Merge pull request #14104 from docker/master

Publish updates from master

_data/toc.yaml

@@ -1355,9 +1355,9 @@ manuals:
       - sectiontitle: Single-Sign-on
         section:
           -  path: /single-sign-on/
-             title: Configure Single Sign-on
+             title: Configure
           -  path: /single-sign-on/faqs/
-             title: Single Sign-on Faqs
+             title: FAQs
   - path: /docker-hub/download-rate-limit/
     title: Download rate limit
   - sectiontitle: Administration

desktop/mac/release-notes/index.md

@@ -19,8 +19,8 @@ This page contains information about the new features, improvements, known issue
 
 Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1){: target="_blank" rel="noopener" class="_"} to see what's coming next.
 
-## Docker Desktop 4.3.2
+## Docker Desktop 4.4.2
-2021-12-21
+2022-01-13
 
 > Download Docker Desktop
 >
@@ -29,6 +29,52 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro
 > chip](https://desktop.docker.com/mac/main/arm64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-mac-arm64){:
 > .button .primary-btn }
 
+### Security
+
+- Fixed [CVE-2021-45449](https://docs.docker.com/security/#cve-2021-45449) that affects users currently on Docker Desktop version 4.3.0 or 4.3.1.
+
+Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user's machine during login.
+This only affects users if they are on Docker Desktop 4.3.0, 4.3.1 and the user has logged in while on 4.3.0, 4.3.1. Gaining access to this data would require having access to the user’s local files.
+
+### New
+
+- Easy, Secure sign in with Auth0 and Single Sign-on
+  - Single Sign-on: Users with a Docker Business subscription can now configure SSO to authenticate using their identity providers (IdPs) to access Docker. For more information, see [Single Sign-on](../../../single-sign-on/index.md).
+  - Signing in to Docker Desktop now takes you through the browser so that you get all the benefits of auto-filling from password managers.
+
+### Upgrades
+
+- [Docker Engine v20.10.12](https://docs.docker.com/engine/release-notes/#201012)
+- [Compose v2.2.3](https://github.com/docker/compose/releases/tag/v2.2.3)
+- [Kubernetes 1.22.5](https://github.com/kubernetes/kubernetes/releases/tag/v1.22.5)
+
+### Bug fixes and minor changes
+
+- Docker Desktop displays an error if `registry.json` contains more than one organization in the `allowedOrgs` field. If you are using multiple organizations for different groups of developers, you must provision a separate `registry.json` file for each group.
+- Fixed the memory statistics for containers in the Dashboard. Fixes [docker/for-mac/#4774](https://github.com/docker/for-mac/issues/6076).
+- Added a deprecated option to `settings.json`: `"deprecatedCgroupsv1": true`, which switches the Linux environment back to cgroups v1. This option will be removed in future releases. If your software requires cgroups v1, you must update it to be compatible with cgroups v2.
+- Fixed a regression in Compose that reverted the container name separator from `-` to `_`. Fixes [docker/compose-switch](https://github.com/docker/compose-switch/issues/24).
+- Fixed an issue where putting the machine to Sleep mode after pausing Docker Desktop results in Docker Desktop not being able to resume from pause after the machine comes out of Sleep mode. Fixes [for-mac#6058](https://github.com/docker/for-mac/issues/6058).
+
+### Known issues
+
+- The tips of the week show on top of the mandatory login dialog when an organization restriction is enabled via a `registry.json` file.
+
+## Docker Desktop 4.3.2
+2021-12-21
+
+> Download Docker Desktop
+>
+> [Mac with Intel chip](https://desktop.docker.com/mac/main/amd64/72729/Docker.dmg) |
+> [Mac with Apple chip](https://desktop.docker.com/mac/main/arm64/72729/Docker.dmg)
+
+### Security
+
+- Fixed [CVE-2021-45449](https://docs.docker.com/security/#cve-2021-45449) that affects users currently on Docker Desktop version 4.3.0 or 4.3.1.
+
+Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user's machine during login.
+This only affects users if they are on Docker Desktop 4.3.0, 4.3.1 and the user has logged in while on 4.3.0, 4.3.1. Gaining access to this data would require having access to the user’s local files.
+
 ### Upgrades
 
 [docker scan v0.14.0](https://github.com/docker/scan-cli-plugin/releases/tag/v0.14.0){: target="_blank" rel="noopener" class="_"}

desktop/windows/release-notes/index.md

@@ -19,8 +19,8 @@ This page contains information about the new features, improvements, known issue
 
 Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1){: target="_blank" rel="noopener" class="_"} to see what's coming next.
 
-## Docker Desktop 4.3.2
+## Docker Desktop 4.4.2
-2021-12-21
+2022-01-13
 
 > Download Docker Desktop
 >
@@ -28,6 +28,52 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro
 > Windows](https://desktop.docker.com/win/main/amd64/Docker%20Desktop%20Installer.exe?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-win-amd64){:
 > .button .primary-btn }
 
+### Security
+
+- Fixed [CVE-2021-45449](https://docs.docker.com/security/#cve-2021-45449) that affects users currently on Docker Desktop version 4.3.0 or 4.3.1.
+
+Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user's machine during login.
+This only affects users if they are on Docker Desktop 4.3.0, 4.3.1 and the user has logged in while on 4.3.0, 4.3.1. Gaining access to this data would require having access to the user’s local files.
+
+### New
+
+- Easy, Secure sign in with Auth0 and Single Sign-on
+  - Single Sign-on: Users with a Docker Business subscription can now configure SSO to authenticate using their identity providers (IdPs) to access Docker. For more information, see [Single Sign-on](../../../single-sign-on/index.md).
+  - Signing in to Docker Desktop now takes you through the browser so that you get all the benefits of auto-filling from password managers.
+
+### Upgrades
+
+- [Docker Engine v20.10.12](https://docs.docker.com/engine/release-notes/#201012)
+- [Compose v2.2.3](https://github.com/docker/compose/releases/tag/v2.2.3)
+- [Kubernetes 1.22.5](https://github.com/kubernetes/kubernetes/releases/tag/v1.22.5)
+
+### Bug fixes and minor changes
+
+- Docker Desktop displays an error if `registry.json` contains more than one organization in the `allowedOrgs` field. If you are using multiple organizations for different groups of developers, you must provision a separate `registry.json` file for each group.
+- Fixed a regression in Compose that reverted the container name separator from `-` to `_`. Fixes [docker/compose-switch](https://github.com/docker/compose-switch/issues/24).
+- Doing a `Reset to factory defaults` no longer shuts down Docker Desktop.
+
+### Known issues
+
+- Clicking «Proceed to Desktop» after logging in in the browser, sometimes does not bring the Dashboard to the front.
+- After logging in, when the Dashboard receives focus, it sometimes stays in the foreground even when clicking a background window. As a workaround you need to click the Dashboard before clicking another application window.
+- The tips of the week show on top of the mandatory login dialog when an organization restriction is enabled via a `registry.json` file.
+- When the Dashboard is open, even if it does not have focus or is minimized, it will still catch keyboard shortcuts (e.g. ctrl-r for Restart)
+
+## Docker Desktop 4.3.2
+2021-12-21
+
+> Download Docker Desktop
+>
+> [For Windows](https://desktop.docker.com/win/main/amd64/72729/Docker%20Desktop%20Installer.exe)
+
+### Security
+
+- Fixed [CVE-2021-45449](https://docs.docker.com/security/#cve-2021-45449) that affects users currently on Docker Desktop version 4.3.0 or 4.3.1.
+
+Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user's machine during login.
+This only affects users if they are on Docker Desktop 4.3.0, 4.3.1 and the user has logged in while on 4.3.0, 4.3.1. Gaining access to this data would require having access to the user’s local files.
+
 ### Upgrades
 
 [docker scan v0.14.0](https://github.com/docker/scan-cli-plugin/releases/tag/v0.14.0){: target="_blank" rel="noopener" class="_"}

single-sign-on/index.md

@@ -1,20 +1,15 @@
 ---
 description: Single Sign-on
 keywords: Single Sign-on, SSO, sign-on
-title: Configure Single Sign-on for Administrators
+title: Configure Single Sign-on
 ---
-> **Update to Single Sign-on**
+This section is for administrators who want to enable Docker Single Sign-on (SSO) for their businesses. Docker SSO allows users to authenticate using their identity providers (IdPs)  to access Docker. Docker currently supports SAML 2.0 and Azure AD IdPs through Auth0. You can enable SSO on organization's that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade/){:target="blank" rel="noopener" class=""}.
->
->Single Sign-on (SSO) will be available for General Availability (GA) starting mid-January 2022.
-{: .important}
-
-Docker Single Sign-on (SSO) allows users to authenticate using their identity providers (IdPs) to access Docker. Docker currently supports SAML 2.0 and Azure AD IdPs through Auth0. You can enable SSO on organization's that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade/){:target="blank" rel="noopener" class=""}.
 
 When SSO is enabled, users are redirected to your provider’s authentication page to authenticate using SSO. They cannot authenticate using their personal login credentials (Docker ID and password).
 
 Before enabling SSO in Docker Hub, administrators must work with their identity provider to configure their IdP to work with Docker Hub. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub.
 
-After establishing the connection between the IdP server and Docker Hub, administrators log into the organization in Docker Hub and complete the SSO enablement process. See the section Enable SSO in Docker Hub for detailed instructions.
+After establishing the connection between the IdP server and Docker Hub, administrators log into the organization in Docker Hub and complete the SSO enablement process. See the section **Enable SSO in Docker Hub** for detailed instructions.
 
 To enable SSO in Docker Hub, you need the following:
 
@@ -23,46 +18,81 @@ To enable SSO in Docker Hub, you need the following:
 
 We currently support enabling SSO on a single organization. If you have any users in your organization with a different domain (including social domains), they will be added to the organization as guests.
 
-## SSO prerequisites
+## Prerequisites
 
-* You must first notify your company about the new SSO login procedures. Some of your users may want to maintain a different account for their personal projects.
+* You must first notify your company about the new SSO login procedures
-* Verify that your org members have Docker Desktop version 4.4.0 installed on their machines.
+* Verify that your org members have Docker Desktop version 4.4.0 installed on their machines
-* Each org member must [create a Personal Access Token] (PAT)  to replace their passwords.
+* Each org member must create a Personal Access Token (PAT) to replace their passwords
-* Confirm that all CI/CD pipelines have replaced their passwords with PATs.
+* Confirm that all CI/CD pipelines have replaced their passwords with PATs
-* Test SSO using your domain email address and IdP password to successfully log in and log out of Docker Hub.
+* For your service accounts, add your additional domains or enable it in your IdP
+* Test SSO using your domain email address and IdP password to successfully log in and log out of Docker Hub
 
-## Creating a Personal Access Token (PAT)
+## Create a Personal Access Token (PAT)
 
 Before you configure SSO for your organization, each member of your organization must [create an access token](../docker-hub/access-tokens.md). There is currently a grace period, which will expire in the near future. Before enforcing the usage of PATs, your users will be able to log in from Docker Desktop CLI using their previous credentials during this transition period.
 In addition, all email addresses should be added to your IdP.
 
-## Configure SSO
+## Configure
 
 To configure SSO, log into [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} to obtain the **ACS URL** and **Entity IDs** to complete the IdP server configuration process. You can only configure SSO with a single IdP.  When this is complete, log back into [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} and complete the SSO enablement process.
 
-### Identity provider configuration
+### SAML 2.0 IdP configuration
+
+1. Log into [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} as an administrator and navigate to **Organizations** and select the organization that you want to enable SSO on.
+2. Click **Settings** and select the **Security** tab.
+3. Select an authentication method for **SAML 2.0**.
+
+    ![SSO SAML1](images/sso-saml1.png){:width="500px"}
+
+4. In the Identity Provider Set Up, copy the **Entity ID**, **ACS URL** and **Certificate Download URL**.
+
+    ![SSO SAML2](images/sso-saml2.png){:width="500px"}
 
-1. Log into [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} as an administrator and navigate to Organizations and select the organization that you want to enable SSO on.
-2. Click **Settings** and select the Security tab.
-3. Select an authentication method based on your identity provider. Docker currently supports **SAML 2.0** and **Azure AD**.
-4. Copy the ID and/or URL in the **Identity Provider Set Up**.
-    For SAML 2.0, copy the **Entity ID** and **ACS URL**. For Azure AD, copy your **Redirect URL/Reply URL**.
 5. Log into your IdP to complete the IdP server configuration process. Refer to your IdP documentation for detailed instructions.
+
+    > **Note:**
+    > the NameID is your email address and is set as the default.
+    > For example, <Subject><NameID>yourname@mycompany.com</NameID>.
+
 6. Complete the fields in the **Configuration Settings** section and click **Save**. If you want to change your IdP, you must delete your existing provider and configure SSO with your new IdP.
 
-![SSO SAML](images/sso-saml.png){:width="500px"}
+    ![SSO SAML3](images/sso-saml3.png){:width="500px"}
+
+### Azure AD IdP configuration
+
+1. Log into [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} as an administrator and navigate to **Organizations** and select the organization that you want to enable SSO on.
+2. Click **Settings** and select the **Security** tab.
+3. Select an authentication method for **Azure AD**.
+
+    ![SSO Azure1](images/sso-azure1.png){:width="500px"}
+
+4. In the Identity Provider Set Up, copy the **Redirect URL / Reply URL**.
+
+    ![SSO Azure2](images/sso-azure2.png){:width="500px"}
+
+5. Log into your IdP to complete the IdP server configuration process. Refer to your IdP documentation for detailed instructions.
+
+    > **Note:**
+    > the NameID is your email address and is set as the default.
+    > For example: <Subject><NameID>yourname@mycompany.com</NameID>.
+
+6. Complete the fields in the **Configuration Settings** section and click **Save**. If you want to change your IdP, you must delete your existing provider and configure SSO with your new IdP.
+
+    ![SSO Azure3](images/sso-azure3.png){:width="500px"}
 
 ### Domain control
 
-Click Add Domain and specify the corporate domain you’d like to manage with SSO. Domains should be formatted without protocol or www information, for example, yourcompany.com.
+Click **Add Domain** and specify the corporate domain you’d like to manage with SSO. Domains should be formatted without protocol or www information, for example, yourcompany.com.
 
 > **Note**
-   >
+>
-   > This should include all email domains and sub-domains users will use to access Docker.
+> This should include all email domains and sub-domains users will use to access Docker.
-   > Public domains are not permitted, such as gmail.com, outlook.com, etc.
+> Public domains such as gmail.com, outlook.com, etc are not permitted.
-   > Also, the email domain should be set as the primary email.
+> Also, the email domain should be set as the primary email.
 
-## Domain verfication
+![SSO Domain](images/sso-domain.png){:width="500px"}
+
+### Domain verification
 
 To verify ownership of a domain, add a TXT record to your Domain Name System (DNS) settings.
 
@@ -76,10 +106,15 @@ To verify ownership of a domain, add a TXT record to your Domain Name System (DN
 
 3. After you have updated the fields, click **Save**.
 
-    Note: It can take up to 72 hours for DNS changes to take effect,  depending on your DNS host. The Domains table will have an Unverified status during this time.
+    > **Note:**
+    >
+    > It can take up to 72 hours for DNS changes to take effect, depending on
+    > your DNS host. The Domains table will have an Unverified status during
+    > this time.
+
 4. In the Security section of your Docker organization, click **Verify** next to the domain you want to verify after 72 hours.
 
-### Test your SSO configuration
+## Test your SSO configuration
 
 After you’ve completed the SSO configuration process in Docker Hub, you can test the configuration when you log into Docker Hub using an incognito browser. Login using your domain email address and IdP password.  You will then get redirected to your identity provider’s login page to authenticate.
 
@@ -89,22 +124,32 @@ After you’ve completed the SSO configuration process in Docker Hub, you can te
 ## Enforce SSO in Docker Hub
 
 Before you enforce SSO in Docker Hub, you must complete the following:
-Test SSO by logging in and out successfully, confirm that all members in your org have upgraded to Docker Desktop version 4.4.0, PATs are created for each member, CI/CD passwords are converted to PAT.
+Test SSO by logging in and out successfully, confirm that all members in your org have upgraded to Docker Desktop version 4.4.2, PATs are created for each member, CI/CD passwords are converted to PAT. Also, when using Docker partner products (for example, VS Code), you must use a PAT when you enforce SSO. For your service accounts add your additional domains in **Add Domains** or enable the accounts in your IdP.
 
 Admins can force users to authenticate with Docker Desktop by provisioning a registry.json configuration file. The registry.json file will force users to authenticate as a user that is configured in the allowedOrgs list in the registry.json file. For info on how to configure a registry.json file see Configure registry.json.
 
 1. On the Single Sign-On page in Docker Hub, click **Turn ON Enforcement** to enable your SSO.
 2. When SSO is enforced, your members are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. You must enable 2FA through your IdP.
-    Note: If you want to turn off SSO and revert back to Docker’s built-in authentication, click **Turn OFF Enforcement**. Your members aren’t forced to authenticate through your IdP and can log into Docker using their personal credentials.
 
-    ![Enforced](images/sso-enforce.png){:width="500px"}
+> **Note:**
+>
+> If you want to turn off SSO and revert back to Docker’s built-in
+> authentication, click **Turn OFF Enforcement**. Your members aren’t
+> forced to authenticate through your IdP and can log into Docker using
+> their personal credentials.
 
-## Managing users when SSO is enabled
+![SSO Enforced](images/sso-enforce.png){:width="500px"}
+
+## Manage users when SSO is enabled
 
 To add a member to your organization:
 1. Create an account for your members in your IdP.
 2. Add and invite your members to your organization.
-    Note: when the first-time user logs into Docker using their domain email address, they are then added to your organization.
+
+ > **Note:**
+ >
+ > when the first-time user logs into Docker using their domain email
+ > address, they are then added to your organization.
 
 To add a guest to your organization in Docker Hub if they aren’t verified through your IdP:
 
@@ -116,11 +161,15 @@ To add a guest to your organization in Docker Hub if they aren’t verified thro
 
 To remove a member from an organization:
 
-1. Log into Docker Hub as an administrator of your organization.
+1. Log into [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} as an administrator of your organization.
-Select the organization from the list. The organization page displays a list of members.
+2. Select the organization from the list. The organization page displays a list of members.
 2. Click the **x** next to a member’s name to remove them from all the teams in the organization.
 3. Click **Remove** to confirm. The member will receive an email notification confirming the removal.
-    Note: when you remove a member from an SSO organization, they are unable to log in using their email address.
+
+> **Note:**
+>
+> when you remove a member from an SSO organization, they are unable to log
+> in using their email address.
 
 ## FAQs
 To learn more see our [FAQs](faqs.md).