From 8fd8ea1c426d6e70e281f9668bf6f41c5d14ab92 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 3 May 2023 17:42:26 +0100 Subject: [PATCH] ENGDOCS-1332 (#17245) * ENGDOCS-1332 * remove from toc --- _data/toc.yaml | 2 -- single-sign-on/configure/index.md | 19 ++++++++++++++++--- single-sign-on/index.md | 12 ++++++++++-- single-sign-on/manage/index.md | 4 ++++ single-sign-on/requirements/index.md | 19 ------------------- 5 files changed, 30 insertions(+), 26 deletions(-) delete mode 100644 single-sign-on/requirements/index.md diff --git a/_data/toc.yaml b/_data/toc.yaml index 3144f743a9..1e3449131f 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1913,8 +1913,6 @@ manuals: section: - path: /single-sign-on/ title: Overview - - path: /single-sign-on/requirements/ - title: Requirements - path: /single-sign-on/configure/ title: Configure - path: /single-sign-on/manage/ diff --git a/single-sign-on/configure/index.md b/single-sign-on/configure/index.md index a40296d51b..9e708085b0 100644 --- a/single-sign-on/configure/index.md +++ b/single-sign-on/configure/index.md @@ -68,15 +68,22 @@ Follow the steps on this page to configure SSO for your organization or company. 7. Review your summary and select **Create Connection**. -The SSO connection is now created. You can continue to set up [SSO Group Mapping and SCIM](../../docker-hub/scim.md) without enforcing SSO log-in. - -## Optional step three: Test your SSO configuration +## Step three: Test your SSO configuration After you’ve completed the SSO configuration process in Docker Hub, you can test the configuration when you sign in to Docker Hub using an incognito browser. Sign in to Docker Hub using your domain email address. You are then redirected to your IdP's login page to authenticate. 1. Authenticate through email instead of using your Docker ID, and test the login process. 2. To authenticate through CLI, your users must have a PAT before you enforce SSO for CLI users. +>**Important** +> +> SSO has Just-In-Time (JIT) Provisioning enabled by default, but this can be changed on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: +> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) +> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) +{: .important} + +The SSO connection is now created. You can continue to set up [SCIM](../../docker-hub/scim.md) without enforcing SSO log-in. + ## Optional step four: Enforce SSO 1. In the **Single Sign-On Connections** table, select the **Action** icon and then **Enforce Single Sign-on**. @@ -90,3 +97,9 @@ Your users must now sign in to Docker with SSO. > >If SSO isn't enforced, users can choose to sign in with either their Docker ID or SSO. {: .important} + +## What's next? + +- [Manage you SSO connections](../manage/index.md) +- [Set up SCIM](../../docker-hub/scim.md) +- [Enable Group mapping](../../docker-hub/group-mapping.md) diff --git a/single-sign-on/index.md b/single-sign-on/index.md index 7142c7290d..43aa22b5a6 100644 --- a/single-sign-on/index.md +++ b/single-sign-on/index.md @@ -24,8 +24,16 @@ When you enable SSO for your organization or company, a first-time user can sign Administrators can then choose to enforce SSO login and effortlessly manage SSO connections for their individual organization or company. +## Prerequisites + +* You must first notify your company about the new SSO login procedures. +* Verify that your org members have Docker Desktop version 4.4.2, or later, installed on their machines. +* If your organization uses the Docker Hub CLI, new org members must [create a Personal Access Token (PAT)](../docker-hub/access-tokens.md) to sign in to the CLI.There is a grace period for existing users, which will expire in the near future. Before the grace period ends, your users can sign in from Docker Desktop CLI using their previous credentials until PATs are mandatory. +In addition, you should add all email addresses to your IdP. +* Confirm that all CI/CD pipelines have replaced their passwords with PATs. +* For your service accounts, add your additional domains or enable it in your IdP. + ## What's next? -- Check [the prerequisites](requirements/index.md) +- Start [configuring SSO](configure/index.md) for your organization or company - Explore [the FAQs](faqs.md) -- Start [configuring SSO](configure/index.md) for your organization or company \ No newline at end of file diff --git a/single-sign-on/manage/index.md b/single-sign-on/manage/index.md index ed2b3afe83..325238e9a9 100644 --- a/single-sign-on/manage/index.md +++ b/single-sign-on/manage/index.md @@ -84,3 +84,7 @@ To remove a user from an organization: 2. From the **Members** tab, select the **x** next to a member’s name to remove them from all the teams in the organization. 3. Select **Remove** to confirm. The member receives an email notification confirming the removal. +## What's next? + +- [Set up SCIM](../../docker-hub/scim.md) +- [Enable Group mapping](../../docker-hub/group-mapping.md) diff --git a/single-sign-on/requirements/index.md b/single-sign-on/requirements/index.md deleted file mode 100644 index 314bb6de27..0000000000 --- a/single-sign-on/requirements/index.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -description: Single Sign-on requirements -keywords: Single Sign-on, SSO, sign-on, requirements -title: Requirements ---- - -## Prerequisites - -* You must first notify your company about the new SSO login procedures -* Verify that your org members have Docker Desktop version 4.4.2, or later, installed on their machines -* New org members must create a Personal Access Token (PAT) to sign in to the CLI, however existing users can use their username and password during the grace period as specified below -* Confirm that all CI/CD pipelines have replaced their passwords with PATs -* For your service accounts, add your additional domains or enable it in your IdP -* Test SSO using your domain email address and IdP password to successfully sign in and log out of Docker Hub - -## Create a Personal Access Token (PAT) - -Before you configure SSO for your organization, new members of your organization must [create an access token](../../docker-hub/access-tokens.md) to sign in to the CLI. There is a grace period for existing users, which will expire in the near future. Before the grace period ends, your users will be able to sign in from Docker Desktop CLI using their previous credentials until PATs are mandatory. -In addition, you should add all email addresses to your IdP.