diff --git a/compose/cli-command.md b/compose/cli-command.md index 8012e353fe..fe42561ff3 100644 --- a/compose/cli-command.md +++ b/compose/cli-command.md @@ -104,7 +104,7 @@ from the [project release page](https://github.com/docker/compose/releases){:tar To install Compose Switch automatically, run: ```console -$ curl -fL https://raw.githubusercontent.com/docker/compose-cli/main/scripts/install/install_linux.sh | sh +$ curl -fL https://raw.githubusercontent.com/docker/compose-switch/master/install_on_linux.sh | sh ``` To install Compose Switch manually: diff --git a/compose/install.md b/compose/install.md index e60204b5f3..264c6ef507 100644 --- a/compose/install.md +++ b/compose/install.md @@ -149,16 +149,15 @@ also included below. $ sudo chmod +x /usr/local/bin/docker-compose ``` -> **Note**: -> -> If the command `docker-compose` fails after installation, check your path. -> You can also create a symbolic link to `/usr/bin` or any other directory in your path. - -For example: - -```console -$ sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose -``` + > **Note**: + > + > If the command `docker-compose` fails after installation, check your path. + > You can also create a symbolic link to `/usr/bin` or any other directory in your path. + > + > For example: + > ```console + > $ sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose + > ``` 3. Optionally, install [command completion](completion.md) for the `bash` and `zsh` shell. diff --git a/desktop/dev-environments.md b/desktop/dev-environments.md index be3989e3d6..b50cd2108b 100644 --- a/desktop/dev-environments.md +++ b/desktop/dev-environments.md @@ -253,6 +253,22 @@ In this preview, Dev Environments support a JSON file which allows you to specif } ``` +Next, you have to define the dependencies you want to include in your `Dockerfile.devenv`, alongside the following requisites: + +While some images or Dockerfiles will include a non-root user, many base images and Dockerfiles do not. Fortunately, you can add a non-root user named `vscode`. If you were to include the Docker tooling (e.g. `docker` cli, `docker compose`, etc.) in the `Dockerfile.devenv`, you would need the `vscode` user to be included in the `docker` group. + +```dockerfile +# syntax=docker/dockerfile:1 + +FROM + +RUN useradd -s /bin/bash -m vscode \ + && groupadd docker \ + && usermod -aG docker vscode + +USER vscode +``` + ## Specify a base image If you already have an image built, you can specify it as a base image to define your Dev Environment. You must include this as part of the `.docker` folder and then add it as a `config.json` file. For example, to use the Jekyll base image, add: diff --git a/desktop/windows/release-notes/index.md b/desktop/windows/release-notes/index.md index 1f91651108..44d1b4f8e7 100644 --- a/desktop/windows/release-notes/index.md +++ b/desktop/windows/release-notes/index.md @@ -23,8 +23,8 @@ This page contains information about the new features, improvements, known issue Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1){: target="_blank" rel="noopener" class="_"} to see what's coming next. -## Docker Desktop 4.5.0 -2022-02-10 +## Docker Desktop 4.5.1 +2022-02-15 > Download Docker Desktop > @@ -32,6 +32,17 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro > Windows](https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-win-amd64){: > .button .primary-btn } +### Bug fixes and minor changes + +- Fixed an issue that caused new installations to default to the Hyper-V backend instead of WSL 2. +- Fixed a crash in the Docker Dashboard which would make the systray menu disappear. + +If you are running Docker Desktop on Windows Home, installing 4.5.1 will switch it back to WSL 2 automatically. If you are running another version of Windows, and you want Docker Desktop to use the WSL 2 backend, you must manually switch by enabling the **Use the WSL 2 based engine** option in the **Settings > General** section. +Alternatively, you can edit the Docker Desktop settings file located at `%APPDATA%\Docker\settings.json` and manually switch the value of the `wslEngineEnabled` field to `true`. + +## Docker Desktop 4.5.0 +2022-02-10 + ### New - Docker Desktop 4.5.0 introduces a new version of the Docker menu which creates a consistent user experience across all operating systems. For more information, see the blog post [New Docker Menu & Improved Release Highlights with Docker Desktop 4.5](https://www.docker.com/blog/new-docker-menu-improved-release-highlights-with-docker-desktop-4-5/){: target="_blank" rel="noopener" class="_"} @@ -47,6 +58,10 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro - Fixed an issue related to compose app started with version 2, but the dashboard only deals with version 1 - Fixed an issue where Docker Desktop incorrectly prompted users to sign in after they quit Docker Desktop and start the application. +### Known issues + +Installing Docker Desktop 4.5.0 from scratch has a bug which defaults Docker Desktop to use the Hyper-V backend instead of WSL 2. This means, Windows Home users will not be able to start Docker Desktop as WSL 2 is the only supported backend. To work around this issue, you must uninstall 4.5.0 from your machine and then download and install Docker Desktop 4.5.1 or a higher version. Alternatively, you can edit the Docker Desktop settings.json file located at `%APPDATA%\Docker\settings.json` and manually switch the value of the `wslEngineEnabled` field to `true`. + ## Docker Desktop 4.4.4 2022-01-24 diff --git a/network/ipvlan.md b/network/ipvlan.md index 3abf14c751..169f87a8fb 100644 --- a/network/ipvlan.md +++ b/network/ipvlan.md @@ -388,7 +388,7 @@ unless the upstream network is explicitly routing it on VLAN `139`. ```console # Create a v6 network $ docker network create -d ipvlan \ - --subnet=2001:db8:abc2::/64 --gateway=2001:db8:abc2::22 \ + --ipv6 --subnet=2001:db8:abc2::/64 --gateway=2001:db8:abc2::22 \ -o parent=eth0.139 v6ipvlan139 # Start a container on the network diff --git a/single-sign-on/faqs.md b/single-sign-on/faqs.md index 94d22b0ac0..7462bee1d0 100644 --- a/single-sign-on/faqs.md +++ b/single-sign-on/faqs.md @@ -5,15 +5,154 @@ title: Single Sign-on FAQs toc_max: 2 --- -## General +## General SSO overview + +### Q: Is Docker SSO available for all paid subscriptions? + +Docker Single Sign-on (SSO) is only available with the Docker Business subscription. Upgrade your existing subscription to start using Docker SSO. ### Q: How does Docker SSO work? -Docker Single Sign-on (SSO) allows users to authenticate using their identity providers (IdPs) to access Docker. Docker currently supports Azure AD and identity providers that support SAML 2.0. When you enable SSO, users are redirected to your provider’s authentication page to authenticate using their email and password. +Docker Single Sign-on (SSO) allows users to authenticate using their identity providers (IdPs) to access Docker. Docker currently supports Azure AD and any SAML 2.0 identity providers. When you enable SSO, users are redirected to your provider’s authentication page to authenticate using their email and password. ### Q: What SSO flows are supported by Docker? -Docker currently supports Service Provider Initiated (SP-initiated) SSO flow. This means, users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. +Docker currently supports Service Provider Initiated (SP-initiated) SSO flow. This means users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. + +### Q: Where can I find detailed instructions on how to configure Docker SSO? + +You first need to establish an SSO connection with your identity provider, and the company email domain needs to be verified prior to SSO enforcement for your users. For detailed step-by-step instructions on how to configure Docker SSO, see [Single Sign-on](index.md). + +### Q: Does Docker SSO support multi-factor authentication (MFA)? + +When an organization uses SSO, MFA is determined on the IdP level, not on the Docker platform. + +### Q: Do I need a specific version of Docker Desktop for SSO? + +Yes, all users in your organization must upgrade to Docker Desktop version 4.4.0 or higher. Users on older versions of Docker Desktop will not be able to sign in after enforcing SSO if the company domain email is used to log in or as the primary email associated with an existing Docker account Your users with existing accounts cannot sign in with their username and password. + +### Q: Is there a way to test this functionality in a test tenant with Okta before going to production? + +You can create a test organization. Companies can set up a new five-seat Business Plan on a new organization to test with (making sure you enable SSO only, if you enforce it, all domain email users will be forced to sign in to that test tenant). + +## SAML SSO + +### Q: Does SAML authentication require additional attributes? + +You must provide an email address as an attribute to authenticate via SAML. The ‘Name’ attribute is currently optional. + +### Q: Does the application recognize the NameID/Unique Identifier in the SAMLResponse Subject? + +The preferred format is your email address, which should also be your Name ID. + +### Q: When SAML SSO is enforced, at what stage is the login required to be tracked through SAML? At runtime or install time? + +At runtime for Docker Desktop if it’s configured to require authentication to the organization. + +### Q: How long is the grace-period for using regular user id and password for the docker desktop itself regardless of the enforced SSO? + +Currently, we do not have a date on when the grace-period will end. + +### Q: Do you have any information on how to use the Docker Desktop application in accordance with the SSO users we provide? How can we verify that we are handling the licensing correctly? + +Verify that your users have downloaded the latest version of Docker Desktop. We will be enhancing user management observability and capabilities in the near future. + +## Docker org and Docker ID + +### Q: What’s a Docker ID? Can I retain my Docker ID when using SSO? + +For a personal Docker ID, a user is the account owner, it’s associated with access to the user's repositories, images, assets. An end user can choose to have a company domain email on the Docker account, when SSO is enforced, the account will be tied to the organization account. Alternatively, when SSO is enforced for a company organization, any user logging in without an existing account using verified company domain email will automatically have an account provisioned, and a new Docker ID created. + +### Q: What if the Docker ID I want for my org is taken? + +This depends on the state of the namespace, if trademark claims exist for the Organization Docker ID, a manual flow for legal review is required. + +### Q: What if I want to create more than 3 organizations? + +You can create multiple organizations or multiple teams under a single organization. If you intend to enforce SSO, SSO is currently only available for a single org with a single identity provider. + +### Q: If I have multiple orgs how will that affect my org if they are all connected to the same domain? + +We are currently limited in supporting such a setup, and would recommend setting up different teams under the same org if you plan to enforce SSO and only have one email domain. + +## Identity providers + +### Q: Is it possible to use more than one IdP with Docker SSO? + +No. You can only configure Docker SSO to work with a single IdP. A domain can only be associated with a single IdP. Docker currently supports Azure AD and identity providers that support SAML 2.0. + +### Q Is it possible to change my identity provider after configuring SSO? + +Yes. You must delete your existing IdP configuration in Docker Hub and follow the instructions to Configure SSO using your IdP. If you had already turned on enforcement, you should turn off enforcement before updating the provider SSO connection. + +### Q: What information do I need from my Identity providers to configure SSO? + +To enable SSO in Docker, you need the following from your IdP: + +* **SAML**: Entity ID, ACS URL, Single Logout URL and the public X.509 certificate + +* **Azure AD**: Client ID, Client Secret, AD Domain. + +### Q: What happens if my existing certificate expires? + +If your existing certificate has expired, you may need to contact your identity provider to retrieve a new x509 certificate. The new certificate must be updated in the SSO configuration settings page on Docker Hub. + +### Q: What happens if my IdP goes down when SSO is enabled? + +It is not possible to access Docker Hub when your IdP is down. However, you can access Docker Hub images from the CLI using your Personal Access Token. Or, if you had an existing account before the SSO enforcement, you can use your username and password to access Docker Hub images during the grace period for your organization. + +### Q: What happens when I turn off SSO for my organization? + +When you turn off SSO, authentication through your Identity Provider will no longer be required to access Docker. Users may continue to log in through Single Sign-On as well as Docker ID and password. + +### Q: How do I handle accounts using Docker Hub as a secondary registry? Do I need a bot account? + +You can add a bot account to your IDP and create an access token for it to replace the other credentials. + +### Q: Does Docker plan to release SAML just in time provisioning? + +Our SSO implementation is already "just in time". Admins don't have to create users’ accounts on Hub, they can just enable it on the IdP and have the users log in via their domain email on Hub. + +### Q: Will there be IdP initiated logins? Does Docker plan to support SSO logins outside of Hub and Desktop? + +We currently do have any plans to enable IdP initiated logins. + +### Q: Build agents - For customers using SSO, do they need to create a bot account to fill a seat within the dockerorg? + +Yes, generally bot accounts need to be a seat, similar to a regular end user, having a non-aliased domain email enabled in the IdP and using a seat in Hub. + +### Q: Is it possible to connect Docker Hub directly with a Microsoft Azure Active Directory Group? + +Yes, Azure AD is supported with SSO for Docker Business, both via a direct integration and via SAML. + +## Adding domain and domain verification + +### Q: What should I do if I reach the character limits when adding the txt record for my domain? + +Yes, you can add sub-domains to your SSO , however all email addresses should also be on that domain. Verify that your DNS provider supports multiple txt fields for the same domain. + +### Q: Can the DNS provider configure it once for one-time verification and remove it later OR will it be needed permanently? + +They can do it one time to add it to a connection. If they ever change idPs and have to set up SSO again, they will need to verify again. + + +### Q: Is adding Domain required to configure SSO? What domains should I be adding? And how do I add it? + +Adding and verifying Domain is required to enable and enforce SSO. Click Add Domain and specify the email domains that are allowed to authenticate via your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email. + +### Q: If users are using their personal email, do they have to convert to using the Org’s domain before they can be invited to join an Org? Is this just a quick change in their Hub account? + +No, they do not. Though they can add multiple emails to a Docker ID if they choose to. However, that email can only be used once across Docker. The other thing to note is that (as of January 2022) SSO will not work for multi domains as an MVP and it will not work for personal emails either. + +### Q: Since Docker ID is tracked from SAML, at what point is the login required to be tracked from SAML? Runtime or install time? + +Runtime for Docker Desktop if they configure Docker Desktop to require authentication to their org. + +### Q: Do you support IdP-initiated authentication (e.g., Okta tile support)? + +We do not support IdP-initiated authentication. Users must initiate login through Docker Desktop or Hub. + +## SSO enforcement ### Q: Can I enable SSO in all organizations? @@ -21,41 +160,12 @@ You can enable SSO on organizations that are part of the Docker Business subscri ### Q: We currently have a Docker Team subscription. How do we enable SSO? -Docker SSO is available with a Docker Business subscription. To enable SSO, you must first upgrade your subscription to a Docker Business subscription. To learn how to upgrade your existing account, see [Upgrade your subscription](/subscription/upgrade/){:target="blank" rel="noopener" class=""}. - -### Q: Where can I find detailed instructions on how to configure Docker SSO? - -For step by step instructions, see [Configure Single Sign-on](index.md). - -### Q: Is it possible to use more than one IdP with Docker SSO? - -No. You can only configure Docker SSO to work with a single IdP. A domain can only be associated with a single IdP.Docker currently supports Azure AD and identity providers that support SAML 2.0 - -### Q: Is it possible to change my identity provider after configuring SSO? - -Yes. You must delete your existing IdP configuration in Docker Hub and follow the instructions to [configure SSO](index.md) using your IdP. - -### Q: Is Docker SSO available for all paid subscriptions? - -Docker SSO is only available with the Docker Business subscription. [Upgrade](/subscription/upgrade/){:target="blank" rel="noopener" class=""} your existing subscription to start using Docker SSO. - -### Q: Does Docker SSO support multi-factor authentication (MFA)? - -When SSO is being used by an organization, MFA is determined at the idP level and not the Docker system. - -### Q: How does service accounts work with SSO? - -Service accounts work like any other user when SSO is turned on. If the service account is using an email for a domain with SSO turned on, it needs a [PAT](/docker-hub/access-tokens/) for CLI and API usage. +Docker SSO is available with a Docker Business subscription. To enable SSO, you must first upgrade your subscription to a Docker Business subscription. To learn how to upgrade your existing account, see [Upgrade your subscription](https://www.docker.com/pricing). -## Configuration +### Q: How do service accounts work with SSO? -### Q: What information do I need from my Identity providers to configure SSO? - -To enable SSO in Docker, you need the following from your IdP: - -* **SAML 2.0**: Entity ID, ACS URL, Single Logout URL and Certificate Download URL -* **Azure AD**: Client ID, Client Secret, AD Domain +Service accounts work like any other user when SSO is turned on. If the service account is using an email for a domain with SSO turned on, it needs a PAT for CLI and API usage. ### Q: Is DNS verification required to enable SSO? @@ -63,25 +173,40 @@ Yes. You must verify a domain before using it with an SSO connection. ### Q: Does Docker SSO support authenticating through the command line? -Yes. When SSO is enabled, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Managing access tokens](/docker-hub/access-tokens/). Before we transition to PATs, CLI can continue logging in using their personal credentials until early next year to mitigate the risk of interrupting CI/CD pipelines. +Yes. When SSO is enabled, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../docker-hub/access-tokens.md). Before we transition to PATs, CLI users can continue logging in using their personal credentials until early next year to mitigate the risk of interrupting CI/CD pipelines. -### Q: How does SSO affect our automation systems and CI/CD pipelines? +### Q: How does SSO affect our automation systems and CI/CD pipelines? Before enforcing SSO, you must create PATs for automation systems and CI/CD pipelines and use the tokens instead of a password. -When SSO is enforced, password-based authentication no longer works on your automation systems and CI/CD pipelines. +### Q: I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they purchase Docker Business licenses, they will implement and enforce SSO via Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account? -### Q: Do I need a specific version of Docker Desktop for SSO? +If they already have their organization email on their account, then it will be migrated to SSO. -Yes, all users in your organization must upgrade to Docker Desktop version 4.4.2 or higher. Users on older versions of Docker Desktop will not be able to sign in after enforcing SSO. +### Q: If an organization enables SSO, the owners can control Docker IDs associated with their work email domain. Some of these Docker IDs will not be users of Docker Desktop and therefore don't require a Business subscription. Can the owners choose which Docker IDs they add to their Docker org and get access to Business features? Is there a way to flag which of these Docker IDs are Docker Desktop users? -### Q: Does SAML authentication require additional attributes? +SSO enforcement will apply to any domain email user, and automatically add that user to the Docker Hub org that enables enforcement. The admin could remove users from the org manually, but those users wouldn't be able to authenticate if SSO is enforced. -You must provide an email address as an attribute to authenticate via SAML. The ‘Name’ attribute is currently optional. +### Q: Can I enable SSO and hold off on the domain verification and enforcement options? -### Q: When SAML SSO is enforced, at what stage is the login required to be tracked through SAML? At runtime or install time? +Yes, they can choose to not enforce, and users have the option to use either Docker ID (standard email/password) or email address (SSO) at the sign-in screen. -Runtime for Docker Desktop if it’s configured to require authentication to the organization. +### Q: We have enforced SSO, but one of our users is connected to several organizations (and several email-addresses) and is able to bypass SSO and login via userid and password. Why is this happening? + +They can bypass SSO if the email they are using to log in doesn't match the organization email being used when SSO is enforced. + +### Q: Is there a way to test this functionality in a test tenant with Okta before going to production? + +Yes, you can create a test organization. Companies can set up a new 5 seat Business plan on a new organization to test with (making sure to only enable SSO, not enforce it or all domain email users will be forced to sign in to that test tenant). + +### Q: Once we enable SSO for Docker Desktop, what is the impact to the flow for Build systems that use service accounts? + +If SSO is enabled, there is no impact for now. We'll continue to support either username/password or personal access token sign-in. +However, if you **enforce** SSO: + +* Service Account domain email addresses must be unaliased and enabled in their IdP +* Username/password and personal access token will still work (but only if they exist, which they won't for new accounts) +* Those who know the IdP credentials can sign in as that Service Account via SSO on Hub and create or change the personal access token for that service account. ## Managing users @@ -91,7 +216,7 @@ Users are managed through organizations in Docker Hub. When you configure SSO in ### Q: Do I need to manually add users to my organization? -No, you don’t need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP and then invite them to your organization using the **Invite Member** option in Docker Hub. +No, you don’t need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP and then invite them to your organization using the Invite Member option in Docker Hub. When a user signs into Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication. @@ -113,11 +238,11 @@ If users attempt to log in through the CLI, they must authenticate using a perso ### Q: Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their company’s domain? -Yes. Admins can force users to authenticate with Docker Desktop by provisioning a registry.json configuration file. The registry.json file will force users to authenticate as a user that is configured in the **allowedOrgs** list in the **registry.json file**. +Yes. Admins can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../docker-hub/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that is configured in the `allowedOrgs` list in the `registry.json` file. -Once SSO enforcement is set up on their DB org on Hub, when the user is forced to auth with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password). +Once SSO enforcement is set up on their Docker Business org on Hub, when the user is forced to authenticate with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password). -Users may still be able to authenticate as a "guest" account to the organization using a non-domain email address. However, they can only authenticate as guests if that non-domain email was invited to the organization by the organization owner +Users may still be able to authenticate as a "guest" account to the organization using a non-domain email address. However, they can only authenticate as guests if that non-domain email was invited to the organization by the organization owner. ### Q: Is it possible to convert existing users from non-SSO to SSO accounts? @@ -128,7 +253,7 @@ Yes, you can convert existing users to an SSO account. To convert users from a n * Each user has created a PAT to replace their passwords to allow them to log in through Docker CLI * Confirm that all CI/CD pipelines automation systems have replaced their passwords with PATs. -For detailed prerequisites and for instructions on how to enable SSO, see [Configure Single Sign-on](index.md). +For detailed prerequisites and instructions on how to enable SSO, see [Configure Single Sign-on](index.md). ### Q: What impact can users expect once we start onboarding them to SSO accounts? @@ -136,27 +261,35 @@ When SSO is enabled and enforced, your users just have to sign in using the emai ### Q: Is Docker SSO fully synced with Active Directory (AD)? -Docker doesn’t currently support a full sync with AD. That is, if a user leaves the organization, administrators must sign in to Docker Hub and manually remove the user from the organization. +Docker doesn’t currently support a full sync with AD. That is, if a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../docker-hub/orgs.md#remove-team-members) from the organization. Additionally, you can use our APIs to complete this process. +### Q: What is the best way to provision the Docker Subscription without SSO? -## Troubleshooting +Admins in the Owners group in the orgs can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already). -### Q: What happens if my IdP goes down when SSO is enabled? +### Q: If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link via email? For example, max.mustermann@zeiss.com. -It is not possible to access Docker Hub when your IdP is down. However, you can access Docker Hub images from the CLI using your Personal Access Token. Or, if you had an existing account before the SSO enforcement, you can use your username and password to access Docker Hub images during the grace period for your organization. +Yes, if the user is added via email address to an org, they will receive an email invite. If invited via docker ID as an existing user instead, they'll be added to the organization automatically. We'll be adding a new invite flow in the near future that will require an email invite in this situation as well (so the user can choose to opt out). If the org later sets up SSO for [zeiss.com](https://www.zeiss.com/) domain, the user will automatically be added to the domain SSO org next sign in which requires SSO auth with the identity provider (Hub login will automatically redirect to the identity provider). -### Q: What happens when I turn off SSO for my organization? +### Q: Can someone join the organization without an invitation? Is it possible to put specific users to an organization with existing email accounts? -When you turn off SSO, authentication through your Identity Provider will no longer be required to access Docker. Users may continue to log in through Single Sign-On as well as Docker ID and password. +Not without SSO. Joining requires an invite from a member of the Owners group. When SSO is enforced, then the domains verified through SSO will allow users to automatically join the organization the next time they sign in as a user that has a domain email assigned. -### Q: What happens if my existing certificate expires? +### Q: When we send an invitation to the user, will the existing account be consolidated and retained? -If your existing certificate has expired, you need to contact your identity provider to generate a new x509 certificate. The new certificate must be added to the SSO configuration settings page on Docker Hub. +Yes, the existing user account will join the organization with all assets retained. +### Q: How can I view, update, and remove multiple email addresses for my users? +We only support one email per user on the Docker platform. +### Q: How can I remove invitees to the org who have not signed in? +They can go to the invitee list in the org view and remove them. +### Q: How is the flow for service account authentication different from a UI user account? + +It isn't; we don't differentiate the two in product.