mirror of https://github.com/docker/docs.git
updated configure sso
This commit is contained in:
Jerae Duffin
parent
c82853feb5
commit
84d268dec0
|
|
@ -39,7 +39,7 @@ You can create a test organization. Companies can set up a new five-seat Busines
|
|||
|
||||
### Q: Does SAML authentication require additional attributes?
|
||||
|
||||
You must provide an email address as an attribute to authenticate via SAML. The ‘Name’ attribute is currently optional.
|
||||
You must provide an email address as an attribute to authenticate through SAML. The ‘Name’ attribute is currently optional.
|
||||
|
||||
### Q: Does the application recognize the NameID/Unique Identifier in the SAMLResponse Subject?
|
||||
|
||||
|
|
@ -111,7 +111,7 @@ You can add a bot account to your IDP and create an access token for it to repla
|
|||
|
||||
### Q: Does Docker plan to release SAML just in time provisioning?
|
||||
|
||||
Our SSO implementation is already "just in time". Admins don't have to create users’ accounts on Hub, they can just enable it on the IdP and have the users log in via their domain email on Hub.
|
||||
Our SSO implementation is already "just in time". Admins don't have to create users’ accounts on Hub, they can just enable it on the IdP and have the users log in through their domain email on Hub.
|
||||
|
||||
### Q: Will there be IdP initiated logins? Does Docker plan to support SSO logins outside of Hub and Desktop?
|
||||
|
||||
|
|
@ -123,7 +123,7 @@ Yes, generally bot accounts need to be a seat, similar to a regular end user, ha
|
|||
|
||||
### Q: Is it possible to connect Docker Hub directly with a Microsoft Azure Active Directory Group?
|
||||
|
||||
Yes, Azure AD is supported with SSO for Docker Business, both via a direct integration and via SAML.
|
||||
Yes, Azure AD is supported with SSO for Docker Business, both through a direct integration and through SAML.
|
||||
|
||||
## Adding domain and domain verification
|
||||
|
||||
|
|
@ -138,7 +138,7 @@ They can do it one time to add it to a connection. If they ever change idPs and
|
|||
|
||||
### Q: Is adding Domain required to configure SSO? What domains should I be adding? And how do I add it?
|
||||
|
||||
Adding and verifying Domain is required to enable and enforce SSO. Click Add Domain and specify the email domains that are allowed to authenticate via your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email.
|
||||
Adding and verifying Domain is required to enable and enforce SSO. Click Add Domain and specify the email domains that are allowed to authenticate through your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email.
|
||||
|
||||
### Q: If users are using their personal email, do they have to convert to using the Org’s domain before they can be invited to join an Org? Is this just a quick change in their Hub account?
|
||||
|
||||
|
|
@ -179,7 +179,7 @@ Yes. When SSO is enabled, you can access the Docker CLI through Personal Access
|
|||
|
||||
Before enforcing SSO, you must create PATs for automation systems and CI/CD pipelines and use the tokens instead of a password.
|
||||
|
||||
### Q: I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they purchase Docker Business licenses, they will implement and enforce SSO via Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account?
|
||||
### Q: I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they purchase Docker Business licenses, they will implement and enforce SSO through Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account?
|
||||
|
||||
If they already have their organization email on their account, then it will be migrated to SSO.
|
||||
|
||||
|
|
@ -191,7 +191,7 @@ SSO enforcement will apply to any domain email user, and automatically add that
|
|||
|
||||
Yes, they can choose to not enforce, and users have the option to use either Docker ID (standard email/password) or email address (SSO) at the sign-in screen.
|
||||
|
||||
### Q: We have enforced SSO, but one of our users is connected to several organizations (and several email-addresses) and is able to bypass SSO and login via userid and password. Why is this happening?
|
||||
### Q: We have enforced SSO, but one of our users is connected to several organizations (and several email-addresses) and is able to bypass SSO and login through userid and password. Why is this happening?
|
||||
|
||||
They can bypass SSO if the email they are using to log in doesn't match the organization email being used when SSO is enforced.
|
||||
|
||||
|
|
@ -206,21 +206,21 @@ However, if you **enforce** SSO:
|
|||
|
||||
* Service Account domain email addresses must be unaliased and enabled in their IdP
|
||||
* Username/password and personal access token will still work (but only if they exist, which they won't for new accounts)
|
||||
* Those who know the IdP credentials can sign in as that Service Account via SSO on Hub and create or change the personal access token for that service account.
|
||||
* Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token for that service account.
|
||||
|
||||
## Managing users
|
||||
|
||||
### Q: How do I manage users when using SSO?
|
||||
|
||||
Users are managed through organizations in Docker Hub. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs into Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
|
||||
Users are managed through organizations in Docker Hub. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
|
||||
|
||||
### Q: Do I need to manually add users to my organization?
|
||||
|
||||
No, you don’t need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP and then invite them to your organization using the Invite Member option in Docker Hub.
|
||||
No, you don’t need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker Hub, they're automatically assigned to the organization using their domain email address.
|
||||
|
||||
When a user signs into Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
|
||||
|
||||
### Q: Can users in my organization use different email addresses to authenticate via SSO?
|
||||
### Q: Can users in my organization use different email addresses to authenticate through SSO?
|
||||
|
||||
During the SSO setup, you’ll have to specify the company email domains that are allowed to authenticate. All users in your organization must authenticate using the email domain specified during SSO setup. Some of your users may want to maintain a different account for their personal projects.
|
||||
|
||||
|
|
@ -269,9 +269,9 @@ Additionally, you can use our APIs to complete this process.
|
|||
|
||||
Admins in the Owners group in the orgs can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already).
|
||||
|
||||
### Q: If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link via email? For example, max.mustermann@zeiss.com.
|
||||
### Q: If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link through email?
|
||||
|
||||
Yes, if the user is added via email address to an org, they will receive an email invite. If invited via docker ID as an existing user instead, they'll be added to the organization automatically. We'll be adding a new invite flow in the near future that will require an email invite in this situation as well (so the user can choose to opt out). If the org later sets up SSO for [zeiss.com](https://www.zeiss.com/) domain, the user will automatically be added to the domain SSO org next sign in which requires SSO auth with the identity provider (Hub login will automatically redirect to the identity provider).
|
||||
Yes, if the user is added through email address to an org, they will receive an email invite. If invited through docker ID as an existing user instead, they'll be added to the organization automatically. We'll be adding a new invite flow in the near future that will require an email invite in this situation as well (so the user can choose to opt out). If the org later sets up SSO for [zeiss.com](https://www.zeiss.com/) domain, the user will automatically be added to the domain SSO org next sign in which requires SSO auth with the identity provider (Hub login will automatically redirect to the identity provider).
|
||||
|
||||
### Q: Can someone join the organization without an invitation? Is it possible to put specific users to an organization with existing email accounts?
|
||||
|
||||
|
|
|
|||
|
|
@ -3,11 +3,11 @@ description: Single Sign-on
|
|||
keywords: Single Sign-on, SSO, sign-on
|
||||
title: Configure Single Sign-on
|
||||
---
|
||||
This section is for administrators who want to enable Docker Single Sign-on (SSO) for their businesses. Docker SSO allows users to authenticate using their identity providers (IdPs) to access Docker. Docker currently supports SAML 2.0 and Azure AD IdPs through Auth0. You can enable SSO on organization's that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade/){:target="blank" rel="noopener" class=""}.
|
||||
This section is for administrators who want to enable Docker Single Sign-on (SSO) for their businesses. Docker SSO allows users to authenticate using their identity providers (IdPs) to access Docker. Docker currently supports SAML 2.0 and Azure AD authentication methods. You can enable SSO on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade/){:target="blank" rel="noopener" class=""}.
|
||||
|
||||
When SSO is enabled, users are redirected to your provider’s authentication page to authenticate using SSO. They cannot authenticate using their personal login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign into Docker Hub or Docker Desktop to initiate the SSO authentication process.
|
||||
When SSO is enabled, users are redirected to your provider’s authentication page to log in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign into Docker Hub or Docker Desktop to initiate the SSO authentication process.
|
||||
|
||||
Before enabling SSO in Docker Hub, administrators must work with their identity provider to configure their IdP to work with Docker Hub. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub.
|
||||
Before enabling SSO in Docker Hub, administrators must configure their identity provider to configure their IdP to work with Docker Hub. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub.
|
||||
|
||||
After establishing the connection between the IdP server and Docker Hub, administrators log into the organization in Docker Hub and complete the SSO enablement process. See the section **Enable SSO in Docker Hub** for detailed instructions.
|
||||
|
||||
|
|
@ -16,7 +16,7 @@ To enable SSO in Docker Hub, you need the following information from your identi
|
|||
* **SAML 2.0**: Single Sign-On URL and the X.509 signing certificate
|
||||
* **Azure AD**: Client ID (a unique identifier for your registered AD application), Client Secret (a string used to gain access to your registered Azure AD application), and AD Domain details
|
||||
|
||||
We currently support enabling SSO on a single organization. However, we do not support single logout. If you have any users in your organization with a different domain (including social domains), they will be added to the organization as guests.
|
||||
We currently support enabling SSO on a single organization. However, we do not support single logout. If you have any users in your organization with a different domain (including social domains), they will be added to the organization as guests. Guests will continue to authenticate through Docker with their Docker login credentials (Docker ID and password).
|
||||
|
||||
## Prerequisites
|
||||
|
||||
|
|
@ -145,8 +145,8 @@ To verify ownership of a domain, add a TXT record to your Domain Name System (DN
|
|||
|
||||
After you’ve completed the SSO configuration process in Docker Hub, you can test the configuration when you log into Docker Hub using an incognito browser. Login using your domain email address and IdP password. You will then get redirected to your identity provider’s login page to authenticate.
|
||||
|
||||
1. Authenticate via email instead of using your Docker ID, and test the login process.
|
||||
2. To authenticate via CLI, your users must have a PAT before you enforce SSO for CLI users.
|
||||
1. Authenticate through email instead of using your Docker ID, and test the login process.
|
||||
2. To authenticate through CLI, your users must have a PAT before you enforce SSO for CLI users.
|
||||
|
||||
## Enforce SSO in Docker Hub
|
||||
|
||||
|
|
@ -169,9 +169,7 @@ Admins can force users to authenticate with Docker Desktop by provisioning a reg
|
|||
|
||||
## Manage users when SSO is enabled
|
||||
|
||||
To add a member to your organization:
|
||||
1. Create an account for your members in your IdP.
|
||||
2. Add and invite your members to your organization.
|
||||
You don’t need to add users to your organization in Docker Hub manually. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker Hub, they're automatically assigned to the organization using their domain email address.
|
||||
|
||||
> **Note:**
|
||||
>
|
||||
|
|
|
|||
Loading…
Reference in New Issue