Identifier in the SAMLResponse subject?
The preferred format is your email address, which should also be your Name ID.
### Q: When you enforce SAML SSO, at what stage is the login required for tracking through SAML? At runtime or install time?
### When you enforce SAML SSO, at what stage is the login required for tracking through SAML? At runtime or install time?
At runtime for Docker Desktop if its configured to require authentication to the organization.
### Q: How long is the grace-period for using regular user id and password for the Docker Desktop itself regardless of the enforced SSO?
We don't have a date on when the grace-period will end.
### Q: Do you have any information on how to use the Docker Desktop application in accordance with the SSO users we provide? How can we verify that we're handling the licensing correctly?
### Do you have any information on how to use the Docker Desktop application in accordance with the SSO users we provide? How can we verify that we're handling the licensing correctly?
Verify that your users have downloaded the latest version of Docker Desktop. An enhancement in user management observability and capabilities will become available in the future.
<hr>
</div>
<div id="tab3" class="tab-pane fade" markdown="1">
## Docker org and Docker ID
### Whats a Docker ID? Can I retain my Docker ID when using SSO?
### Q: Whats a Docker ID? Can I retain my Docker ID when using SSO?
For a personal Docker ID, a user is the account owner, its associated with access to the user's repositories, images, assets. An end user can choose to have a company domain email on the Docker account, when enforcing SSO, the account is connected to the organization account. When enforcing SSO for an organization(s) or company, any user logging in without an existing account using verified company domain email will automatically have an account provisioned, and a new Docker ID created.
For a personal Docker ID, a user is the account owner, its associated with access to the user's repositories, images, assets. An end user can choose to have a company domain email on the Docker account, when enforcing SSO, the account is connected to the organization account. When enforcing SSO for a company organization, any user logging in without an existing account using verified company domain email will automatically have an account provisioned, and a new Docker ID created.
### What if the Docker ID I want for my organization or company is taken?
### Q: What if the Docker ID I want for my org is taken?
This depends on the state of the namespace, if trademark claims exist for the organization or company Docker ID, a manual flow for legal review is required.
This depends on the state of the namespace, if trademark claims exist for the Organization Docker ID, a manual flow for legal review is required.
### What if I want to create more than 3 organizations?
### Q: What if I want to create more than 3 organizations?
You can create multiple organizations or multiple teams under a single company. SSO is available at the company level.
You can create multiple organizations or multiple teams under a single organization. If you intend to enforce SSO, it's only available for a single org with a single identity provider.
<hr>
</div>
<div id="tab4" class="tab-pane fade" markdown="1">
### Q: If I have multiple orgs how will that affect my org if they're all connected to the same domain?
We're currently limited in supporting such a setup, and would recommend setting up different teams under the same org if you plan to enforce SSO and only have one email domain.
## Identity providers
### Q: Is it possible to use more than one IdP with Docker SSO?
### Is it possible to use more than one IdP with Docker SSO?
No. You can only configure Docker SSO to work with a single IdP. A domain can only be associated with a single IdP. Docker supports Azure AD and identity providers that support SAML 2.0.
### Q Is it possible to change my identity provider after configuring SSO?
### Is it possible to change my identity provider after configuring SSO?
Yes. You must delete your existing IdP configuration in Docker Hub and follow the instructions to Configure SSO using your IdP. If you had already turned on enforcement, you should turn off enforcement before updating the provider SSO connection.
### Q: What information do I need from my Identity providers to configure SSO?
### What information do I need from my identity providers to configure SSO?
To enable SSO in Docker, you need the following from your IdP:
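Review bot: the "How long is the grace-period for using regular user id and password..." question and its answer are removed in this hunk, but the IdP-down answer in the next hunk still tells users they can sign in with username and password "during the grace period for your organization"; either keep a one-line explanation of the grace period here or rewrite that answer so it no longer depends on a term the page stops defining. Minor: "will not be able to sign in after SSO is enforced, if the company domain email is used" in the Docker Desktop version answer has a stray comma before "if".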
@ -89,15 +96,15 @@ To enable SSO in Docker, you need the following from your IdP:
* **Azure AD**: Client ID, Client Secret, AD Domain.
### Q: What happens if my existing certificate expires?
### What happens if my existing certificate expires?
If your existing certificate has expired, you may need to contact your identity provider to retrieve a new x509 certificate. The new certificate must be updated in the SSO configuration settings page on Docker Hub.
### Q: What happens if my IdP goes down when SSO is enabled?
### What happens if my IdP goes down when SSO is enabled?
It's not possible to access Docker Hub when your IdP is down. However, you can access Docker Hub images from the CLI using your Personal Access Token. Or, if you had an existing account before the SSO enforcement, you can use your username and password to access Docker Hub images during the grace period for your organization.
### Q: What happens when I turn off SSO for my organization?
### What happens when I turn off SSO for my organization(s) or company?
When you turn off SSO, authentication through your Identity Provider isn't required to access Docker. Users may continue to sign in through Single Sign-On as well as Docker ID and password.
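Review bot: the certificate-expiry answer ("If your existing certificate has expired, you may need to contact your identity provider to retrieve a new x509 certificate...") only covers recovery after the fact; with enforcement on, an expired signing certificate fails every SSO login, which is the same outage the "What happens if my IdP goes down" answer directly below describes. Suggest adding that admins should record the certificate's expiry date when configuring SSO and upload the renewed certificate in the SSO configuration settings page on Docker Hub before the current one expires.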
@ -105,97 +112,96 @@ When you turn off SSO, authentication through your Identity Provider isn't requi
You can add a bot account to your IDP and create an access token for it to replace the other credentials.
### Q: Does Docker plan to release SAML just in time provisioning?
### Does Docker plan to release SAML just in time provisioning?
The SSO implementation is already "just in time". Admins don't have to create users accounts on Hub, they can just enable it on the IdP and have the users sign in through their domain email on Hub.
### Q: Will there be IdP initiated logins? Does Docker plan to support SSO logins outside of Hub and Desktop?
### Will there be IdP initiated logins? Does Docker plan to support SSO logins outside of Hub and Desktop?
We currently do have any plans to enable IdP initiated logins.
### Q: Build agents - For customers using SSO, do they need to create a bot account to fill a seat within the dockerorg?
### Build agents - For customers using SSO, do they need to create a bot account to fill a seat within the dockerorg?
Yes, bot accounts needs a seat, similar to a regular end user, having a non-aliased domain email enabled in the IdP and using a seat in Hub.
### Q: Is it possible to connect Docker Hub directly with a Microsoft Azure Active Directory Group?
### Is it possible to connect Docker Hub directly with a Microsoft Azure Active Directory Group?
Yes, Azure AD is supported with SSO for Docker Business, both through a direct integration and through SAML.
## Adding domain and domain verification
<hr>
</div>
<div id="tab5" class="tab-pane fade" markdown="1">
### Q: What should I do if I reach the character limits when adding the txt record for my domain?
### Can i add sub-domains?
Yes, you can add sub-domains to your SSO , however all email addresses should also be on that domain. Verify that your DNS provider supports multiple txt fields for the same domain.
### Q: Can the DNS provider configure it once for one-time verification and remove it later OR will it be needed permanently?
### Can the DNS provider configure it once for one-time verification and remove it later OR will it be needed permanently?
They can do it one time to add it to a connection. If they ever change idPs and have to set up SSO again, they will need to verify again.
They can do it one time to add it to a connection. If they ever change IdPs and have to set up SSO again, they will need to verify again.
### Is adding domain required to configure SSO? What domains should I be adding? And how do I add it?
### Q: Is adding Domain required to configure SSO? What domains should I be adding? And how do I add it?
Adding and verifying a domain is required to enable and enforce SSO. Select **Add Domain** and specify the email domains that's allowed to authenticate through your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email.
Adding and verifying Domain is required to enable and enforce SSO. Select **Add Domain** and specify the email domains that's allowed to authenticate through your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email.
### Q: If users are using their personal email, do they have to convert to using the Orgs domain before they can be invited to join an Org? Is this just a quick change in their Hub account?
### If users are using their personal email, do they have to convert to using the Orgs domain before they can be invited to join an Org? Is this just a quick change in their Hub account?
No, they don't. Though they can add multiple emails to a Docker ID if they choose to. However, that email can only be used once across Docker. The other thing to note is that (as of January 2022) SSO will not work for multi domains as an MVP and it will not work for personal emails either.
### Q: Since Docker ID is tracked from SAML, at what point is the login required to be tracked from SAML? Runtime or install time?
### Since Docker ID is tracked from SAML, at what point is the login required to be tracked from SAML? Runtime or install time?
Runtime for Docker Desktop if they configure Docker Desktop to require authentication to their org.
### Q: Do you support IdP-initiated authentication (e.g., Okta tile support)?
### Do you support IdP-initiated authentication (e.g., Okta tile support)?
We don't support IdP-initiated authentication. Users must initiate login through Docker Desktop or Hub.
## SSO enforcement
### Q: Can I enable SSO in all organizations?
<hr>
</div>
<div id="tab6" class="tab-pane fade" markdown="1">
You can enable SSO on organizations that are part of the Docker Business subscription.
### We currently have a Docker Team subscription. How do we enable SSO?
### Q: We currently have a Docker Team subscription. How do we enable SSO?
SSO is available with a Docker Business subscription. To enable SSO, you must first upgrade your subscription to a Docker Business subscription. To learn how to upgrade your existing account, see [Upgrade your subscription](https://www.docker.com/pricing).
Docker SSO is available with a Docker Business subscription. To enable SSO, you must first upgrade your subscription to a Docker Business subscription. To learn how to upgrade your existing account, see [Upgrade your subscription](https://www.docker.com/pricing).
### Q: How do service accounts work with SSO?
### How do service accounts work with SSO?
Service accounts work like any other user when SSO is turned on. If the service account is using an email for a domain with SSO turned on, it needs a PAT for CLI and API usage.
### Q: Is DNS verification required to enable SSO?
### Is DNS verification required to enable SSO?
Yes. You must verify a domain before using it with an SSO connection.
### Q: Does Docker SSO support authenticating through the command line?
### Does Docker SSO support authenticating through the command line?
Yes. When SSO is enabled, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../docker-hub/access-tokens.md). Before we transition to PATs, CLI users can continue logging in using their personal credentials until early next year to mitigate the risk of interrupting CI/CD pipelines.
### Q: How does SSO affect our automation systems and CI/CD pipelines?
### How does SSO affect our automation systems and CI/CD pipelines?
Before enforcing SSO, you must create PATs for automation systems and CI/CD pipelines and use the tokens instead of a password.
### Q: I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they purchase Docker Business licenses, they will implement and enforce SSO through Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account?
### I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they purchase Docker Business licenses, they will implement and enforce SSO through Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account?
If they already have their organization email on their account, then it will be migrated to SSO.
### Q: If an organization enables SSO, the owners can control Docker IDs associated with their work email domain. Some of these Docker IDs won't be users of Docker Desktop and therefore don't require a Business subscription. Can the owners choose which Docker IDs they add to their Docker org and get access to Business features? Is there a way to flag which of these Docker IDs are Docker Desktop users?
### If an organization enables SSO, the owners can control Docker IDs associated with their work email domain. Some of these Docker IDs won't be users of Docker Desktop and therefore don't require a Business subscription. Can the owners choose which Docker IDs they add to their Docker org and get access to Business features? Is there a way to flag which of these Docker IDs are Docker Desktop users?
SSO enforcement will apply to any domain email user, and automatically add that user to the Docker Hub org that enables enforcement. The admin could remove users from the org manually, but those users wouldn't be able to authenticate if SSO is enforced.
### Q: Can I enable SSO and hold off on the domain verification and enforcement options?
### Can I enable SSO and hold off on the domain verification and enforcement options?
Yes, they can choose to not enforce, and users have the option to use either Docker ID (standard email/password) or email address (SSO) at the sign-in screen.
### Q: SSO is enforced, but one of our users is connected to several organizations (and several email-addresses) and is able to bypass SSO and login through userid and password. Why is this happening?
### SSO is enforced, but one of our users is connected to several organizations (and several email-addresses) and is able to bypass SSO and login through userid and password. Why is this happening?
They can bypass SSO if the email they're using to sign in doesn't match the organization email being used when SSO is enforced.
### Q: Is there a way to test this functionality in a test tenant with Okta before going to production?
### Is there a way to test this functionality in a test tenant with Okta before going to production?
Yes, you can create a test organization. Companies can set up a new 5 seat Business plan on a new organization to test with (making sure to only enable SSO, not enforce it or all domain email users will be forced to sign in to that test tenant).
### Q: Once we enable SSO for Docker Desktop, what's the impact to the flow for Build systems that use service accounts?
### Once we enable SSO for Docker Desktop, what's the impact to the flow for Build systems that use service accounts?
If SSO is enabled, there is no impact for now. We'll continue to support either username/password or personal access token sign-in.
However, if you **enforce** SSO:
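Review bot: the new tab6 block opens with an answer and no question. `## SSO enforcement` and `### Q: Can I enable SSO in all organizations?` are both dropped, so `You can enable SSO on organizations that are part of the Docker Business subscription.` now sits directly under `<div id="tab6" ...>` with no heading above it; keep `### Can I enable SSO in all organizations?` there (the `### ` style the other questions now use) or fold the sentence into the Docker Team answer that follows. Smaller points in the same hunk: `### Can i add sub-domains?` has a lowercase `i` and its answer has a stray space in `your SSO , however`; the relative dates `(as of January 2022)` in the multi-domain answer and `until early next year` in the CLI answer should be absolute, since this page is being edited in 2023; and the bypass answer (`They can bypass SSO if the email they're using to sign in doesn't match the organization email being used when SSO is enforced.`) would be more useful if it repeated the control already stated under the domain question, that the company domain email must be set as the primary email on the Docker ID.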
@ -204,43 +210,45 @@ However, if you **enforce** SSO:
* Username/password and personal access token will still work (but only if they exist, which they won't for new accounts)
* Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token for that service account.
## Managing users
<hr>
</div>
<div id="tab7" class="tab-pane fade" markdown="1">
### Q: How do I manage users when using SSO?
### How do I manage users when using SSO?
Users are managed through organizations in Docker Hub. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
### Q: Do I need to manually add users to my organization?
### Do I need to manually add users to my organization?
No, you dont need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker Hub, they're automatically assigned to the organization using their domain email address.
When a user signs into Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
### Q: Can users in my organization use different email addresses to authenticate through SSO?
### Can users in my organization use different email addresses to authenticate through SSO?
During the SSO setup, youll have to specify the company email domains that are allowed to authenticate. All users in your organization must authenticate using the email domain specified during SSO setup. Some of your users may want to maintain a different account for their personal projects.
Users with a public domain email address will be added as guests.
### Q: Can Docker Org Owners/Admins approve users to an organization and use a seat, rather than having them automatically added when SSO Is enabled?
### Can Docker org owners/Admins/company owners approve users to an organization and use a seat, rather than having them automatically added when SSO Is enabled?
Admins and organization owners can currently approve users by configuring their permissions through their IdP. That's if the user account is configured in the IdP, the user will be automatically added to the organization in Docker Hub as long as theres an available seat.
Admins, organization owners and company owners can currently approve users by configuring their permissions through their IdP. That's if the user account is configured in the IdP, the user will be automatically added to the organization in Docker Hub as long as theres an available seat.
### Q: How will users be made aware that they're being made a part of a Docker Org?
### How will users be made aware that they're being made a part of a Docker Org?
When SSO is enabled, users will be prompted to authenticate through SSO the next time they try to sign in to Docker Hub or Docker Desktop. The system will see the end-user has a domain email associated with the docker ID they're trying to authenticate with, and prompts them to sign in with SSO email and credentials instead.
If users attempt to sign in through the CLI, they must authenticate using a personal access token (PAT).
### Q: Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their companys domain?
### Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their companys domain?
Yes. Admins can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../docker-hub/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file.
Once SSO enforcement is set up on their Docker Business org on Hub, when the user is forced to authenticate with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password).
Once SSO enforcement is set up on their Docker Business organisation or company on Hub, when the user is forced to authenticate with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password).
Users may still be able to authenticate as a "guest" account to the organization using a non-domain email address. However, they can only authenticate as guests if that non-domain email was invited to the organization by the organization owner.
Users may still be able to authenticate as a "guest" account using a non-domain email address. However, they can only authenticate as guests if that non-domain email was invited.
### Q: Is it possible to convert existing users from non-SSO to SSO accounts?
### Is it possible to convert existing users from non-SSO to SSO accounts?
Yes, you can convert existing users to an SSO account. To convert users from a non-SSO account:
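Review bot: duplicated sentence in the Managing users tab. `When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.` appears under `### How do I manage users when using SSO?` and again (as `When a user signs into Docker ...`) under `### Do I need to manually add users to my organization?`; keep one. Also: `Docker Business organisation or company on Hub` is the only British spelling next to `organization` on the surrounding lines; `That's if the user account is configured in the IdP` should read `That is, if ...`; `### Can Docker org owners/Admins/company owners ... when SSO Is enabled?` has inconsistent capitalisation; and the guest-access answer lost its qualifier when `invited to the organization by the organization owner` became `invited`, which drops who is allowed to grant guest access, the control that matters once SSO is enforced.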
@ -251,41 +259,59 @@ Yes, you can convert existing users to an SSO account. To convert users from a n
For detailed prerequisites and instructions on how to enable SSO, see [Configure Single Sign-on](index.md).
### Q: What impact can users expect once we start onboarding them to SSO accounts?
### What impact can users expect once we start onboarding them to SSO accounts?
When SSO is enabled and enforced, your users just have to sign in using the email address and password.
### Q: Is Docker SSO fully synced with Active Directory (AD)?
### Is Docker SSO fully synced with Active Directory (AD)?
Docker doesnt currently support a full sync with AD. That's, if a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../docker-hub/members.md#remove-members) from the organization.
Additionally, you can use our APIs to complete this process.
### Q: What's the best way to provision the Docker Subscription without SSO?
### What's the best way to provision the Docker Subscription without SSO?
Admins in the Owners group in the orgs can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already).
Company or organisation owners can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already).
### Q: If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link through email?
### If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link through email?
Yes, if the user is added through email address to an org, they will receive an email invite. If invited through Docker ID as an existing user instead, they'll be added to the organization automatically. A new invite flow will occur in the near future that will require an email invite (so the user can choose to opt out). If the org later sets up SSO for [zeiss.com](https://www.zeiss.com/) domain, the user will automatically be added to the domain SSO org next sign in which requires SSO auth with the identity provider (Hub login will automatically redirect to the identity provider).
### Q: Can someone join the organization without an invitation? Is it possible to put specific users to an organization with existing email accounts?
### Can someone join an organization without an invitation? Is it possible to put specific users to an organization with existing email accounts?
Not without SSO. Joining requires an invite from a member of the Owners group. When SSO is enforced, then the domains verified through SSO will allow users to automatically join the organization the next time they sign in as a user that has a domain email assigned.
### Q: When we send an invitation to the user, will the existing account be consolidated and retained?
### When we send an invitation to the user, will the existing account be consolidated and retained?
Yes, the existing user account will join the organization with all assets retained.
### Q: How can I view, update, and remove multiple email addresses for my users?
### How can I view, update, and remove multiple email addresses for my users?
We only support one email per user on the Docker platform.
### Q: How can I remove invitees to the org who haven't signed in?
### How can I remove invitees to the org who haven't signed in?
They can go to the invitee list in the org view and remove them.
### Q: How's the flow for service account authentication different from a UI user account?
### How's the flow for service account authentication different from a UI user account?
It isn't; we don't differentiate the two in product.
<hr>
</div>
</div>
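Review bot: `[zeiss.com](https://www.zeiss.com/)` in the invitation answer is a named customer's domain used as an example; replace it with a neutral placeholder such as `example.com`, and drop the forward-looking `A new invite flow will occur in the near future` unless it ships with this change. Also: `When SSO is enabled and enforced, your users just have to sign in using the email address and password` conflicts with the previous tab, which says enforced SSO sends users to their IdP instead of username and password, so say `email address and IdP credentials`; `That's, if a user leaves` should be `That is, if`; `Company or organisation owners` uses the British spelling while `Joining requires an invite from a member of the Owners group` a few lines later keeps the old `Owners group` wording that this change replaces; and `We only support one email per user` contradicts `they can add multiple emails to a Docker ID` in the domain tab, so one of the two answers needs updating.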
View File

@ -4,24 +4,28 @@ keywords: Single Sign-on, SSO, sign-on
title: Overview
---
This section is for administrators who want to enable Docker Single Sign-on (SSO) for their businesses. Docker SSO allows users to authenticate using their identity providers (IdPs) to access Docker. You can enable SSO on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade/){:target="blank" rel="noopener" class=""}.
SSO allows users to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade/){:target="blank" rel="noopener" class=""}.
When SSO is enabled, users are redirected to your providers authentication page to sign in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process.
## How it works
Before enabling SSO in Docker Hub, administrators must configure their identity provider to configure their IdP to work with Docker Hub. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub.
When SSO is enabled, users are redirected to your IdP's authentication page to sign in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process.
After establishing the connection between the IdP server and Docker Hub, administrators sign in to the organization in Docker Hub and complete the SSO enablement process. See the section **Enable SSO in Docker Hub** for detailed instructions.
To enable SSO in Docker Hub, you need the following information from your identity provider:
* **SAML 2.0**: Single Sign-On URL and the X.509 signing certificate
* **Azure AD**: Client ID (a unique identifier for your registered AD application), Client Secret (a string used to gain access to your registered Azure AD application), and AD Domain details
Currently, enabling SSO on a single organization is supported. However, single logout isn't supported. If you have any users in your organization with a different domain (including social domains), they will be added to the organization as guests. Guests will continue to authenticate through Docker with their Docker login credentials (Docker ID and password).
## Single Sign-on architecture flow
The following diagram shows how Single Sign-on (SSO) operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdPs.
The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP.
[![SSO architecture](images/sso-architecture.png)](images/sso-architecture.png){: target="_blank" rel="noopener" class="_"}
## How to set it up
Before enabling SSO in Docker Hub, administrators must first configure their IdP to work with Docker Hub. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub.
After establishing the connection between the IdP server and Docker Hub, administrators sign in to the organization in Docker Hub and complete the SSO enablement process.
When you enable SSO for your organization or company, a first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your organization and assigned to your company's team.
Administrators can then choose to enforce SSO login and effortlessly manage SSO connections for their individual organization or company.
## What's next?
- Check [the prerequisites](requirements/index.md)
- Explore [the FAQs](faqs.md)
- Start [configuring SSO](configure/index.md) for your organization or company
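Review bot: stale context line. The new intro says SSO `is available for a whole company, and all associated organizations, or an individual organization`, but the unchanged paragraph below still says `Currently, enabling SSO on a single organization is supported.`; update or remove that sentence so the page does not contradict itself. Also: the new sentence reads better as `for a whole company and all of its associated organizations, or for an individual organization`; `how to authenticate between your IdP` (changed from `IdPs`) is ungrammatical, `how authentication flows between Docker and your IdP` would be clearer; and `effortlessly` in `effortlessly manage SSO connections` can go from a how-to section.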

View File

@ -4,13 +4,64 @@ keywords: manage, single sign-on, SSO, sign-on
title: Manage SSO
---
## Manage users when SSO is enabled
## Manage domains
You dont need to add users to your organization in Docker Hub manually. You just need to make sure an account for your users exists in your IdP.
### Remove a domain from an SSO connection
> **Note**
>
> When you enable SSO for your organization, a first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your organization and assigned to your company's team.
1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**.
2. Select **Next** to navigate to the section where the connected domains are listed.
3. In the **Domain** drop-down, select the **Remove** icon next to the domain that you want to remove.
4. Select **Next** to confirm or change the connected organization(s).
5. Select **Next** to confirm or change the default organization and team provisioning selections.
6. Review the **Connection Summary** and select **Save**.
>**Note**
>
>If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value.
## Manage organizations
>**Note**
>
>You must have a [company](../../docker-hub/creating-companies.md) to manage more than one organization.
### Connect an organization
1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**.
2. Select **Next** to navigate to the section where connected organizations are listed.
3. In the **Organizations** drop-down, select the organization to add to the connection.
4. Select **Next** to confirm or change the default organization and team provisioning.
5. Review the **Connection Summary** and select **Save**.
### Remove an organization
1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**.
2. Select **Next** to navigate to the section where connected organizations are listed.
3. In the **Organizations** drop-down, select **Remove** to remove the connection.
4. Select **Next** to confirm or change the default organization and team provisioning.
5. Review the **Connection Summary** and select **Save**.
## Manage SSO connections
### Edit a connection
1. In the **Single Sign-On Connection** table, select the **Action** icon.
2. Select **Edit connection** to edit you connection.
3. Continue with the on-screen instructions.
### Delete a connection
1. In the **Single Sign-On Connection** table, select the **Action** icon.
2. Select **Delete** and **Delete connection**.
3. Continue with the on-screen instructions.
### Deleting SSO
When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.
## Manage users
### Add guest users when SSO is enabled
To add a guest to your organization in Docker Hub if they arent verified through your IdP:
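Review bot: wrong object in `### Remove an organization`, step 3: `In the **Organizations** drop-down, select **Remove** to remove the connection.` removes the organization from the connection, not the connection itself; say `to remove the organization from the connection`, since deleting the connection is covered separately under `### Delete a connection`. Also: `### Deleting SSO` breaks the imperative heading style (`Edit a connection`, `Delete a connection`) used in the same section and largely restates `Delete a connection`, so consider merging them, and in that paragraph `create a password reset` should be `request a password reset`; `Select **Edit connection** to edit you connection` is missing an `r`; the note that re-adding a domain assigns a new TXT record value and requires verification again is worth stating more explicitly, that the previous value no longer proves ownership, so an admin cannot skip the step by leaving the old record in DNS; and the `>**Note**` callouts lack the space after `>` that `> **Note**` has in the removed lines.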
@ -18,27 +69,11 @@ To add a guest to your organization in Docker Hub if they arent verified thro
2. Select **Add Member**, enter the email address, and select a team from the drop-down list.
3. Select **Add** to confirm.
## Remove users from the SSO organization
### Remove users from the SSO organization
To remove a user from an organization:
1. Sign in to [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} as an administrator of your organization.
2. Select the organization from the list. The organization page displays a list of user.
3. Select the **x** next to a members name to remove them from all the teams in the organization.
4. Select **Remove** to confirm. The member will receive an email notification confirming the removal.
1. Go to **Organizations** in Docker Hub, and select your organization.
2. From the **Members** tab, select the **x** next to a members name to remove them from all the teams in the organization.
3. Select **Remove** to confirm. The member receives an email notification confirming the removal.
> **Note**
>
> When you remove a member from an SSO organization, they're unable to log
> in using their email address.
## Deleting SSO
When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.
![Delete SSO view](/single-sign-on/images/delete-sso.png){:width="500px"}
## FAQs
To learn more see [FAQs](../faqs.md).
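Review bot: the rewritten removal steps drop the precondition from the removed step 1, `Sign in to Docker Hub as an administrator of your organization`; the new step 1, `Go to **Organizations** in Docker Hub, and select your organization`, should still say that an organization owner is required to remove members, otherwise a reader without that role will not understand why the **x** is not shown. The new `From the **Members** tab` wording also fixes `displays a list of user` in the removed line, good. The note `When you remove a member from an SSO organization, they're unable to log in using their email address` is the security-relevant consequence and would be clearer as `they can no longer sign in through SSO with that email address`.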

View File

@ -7,7 +7,7 @@ title: Requirements
## Prerequisites
* You must first notify your company about the new SSO login procedures
* Verify that your org members have the latest Docker Desktop version 4.4.2, or later, installed on their machines
* Verify that your org members have Docker Desktop version 4.4.2, or later, installed on their machines
* New org members must create a Personal Access Token (PAT) to sign in to the CLI, however existing users can use their username and password during the grace period as specified below
* Confirm that all CI/CD pipelines have replaced their passwords with PATs
* For your service accounts, add your additional domains or enable it in your IdP
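Review bot: `existing users can use their username and password during the grace period as specified below` refers to a grace period that is not specified in the lines shown; either state the period here or link to where it is defined. `For your service accounts, add your additional domains or enable it in your IdP` has no clear referent for `it`; spell out what is enabled (the service account, or the domain) so the reader knows which action keeps automation working once SSO is enforced, which the previous item, `Confirm that all CI/CD pipelines have replaced their passwords with PATs`, already covers for pipelines. The change from `the latest Docker Desktop version 4.4.2, or later` to `Docker Desktop version 4.4.2, or later` is correct, since 4.4.2 is a minimum, not the latest release.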