This commit is contained in:
twelsh-aw 2024-07-09 11:20:13 -04:00
parent 9b453b0e1f
commit 45394a2c22
No known key found for this signature in database
GPG Key ID: 7758F38F4A2B19DC
4 changed files with 9 additions and 8 deletions

View File

@ -38,9 +38,9 @@ Ensure your users have their organization email on their account, so that the ac
Yes, you can choose to not enforce, and users have the option to use either Docker ID (standard email and password) or domain-verified email address (SSO) at the sign-in screen.
### SSO is enforced, but one of our users is connected to several organizations (and several email addresses) and is able to bypass SSO and sign in through username and password. Why is this happening?
### SSO is enforced, but one of our users is able to sign in through username and password. Why is this happening?
Users can bypass SSO if the email they're using to sign in doesn't match the organization email that's used for SSO enforcement. TODO: review
Guest users who are not part of your registered domain but have been invited to your organization do not login through your SSO Identity Provider. SSO Enforcement only requires that users which _do_ belong to your domain must go through the SSO IdP.
### Is there a way to test this functionality in a test tenant with Okta before going to production?
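Review bot: the new answer line ("Guest users who are not part of your registered domain...") should say "do not log in" (verb) rather than "do not login", and "users which _do_ belong" should be "users who _do_ belong". Since the answer now documents that invited guests outside the registered domain authenticate with Docker ID credentials rather than through the IdP, it would help admins if the text also pointed out that the set of invited guest accounts is therefore an exception to SSO enforcement that they should review, and that for members of the domain the sign-in email must match the organization email for enforcement to apply. The rewritten heading drops the "connected to several organizations (and several email addresses)" scenario from the old one; if that case is still the common cause of this question, consider keeping a short mention of it in the answer.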

View File

@ -30,7 +30,9 @@ If your existing certificate has expired, you may need to contact your identity
### What happens if my IdP goes down when SSO is enabled?
It's not possible to access Docker Hub when your IdP is down. However, you can access Docker Hub images from the CLI using your Personal Access Token.
If SSO is enforced, then it is not possible to access Docker Hub when your IdP is down. You can still access Docker Hub images from the CLI using your Personal Access Token.
If SSO is enabled but not enforced, then users could fallback to authenticate with username/password and trigger a reset password flow (if necessary).
### How do I handle accounts using Docker Hub as a secondary registry? Do I need a bot account?
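Review bot: in the added line "users could fallback to authenticate with username/password and trigger a reset password flow (if necessary)", "fallback" is a noun; the verb form is "fall back", so "users can fall back to authenticating with a username and password and, if necessary, trigger a password reset flow". The preceding added line reads better with a comma: "If SSO is enforced, then it is not possible...". It is worth stating explicitly in the not-enforced case that the password (and password-reset) path remains a live sign-in route outside the IdP, so enabling SSO without enforcing it does not give the IdP control over every login; that is the same distinction the enforcement FAQ entry relies on.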

View File

@ -16,7 +16,6 @@ When you enable SSO, your users can't authenticate using their Docker login cred
The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP.
[fixme: this url is broken]::
![SSO architecture](images/SSO.png)
## How to set it up
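Review bot: the hunk removes the "[fixme: this url is broken]::" marker but leaves the image reference `![SSO architecture](images/SSO.png)` unchanged, so please confirm in the PR description that the image actually resolves at that relative path now (or that the fixme was stale); otherwise the broken-link reminder is lost without the link being fixed. The surrounding context line "how to authenticate between your IdP" is also unclear (between your IdP and what?), which is worth fixing in a follow-up since it is the caption for this diagram.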
@ -30,8 +29,8 @@ The following diagram shows how SSO operates and is managed in Docker Hub and Do
* You must first notify your company about the new SSO login procedures.
* Verify that your members have Docker Desktop version 4.4.2, or later, installed on their machines.
* If your organization has SSO enforced, members using the Docker CLI will be required to [create a Personal Access Token (PAT)](/docker-hub/access-tokens/) to sign in instead of with a username and password. Docker plans to deprecate signing in to the CLI with a username and password in the future, so using a PAT will be required to prevent issues with authentication. For more details see the [security announcement](/security/security-announcements/#deprecation-of-password-logins-on-cli-when-sso-enforced)).
* Ensure all email addresses of allowed users are added to your IdP.
* If your organization is planning to [enforce SSO](/security/for-admins/single-sign-on/connect/#optional-enforce-sso), members using the Docker CLI will be required to [create a Personal Access Token (PAT)](/docker-hub/access-tokens/) to sign in instead of with a username and password. Docker plans to deprecate signing in to the CLI with a password in the future, so using a PAT will be required to prevent issues with authentication. For more details see the [security announcement](/security/security-announcements/#deprecation-of-password-logins-on-cli-when-sso-enforced).
* Ensure all your Docker users have a valid user on your IDP with the same email address as their Unique Primary Identifier (UPN)
* Confirm that all CI/CD pipelines have replaced their passwords with PATs.
* For your service accounts, add your additional domains or enable it in your IdP.
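Review bot: in the added line "Ensure all your Docker users have a valid user on your IDP with the same email address as their Unique Primary Identifier (UPN)", the abbreviation UPN conventionally expands to User Principal Name (the Active Directory / Entra ID attribute), not "Unique Primary Identifier", so either correct the expansion or drop the abbreviation; the line is also missing its final period and uses "IDP" where the rest of the page uses "IdP". Since an email/UPN mismatch is exactly what lets a user sign in with a password instead of SSO (per the FAQ change in this same commit), consider adding one sentence saying why the match matters. The other added bullet correctly removes the stray ")" at the end of the security announcement link from the old line and broadens the PAT requirement to organizations that are "planning to enforce SSO"; the wording "sign in instead of with a username and password" would read more cleanly as "sign in, instead of using a username and password".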

View File

@ -10,11 +10,11 @@ toc_max: 2
_Last updated July, 2024_
When [SSO Enforcement](/security/for-admins/single-sign-on/connect/#optional-enforce-sso) was first introduced, Docker provided a grace period to continue to allow passwords to be used on the Docker CLI when authenticating to Docker Hub. This was allowed to provide organizations easier adoption of the SSO Enforcement feature. Admins configuring SSO have been recommended that users [switch over to Personal Access Tokens](/security/for-admins/single-sign-on/#prerequisites) in anticipation of this grace period ending.
When [SSO Enforcement](/security/for-admins/single-sign-on/connect/#optional-enforce-sso) was first introduced, Docker provided a grace period to continue to allow passwords to be used on the Docker CLI when authenticating to Docker Hub. This was allowed to provide organizations easier adoption of the SSO Enforcement feature. Admins configuring SSO have been recommended that users using the CLI [switch over to Personal Access Tokens](/security/for-admins/single-sign-on/#prerequisites) in anticipation of this grace period ending.
On September 16, 2024 the grace period will end and passwords will no longer be able to authenticate to Docker Hub via the Docker CLI when SSO is enforced. Affected users are required to switch over to using PATs to continue logging in.
At Docker, we want the experience to be the most secure for our developers and organizations and this deprectation is an essential step in that direction.
At Docker, we want the experience to be the most secure for our developers and organizations and this deprecation is an essential step in that direction.
## Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby
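Review bot: the added sentence "Admins configuring SSO have been recommended that users using the CLI switch over to Personal Access Tokens" is awkward; "Admins configuring SSO have been advised to have their CLI users switch over to Personal Access Tokens" says the same thing without "users using". The "deprectation" to "deprecation" typo fix in the last added line is correct. The unchanged context line "_Last updated July, 2024_" should not have a comma between the month and year ("July 2024").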