diff --git a/_data/toc.yaml b/_data/toc.yaml index 6fd964f097..6267735725 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1146,7 +1146,7 @@ manuals: title: FAQs and known issues - path: /desktop/hardened-desktop/registry-access-management/ title: Registry Access Management - - path: /docker-hub/image-access-management/ + - path: /desktop/hardened-desktop/image-access-management/ title: Image Access Management - sectiontitle: Dev Environments (Beta) section: @@ -1957,7 +1957,9 @@ manuals: title: Manage users - path: /admin/company/owners/ title: Manage company owners - - sectiontitle: Settings + - path: /admin/company/settings/domains/ + title: Domain management + - sectiontitle: SSO & SCIM section: - path: /admin/company/settings/sso/ title: Single Sign-On overview @@ -1969,8 +1971,7 @@ manuals: title: SCIM - path: /admin/company/settings/group-mapping/ title: Group mapping - - path: /admin/company/settings/sso-faq/ - title: Single Sign-On FAQs + - sectiontitle: Organization administration section: - path: /admin/organization/ @@ -1985,7 +1986,9 @@ manuals: title: Registry Access Management - path: /admin/organization/general-settings/ title: General settings - - sectiontitle: Security settings + - path: /admin/organization/security-settings/domains/ + title: Domain management + - sectiontitle: SSO & SCIM section: - path: /admin/organization/security-settings/sso/ title: Single Sign-On overview @@ -1997,9 +2000,6 @@ manuals: title: SCIM - path: /admin/organization/security-settings/group-mapping/ title: Group mapping - - path: /admin/organization/security-settings/sso-faq/ - title: Single Sign-On FAQs - - sectiontitle: Administration and security section: diff --git a/_includes/admin-domain-audit.md b/_includes/admin-domain-audit.md new file mode 100644 index 0000000000..87bcb39bcd --- /dev/null +++ b/_includes/admin-domain-audit.md 
@@ -0,0 +1,48 @@ +{% if include.product == "admin" %} + {% assign product_link="[Docker Admin](https://admin.docker.com)" %} + {% assign domain_navigation="Select your organization in the left navigation drop-down menu, and then select **Domain management**." %} + {% assign sso_link = "[SSO](/admin/organization/security-settings/sso/)" %} + {% assign scim_link = "[SCIM](/admin/organization/security-settings/scim/)" %} + {% assign invite_link = "[Invite members](/admin/organization/members/)" %} +{% else %} + {% assign product_link="[Docker Hub](https://hub.docker.com)" %} + {% assign domain_navigation="Select **Organizations**, your organization, **Settings**, and then **Security**." %} + {% assign sso_link = "[SSO](/single-sign-on/)" %} + {% assign scim_link = "[SCIM](/docker-hub/scim/)" %} + {% assign invite_link = "[Invite members](/docker-hub/members/)" %} +{% endif %} + +Domain audit identifies uncaptured users in an organization. Uncaptured users are Docker users who have authenticated to Docker using an email address associated with one of your verified domains, but they're not a member of your organization in Docker. You can audit domains on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/). + +Uncaptured users who access Docker Desktop in your environment may pose a security risk because your organization's security settings, like Image Access Management and Registry Access Management, aren't applied to a user's session. In addition, you won't have visibility into the activity of uncaptured users. You can add uncaptured users to your organization to gain visibility into their activity and apply your organization's security settings. 
+ +Domain audit can't identify the following Docker users in your environment: + * Users who access Docker Desktop without authenticating + * Users who authenticate using an account that doesn't have an email address associated with one of your verified domains + +Although domain audit can't identify all Docker users in your environment, you can enforce sign-in to prevent unidentifiable users from accessing Docker Desktop in your environment. For more details about enforcing sign-in, see [Configure registry.json to enforce sign-in](/docker-hub/configure-sign-in/). + +### Audit your domains for uncaptured users + +Before you audit your domains, the following prerequisites are required: + * Your organization must be part of a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/). + * You must add and verify your domains. + +To audit your domains: + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ domain_navigation }} +3. In **Domain Audit**, select **Export Users** to export a CSV file of uncaptured users with the following columns: + - Name: The name of the user. + - Username: The Docker ID of the user. + - Email: The email address of the user. + +You can invite all the uncaptured users to your organization using the exported CSV file. For more details, see {{ invite_link }}. Optionally, enforce single sign-on or enable SCIM to add users to your organization automatically. For more details, see {{ sso_link }} or {{ scim_link }}. + +> **Note** +> +> Domain audit may identify accounts of users who are no longer a part of your organization. If you don't want to add a user to your organization and you don't want the user to appear in future domain audits, you must deactivate the account or update the associated email address. 
+> +> Only someone with access to the Docker account can deactivate the account or update the associated email address. For more details, see [Deactivating an account](/docker-hub/deactivate-account/). +> +> If you don't have access to the account, you can contact [Docker support](/support/) to discover if more options are available. \ No newline at end of file diff --git a/_includes/admin-domains.md b/_includes/admin-domains.md new file mode 100644 index 0000000000..50575f4b52 --- /dev/null +++ b/_includes/admin-domains.md 
@@ -0,0 +1,25 @@ +{% if include.product == "admin" %} + {% assign product_link="[Docker Admin](https://admin.docker.com)" %} + {% if include.layer == "company" %} + {% assign domain_navigation="Select your company in the left navigation drop-down menu, and then select **Domain management**." %} + {% else" %} + {% assign domain_navigation="Select your organization in the left navigation drop-down menu, and then select **Domain management**." %} + {% endif %} +{% else %} + {% assign product_link="[Docker Hub](https://hub.docker.com)" %} + {% assign domain_navigation="Navigate to the domain settings page for your organization or company. + - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**. + - Company: Select **Organizations**, your company, and then **Settings**." %} +{% endif %} + + + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ domain_navigation }} +3. Select **Add a domain** and continue with the on-screen instructions to add the TXT Record Value to your domain name system (DNS). + + >**Note** + > + > Format your domains without protocol or www information, for example, `yourcompany.example`. This should include all email domains and subdomains users will use to access Docker, for example `yourcompany.example` and `us.yourcompany.example`. Public domains such as `gmail.com`, `outlook.com`, etc. aren’t permitted. Also, the email domain should be set as the primary email. + +4. Once you have waited 72 hours for the TXT Record verification, you can then select **Verify** next to the domain you've added, and follow the on-screen instructions. \ No newline at end of file diff --git a/_includes/admin-early-access.md b/_includes/admin-early-access.md index bd8f536572..6a1d7283e9 100644 --- a/_includes/admin-early-access.md +++ b/_includes/admin-early-access.md 
@@ -2,4 +2,5 @@ > > Docker Admin is an [early access](/release-lifecycle#early-access-ea) product. > -> Docker is releasing it using an incremental roll-out strategy. It's currently available to some company owners and organization owners that have a Docker Business or Docker Team subscription. You can still manage companies and organizations in Docker Hub. For details about managing companies or organizations in Docker Hub, see [Administration and security](/docker-hub/admin-overview/). \ No newline at end of file +> It's currently available to all company owners and organization owners that have a Docker Business or Docker Team subscription. You can still manage companies and organizations in Docker Hub. For details about managing companies or organizations in Docker Hub, see [Administration and security](/docker-hub/admin-overview/). +{: .restricted} \ No newline at end of file diff --git a/_includes/admin-group-mapping.md b/_includes/admin-group-mapping.md index f58c8b0b3e..18e8bee16d 100644 --- a/_includes/admin-group-mapping.md +++ b/_includes/admin-group-mapping.md @@ -1,3 +1,13 @@ +{% if include.product == "admin" %} + {% if include.layer == "company" %} + {% assign scim_link = "[Enable SCIM](/admin/company/settings/scim/)" %} + {% else %} + {% assign scim_link = "[Enable SCIM](/admin/organization/security-settings/scim/)" %} + {% endif %} +{% else %} + {% assign scim_link = "[Enable SCIM](/docker-hub/scim/)" %} +{% endif %} + With directory group-to-team provisioning from your IdP, user updates will automatically sync with your Docker organizations and teams. To correctly assign your users to Docker teams, you must create groups in your IDP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers” in Docker, and your organization name is “moby,” you must create a group in your IdP with the name “moby:developers”. 
@@ -38,4 +48,9 @@ To take advantage of group mapping, follow the instructions provided by your IdP - [Azure AD](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes){: target="_blank" rel="noopener" class="_" } - [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" } -Once complete, a user who signs in to Docker through SSO is automatically added to the organizations and teams mapped in the IdP. \ No newline at end of file +Once complete, a user who signs in to Docker through SSO is automatically added to the organizations and teams mapped in the IdP. + +>**Tip** +> +> {{ scim_link }} to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually. +{: .tip} \ No newline at end of file diff --git a/_includes/admin-image-access.md b/_includes/admin-image-access.md new file mode 100644 index 0000000000..5e5be56c99 --- /dev/null +++ b/_includes/admin-image-access.md 
@@ -0,0 +1,40 @@ +{% if include.product == "admin" %} + {% assign product_link="[Docker Admin](https://admin.docker.com)" %} + {% assign iam_navigation="Select your organization in the left navigation drop-down menu, and then select **Image Access**." %} +{% else %} + {% assign product_link="[Docker Hub](https://hub.docker.com)" %} + {% assign iam_navigation="Select **Organizations**, your organization, **Settings**, and then select **Image Access**." %} +{% endif %} + +>Note +> +>Image Access Management is available to [Docker Business](/subscription/details/) customers only. + +Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub. + +For example, a developer, who is part of an organization, building a new containerized application could accidentally use an untrusted, community image as a component of their application. This image could be malicious and pose a security risk to the company. Using Image Access Management, the organization owner can ensure that the developer can only access trusted content like Docker Official Images, Docker Verified Publisher Images, or the organization’s own images, preventing such a risk. + +## Prerequisites + +You need to [configure a registry.json to enforce sign-in](/docker-hub/configure-sign-in/). For Image Access Management to take effect, Docker Desktop users must authenticate to your organization. + +## Configure Image Access Management permissions + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ iam_navigation }} +3. Enable Image Access Management to set the permissions for the following categories of images you can manage: +- **Organization Images**: When Image Access Management is enabled, images from your organization are always allowed. These images can be public or private created by members within your organization. 
+- **Docker Official Images**: A curated set of Docker repositories hosted on Hub. They provide OS repositories, best practices for Dockerfiles, drop-in solutions, and applies security updates on time. +- **Docker Verified Publisher Images**: published by Docker partners that are part of the Verified Publisher program and are qualified to be included in the developer secure supply chain. You can set permissions to **Allowed** or **Restricted**. +- **Community Images**: Images are always disabled when Image Access Management is enabled. These images are not trusted because various Docker Hub users contribute them and pose security risks. + + > **Note** + > + > Image Access Management is turned off by default. However, members of the `owners` team in your organization have access to all images regardless of the settings. + +4. Select the category restrictions for your images by selecting **Allowed**. + Once the restrictions are applied, your members can view the organization permissions page in a read-only format. + +## Verify the restrictions + +The new Image Access Management policy takes effect after the developer successfully authenticates to Docker Desktop using their organization credentials. If a developer attempts to pull a disallowed image type using Docker, they receive an error message. \ No newline at end of file diff --git a/_includes/admin-org-audit-log-events.md b/_includes/admin-org-audit-log.md similarity index 60% rename from _includes/admin-org-audit-log-events.md rename to _includes/admin-org-audit-log.md index 5fb3c5e957..f7908613ba 100644 --- a/_includes/admin-org-audit-log-events.md +++ b/_includes/admin-org-audit-log.md 
@@ -1,3 +1,46 @@ +{% if include.product == "admin" %} + {% assign product_link="[Docker Admin](https://admin.docker.com)" %} + {% assign audit_navigation="Select your organization in the left navigation drop-down menu, and then select **Activity Logs**." %} +{% else %} + {% assign product_link="[Docker Hub](https://hub.docker.com)" %} + {% assign audit_navigation="Select **Organizations**, your organization, and then **Activity**." %} +{% endif %} + + +Audit logs display a chronological list of activities that occur at organization and repository levels. It provides a report to owners on all their member activities. + +With audit logs, owners can view and track: + - What changes were made + - The date when a change was made + - Who initiated the change + + For example, audit logs display activities such as the date when a repository was created or deleted, the member who created the repository, the name of the repository, and when there was a change to the privacy settings. + +Owners can also see the audit logs for their repository if the repository is part of the organization subscribed to a Docker Business or Team plan. + +## View the audit logs + +To view the audit logs: + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ audit_navigation }} + +> **Note** +> +> Docker retains the activity data for a period of three months. + +## Customize the audit logs + +By default, all activities that occur are displayed on the **Activity** tab. Use the calendar option to select a date range and customize your results. After you have selected a date range, the audit logs of all the activities that occurred during that period are displayed. + +> **Note** +> +> Activities created by the Docker Support team as part of resolving customer issues appear in the audit logs as **dockersupport**. + +Select the **All Activities** drop-down to view activities that are specific to an organization, repository, or billing. 
In Docker Hub, if you select the **Activities** tab from the **Repository** view, you can only filter repository-level activities. + +After choosing **Organization**, **Repository**, or **Billing**, you can further refine the results using the **All Actions** drop-down. + ## Event definitions Refer to the following section for a list of events and their descriptions: diff --git a/_includes/admin-registry-access.md b/_includes/admin-registry-access.md new file mode 100644 index 0000000000..e7642e15e7 --- /dev/null +++ b/_includes/admin-registry-access.md 
@@ -0,0 +1,67 @@ +{% if include.product == "admin" %} + {% assign product_link="[Docker Admin](https://admin.docker.com)" %} + {% assign ram_navigation="Select your organization in the left navigation drop-down menu, and then select **Registry Access**." %} +{% else %} + {% assign product_link="[Docker Hub](https://hub.docker.com)" %} + {% assign ram_navigation="Select **Organizations**, your organization, **Settings**, and then select **Registry Access**." %} +{% endif %} + + +>Note +> +>Registry Access Management is available to Docker Business customers only. + +With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub. + +Registry Access Management supports both cloud and on-prem registries. Example registries administrators can allow include: + - Docker Hub. This is enabled by default. + - Amazon ECR + - GitHub Container Registry + - Google Container Registry + - Nexus + - Artifactory + +## Prerequisites + +You need to [configure a registry.json to enforce sign-in](/docker-hub/configure-sign-in/). For Registry Access Management to take effect, Docker Desktop users must authenticate to your organization. + +## Configure Registry Access Management permissions + +To configure Registry Access Management permissions, perform the following steps: + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ ram_navigation }} +3. Enable Registry Access Management to set the permissions for your registry. + + > **Note** + > + > When enabled, the Docker Hub registry is set by default, however you can also restrict this registry for your developers. + +4. Select **Add** and enter your registry details in the applicable fields, and then select **Create** to add the registry to your list. +5. Verify that the registry appears in your list and select **Save & Apply**. 
+ + > **Note** + > + > Once you add a registry, it can take up to 24 hours for the changes to be enforced on your developers’ machines. If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. Also, there is no limit on the number of registries you can add. See the Caveats section below to learn more about limitations when using this feature. + + > **Tip** + > + > Since RAM sets policies about where content can be fetched from, the [ADD](/engine/reference/builder/#add) instruction of the Dockerfile, when the parameter of the ADD instruction is a URL, is also subject to registry restrictions. It's recommended that you add the domains of URL parameters to the list of allowed registry addresses under the Registry Access Management settings of your organization. +{: .tip} + +## Verify the restrictions + +The new Registry Access Management policy takes effect after the developer successfully authenticates to Docker Desktop using their organization credentials. If a developer attempts to pull an image from a disallowed registry via the Docker CLI, they receive an error message that the organization has disallowed this registry. 
+ +## Caveats + +There are certain limitations when using Registry Access Management; they are as follows: + +- Windows image pulls, and image builds are not restricted +- Builds such as `docker buildx` using a Kubernetes driver are not restricted +- Builds such as `docker buildx` using a custom docker-container driver are not restricted +- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull” +- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series) +- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel) + +Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop. diff --git a/_includes/admin-scim.md b/_includes/admin-scim.md index 28531431f8..810b7bcd1a 100644 --- a/_includes/admin-scim.md +++ b/_includes/admin-scim.md 
@@ -1,8 +1,25 @@ +{% if include.product == "admin" %} + {% assign product_link = "[Docker Admin](https://admin.docker.com)" %} + {% if include.layer == "company" %} + {% assign sso_link = "[configured SSO](/admin/company/settings/sso-configuration/)" %} + {% assign sso_navigation="Select your company in the left navigation drop-down menu, and then select **SSO & SCIM.**" %} + {% else %} + {% assign sso_link = "[configured SSO](/admin/organization/security-settings/sso-configuration/)" %} + {% assign sso_navigation="Select your organization in the left navigation drop-down menu, and then select **SSO & SCIM.**" %} + {% endif %} +{% else %} + {% assign product_link = "[Docker Hub](https://hub.docker.com)" %} + {% assign sso_link = "[configured SSO](/single-sign-on/configure/)" %} + {% assign sso_navigation="Navigate to the SSO settings page for your organization or company. + - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**. + - Company: Select **Organizations**, your company, and then **Settings**." %} +{% endif %} + This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers. -SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker Hub and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker Hub and added to the organization or company. +SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker and added to the organization or company. 
-Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker Hub. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the user’s first name and last name. +Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the user’s first name and last name. The following provisioning features are supported: - Creating new users 
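Review bot: the Hub branch's `sso_navigation` value in the `@@ -1,8 +1,25 @@` hunk is a three-line string that embeds a `- Organization:` / `- Company:` list; when it is dropped into step 2 of the numbered list later in this file, those list lines are not indented under the step, so check the rendered output (the same multi-line assign pattern is used in `admin-domains.md` and `admin-sso-config.md`). The 'Docker Hub' to 'Docker' wording change in this hunk is right for an include shared between Hub and Admin.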
@@ -18,4 +35,32 @@ The table below lists the supported attributes. Note that your attribute mapping |:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------| | username | Unique identifier of the user (email) | | givenName | User’s first name | -| familyName |User’s surname | \ No newline at end of file +| familyName |User’s surname | + +## Set up SCIM + +You must make sure you have {{ sso_link }} before you enable SCIM. Enforcing SSO is not required. + +### Step one: Enable SCIM in Docker + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_" }. +2. {{ sso_navigation }} +3. In the SSO connections table, select the **Actions** icon and **Setup SCIM**. +4. Copy the **SCIM Base URL** and **API Token** and paste the values into your IdP. + +### Step two: Enable SCIM in your IdP + +Follow the instructions provided by your IdP: + +- [Okta](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SCIM.htm){: target="_blank" rel="noopener" class="_" } +- [Azure AD](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad#step-2-configure-the-enterprise-application){: target="_blank" rel="noopener" class="_" } +- [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" } + +## Disable SCIM + +If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization. + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_" }. +2. {{ sso_navigation }} +3. In the SSO connections table, select the **Actions** icon. +4. Select **Disable SCIM**. \ No newline at end of file 
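Review bot: step 4 of 'Enable SCIM in Docker' has the reader copy the **SCIM Base URL** and **API Token** into the IdP, but nothing tells them what the token is; add a sentence that it authorises the IdP to create, update and remove users in the organization and should live only in the IdP's SCIM configuration. The Azure AD link in 'Enable SCIM in your IdP' points at the Azure Databricks SCIM guide (`learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad`), a different product; link to the Azure AD application provisioning documentation instead, as `admin-group-mapping.md` does. The 'Disable SCIM' paragraph correctly states that de-provisioning becomes a manual removal once SCIM is off; keep it.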
diff --git a/_includes/admin-sso-config.md b/_includes/admin-sso-config.md new file mode 100644 index 0000000000..a504d51169 --- /dev/null +++ b/_includes/admin-sso-config.md 
@@ -0,0 +1,117 @@ +{% if include.product == "admin" %} + {% assign product_link="[Docker Admin](https://admin.docker.com)" %} + {% assign invite_button = "**Invite**" %} + {% assign remove_button = "**Remove member**" %} + {% if include.layer == "company" %} + {% assign sso_navigation="Select your company in the left navigation drop-down menu, and then select **SSO & SCIM**." %} + {% assign domain_navigation="Select your company in the left navigation drop-down menu, and then select **Domain management**." %} + {% assign member_navigation="Select your organization in the left navigation drop-down menu, and then select **Users**." %} + {% assign remove_button = "**Remove user**" %} + {% assign scim_link="[Set up SCIM](/admin/company/settings/scim/)" %} + {% assign mapping_link="[Enable Group mapping](/admin/company/settings/group-mapping/)" %} + {% assign sso_mgmt_link ="[Manage your SSO connections](/admin/company/settings/sso-management/)" %} + {% else %} + {% assign sso_navigation="Select your organization in the left navigation drop-down menu, and then select **SSO & SCIM.**" %} + {% assign member_navigation="Select your organization in the left navigation drop-down menu, and then select **Members**." %} + {% assign domain_navigation="Select your organization in the left navigation drop-down menu, and then select **Domain management**." %} + {% assign remove_button = "**Remove member**" %} + {% assign scim_link="[Set up SCIM](/admin/organization/security-settings/scim/)" %} + {% assign mapping_link="[Enable Group mapping](/admin/organization/security-settings/group-mapping/)" %} + {% assign sso_mgmt_link ="[Manage your SSO connections](/admin/organization/security-settings/sso-management/)" %} + {% endif %} +{% else %} + {% assign product_link="[Docker Hub](https://hub.docker.com)" %} + {% assign sso_navigation="Navigate to the SSO settings page for your organization or company. 
+ - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**. + - Company: Select **Organizations**, your company, and then **Settings**." %} + {% assign domain_navigation="Navigate to the domain settings page for your organization or company. + - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**. + - Company: Select **Organizations**, your company, and then **Settings**." %} + {% assign member_navigation="Select **Organizations, your organization, and then **Members**." %} + {% assign invite_button = "**Invite members**" %} + {% assign remove_button = "**Remove member**" %} + {% assign scim_link="[Set up SCIM](/docker-hub/scim/)" %} + {% assign mapping_link="[Enable Group mapping](/docker-hub/group-mapping/)" %} + {% assign sso_mgmt_link ="[Manage your SSO connections](/single-sign-on/manage/)" %} +{% endif %} + +## Step two: Create an SSO connection + +> **Important** +> +> If your IdP setup requires an Entity ID and the ACS URL, you must select the +> **SAML** tab in the **Authentication Method** section. For example, if your +> Azure AD Open ID Connect (OIDC) setup uses SAML configuration within Azure +> AD, you must select **SAML**. If you are [configuring Open ID Connect with Azure AD](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings){: target="_blank" rel="noopener" class="_"} select +> **Azure AD** as the authentication method. Also, IdP initiated connections +> aren't supported at this time. +{: .important} + +After your domain is verified, create an SSO connection. + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ sso_navigation }} +3. In the SSO connections table select **Create Connection**, and create a name for the connection. + + > **Note** + > + > You have to verify at least one domain before creating the connections. + +4. 
Select an authentication method, **SAML** or **Azure AD (OIDC)**. +5. Copy the following fields and add them to your IdP: + + - SAML: **Entity ID**, **ACS URL** + - Azure AD (OIDC): **Redirect URL** + + ![SAML](/docker-hub/images/saml-create-connection.png){: width="500px" } + + ![Azure AD](/docker-hub/images/azure-create-connection.png){: width="500px" } + +6. From your IdP, copy and paste the following values into the settings in the Docker console: + + - SAML: **SAML Sign-on URL**, **x509 Certificate** + - Azure AD (OIDC): **Client ID**, **Client Secret**, **Azure AD Domain** + +7. Select the verified domains you want to apply the connection to. +8. To provision your users, select the organization(s) and/or team(s). +9. Review your summary and select **Create Connection**. + +## Step three: Test your SSO configuration + +After you’ve completed the SSO configuration process in Docker, you can test the configuration when you sign in to {{ product_link }} using an incognito browser. Sign in to {{ product_link }} using your domain email address. You are then redirected to your IdP's login page to authenticate. + +1. Authenticate through email instead of using your Docker ID, and test the login process. +2. To authenticate through CLI, your users must have a PAT before you enforce SSO for CLI users. + +>**Important** +> +> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization on Docker Hub. +> +> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. 
Follow the instructions provided by your IdP: +> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) +> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) +{: .important} + +The SSO connection is now created. You can continue to set up SCIM without enforcing SSO log-in. For more information about setting up SCIM, see {{ scim_link }}. + +## Optional step four: Enforce SSO + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ sso_navigation }} +3. In the SSO connections table, select the **Action** icon and then **Enable enforcement**. + When SSO is enforced, your users are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. You must enable 2FA through your IdP. +4. Continue with the on-screen instructions and verify that you’ve completed the tasks. +5. Select **Turn on enforcement** to complete. + +Your users must now sign in to Docker with SSO. + +> **Important** +> +> If SSO isn't enforced, users can choose to sign in with either their Docker ID or SSO. +{: .important} + +## What's next? + +- {{ sso_mgmt_link }} +- {{ scim_link }} +- {{ mapping_link }} diff --git a/_includes/admin-sso-faq.md b/_includes/admin-sso-faq.md deleted file mode 100644 index 35733a80f7..0000000000 --- a/_includes/admin-sso-faq.md +++ /dev/null @@ -1,308 +0,0 @@ - -
-
- -### Is Docker SSO available for all paid subscriptions? - -Docker Single Sign-on (SSO) is only available with the Docker Business subscription. Upgrade your existing subscription to start using Docker SSO. - -### How does Docker SSO work? - -Docker Single Sign-on (SSO) allows users to authenticate using their identity providers (IdPs) to access Docker. Docker supports Azure AD and any SAML 2.0 identity providers. When you enable SSO, users are redirected to your provider’s authentication page to authenticate using their email and password. - -### What SSO flows are supported by Docker? - -Docker supports Service Provider Initiated (SP-initiated) SSO flow. This means users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. - -### Where can I find detailed instructions on how to configure Docker SSO? - -You first need to establish an SSO connection with your identity provider, and the company email domain needs to be verified prior to establishing an SSO connection for your users. - -### Does Docker SSO support multi-factor authentication (MFA)? - -When an organization uses SSO, MFA is determined on the IdP level, not on the Docker platform. - -### Do I need a specific version of Docker Desktop for SSO? - -Yes, all users in your organization must upgrade to Docker Desktop version 4.4.2 or later. Users on older versions of Docker Desktop will not be able to sign in after SSO is enforced, if the company domain email is used to sign in or as the primary email associated with an existing Docker account. Your users with existing accounts can't sign in with their username and password. - -
-
-
- -### Does SAML authentication require additional attributes? - -You must provide an email address as an attribute to authenticate through SAML. The ‘Name’ attribute is optional. - -### Does the application recognize the NameID/Unique Identifier in the SAMLResponse subject? - -The preferred format is your email address, which should also be your Name ID. - -### When you enforce SAML SSO, at what stage is the login required for tracking through SAML? At runtime or install time? - -At runtime for Docker Desktop if it’s configured to require authentication to the organization. - -### Do you have any information on how to use the Docker Desktop application in accordance with the SSO users we provide? How can we verify that we're handling the licensing correctly? - -Verify that your users have downloaded the latest version of Docker Desktop. An enhancement in user management observability and capabilities will become available in the future. -
-
-
- -### What’s a Docker ID? Can I retain my Docker ID when using SSO? - -For a personal Docker ID, a user is the account owner, it’s associated with access to the user's repositories, images, assets. An end user can choose to have a company domain email on the Docker account, when enforcing SSO, the account is connected to the organization account. When enforcing SSO for an organization(s) or company, any user logging in without an existing account using verified company domain email will automatically have an account provisioned, and a new Docker ID created. - -### What if the Docker ID I want for my organization or company is taken? - -This depends on the state of the namespace, if trademark claims exist for the organization or company Docker ID, a manual flow for legal review is required. - -### What if I want to create more than 3 organizations? - -You can create multiple organizations or multiple teams under a single company. SSO is available at the company level. - -
-
-
- -### Is it possible to use more than one IdP with Docker SSO? - -No. You can only configure Docker SSO to work with a single IdP. A domain can only be associated with a single IdP. Docker supports Azure AD and identity providers that support SAML 2.0. - -### Is it possible to change my identity provider after configuring SSO? - -Yes. You must delete your existing IdP configuration in Docker Hub and follow the instructions to Configure SSO using your IdP. If you had already turned on enforcement, you should turn off enforcement before updating the provider SSO connection. - -### What information do I need from my identity providers to configure SSO? - -To enable SSO in Docker, you need the following from your IdP: - -* **SAML**: Entity ID, ACS URL, Single Logout URL and the public X.509 certificate - -* **Azure AD**: Client ID, Client Secret, AD Domain. - -### What happens if my existing certificate expires? - -If your existing certificate has expired, you may need to contact your identity provider to retrieve a new x509 certificate. The new certificate must be updated in the SSO configuration settings page on Docker Hub. - -### What happens if my IdP goes down when SSO is enabled? - -It's not possible to access Docker Hub when your IdP is down. However, you can access Docker Hub images from the CLI using your Personal Access Token. Or, if you had an existing account before the SSO enforcement, you can use your username and password to access Docker Hub images during the grace period for your organization. - -### What happens when I turn off SSO for my organization(s) or company? - -When you turn off SSO, authentication through your Identity Provider isn't required to access Docker. Users may continue to sign in through Single Sign-On as well as Docker ID and password. - -### Q: How do I handle accounts using Docker Hub as a secondary registry? Do I need a bot account? 
- -You can add a bot account to your IDP and create an access token for it to replace the other credentials. - -### Does Docker plan to release SAML just in time provisioning? - -The SSO implementation is already "just in time". Admins don't have to create users’ accounts on Hub, they can just enable it on the IdP and have the users sign in through their domain email on Hub. - -### Will there be IdP initiated logins? Does Docker plan to support SSO logins outside of Hub and Desktop? - -We currently do not have any plans to enable IdP initiated logins. - -### Build agents - For customers using SSO, do they need to create a bot account to fill a seat within the dockerorg? - -Yes, bot accounts needs a seat, similar to a regular end user, having a non-aliased domain email enabled in the IdP and using a seat in Hub. - -### Is it possible to connect Docker Hub directly with a Microsoft Azure Active Directory Group? - -Yes, Azure AD is supported with SSO for Docker Business, both through a direct integration and through SAML. - -
-
-
- -### Can i add sub-domains? - -Yes, you can add sub-domains to your SSO , however all email addresses should also be on that domain. Verify that your DNS provider supports multiple txt fields for the same domain. - -### Can the DNS provider configure it once for one-time verification and remove it later OR will it be needed permanently? - -They can do it one time to add it to a connection. If they ever change IdPs and have to set up SSO again, they will need to verify again. - -### Is adding domain required to configure SSO? What domains should I be adding? And how do I add it? - -Adding and verifying a domain is required to enable and enforce SSO. Select **Add Domain** and specify the email domains that's allowed to authenticate through your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email. - -### If users are using their personal email, do they have to convert to using the Org’s domain before they can be invited to join an Org? Is this just a quick change in their Hub account? - -No, they don't. Though they can add multiple emails to a Docker ID if they choose to. However, that email can only be used once across Docker. The other thing to note is that (as of January 2022) SSO will not work for multi domains as an MVP and it will not work for personal emails either. - -### Since Docker ID is tracked from SAML, at what point is the login required to be tracked from SAML? Runtime or install time? - -Runtime for Docker Desktop if they configure Docker Desktop to require authentication to their org. - -### Do you support IdP-initiated authentication (e.g., Okta tile support)? - -We don't support IdP-initiated authentication. Users must initiate login through Docker Desktop or Hub. - - -
-
-
- -### We currently have a Docker Team subscription. How do we enable SSO? - -SSO is available with a Docker Business subscription. To enable SSO, you must first upgrade your subscription to a Docker Business subscription. To learn how to upgrade your existing account, see [Upgrade your subscription](https://www.docker.com/pricing). - -### How do service accounts work with SSO? - -Service accounts work like any other user when SSO is turned on. If the service account is using an email for a domain with SSO turned on, it needs a PAT for CLI and API usage. - -### Is DNS verification required to enable SSO? - -Yes. You must verify a domain before using it with an SSO connection. - -### Does Docker SSO support authenticating through the command line? - -Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. - -### How does SSO affect our automation systems and CI/CD pipelines? - -Before enforcing SSO, you must create PATs for automation systems and CI/CD pipelines and use the tokens instead of a password. - -### I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they purchase Docker Business licenses, they will implement and enforce SSO through Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account? - -If they already have their organization email on their account, then it will be migrated to SSO. - -### If an organization enables SSO, the owners can control Docker IDs associated with their work email domain. Some of these Docker IDs won't be users of Docker Desktop and therefore don't require a Business subscription. Can the owners choose which Docker IDs they add to their Docker org and get access to Business features? Is there a way to flag which of these Docker IDs are Docker Desktop users? 
- -SSO enforcement will apply to any domain email user, and automatically add that user to the Docker Hub org that enables enforcement. The admin could remove users from the org manually, but those users wouldn't be able to authenticate if SSO is enforced. - -### Can I enable SSO and hold off on the domain verification and enforcement options? - -Yes, they can choose to not enforce, and users have the option to use either Docker ID (standard email/password) or email address (SSO) at the sign-in screen. - -### SSO is enforced, but one of our users is connected to several organizations (and several email-addresses) and is able to bypass SSO and login through userid and password. Why is this happening? - -They can bypass SSO if the email they're using to sign in doesn't match the organization email being used when SSO is enforced. - -### Is there a way to test this functionality in a test tenant with Okta before going to production? - -Yes, you can create a test organization. Companies can set up a new 5 seat Business plan on a new organization to test with (making sure to only enable SSO, not enforce it or all domain email users will be forced to sign in to that test tenant). - -### Once we enable SSO for Docker Desktop, what's the impact to the flow for Build systems that use service accounts? - -If SSO is enabled, there is no impact for now. We'll continue to support either username/password or personal access token sign-in. -However, if you **enforce** SSO: - -* Service Account domain email addresses must be unaliased and enabled in their IdP -* Username/password and personal access token will still work (but only if they exist, which they won't for new accounts) -* Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token for that service account. - -
-
-
- -### How do I manage users when using SSO? - -Users are managed through organizations in Docker Hub. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication. - -### Do I need to manually add users to my organization? - -No, you don’t need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker Hub, they're automatically assigned to the organization using their domain email address. - -When a user signs into Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication. - -### Can users in my organization use different email addresses to authenticate through SSO? - -During the SSO setup, you’ll have to specify the company email domains that are allowed to authenticate. All users in your organization must authenticate using the email domain specified during SSO setup. Some of your users may want to maintain a different account for their personal projects. - -Users with a public domain email address will be added as guests. - -### Can Docker org owners/Admins/company owners approve users to an organization and use a seat, rather than having them automatically added when SSO Is enabled? - -Admins, organization owners and company owners can currently approve users by configuring their permissions through their IdP. That's if the user account is configured in the IdP, the user will be automatically added to the organization in Docker Hub as long as there’s an available seat. - -### How will users be made aware that they're being made a part of a Docker Org? 
- -When SSO is enabled, users will be prompted to authenticate through SSO the next time they try to sign in to Docker Hub or Docker Desktop. The system will see the end-user has a domain email associated with the docker ID they're trying to authenticate with, and prompts them to sign in with SSO email and credentials instead. - -If users attempt to sign in through the CLI, they must authenticate using a personal access token (PAT). - -### Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their company’s domain? - -Yes. Admins can force users to authenticate with Docker Desktop by provisioning a `registry.json` configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file. - -Once SSO enforcement is set up on their Docker Business organization or company on Hub, when the user is forced to authenticate with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password). - -Users may still be able to authenticate as a "guest" account using a non-domain email address. However, they can only authenticate as guests if that non-domain email was invited. - -### Is it possible to convert existing users from non-SSO to SSO accounts? - -Yes, you can convert existing users to an SSO account. To convert users from a non-SSO account: - -* Ensure your users have a company domain email address and they have an account in your IdP -* Verify that all users have Docker Desktop version 4.4.2 or later installed on their machines -* Each user has created a PAT to replace their passwords to allow them to sign in through Docker CLI -* Confirm that all CI/CD pipelines automation systems have replaced their passwords with PATs. - -### What impact can users expect once we start onboarding them to SSO accounts? 
- -When SSO is enabled and enforced, your users just have to sign in using the email address and password. - -### Is Docker SSO fully synced with Active Directory (AD)? - -Docker doesn’t currently support a full sync with AD. That's, if a user leaves the organization, administrators must sign in to Docker Hub and manually remove the user from the organization. - -Additionally, you can use our APIs to complete this process. - -### What's the best way to provision the Docker Subscription without SSO? - -Company or organisation owners can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already). - -### If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link through email? - -Yes, if the user is added through email address to an org, they will receive an email invite. If invited through Docker ID as an existing user instead, they'll be added to the organization automatically. A new invite flow will occur in the near future that will require an email invite (so the user can choose to opt out). If the org later sets up SSO for [zeiss.com](https://www.zeiss.com/) domain, the user will automatically be added to the domain SSO org next sign in which requires SSO auth with the identity provider (Hub login will automatically redirect to the identity provider). - -### Can someone join an organization without an invitation? Is it possible to put specific users to an organization with existing email accounts? - -Not without SSO. Joining requires an invite from a member of the Owners group. When SSO is enforced, then the domains verified through SSO will allow users to automatically join the organization the next time they sign in as a user that has a domain email assigned. - -### When we send an invitation to the user, will the existing account be consolidated and retained? 
- -Yes, the existing user account will join the organization with all assets retained. - -### How can I view, update, and remove multiple email addresses for my users? - -We only support one email per user on the Docker platform. - -### How can I remove invitees to the org who haven't signed in? - -They can go to the invitee list in the org view and remove them. - -### How's the flow for service account authentication different from a UI user account? - -It isn't; we don't differentiate the two in product. - -
-
-
- - - - - - - - - -. - - - - - diff --git a/_includes/admin-sso-management-orgs.md b/_includes/admin-sso-management-orgs.md new file mode 100644 index 0000000000..32ba0c4111 --- /dev/null +++ b/_includes/admin-sso-management-orgs.md @@ -0,0 +1,30 @@ + +{% if include.product == "admin" %} + {% assign product_link="[Docker Admin](https://admin.docker.com)" %} + {% assign sso_navigation="Select your company in the left navigation drop-down menu, and then select **SSO & SCIM**." %} +{% else %} + {% assign product_link="[Docker Hub](https://hub.docker.com)" %} + {% assign sso_navigation="Select **Organizations**, your company, and then **Settings**." %} +{% endif %} + + + +### Connect an organization + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ sso_navigation }} +3. In the SSO connections table, select the **Action** icon and then **Edit connection**. +4. Select **Next** to navigate to the section where connected organizations are listed. +5. In the **Organizations** drop-down, select the organization to add to the connection. +6. Select **Next** to confirm or change the default organization and team provisioning. +7. Review the **Connection Summary** and select **Save**. + +### Remove an organization + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ sso_navigation }} +3. In the SSO connections table, select the **Action** icon and then **Edit connection**. +4. Select **Next** to navigate to the section where connected organizations are listed. +5. In the **Organizations** drop-down, select **Remove** to remove the connection. +6. Select **Next** to confirm or change the default organization and team provisioning. +7. Review the **Connection Summary** and select **Save**. \ No newline at end of file diff --git a/_includes/admin-sso-management.md b/_includes/admin-sso-management.md new file mode 100644 index 0000000000..5c5884a448 --- /dev/null +++ b/_includes/admin-sso-management.md 
@@ -0,0 +1,100 @@ +{% if include.product == "admin" %} + {% assign product_link="[Docker Admin](https://admin.docker.com)" %} + {% assign invite_button = "**Invite**" %} + {% if include.layer == "company" %} + {% assign sso_navigation="Select your company in the left navigation drop-down menu, and then select **SSO & SCIM**." %} + {% assign member_navigation="Select your organization in the left navigation drop-down menu, and then select **Users**." %} + {% assign remove_button = "**Remove user**" %} + {% assign scim_link="[Set up SCIM](/admin/company/settings/scim/)" %} + {% assign mapping_link="[Enable Group mapping](/admin/company/settings/group-mapping/)" %} + {% else %} + {% assign sso_navigation="Select your organization in the left navigation drop-down menu, and then select **SSO & SCIM**." %} + {% assign member_navigation="Select your organization in the left navigation drop-down menu, and then select **Members**." %} + {% assign remove_button = "**Remove member**" %} + {% assign scim_link="[Set up SCIM](/admin/organization/security-settings/scim/)" %} + {% assign mapping_link="[Enable Group mapping](/admin/organization/security-settings/group-mapping/)" %} + {% endif %} +{% else %} + {% assign product_link="[Docker Hub](https://hub.docker.com)" %} + {% assign sso_navigation="Navigate to the SSO settings page for your organization or company. + - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**. + - Company: Select **Organizations**, your company, and then **Settings**." %} + {% assign member_navigation="Select **Organizations**, your organization, and then **Members**." %} + {% assign invite_button = "**Invite members**" %} + {% assign remove_button = "**Remove member**" %} + {% assign scim_link="[Set up SCIM](/docker-hub/scim/)" %} + {% assign mapping_link="[Enable Group mapping](/docker-hub/group-mapping/)" %} +{% endif %} + +## Manage domains + +### Remove a domain from an SSO connection + +1. 
Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ sso_navigation }} +3. In the SSO connections table, select the **Action** icon and then **Edit connection**. +4. Select **Next** to navigate to the section where the connected domains are listed. +5. In the **Domain** drop-down, select the **x** icon next to the domain that you want to remove. +6. Select **Next** to confirm or change the connected organization(s). +7. Select **Next** to confirm or change the default organization and team provisioning selections. +8. Review the **Connection Summary** and select **Save**. + +> **Note** +> +> If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value. + +## Manage SSO connections + +### Edit a connection + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ sso_navigation }} +3. In the SSO connections table, select the **Action** icon. +4. Select **Edit connection** to edit your connection. +5. Follow the on-screen instructions to edit the connection. + +### Delete a connection + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ sso_navigation }} +3. In the SSO connections table, select the **Action** icon. +4. Select **Delete connection**. +5. Follow the on-screen instructions to delete a connection. + +### Deleting SSO + +When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one. + +## Manage users + +> **Important** +> +> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization. +> +> You can change this on a per-app basis. 
To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: +> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm){: target="_blank" rel="noopener" class="_"} +> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users){: target="_blank" rel="noopener" class="_"} +{: .important} + +### Add guest users when SSO is enabled + +To add a guest if they aren’t verified through your IdP: + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ member_navigation }} +3. Select {{ invite_button }}. +4. Follow the on-screen instructions to invite the user. + +### Remove users from the SSO company + +To remove a user: + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ member_navigation }} +3. Select the action icon next to a user’s name, and then select {{ remove_button }}. +4. Follow the on-screen instructions to remove the user. + +## What's next? + +- {{ scim_link }} +- {{ mapping_link }} \ No newline at end of file diff --git a/_includes/admin-sso.md b/_includes/admin-sso.md new file mode 100644 index 0000000000..ef1f174079 --- /dev/null +++ b/_includes/admin-sso.md 
@@ -0,0 +1,45 @@ +{% if include.product == "admin" %} + {% assign product_name="Docker Admin" %} + {% if include.layer == "company" %} + {% assign sso_config_link = "[configuring SSO](/admin/company/settings/sso-configuration/)" %} + {% else %} + {% assign sso_config_link = "[configuring SSO](/admin/organization/security-settings/sso-configuration/)" %} + {% endif %} +{% else %} + {% assign product_name="Docker Hub" %} + {% assign sso_config_link = "[configuring SSO](/single-sign-on/configure/)" %} +{% endif %} + +SSO allows users to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/). + +## How it works + +When SSO is enabled, users are redirected to your IdP's authentication page to sign in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. + +The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP. + +![SSO architecture](/single-sign-on/images/sso-architecture.png) + +## How to set it up + +Before enabling SSO in Docker, administrators must first configure their IdP to work with Docker. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub. + +After establishing the connection between the IdP server and Docker, administrators sign in to Docker {{ product_name }} and complete the SSO enablement process. 
+ +When you enable SSO for your company, a first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your company and assigned to the company team in the organization. + +Administrators can then choose to enforce SSO login and effortlessly manage SSO connections for their individual company. + +## Prerequisites + +* You must first notify your company about the new SSO login procedures. +* Verify that your members have Docker Desktop version 4.4.2, or later, installed on their machines. +* If your organization uses the Docker Hub CLI, new org members must [create a Personal Access Token (PAT)](/docker-hub/access-tokens/) to sign in to the CLI. There is a grace period for existing users, which will expire in the near future. Before the grace period ends, your users can sign in from Docker Desktop CLI using their previous credentials until PATs are mandatory. +In addition, you should add all email addresses to your IdP. +* Confirm that all CI/CD pipelines have replaced their passwords with PATs. +* For your service accounts, add your additional domains or enable it in your IdP. + +## What's next? + +- Start {{ sso_config_link }} +- Explore the [FAQs](/single-sign-on/faqs/) diff --git a/_includes/admin-users.md b/_includes/admin-users.md new file mode 100644 index 0000000000..c11806d6bb --- /dev/null +++ b/_includes/admin-users.md 
@@ -0,0 +1,119 @@ + +{% if include.product == "admin" %} + {% assign product_link="[Docker Admin](https://admin.docker.com)" %} + {% assign invite_button = "**Invite**" %} + {% assign export_button = "the **Action** icon and then select **Export users as CSV**" %} + {% if include.layer == "company" %} + {% assign member_navigation="Select your organization in the left navigation drop-down menu, and then select **Users**." %} + {% assign remove_button = "**Remove user**" %} + {% else %} + {% assign member_navigation="Select your organization in the left navigation drop-down menu, and then select *Members**." %} + {% assign remove_button = "**Remove member**" %} + {% endif %} +{% else %} + {% assign product_link="[Docker Hub](https://hub.docker.com)" %} + {% assign member_navigation="Select **Organizations**, your organization, and then **Members**." %} + {% assign invite_button = "**Invite members**" %} + {% assign remove_button = "**Remove member**" %} + {% assign export_button = "**Export members**" %} +{% endif %} + +## Invite members + +Owners can invite new members to an organization via Docker ID, email address, or via a CSV file containing email addresses. If an invitee does not have a Docker account, they must create an account and verify their email address before they can accept the invitation to join the organization. When inviting members, their pending invitation occupies a seat. + +### Invite members via Docker ID or email address + +Use the following steps to invite members to your organization via Docker ID or email address. To invite a large amount of members to your organization via CSV file, see the next section. + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ member_navigation }} +3. Select {{ invite_button }}. +4. Select **Emails or usernames**. +5. Follow the on-screen instructions to invite members. Invite a maximum of 1000 members and separate multiple entries by comma, semicolon, or space. 
+ + > **Note** + > + > It is recommended that you invite non-administrative users to a team other than the owners team. Members in the owners team will have full access to your organization’s administrative settings. + +Pending invitations appear in the table. The invitees receive an email with a link to Docker Hub where they can accept or decline the invitation. + +### Invite members via CSV file + +To invite multiple members to an organization via a CSV file containing email addresses: + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ member_navigation }} +3. Select {{ invite_button }}. +4. Select **CSV upload**. +5. Select **Download the template CSV file** to optionally download an example CSV file. The following is an example of the contents of a valid CSV file. + ``` + email + docker.user-0@example.com + docker.user-1@example.com + ``` + CSV file requirements: + - The file must contain a header row with at least one heading named `email`. Additional columns are allowed and are ignored in the import. + - The file must contain a maximum of 1000 email addresses (rows). To invite more than 1000 users, create multiple CSV files and perform all steps in this task for each file. +6. Create a new CSV file or export a CSV file from another application. + - To export a CSV file from another application, see the application’s documentation. + - To create a new CSV file, open a new file in a text editor, type `email` on the first line, type the user email addresses one per line on the following lines, and then save the file with a .csv extension. +7. Select **Browse files** and then select your CSV file, or drag and drop the CSV file into the **Select a CSV file to upload** box. You can only select one CSV file at a time. + > **Note** + > + > If the amount of email addresses in your CSV file exceeds the number of available seats in your organization, you cannot continue to invite members. 
To invite members, you can purchase more seats, or remove some email addresses from the CSV file and re-select the new file. To purchase more seats, see [Add seats to your subscription](/subscription/add-seats/) or [Contact sales](https://www.docker.com/pricing/contact-sales/). +8. After the CSV file has been uploaded, select **Review**. + Valid email addresses and any email addresses that have issues appear. + Email addresses may have the following issues: + - **Invalid email**: The email address is not a valid address. The email address will be ignored if you send invites. You can correct the email address in the CSV file and re-import the file. + - **Already invited**: The user has already been sent an invite email and another invite email will not be sent. + - **Member**: The user is already a member of your organization and an invite email will not be sent. + - **Duplicate**: The CSV file has multiple occurrences of the same email address. The user will be sent only one invite email. +9. Follow the on-screen instructions to invite members. + + > **Note** + > + > It is recommended that you invite non-administrative users to a team other than the owners team. Members in the owners team will have full access to your organization’s administrative settings. + + +Pending invitations appear in the table. The invitees receive an email with a link to Docker Hub where they can accept or decline the invitation. + +## Resend invitations + +To resend an invitation if the invite is pending or declined: + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ member_navigation }} +3. In the table, locate the invitee, select the **Action** icon, and then select **Resend invitation**. +4. Select **Invite** to confirm. + +## Remove a member or invitee + +To remove a member from an organization: + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ member_navigation }} +3. 
In the table, select the **Action** icon, and then select {{ remove_button }} or **Remove invitee**. +4. Follow the on-screen instructions to remove the member or invitee. + +## Export members + +Owners can export a CSV file containing all members. +The CSV file may contain the following fields: + + * **Name**: The user's name. + * **Username**: The user's Docker ID. + * **Email**: The user's email address. + * **Type**: The type of user. For example, **Invitee** for users who have not accepted the organization's invite, or **User** for users who are members of the organization. + * **Permission**: The user's organization permissions. For example, **Member** or **Owner**. + * **Teams**: The teams where the user is a member. A team is not listed for invitees. + * **Date Joined**: The time and date when the user was invited to the organization. + * **Member of Organizations**: All organizations the user is a member of within a company. + * **Invited to Organizations**: All organizations the user is an invitee of within a company. + * **Account Created**: The time and date when the user account was created. + +To export a CSV file of the members: + +1. Sign in to {{ product_link }}{: target="_blank" rel="noopener" class="_"}. +2. {{ member_navigation }} +3. Select {{ export_button }}. diff --git a/admin/company/index.md b/admin/company/index.md index dac27bcfec..41a550bbae 100644 --- a/admin/company/index.md +++ b/admin/company/index.md @@ -8,7 +8,7 @@ title: Overview {% include admin-company-overview.md %} -To create a company, see [Create a company](../../docker-hub/new-company.md). +To create a company, see [Create a company](../organization/general-settings.md#create-a-company). Learn how to administer a company using Docker Admin in the following sections. @@ -57,12 +57,21 @@ Learn how to administer a company using Docker Admin in the following sections.
- company faqs + Configure company SCIM

Set up SCIM

Set up SCIM to automatically provision and deprovision users in your company.

+
+
+
+ Add and verify your domains +
+

Domain management

+

Add and verify your domains.

+
+
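Review bot: The new Domain management card uses "Add and verify your domains" both as the image alt text and as the card description, while the neighbouring SCIM card in this same block is being corrected from the copy-pasted alt "company faqs" to "Configure company SCIM", i.e. alt text naming the action the card leads to. For consistency give the new card an alt that differs from its description (for example the card title "Domain management" or "Configure company domains") rather than repeating the description line verbatim.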
diff --git a/admin/company/settings/domains.md b/admin/company/settings/domains.md new file mode 100644 index 0000000000..07c123d265 --- /dev/null +++ b/admin/company/settings/domains.md @@ -0,0 +1,13 @@ +--- +description: Domain management in Docker Admin +keywords: domains, SCIM, SSO, Docker Admin +title: Domain management +--- + +{% include admin-early-access.md %} + +Use domain management to manage your domains for Single Sign-On and SCIM. + +## Add and verify a domain + +{% include admin-domains.md product="admin" layer="company"%} \ No newline at end of file diff --git a/admin/company/settings/group-mapping.md b/admin/company/settings/group-mapping.md index 928974e6df..13251a19ac 100644 --- a/admin/company/settings/group-mapping.md +++ b/admin/company/settings/group-mapping.md @@ -6,9 +6,4 @@ title: Group Mapping {% include admin-early-access.md %} -{% include admin-group-mapping.md %} - ->**Tip** -> -> [Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually. -{: .tip} +{% include admin-group-mapping.md product="admin" layer="company" %} \ No newline at end of file diff --git a/admin/company/settings/scim.md b/admin/company/settings/scim.md index aa94a8eaed..d827e1eec3 100644 --- a/admin/company/settings/scim.md +++ b/admin/company/settings/scim.md 
@@ -6,31 +6,6 @@ title: SCIM {% include admin-early-access.md %} -{% include admin-scim.md %} +Follow the steps on this page to manage SCIM for your company. To manage SCIM for an organization, see [SCIM for an organization](/admin/organization/security-settings/scim/). -## Set up SCIM - -You must make sure you have [configured SSO](sso.md) before you enable SCIM. Enforcing SSO is not required. - -### Step one: Enable SCIM in Docker Admin - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your company in the drop-down menu. -3. Select **Settings**. -4. In the **Single Sign-On Connection** table, select the **Actions** icon and **Setup SCIM**. -5. Copy the **SCIM Base URL** and **API Token** and paste the values into your IdP. - -### Step two: Enable SCIM in your IdP - -Follow the instructions provided by your IdP: - -- [Okta](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SCIM.htm){: target="_blank" rel="noopener" class="_" } -- [Azure AD](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad#step-2-configure-the-enterprise-application){: target="_blank" rel="noopener" class="_" } -- [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" } - -## Disable SCIM - -If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization. - -1. In the **Single Sign-On Connection** table, select the **Actions** icon. -2. Select **Disable SCIM**. \ No newline at end of file +{% include admin-scim.md product="admin" layer="company"%} \ No newline at end of file diff --git a/admin/company/settings/sso-configuration.md b/admin/company/settings/sso-configuration.md index b518906b5f..f7332affcd 100644 
--- a/admin/company/settings/sso-configuration.md +++ b/admin/company/settings/sso-configuration.md 
@@ -1,103 +1,15 @@ --- description: SSO configuration keywords: configure, sso, docker admin -title: Configure Single Sign-On +title: Configure Single Sign-On for a company --- {% include admin-early-access.md %} -Follow the steps on this page to configure SSO for your company. +Follow the steps on this page to configure SSO for your company. To configure SSO for an organization, see [Configure SSO for an organization](/admin/organization/security-settings/sso-configuration/). ## Step one: Add and verify your domain -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your company in the drop-down menu. -3. Select **Settings**. -4. Select **Add Domain** and continue with the on-screen instructions to add the TXT Record Value to your domain name system (DNS). +{% include admin-domains.md product="admin" layer="company"%} - >**Note** - > - > Format your domains without protocol or www information, for example, `yourcompany.example`. This should include all email domains and subdomains users will use to access Docker, for example `yourcompany.example` and `us.yourcompany.example`. Public domains such as `gmail.com`, `outlook.com`, etc. aren’t permitted. Also, the email domain should be set as the primary email. - -5. Once you have waited 72 hours for the TXT Record verification, you can then select **Verify** next to the domain you've added, and follow the on-screen instructions. - -## Step two: Create an SSO connection - -> **Important** -> -> If your IdP setup requires an Entity ID and the ACS URL, you must select the -> **SAML** tab in the **Authentication Method** section. For example, if your -> Azure AD Open ID Connect (OIDC) setup uses SAML configuration within Azure -> AD, you must select **SAML**. 
If you are [configuring Open ID Connect with Azure AD](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings){: target="_blank" rel="noopener" class="_"} select -> **Azure AD** as the authentication method. Also, IdP initiated connections -> aren't supported at this time. -{: .important} - -1. Once your domain is verified, in the **Single Sign-on Connection** table select **Create Connections**, and create a name for the connection. - - > **Note** - > - > You have to verify at least one domain before creating the connections. - -2. Select an authentication method, **SAML** or **Azure AD (OIDC)**. -3. Copy the following fields and add them to your IdP: - - - SAML: **Entity ID**, **ACS URL** - - Azure AD (OIDC): **Redirect URL** - - ![SAML](../../../docker-hub/images/saml-create-connection.png){: width="500px" } - - ![Azure AD](../../../docker-hub/images/azure-create-connection.png){: width="500px" } - -4. From your IdP, copy and paste the following values into the Docker **Settings** fields: - - - SAML: **SAML Sign-on URL**, **x509 Certificate** - - Azure AD (OIDC): **Client ID**, **Client Secret**, **Azure AD Domain** - -5. Select the verified domains you want to apply the connection to. - -6. To provision your users, select the organization(s) and/or team(s). - - > **Note** - > - > If you are a company owner and have more than one organization, you need to select a default organization. - -7. Review your summary and select **Create Connection**. - -## Step three: Test your SSO configuration - -After you’ve completed the SSO configuration process in Docker Admin, you can test the configuration when you sign in to Docker Admin using an incognito browser. Sign in to Docker Admin using your domain email address. You are then redirected to your IdP's login page to authenticate. - -1. Authenticate through email instead of using your Docker ID, and test the login process. -2. 
To authenticate through CLI, your users must have a PAT before you enforce SSO for CLI users. - ->**Important** -> -> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization on Docker Hub. -> -> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: -> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) -> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) -{: .important} - -The SSO connection is now created. You can continue to set up [SCIM](scim.md) without enforcing SSO log-in. - -## Optional step four: Enforce SSO - -1. In the **Single Sign-On Connections** table, select the **Action** icon and then **Enforce Single Sign-on**. - When SSO is enforced, your users are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. You must enable 2FA through your IdP. -2. Continue with the on-screen instructions and verify that you’ve completed the tasks. -3. Select **Turn on enforcement** to complete. - -Your users must now sign in to Docker with SSO. - -> **Important** -> -> If SSO isn't enforced, users can choose to sign in with either their Docker ID or SSO. -{: .important} - -## What's next? - -- [Manage your SSO connections](sso-management.md) -- [Set up SCIM](scim.md) -- [Enable Group mapping](group-mapping.md) +{% include admin-sso-config.md product="admin" layer="company"%} \ No newline at end of file diff --git a/admin/company/settings/sso-faq.md b/admin/company/settings/sso-faq.md deleted file mode 100644 index 8943fa6f13..0000000000 
--- a/admin/company/settings/sso-faq.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -description: Single Sign-on FAQs -keywords: Docker, Docker Admin, SSO FAQs, single sign-on -title: Single Sign-On FAQs -toc_max: 2 ---- - -{% include admin-early-access.md %} - -{% include admin-sso-faq.md %} \ No newline at end of file diff --git a/admin/company/settings/sso-management.md b/admin/company/settings/sso-management.md index 31dfd74b0f..65d84b5d17 100644 --- a/admin/company/settings/sso-management.md +++ b/admin/company/settings/sso-management.md 
@@ -1,95 +1,16 @@ --- description: Manage SSO keywords: manage, single sign-on, SSO, sign-on -title: Manage Single Sign-On +title: Manage Single Sign-On for a company --- {% include admin-early-access.md %} -## Manage domains - -### Remove a domain from an SSO connection - -1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**. -2. Select **Next** to navigate to the section where the connected domains are listed. -3. In the **Domain** drop-down, select the **Remove** icon next to the domain that you want to remove. -4. Select **Next** to confirm or change the connected organization(s). -5. Select **Next** to confirm or change the default organization and team provisioning selections. -6. Review the **Connection Summary** and select **Save**. - -> **Note** -> -> If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value. +Follow the steps on this page to manage SSO for your company. To manage SSO for an organization, see [Manage SSO for an organization](/admin/organization/security-settings/sso-management/). ## Manage organizations -### Connect an organization +{% include admin-sso-management-orgs.md product="admin" %} -1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**. -2. Select **Next** to navigate to the section where connected organizations are listed. -3. In the **Organizations** drop-down, select the organization to add to the connection. -4. Select **Next** to confirm or change the default organization and team provisioning. -5. Review the **Connection Summary** and select **Save**. +{% include admin-sso-management.md product="admin" layer="company"%} -### Remove an organization - -1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**. -2. Select **Next** to navigate to the section where connected organizations are listed. 
-3. In the **Organizations** drop-down, select **Remove** to remove the connection. -4. Select **Next** to confirm or change the default organization and team provisioning. -5. Review the **Connection Summary** and select **Save**. - -## Manage SSO connections - -### Edit a connection - -1. In the **Single Sign-On Connection** table, select the **Action** icon. -2. Select **Edit connection** to edit you connection. -3. Continue with the on-screen instructions. - -### Delete a connection - -1. In the **Single Sign-On Connection** table, select the **Action** icon. -2. Select **Delete** and **Delete connection**. -3. Continue with the on-screen instructions. - -### Deleting SSO - -When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one. - -## Manage users - -> **Important** -> -> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization. -> -> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: -> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) -> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) -{: .important} - -### Add guest users when SSO is enabled - -To add a guest to your organization if they aren’t verified through your IdP: - - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your company in the drop-down menu. -3. 
Select **Users**. -4. Select **Invite**, enter the email address, and select an organization and team from the drop-down lists. -5. Select **Invite** to confirm. - -### Remove users from the SSO company - -To remove a user from an organization: - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your company in the drop-down menu. -3. Select **Users**. -4. Select the action icon next to a user’s name, and then select **Remove user**. -5. Follow the on-screen instructions to remove the user. - -## What's next? - -- [Set up SCIM](scim.md) -- [Enable Group mapping](group-mapping.md) diff --git a/admin/company/settings/sso.md b/admin/company/settings/sso.md index 3ea66a705f..36ed9304dd 100644 --- a/admin/company/settings/sso.md +++ b/admin/company/settings/sso.md 
@@ -6,36 +6,4 @@ title: Single Sign-On overview {% include admin-early-access.md %} -SSO allows users to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../../../subscription/upgrade.md). - -## How it works - -When SSO is enabled, users are redirected to your IdP's authentication page to sign in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. - -The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP. - -![SSO architecture](/single-sign-on/images/sso-architecture.png) - -## How to set it up - -Before enabling SSO in Docker, administrators must first configure their IdP to work with Docker. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub. - -After establishing the connection between the IdP server and Docker, administrators sign in to Docker Admin and complete the SSO enablement process. - -When you enable SSO for your company, a first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your company and assigned to the company team in the organization. - -Administrators can then choose to enforce SSO login and effortlessly manage SSO connections for their individual company. - -## Prerequisites - -* You must first notify your company about the new SSO login procedures. 
-* Verify that your members have Docker Desktop version 4.4.2, or later, installed on their machines. -* If your organization uses the Docker Hub CLI, new org members must [create a Personal Access Token (PAT)](../../../docker-hub/access-tokens.md) to sign in to the CLI.There is a grace period for existing users, which will expire in the near future. Before the grace period ends, your users can sign in from Docker Desktop CLI using their previous credentials until PATs are mandatory. -In addition, you should add all email addresses to your IdP. -* Confirm that all CI/CD pipelines have replaced their passwords with PATs. -* For your service accounts, add your additional domains or enable it in your IdP. - -## What's next? - -- Start [configuring SSO](sso-configuration.md) for your company -- Explore [the FAQs](sso-faq.md) +{% include admin-sso.md product="admin" layer="company" %} \ No newline at end of file diff --git a/admin/company/users.md b/admin/company/users.md index 6f0b39d3ed..f59d3e1aee 100644 --- a/admin/company/users.md +++ b/admin/company/users.md 
@@ -6,102 +6,8 @@ title: Manage company users {% include admin-early-access.md %} -## Invite members +{% include admin-users.md product="admin" layer="company" %} -Company owners can invite new members to an organization in the company via Docker ID, email address, or via a CSV file containing email addresses. If an invitee does not have a Docker account, they must create an account and verify their email address before they can accept the invitation to join the organization. When inviting members, their pending invitation occupies a seat. +## Manage members on a team -### Invite members via Docker ID or email address - -Use the following steps to invite members to an organization in your company via Docker ID or email address. To invite a large amount of members to your company, Docker recommends that you [invite members via CSV file](#invite-members-via-csv-file). - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your company in the drop-down menu. -3. Select **Users**. -4. Select **Invite**. -5. Select **Emails Or Docker IDs**. -6. Enter the Docker IDs or email addresses that you want to invite, up to a maximum of 1000. Separate multiple entries by a comma, semicolon, or space. -7. Select an organization from the drop-down list to add all invited users to that organization. -8. Select a team or type to create a new team. Docker will invite all users to that team. -9. Select **Invite** to confirm. - > **Note** - > - > You can view the pending invitations in the **Users** page. The invitees receive an email with a link to the organization in Docker Hub where they can accept or decline the invitation. - -### Invite members via CSV file - -To invite multiple members to your organization in your company via a CSV file containing email addresses: -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. 
In the left navigation, select your company in the drop-down menu. -3. Select **Users**. -4. Select **Invite**. -5. Select **CSV Upload**. -6. Select an organization from the drop-down list to add all invited users to that organization. -7. Select a team or type to create a new team. Docker will invite all users to that team. -8. Select **Download the template CSV file** to optionally download an example CSV file. The following is an example of the contents of a valid CSV file. - ``` - email - docker.user-0@example.com - docker.user-1@example.com - ``` - CSV file requirements: - - The file must contain a header row with at least one heading named `email`. You can add additional columns but the import will ignore them. - - The file can contain a maximum of 1000 email addresses (rows). To invite more than 1000 users, create multiple CSV files and perform all steps in this task for each file. -9. Create a new CSV file or export a CSV file from another application. - - To export a CSV file from another application, see the application’s documentation. - - To create a new CSV file, open a new file in a text editor, type `email` on the first line, type the user email addresses one per line on the following lines, and then save the file with a .csv extension. -10. Select **Browse files** and then select your CSV file, or drag and drop the CSV file into the **Select a CSV file to upload** box. You can only select one CSV file at a time. - > **Note** - > - > If the amount of email addresses in your CSV file exceeds the number of available seats in your organization, you can't continue to invite members. To invite members, you can buy more seats, or remove some email addresses from the CSV file and re-select the new file. To buy more seats, see [Add seats to your subscription](../../subscription/add-seats.md) or [Contact sales](https://www.docker.com/pricing/contact-sales/). -11. After the CSV file upload completes, select **Review**. 
- Valid email addresses and any email addresses that have issues appear. - Email addresses may have the following issues: - - **Invalid email**: The email address isn't a valid address. The email address will be ignored if you send invites. You can correct the email address in the CSV file and re-import the file. - - **Already invited**: Docker has already sent an invite email and Docker won't send another invite email. - - **Member**: The user is already a member of your organization and Docker won't send an invite email. - - **Duplicate**: The CSV file has multiple occurrences of the same email address. Docker will send the user only one invite email. -12. Select **Send invites**. - > **Note** - > - > You can view the pending invitations in the **Users** page. The invitees receive an email with a link to the organization in Docker Hub where they can accept or decline the invitation. - -## Resend invitations - -To resend an invitation if the invite is pending or declined: - -1. Go to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your company in the drop-down menu. -3. Select **Users**. -4. Locate the invitee, select the action icon in the invitee's row, and then select **Resend invitation**. -5. Select **Invite** to confirm. - -## Remove a member or invitee from an organization - -To remove a member or invitee from an organization: - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your company in the drop-down menu. -3. Select **Users**. -4. Locate the user, select the action icon in the user's row, and then select **Remove user** or **Remove invitee**. -5. Select the organizations to remove the user from. -6. Select **Remove** to confirm. - -## Export users - -Company owners can export a CSV file containing all of the company's users. 
-The CSV file contains the following fields: - - * **Name**: The user's name. - * **Username**: The user's Docker ID. - * **Email**: The user's email address. - * **Type**: The type of user. For example, **Invitee** for users who haven't accepted the organization's invite, or **User** for users who are members of the organization. - * **Permissions**: The user's organization permissions. For example, **Member** or **Owner**. - * **Teams**: The teams where the user is a member. A team isn't listed for invitees. - * **Date Joined**: The time and date when the user was invited to the organization. - -To export a CSV file of the company's users: - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your company in the drop-down menu. -3. Select **Users**. -4. Select the action icon next to **Invite**, and then select **Export users as CSV**. \ No newline at end of file +Use Docker Hub to add a member to a team or remove a member from a team. For more details, see [Manage members in Docker Hub](../../docker-hub/members.md). \ No newline at end of file diff --git a/admin/organization/activity-logs.md b/admin/organization/activity-logs.md index b02fab9579..8529070cbc 100644 --- a/admin/organization/activity-logs.md +++ b/admin/organization/activity-logs.md 
@@ -6,39 +6,4 @@ title: Activity logs {% include admin-early-access.md %} -Activity logs are a chronological list of activities that occur at organization and repository levels. The feature provides information to organization owners on all their team member activities. - -With activity logs, owners can view and track: - - What changes were made - - The date when a change was made - - Who initiated the change - - For example, activity logs display activities such as the date when a repository was created or deleted, the team member who created the repository, the name of the repository, and when there was a change to the privacy settings. - -Owners can also see the activity logs for their repository if the repository is part of the organization. - -## View the activity logs - -To view the activity logs: - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Activity Logs**. - -> **Note** -> -> Docker retains the activity data for a period of three months. - -## Customize the activity logs - -By default, all activities that occur at organization and repository levels are displayed. Use the calendar option to select a date range and customize your results. After you have selected a date range, Docker Admin displays the activity logs of all the activities that occurred during that period. - -> **Note** -> -> Activities created by the Docker Support team as part of resolving customer issues appear in the activity logs as **dockersupport**. - -Select the **All Activities** dropdown to view activities that are specific to an organization, repository, or billing. - -After choosing **Organization**, **Repository**, or **Billing**, you can further refine the results using the **All Actions** dropdown. 
- -{% include admin-org-audit-log-events.md %} \ No newline at end of file +{% include admin-org-audit-log.md product="admin" %} \ No newline at end of file diff --git a/admin/organization/general-settings.md b/admin/organization/general-settings.md index 084e87a28b..832ab14356 100644 --- a/admin/organization/general-settings.md +++ b/admin/organization/general-settings.md @@ -6,6 +6,8 @@ title: General settings {% include admin-early-access.md %} +## Configure general information + General organization information appears on your organization landing page in Docker Hub. This information includes: @@ -19,4 +21,16 @@ To edit this information: 1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. 2. In the left navigation, select your organization in the drop-down menu. -3. Under **Organization Settings**, select **General**. \ No newline at end of file +3. Under **Organization Settings**, select **General**. +4. Specify the organization information and select **Save**. + +## Create a company + +To create a new company: + +1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. +2. In the left navigation, select your organization in the drop-down menu. +3. Under **Organization Settings**, select **General**. +4. In the **Organization management** section, select **Create a company**. +5. Enter a unique name for your company, then select **Continue**. +6. Review the company migration details and then select **Create company**. \ No newline at end of file diff --git a/admin/organization/image-access.md b/admin/organization/image-access.md index 0c5feac5fc..206e5a80ac 100644 --- a/admin/organization/image-access.md +++ b/admin/organization/image-access.md 
@@ -6,31 +6,4 @@ title: Image Access Management {% include admin-early-access.md %} -Image Access Management (IAM) is a feature available to organizations with a Docker Business subscription. Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub. - -For example, a developer, who is part of an organization, building a new containerized application could accidentally use an untrusted, community image as a component of their application. This image could be malicious and pose a security risk to the company. Using Image Access Management, the organization owner can ensure that the developer can only access trusted content like Docker Official Images, Docker Verified Publisher Images, or the organization’s own images, preventing such a risk. - -## Configure Image Access Management permissions - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Image Access**. -4. Enable Image Access Management to set the permissions for the following categories of images you can manage: -- **Organization Images**: When Image Access Management is enabled, images from your organization are always allowed. These images can be public or private created by members within your organization. -- **Docker Official Images**: A curated set of Docker repositories hosted on Hub. They provide OS repositories, best practices for Dockerfiles, drop-in solutions, and applies security updates on time. -- **Docker Verified Publisher Images**: Published by Docker partners that are part of the Verified Publisher program and are qualified to be included in the developer secure supply chain. You can set permissions to **Allowed** or **Restricted**. 
-- **Community Images**: Images are always disabled when Image Access Management is enabled. These images are not trusted because various Docker Hub users contribute them and pose security risks. - - > **Note** - > - > Image Access Management is turned off by default. However, organization owners have access to all images regardless of the settings. - -5. Select the category restrictions for your images by selecting **Allowed**. - Once the restrictions are applied, your members can view the organization permissions page in a read-only format. -6. Optional: To ensure that each organization member uses images in a safe and secure environment, [enforce sign-in](../../docker-hub/configure-sign-in.md). - -## Verify the restrictions - - To confirm that the restrictions are successful, have each organization member attempt to pull different types of images from Docker Hub onto their local computer after signing in to Docker Desktop. - - For example, if you enable Image Access Management, your members can only pull an Organization Image, Docker Official Image, or Verified Publisher Image onto their local machine. If you disable the restrictions, your members can pull any image, including community images. +{% include admin-image-access.md product="admin" %} \ No newline at end of file diff --git a/admin/organization/index.md b/admin/organization/index.md index be863c69a6..e3f744b34f 100644 --- a/admin/organization/index.md +++ b/admin/organization/index.md @@ -36,7 +36,7 @@ Learn how to administer an organization using Docker Admin in the following sect
- Image Access Management + Image Access Management

Image Access Management

Control which types of images your developers can pull.

@@ -48,7 +48,7 @@ Learn how to administer an organization using Docker Admin in the following sect
- Registry Access Management + Registry Access Management

Registry Access Management

Define which registries your developers can access.

@@ -60,7 +60,7 @@ Learn how to administer an organization using Docker Admin in the following sect General settings

General settings

-

Configure general information that Docker Hub displays on your organization's landing page.

+

Configure general information or create a company.

@@ -68,10 +68,21 @@ Learn how to administer an organization using Docker Admin in the following sect
Security settings
-

Security settings

+

SSO & SCIM

Set up Single Sign-On and SCIM for your organization.

+ +
+
+
+
+ Domain management +
+

Domain management

+

Add, verify, and audit your domains.

+
+
diff --git a/admin/organization/members.md b/admin/organization/members.md index 8959eaa5ad..ded2ab268c 100644 --- a/admin/organization/members.md +++ b/admin/organization/members.md 
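Review bot: applies to the admin/organization/image-access.md hunk above: the removed body carried the caveats that decide whether Image Access Management protects anything, namely that the verification step only tests users who have signed in to Docker Desktop (step 6 points at `enforce sign-in`), that organization owners have access to all images regardless of the setting, and that community images are always blocked once the feature is on. The replacement `{% include admin-image-access.md product="admin" %}` is not in this patch, and the same include is reused at the end of this patch for `desktop/hardened-desktop/image-access-management.md` with `product="hub"`; confirm the include keeps the enforce-sign-in prerequisite and the owner exemption for both `product` values, since an admin who enables the toggle without enforcing sign-in will not see the restriction on developers' machines.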
@@ -6,106 +6,8 @@ title: Manage members {% include admin-early-access.md %} -## Invite members +{% include admin-users.md product="admin" layer="company" %} -Organization owners can invite new members to an organization via Docker ID, email address, or via a CSV file containing email addresses. If an invitee does not have a Docker account, they must create an account and verify their email address before they can accept the invitation to join the organization. When inviting members, their pending invitation occupies a seat. +## Manage members on a team -### Invite members via Docker ID or email address - -Use the following steps to invite members to your organization via Docker ID or email address. To invite a large amount of members to your organization, the recommended method is to [invite members via CSV file](#invite-members-via-csv-file). - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Members**. -4. Select **Invite Member**. -5. Select **Emails Or Docker IDs**. -6. Enter the Docker IDs or email addresses that you want to invite, up to a maximum of 1000. Separate multiple entries by a comma, semicolon, or space. -7. Select a team or type to create a new team. Docker will invite all users to that team. -8. Select **Invite** to confirm. - > **Note** - > - > You can view the pending invitations in the **Members** page. The invitees receive an email with a link to the organization in Docker Hub where they can accept or decline the invitation. - -### Invite members via CSV file - -To invite multiple members to your organization via a CSV file containing email addresses: - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Members**. -4. Select **Invite Member**. -5. 
Select **CSV Upload**. -6. Select a team or type to create a new team. Docker will invite all users to that team. -7. Select **Download the template CSV file** to optionally download an example CSV file. The following is an example of the contents of a valid CSV file. - ``` - email - docker.user-0@example.com - docker.user-1@example.com - ``` - CSV file requirements: - - The file must contain a header row with at least one heading named `email`. Additional columns are allowed but are ignored in the import. - - The file must contain a maximum of 1000 email addresses (rows). To invite more than 1000 users, create multiple CSV files and perform all steps in this task for each file. -8. Create a new CSV file or export a CSV file from another application. - - To export a CSV file from another application, see the application’s documentation. - - To create a new CSV file, open a new file in a text editor, type `email` on the first line, type the user email addresses one per line on the following lines, and then save the file with a .csv extension. -9. Select **Browse files** and then select your CSV file, or drag and drop the CSV file into the **Select a CSV file to upload** box. You can only select one CSV file at a time. - > **Note** - > - > If the amount of email addresses in your CSV file exceeds the number of available seats in your organization, you can't continue to invite members. To invite members, you can buy more seats, or remove some email addresses from the CSV file and re-select the new file. To buy more seats, see [Add seats to your subscription](../../subscription/add-seats.md) or [Contact sales](https://www.docker.com/pricing/contact-sales/). -10. After the CSV file has been uploaded, select **Review**. - Valid email addresses and any email addresses that have issues appear. - Email addresses may have the following issues: - - **Invalid email**: The email address is not a valid address. The email address will be ignored if you send invites. 
You can correct the email address in the CSV file and re-import the file. - - **Already invited**: The user has already been sent an invite email and another invite email will not be sent. - - **Member**: The user is already a member of your organization and an invite email will not be sent. - - **Duplicate**: The CSV file has multiple occurrences of the same email address. The user will be sent only one invite email. -11. Select **Send invites**. - > **Note** - > - > You can view the pending invitations in the **Members** page. The invitees receive an email with a link to the organization in Docker Hub where they can accept or decline the invitation. - -## Add a member to a team - -Use Docker Hub to add a member to a team. For more details, see [Add a member to a team](../../docker-hub/members.md#add-a-member-to-a-team). - -## Resend invitations - -To resend an invitation if the invite is pending or declined: - - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Members**. -4. Locate the invitee, select the action icon in the invitee's row, and then select **Resend invitation**. -5. Select **Invite** to confirm. - -## Remove a member or invitee from an organization - -To remove a member or invitee from an organization: - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Members**. -4. Locate the user, select the action icon in the user's row, and then select **Remove member** or **Remove invitee**. -5. Select **Remove** to confirm. - -## Export members - -Organization owners can export a CSV file containing the organization's members. -The CSV file contains the following fields: - - * **Name**: The user's name. - * **Username**: The user's Docker ID. 
- * **Email**: The user's email address. - * **Type**: The type of user. For example, **Invitee** for users who have not accepted the organization's invite, or **User** for users who are members of the organization. - * **Permissions**: The user's organization permissions. For example, **Member** or **Owner**. - * **Teams**: The teams where the user is a member. A team is not listed for invitees. - * **Date Joined**: The time and date when the user was invited to the organization. - -To export a CSV file of the organization's members: - - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Members**. -4. Select **Export members** to download the CSV file. +Use Docker Hub to add a member to a team or remove a member from a team. For more details, see [Manage members in Docker Hub](../../docker-hub/members.md). diff --git a/admin/organization/registry-access.md b/admin/organization/registry-access.md index e0a5de24f8..64a20ed376 100644 --- a/admin/organization/registry-access.md +++ b/admin/organization/registry-access.md 
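Review bot: `{% include admin-users.md product="admin" layer="company" %}` in admin/organization/members.md passes `layer="company"`, while every other organization page in this patch (scim.md, sso-configuration.md, sso-management.md, sso.md, group-mapping.md, domains.md) passes `layer="organization"`; unless the include deliberately renders the company variant here, this should be `layer="organization"`, otherwise the rendered steps will direct an organization owner to the company view. Also confirm the include keeps the removed seat-accounting notes (a pending invitation occupies a seat; the CSV import stops when the email count exceeds available seats) and the 1000-address limit, which anyone planning a bulk invite needs to know.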
@@ -6,63 +6,4 @@ title: Registry Access Management {% include admin-early-access.md %} -> **Note** -> -> Registry Access Management is available to Docker Business customers only. - -With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access registries that are allowed. - -Registry Access Management supports both cloud and on-prem registries. Example registries administrators can allow include: - - Docker Hub. This is enabled by default. - - Amazon ECR - - GitHub Container Registry - - Google Container Registry - - Nexus - - Artifactory - -## Prerequisites - -You need to [configure a registry.json to enforce sign-in](../../docker-hub/configure-sign-in.md). For Registry Access Management to take effect, Docker Desktop users must authenticate to your organization. - -## Configure Registry Access Management permissions - -To configure Registry Access Management permissions: - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Registry Access**. -4. Toggle on Registry Access Management to set the permissions for your registry. - - > **Note** - > - > When enabled, the Docker Hub registry is set by default, however you can also restrict this registry for your developers. - -5. To add registries to your list, select **Add** and enter your registry details in the applicable fields, then select **Create**. -6. Verify that the registry appears in your list and select **Save & Apply**. - - > **Note** - > - > Once you add a registry, it takes up to 24 hours for the changes to be enforced on your developers’ machines. If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. 
- -> **Tip** -> -> Since RAM sets policies about where content can be fetched from, the [ADD](/engine/reference/builder/#add) instruction of the Dockerfile, when the parameter of the ADD instruction is a URL, is also subject to registry restrictions. It's recommended that you add the domains of URL parameters to the list of allowed registry addresses under the Registry Access Management settings of your organization. -{: .tip} - -## Verify the restrictions - -The new Registry Access Management policy takes effect after the developer successfully authenticates to Docker Desktop using their organization credentials. If a developer attempts to pull an image from a disallowed registry via the Docker CLI, they receive an error message that the organization has disallowed this registry. - -## Caveats - -There are certain limitations when using Registry Access Management: - -- Windows image pulls, and image builds are not restricted -- Builds such as `docker buildx` using a Kubernetes driver are not restricted -- Builds such as `docker buildx` using a custom docker-container driver are not restricted -- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull” -- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series) -- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel) -- Not currently supported on Hyper-V Windows Containers - -Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Docker Desktop does not support blocking these forms of manipulation. \ No newline at end of file +{% include admin-registry-access.md product="admin" %} \ No newline at end of file 
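Review bot: the removed **Caveats** section is the most important part of this page for anyone relying on Registry Access Management as a control: blocking is DNS/host based, Windows image pulls and builds are not restricted, Kubernetes and custom docker-container buildx drivers are not restricted, and a developer can bypass it with a local proxy or a hosts-file edit. None of that is visible in the replacement `{% include admin-registry-access.md product="admin" %}`. Confirm the include carries the caveats, the `ADD`-with-URL tip, and the 24-hour enforcement delay, and while moving the text fix the typo in the bypass sentence: `modifying their operating system's `sts` file` should read `hosts` file.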
diff --git a/admin/organization/security-settings/domains.md b/admin/organization/security-settings/domains.md new file mode 100644 index 0000000000..21d13407d1 --- /dev/null +++ b/admin/organization/security-settings/domains.md @@ -0,0 +1,17 @@ +--- +description: Domain management in Docker Admin +keywords: domains, SCIM, SSO, Docker Admin, domain audit +title: Domain management +--- + +{% include admin-early-access.md %} + +Use domain management to manage your domains for Single Sign-On and SCIM, as well as audit your domains for uncaptured users. + +## Add and verify a domain + +{% include admin-domains.md product="admin" layer="organization"%} + +## Domain audit + +{% include admin-domain-audit.md product="admin" %} diff --git a/admin/organization/security-settings/group-mapping.md b/admin/organization/security-settings/group-mapping.md index 928974e6df..1dbd7f5b73 100644 --- a/admin/organization/security-settings/group-mapping.md +++ b/admin/organization/security-settings/group-mapping.md @@ -6,9 +6,4 @@ title: Group Mapping {% include admin-early-access.md %} -{% include admin-group-mapping.md %} - ->**Tip** -> -> [Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually. -{: .tip} +{% include admin-group-mapping.md product="admin" layer="organization" %} diff --git a/admin/organization/security-settings/scim.md b/admin/organization/security-settings/scim.md index 2876836f53..54530818d5 100644 --- a/admin/organization/security-settings/scim.md +++ b/admin/organization/security-settings/scim.md 
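Review bot: the group-mapping.md hunk removes the tip `[Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually.` and replaces the page with `{% include admin-group-mapping.md product="admin" layer="organization" %}`. That tip was the only place on the page warning that group mapping alone never removes access, so offboarding stays manual without SCIM; confirm the include states it, or keep the tip next to the include the way scim.md keeps its cross-link sentence above its include.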
@@ -6,31 +6,6 @@ title: SCIM {% include admin-early-access.md %} -{% include admin-scim.md %} +Follow the steps on this page to manage SCIM for your organization. To manage SCIM for a company, see [SCIM for a company](/admin/company/settings/scim/). -## Set up SCIM - -You must make sure you have [configured SSO](sso.md) before you enable SCIM. Enforcing SSO is not required. - -### Step one: Enable SCIM in Docker Admin - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Security**. -4. In the **Single Sign-On Connection** table, select the **Actions** icon and **Setup SCIM**. -5. Copy the **SCIM Base URL** and **API Token** and paste the values into your IdP. - -### Step two: Enable SCIM in your IdP - -Follow the instructions provided by your IdP: - -- [Okta](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SCIM.htm){: target="_blank" rel="noopener" class="_" } -- [Azure AD](https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad#step-2-configure-the-enterprise-application){: target="_blank" rel="noopener" class="_" } -- [OneLogin](https://developers.onelogin.com/scim/create-app){: target="_blank" rel="noopener" class="_" } - -## Disable SCIM - -If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization. - -1. In the **Single Sign-On Connection** table, select the **Actions** icon. -2. Select **Disable SCIM**. \ No newline at end of file +{% include admin-scim.md product="admin" layer="organization"%} \ No newline at end of file 
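Review bot: the removed **Disable SCIM** section stated the consequence that matters for access control: users provisioned through SCIM remain in the organization after SCIM is turned off and can only be de-provisioned by removing them manually. It also required SSO to be configured before SCIM is enabled. Both are gone from this file and the replacement `{% include admin-scim.md product="admin" layer="organization"%}` is not in the patch; confirm the include keeps them. Minor: that include tag has no space before `%}`; the same appears in domains.md, sso-configuration.md and sso-management.md in this patch, while group-mapping.md and sso.md write `layer="organization" %}`. Liquid accepts both, but pick one form.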
diff --git a/admin/organization/security-settings/sso-configuration.md b/admin/organization/security-settings/sso-configuration.md index d802fa8623..0173d3b156 100644 --- a/admin/organization/security-settings/sso-configuration.md +++ b/admin/organization/security-settings/sso-configuration.md 
@@ -1,99 +1,16 @@ --- description: SSO configuration keywords: configure, sso, docker admin -title: Configure Single Sign-On +title: Configure Single Sign-On for an organization --- {% include admin-early-access.md %} -Follow the steps on this page to configure SSO for your organization. +Follow the steps on this page to configure SSO for your organization. To configure SSO for a company, see [Configure SSO for a company](/admin/company/settings/sso-configuration/). ## Step one: Add and verify your domain -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Security**. -4. Select **Add Domain** and continue with the on-screen instructions to add the TXT Record Value to your domain name system (DNS). +{% include admin-domains.md product="admin" layer="organization"%} - >**Note** - > - > Format your domains without protocol or www information, for example, `yourcompany.example`. This should include all email domains and subdomains users will use to access Docker, for example `yourcompany.example` and `us.yourcompany.example`. Public domains such as `gmail.com`, `outlook.com`, etc. aren’t permitted. Also, the email domain should be set as the primary email. -5. Once you have waited 72 hours for the TXT Record verification, you can then select **Verify** next to the domain you've added, and follow the on-screen instructions. - -## Step two: Create an SSO connection - -> **Important** -> -> If your IdP setup requires an Entity ID and the ACS URL, you must select the -> **SAML** tab in the **Authentication Method** section. For example, if your -> Azure AD Open ID Connect (OIDC) setup uses SAML configuration within Azure -> AD, you must select **SAML**. 
If you are [configuring Open ID Connect with Azure AD](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings){: target="_blank" rel="noopener" class="_"} select -> **Azure AD** as the authentication method. Also, IdP initiated connections -> aren't supported at this time. -{: .important} - -1. Once your domain is verified, in the **Single Sign-on Connection** table select **Create Connections**, and create a name for the connection. - - > **Note** - > - > You have to verify at least one domain before creating the connections. - -2. Select an authentication method, **SAML** or **Azure AD (OIDC)**. -3. Copy the following fields and add them to your IdP: - - - SAML: **Entity ID**, **ACS URL** - - Azure AD (OIDC): **Redirect URL** - - ![SAML](../../../docker-hub/images/saml-create-connection.png){: width="500px" } - - ![Azure AD](../../../docker-hub/images/azure-create-connection.png){: width="500px" } - -4. From your IdP, copy and paste the following values into the Docker **Settings** fields: - - - SAML: **SAML Sign-on URL**, **x509 Certificate** - - Azure AD (OIDC): **Client ID**, **Client Secret**, **Azure AD Domain** - -5. Select the verified domains you want to apply the connection to. - -6. To provision your users, select the organization(s) and/or team(s). - -7. Review your summary and select **Create Connection**. - -## Step three: Test your SSO configuration - -After you’ve completed the SSO configuration process in Docker Admin, you can test the configuration when you sign in to Docker Admin using an incognito browser. Sign in to Docker Admin using your domain email address. You are then redirected to your IdP's login page to authenticate. - -1. Authenticate through email instead of using your Docker ID, and test the login process. -2. To authenticate through CLI, your users must have a PAT before you enforce SSO for CLI users. - ->**Important** -> -> SSO has Just-In-Time (JIT) Provisioning enabled by default. 
This means your users are auto-provisioned into a team called 'Company' within your organization on Docker Hub. -> -> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: -> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) -> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) -{: .important} - -The SSO connection is now created. You can continue to set up [SCIM](scim.md) without enforcing SSO log-in. - -## Optional step four: Enforce SSO - -1. In the **Single Sign-On Connections** table, select the **Action** icon and then **Enforce Single Sign-on**. - When SSO is enforced, your users are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. You must enable 2FA through your IdP. -2. Continue with the on-screen instructions and verify that you’ve completed the tasks. -3. Select **Turn on enforcement** to complete. - -Your users must now sign in to Docker with SSO. - -> **Important** -> -> If SSO isn't enforced, users can choose to sign in with either their Docker ID or SSO. -{: .important} - -## What's next? - -- [Manage you SSO connections](sso-management.md) -- [Set up SCIM](scim.md) -- [Enable Group mapping](group-mapping.md) +{% include admin-sso-config.md product="admin" layer="organization"%} \ No newline at end of file diff --git a/admin/organization/security-settings/sso-faq.md b/admin/organization/security-settings/sso-faq.md deleted file mode 100644 index 8943fa6f13..0000000000 --- a/admin/organization/security-settings/sso-faq.md +++ /dev/null 
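Review bot: the sso-configuration.md hunk deletes the enforcement consequences along with the steps: with SSO enforced, users cannot change their email or password or set up 2FA through Docker Hub (2FA has to come from the IdP), CLI users need a PAT before enforcement, IdP-initiated flows are not supported, and JIT provisioning places every IdP-authenticated user into the 'Company' team unless the IdP app is restricted to a security group. The replacement `{% include admin-sso-config.md product="admin" layer="organization"%}` is not shown; confirm those points survive, and if the 72-hour TXT-record sentence is retained, phrase it as a maximum propagation time rather than a mandatory wait before selecting **Verify**.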
@@ -1,10 +0,0 @@ ---- -description: Single Sign-on FAQs -keywords: Docker, Docker Admin, SSO FAQs, single sign-on -title: Single Sign-On FAQs -toc_max: 2 ---- - -{% include admin-early-access.md %} - -{% include admin-sso-faq.md %} \ No newline at end of file diff --git a/admin/organization/security-settings/sso-management.md b/admin/organization/security-settings/sso-management.md index 74f89b5612..d1cc2dfc9c 100644 --- a/admin/organization/security-settings/sso-management.md +++ b/admin/organization/security-settings/sso-management.md 
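Review bot: sso-faq.md is deleted outright and nothing in this patch adds a `redirect_from` for `/admin/organization/security-settings/sso-faq/` on a surviving page, so bookmarks and external links to the FAQ will 404; the old sso.md body linked to it via `Explore [the FAQs](sso-faq.md)`, which this patch also removes. Either add the old path to `redirect_from` on sso.md (the repo already uses that pattern, see `redirect_from: - /docker-hub/registry-access-management/` at the end of this patch) or keep a stub page that points wherever the FAQ content now lives.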
@@ -1,95 +1,12 @@ --- description: Manage SSO keywords: manage, single sign-on, SSO, sign-on -title: Manage Single Sign-On +title: Manage Single Sign-On for an organization --- {% include admin-early-access.md %} -## Manage domains - -### Remove a domain from an SSO connection - -1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**. -2. Select **Next** to navigate to the section where the connected domains are listed. -3. In the **Domain** drop-down, select the **Remove** icon next to the domain that you want to remove. -4. Select **Next** to confirm or change the connected organization(s). -5. Select **Next** to confirm or change the default organization and team provisioning selections. -6. Review the **Connection Summary** and select **Save**. - -> **Note** -> -> If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value. - -## Manage organizations - -### Connect an organization - -1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**. -2. Select **Next** to navigate to the section where connected organizations are listed. -3. In the **Organizations** drop-down, select the organization to add to the connection. -4. Select **Next** to confirm or change the default organization and team provisioning. -5. Review the **Connection Summary** and select **Save**. - -### Remove an organization - -1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**. -2. Select **Next** to navigate to the section where connected organizations are listed. -3. In the **Organizations** drop-down, select **Remove** to remove the connection. -4. Select **Next** to confirm or change the default organization and team provisioning. -5. Review the **Connection Summary** and select **Save**. - -## Manage SSO connections - -### Edit a connection - -1. 
In the **Single Sign-On Connection** table, select the **Action** icon. -2. Select **Edit connection** to edit you connection. -3. Continue with the on-screen instructions. - -### Delete a connection - -1. In the **Single Sign-On Connection** table, select the **Action** icon. -2. Select **Delete** and **Delete connection**. -3. Continue with the on-screen instructions. - -### Deleting SSO - -When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one. - -## Manage users - -> **Important** -> -> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization. -> -> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: -> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) -> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) -{: .important} - -### Add guest users when SSO is enabled - -To add a guest to your organization if they aren’t verified through your IdP: +Follow the steps on this page to manage SSO for an organization. To manage SSO for a company, see [Manage SSO for a company](/admin/company/settings/sso-management/). -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your organization in the drop-down menu. -3. Select **Members**. -4. Select **Invite**, enter the email address, and select an organization and team from the drop-down lists. 
-5. Select **Invite** to confirm. - -### Remove users from the SSO company - -To remove a user from an organization: - -1. Sign in to [Docker Admin](https://admin.docker.com){: target="_blank" rel="noopener" class="_"}. -2. In the left navigation, select your oranization in the drop-down menu. -3. Select **Members**. -4. Select the action icon next to a user’s name, and then select **Remove member**. -5. Follow the on-screen instructions to remove the user. - -## What's next? - -- [Set up SCIM](scim.md) -- [Enable Group mapping](group-mapping.md) +{% include admin-sso-management.md product="admin" layer="organization"%} \ No newline at end of file diff --git a/admin/organization/security-settings/sso.md b/admin/organization/security-settings/sso.md index cf3e1851bb..7efbfc32fb 100644 --- a/admin/organization/security-settings/sso.md +++ b/admin/organization/security-settings/sso.md 
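Review bot: the removed **Deleting SSO** paragraph is the one that tells an admin what happens to users when a connection is deleted (they fall back to Docker ID and password, may need a password reset, and the deletion cannot be undone), and the removed domain note explains that re-adding a domain issues a new TXT record that must be re-verified. Both decide whether an SSO rollout can be safely rolled back; confirm `{% include admin-sso-management.md product="admin" layer="organization"%}` still states them. The removed text also carried a typo (`oranization`), so check the include did not inherit it.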
@@ -6,36 +6,4 @@ title: Single Sign-On overview {% include admin-early-access.md %} -SSO allows users to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../../../subscription/upgrade.md). - -## How it works - -When SSO is enabled, users are redirected to your IdP's authentication page to sign in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. - -The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP. - -![SSO architecture](/single-sign-on/images/sso-architecture.png) - -## How to set it up - -Before enabling SSO in Docker, administrators must first configure their IdP to work with Docker. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub. - -After establishing the connection between the IdP server and Docker, administrators sign in to Docker Admin and complete the SSO enablement process. - -When you enable SSO for your company, a first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your company and assigned to the company team in the organization. - -Administrators can then choose to enforce SSO login and effortlessly manage SSO connections for their individual company. - -## Prerequisites - -* You must first notify your company about the new SSO login procedures. 
-* Verify that your members have Docker Desktop version 4.4.2, or later, installed on their machines. -* If your organization uses the Docker Hub CLI, new org members must [create a Personal Access Token (PAT)](../../../docker-hub/access-tokens.md) to sign in to the CLI.There is a grace period for existing users, which will expire in the near future. Before the grace period ends, your users can sign in from Docker Desktop CLI using their previous credentials until PATs are mandatory. -In addition, you should add all email addresses to your IdP. -* Confirm that all CI/CD pipelines have replaced their passwords with PATs. -* For your service accounts, add your additional domains or enable it in your IdP. - -## What's next? - -- Start [configuring SSO](sso-configuration.md) for your organization -- Explore [the FAQs](sso-faq.md) +{% include admin-sso.md product="admin" layer="organization" %} diff --git a/desktop/hardened-desktop/image-access-management.md b/desktop/hardened-desktop/image-access-management.md new file mode 100644 index 0000000000..c339e152c4 --- /dev/null +++ b/desktop/hardened-desktop/image-access-management.md @@ -0,0 +1,7 @@ +--- +description: Image Access Management +keywords: image, access, management +title: Image Access Management +--- + +{% include admin-image-access.md product="hub" %} \ No newline at end of file diff --git a/desktop/hardened-desktop/registry-access-management.md b/desktop/hardened-desktop/registry-access-management.md index 6e31156d4d..2bf0b50832 100644 --- a/desktop/hardened-desktop/registry-access-management.md +++ b/desktop/hardened-desktop/registry-access-management.md 
@@ -6,62 +6,4 @@ redirect_from: - /docker-hub/registry-access-management/ --- ->Note -> ->Registry Access Management is available to Docker Business customers only. - -With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub. - -Registry Access Management supports both cloud and on-prem registries. Example registries administrators can allow include: - - Docker Hub. This is enabled by default. - - Amazon ECR - - GitHub Container Registry - - Google Container Registry - - Nexus - - Artifactory - -## Prerequisites - -You need to [configure a registry.json to enforce sign-in](../../docker-hub/configure-sign-in.md). For Registry Access Management to take effect, Docker Desktop users must authenticate to your organization. - -## Configure Registry Access Management permissions - -To configure Registry Access Management permissions: - -1. Sign in to your [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} account as an organization owner. -2. Select an organization and then navigate to the **Settings** tab on the **Organizations** page and select **Registry Access**. -3. Toggle on Registry Access Management to set the permissions for your registry. - - > **Note** - > - > When enabled, the Docker Hub registry is set by default, however you can also restrict this registry for your developers. - -4. To add registries to your list, select **Add** and enter your registry details in the applicable fields, then select **Create**. -5. Verify that the registry appears in your list and select **Save & Apply**. You can verify that your changes are saved in the **Activity** tab. There is no limit on the number of registries you can add. - - > **Note** - > - > Once you add a registry, it takes up to 24 hours for the changes to be enforced on your developers’ machines. 
If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. - -> **Tip** -> -> Since RAM sets policies about where content can be fetched from, the [ADD](/engine/reference/builder/#add) instruction of the Dockerfile, when the parameter of the ADD instruction is a URL, is also subject to registry restrictions. It's recommended that you add the domains of URL parameters to the list of allowed registry addresses under the Registry Access Management settings of your organization. -{: .tip} - -## Verify the restrictions - -The new Registry Access Management policy takes effect after the developer successfully authenticates to Docker Desktop using their organization credentials. If a developer attempts to pull an image from a disallowed registry via the Docker CLI, they receive an error message that the organization has disallowed this registry. - -## Caveats - -There are certain limitations when using Registry Access Management: - -- Windows image pulls, and image builds are not restricted -- Builds such as `docker buildx` using a Kubernetes driver are not restricted -- Builds such as `docker buildx` using a custom docker-container driver are not restricted -- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull” -- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series) -- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel) -- Not currently supported on Hyper-V Windows Containers - -Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. 
Docker Desktop does not support blocking these forms of manipulation. +{% include admin-registry-access.md product="hub" %} \ No newline at end of file diff --git a/docker-hub/audit-log.md b/docker-hub/audit-log.md index 930948cf8b..3e7101de86 100644 --- a/docker-hub/audit-log.md +++ b/docker-hub/audit-log.md 
@@ -6,44 +6,6 @@ title: Audit logs > **Note** > -> Audit logs requires a [Docker Team, or Business subscription](../subscription/index.md). +> Audit logs requires a [Docker Team or Business subscription](../subscription/index.md). -Audit logs display a chronological list of activities that occur at organization and repository levels. It provides a report to owners of Docker Team on all their team member activities. - -With audit logs, team owners can view and track: - - What changes were made - - The date when a change was made - - Who initiated the change - - For example, Audit logs display activities such as the date when a repository was created or deleted, the team member who created the repository, the name of the repository, and when there was a change to the privacy settings. - -Team owners can also see the audit logs for their repository if the repository is part of the organization subscribed to a Docker Team plan. - -Audit logs began tracking activities from the date the feature went live, that is from 25 January 2021. Activities that took place before this date are not captured. - -## View the audit logs - -To view the audit logs: - -1. Sign in to Docker Hub. -2. Select your organization from the list and then select the **Activity** tab. - -> **Note** -> -> Docker retains the activity data for a period of three months. - -## Customize the audit logs - -By default, all activities that occur at organization and repository levels are displayed on the **Activity** tab. Use the calendar option to select a date range and customize your results. After you have selected a date range, the **Activity** tab displays the audit logs of all the activities that occurred during that period. - -![Activities list](images/activity-list.png){:width="600px"} - -> **Note** -> -> Activities created by the Docker Support team as part of resolving customer issues appear in the audit logs as **dockersupport**. 
- -Select the **All Activities** dropdown to view activities that are specific to an organization, repository, or billing. If you select the **Activities** tab from the **Repository** view, you can only filter repository-level activities. - -After choosing **Organization**, **Repository**, or **Billing**, you can further refine the results using the **All Actions** dropdown. - -{% include admin-org-audit-log-events.md %} \ No newline at end of file +{% include admin-org-audit-log.md product="hub" %} \ No newline at end of file diff --git a/docker-hub/domain-audit.md b/docker-hub/domain-audit.md index 2a578aae1c..835c025633 100644 --- a/docker-hub/domain-audit.md +++ b/docker-hub/domain-audit.md 
@@ -4,48 +4,4 @@ keywords: domain audit, security title: Domain audit --- -> **Note** -> -> Domain audit is currently in [Early Access](../release-lifecycle.md/#early-access-ea). - -Domain audit identifies uncaptured users. Uncaptured users are Docker users who have authenticated to Docker using an email address associated with one of your verified domains, but they're not a member of your organization in Docker. You can audit domains on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade.md). - -Uncaptured users who access Docker Desktop in your environment may pose a security risk because your organization's security settings, like Image Access Management and Registry Access Management, aren't applied to a user's session. In addition, you won't have visibility into the activity of uncaptured users. You can add uncaptured users to your organization to gain visibility into their activity and apply your organization's security settings. - -Domain audit can't identify the following Docker users in your environment: - * Users who access Docker Desktop without authenticating - * Users who authenticate using an account that doesn't have an email address associated with one of your verified domains - -Although domain audit can't identify all Docker users in your environment, you can enforce sign-in to prevent unidentifiable users from accessing Docker Desktop in your environment. For more details about enforcing sign-in, see [Configure registry.json to enforce sign-in](../docker-hub/configure-sign-in.md). - -## Audit your domains for uncaptured users - -Before you audit your domains, the following prerequisites are required: - * Your organization must be part of a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade.md). 
- * Single sign-on must be configured for your organization. To configure single sign-on, see [Configure Single Sign-on](../single-sign-on/configure/index.md). - * You must add and verify your domains. To add and verify a domain, see [Domain control](../single-sign-on/configure/index.md#step-one-add-and-verify-your-domain). - -To audit your domains: - -1. Sign in to [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} as an owner of your organization. - -2. Select **Organizations** and then select your organization. - -3. Select **Settings** and then select **Security**. - -4. In **Domain Audit**, select **Export Users** to export a CSV file of uncaptured users with the following columns: - - Name: The name of the user. - - Username: The Docker ID of the user. - - Email: The email address of the user. - -You can invite all the uncaptured users to your organization using the exported CSV file. For more details, see [Invite members via CSV file](../docker-hub/members.md/#invite-members-via-csv-file). Optionally, enforce single sign-on or enable SCIM to add users to your organization automatically. For more details, see [Single Sign-on](../single-sign-on/index.md) or [SCIM](../docker-hub/scim.md). - -> **Note** -> -> Domain audit may identify accounts of users who are no longer a part of your organization. If you don't want to add a user to your organization and you don't want the user to appear in future domain audits, you must deactivate the account or update the associated email address. -> -> Only someone with access to the Docker account can deactivate the account or update the associated email address. For more details, see [Deactivating an account](../docker-hub/deactivate-account.md/). -> -> If you don't have access to the account, you can contact [Docker support](../support/index.md) to discover if more options are available. - - +{% include admin-domain-audit.md product="hub" %} \ No newline at end of file 
diff --git a/docker-hub/general-faqs.md b/docker-hub/general-faqs.md index 088b4258f4..6a33c206a5 100644 --- a/docker-hub/general-faqs.md +++ b/docker-hub/general-faqs.md @@ -75,4 +75,4 @@ A [service account](../docker-hub/service-accounts.md) is a Docker ID used for a Only someone with access to the Docker account can deactivate the account. For more details, see [Deactivating an account](../docker-hub/deactivate-account.md/). -If the user is a member of your organization, you can remove the user from your organization. For more details, see [Remove members](../docker-hub/members.md/#remove-members). \ No newline at end of file +If the user is a member of your organization, you can remove the user from your organization. For more details, see [Remove a member or invitee](/docker-hub/members/#remove-a-member-or-invitee). \ No newline at end of file diff --git a/docker-hub/group-mapping.md b/docker-hub/group-mapping.md index 73ae5062ee..ff21a23cb7 100644 --- a/docker-hub/group-mapping.md +++ b/docker-hub/group-mapping.md @@ -4,9 +4,4 @@ keywords: Group Mapping, SCIM, Docker Hub title: Group Mapping --- -{% include admin-group-mapping.md %} - ->**Tip** -> -> [Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually. -{: .tip} +{% include admin-group-mapping.md product="hub" %} \ No newline at end of file diff --git a/docker-hub/image-access-management.md b/docker-hub/image-access-management.md index 784a3eaad9..c339e152c4 100644 --- a/docker-hub/image-access-management.md +++ b/docker-hub/image-access-management.md 
@@ -4,35 +4,4 @@ keywords: image, access, management title: Image Access Management --- ->Note -> ->Image Access Management is available to [Docker Business](../subscription/details.md) customers only. - -Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub. - -For example, a developer, who is part of an organization, building a new containerized application could accidentally use an untrusted, community image as a component of their application. This image could be malicious and pose a security risk to the company. Using Image Access Management, the organization owner can ensure that the developer can only access trusted content like Docker Official Images, Docker Verified Publisher Images, or the organization’s own images, preventing such a risk. - -## Configure Image Access Management permissions - -1. Sign into your [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} account as an organization administrator. -2. Select an organization, and navigate to the **Settings** tab -3. From the **Organizations** page select **Org Permissions**. -4. Enable Image Access Management to set the permissions for the following categories of images you can manage: -- **Organization Images**: When Image Access Management is enabled, images from your organization are always allowed. These images can be public or private created by members within your organization. -- **Docker Official Images**: A curated set of Docker repositories hosted on Hub. They provide OS repositories, best practices for Dockerfiles, drop-in solutions, and applies security updates on time. -- **Docker Verified Publisher Images**: published by Docker partners that are part of the Verified Publisher program and are qualified to be included in the developer secure supply chain. 
You can set permissions to **Allowed** or **Restricted**. -- **Community Images**: Images are always disabled when Image Access Management is enabled. These images are not trusted because various Docker Hub users contribute them and pose security risks. - - > **Note** - > - > Image Access Management is turned off by default. However, members of the `owners` team in your organization have access to all images regardless of the settings. - -5. Select the category restrictions for your images by selecting **Allowed**. - Once the restrictions are applied, your members can view the organization permissions page in a read-only format. -6. Optional: To ensure that each organization member uses images in a safe and secure environment, [enfore sign-in](../docker-hub/configure-sign-in.md). - -## Verify the restrictions - - To confirm that the restrictions are successful, have each organization member pull an image onto their local computer after signing in to Docker Desktop. If they don't sign in, they receive an error message. - - For example, if you enable Image Access Management, your members can only pull an Organization Image, Docker Official Image, or Verified Publisher Image onto their local machine. If you disable the restrictions, your members can pull any image, including community images. +{% include admin-image-access.md product="hub" %} \ No newline at end of file diff --git a/docker-hub/members.md b/docker-hub/members.md index f1293523a1..005a1945b3 100644 --- a/docker-hub/members.md +++ b/docker-hub/members.md 
@@ -4,69 +4,9 @@ keywords: members, teams, organizations title: Manage members --- - This section describes how to manage members in your [teams and organizations](../docker-hub/orgs.md). -## Invite members - -Organization owners can invite new members to an organization via Docker ID, email address, or via a CSV file containing email addresses. If an invitee does not have a Docker account, they must create an account and verify their email address before they can accept the invitation to join the organization. When inviting members, their pending invitation occupies a seat. - -### Invite members via Docker ID or email address - -Use the following steps to invite members to your organization via Docker ID or email address. To invite a large amount of members to your organization, the recommended method is to [invite members via CSV file](#invite-members-via-csv-file). - -1. Go to **Organizations** in [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"}, and select your organization. -2. In the **Members** tab, select **Invite Member**. -3. Select **Emails Or Docker IDs**. -4. Enter the Docker IDs or email addresses that you want to invite, up to a maximum of 1000. Separate multiple entries by a comma, semicolon, or space. -5. Select a team from the drop-down list to add all invited users to that team. - > **Note** - > - > It is recommended that you invite non-administrative users to a team other than the owners team. Members in the owners team will have full access to your organization’s administrative settings. To create a new team, see [Create a team](manage-a-team.md). -6. Select **Invite** to confirm. - > **Note** - > - > You can view the pending invitations in the **Members** tab. The invitees receive an email with a link to the organization in Docker Hub where they can accept or decline the invitation. 
- - -### Invite members via CSV file - -To invite multiple members to your organization via a CSV file containing email addresses: - -1. Go to **Organizations** in [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"}, and select your organization. -2. In the **Members** tab, select **Invite Member**. -3. Select **CSV Upload**. -4. Select a team from the drop-down list to add all invited users to that team. - > **Note** - > - > It is recommended that you invite non-administrative users to a team other than the owners team. Members in the owners team will have full access to your organization’s administrative settings. To create a new team, see [Create a team](manage-a-team.md). -5. Select **Download the template CSV file** to optionally download an example CSV file. The following is an example of the contents of a valid CSV file. - ``` - email - docker.user-0@example.com - docker.user-1@example.com - ``` - CSV file requirements: - - The file must contain a header row with at least one heading named `email`. Additional columns are allowed and are ignored in the import. - - The file must contain a maximum of 1000 email addresses (rows). To invite more than 1000 users, create multiple CSV files and perform all steps in this task for each file. -6. Create a new CSV file or export a CSV file from another application. - - To export a CSV file from another application, see the application’s documentation. - - To create a new CSV file, open a new file in a text editor, type `email` on the first line, type the user email addresses one per line on the following lines, and then save the file with a .csv extension. -7. Select **Browse files** and then select your CSV file, or drag and drop the CSV file into the **Select a CSV file to upload** box. You can only select one CSV file at a time. 
- > **Note** - > - > If the amount of email addresses in your CSV file exceeds the number of available seats in your organization, you cannot continue to invite members. To invite members, you can purchase more seats, or remove some email addresses from the CSV file and re-select the new file. To purchase more seats, see [Add seats to your subscription](../subscription/add-seats.md) or [Contact sales](https://www.docker.com/pricing/contact-sales/). -8. After the CSV file has been uploaded, select **Review**. - Valid email addresses and any email addresses that have issues appear. - Email addresses may have the following issues: - - **Invalid email**: The email address is not a valid address. The email address will be ignored if you send invites. You can correct the email address in the CSV file and re-import the file. - - **Already invited**: The user has already been sent an invite email and another invite email will not be sent. - - **Member**: The user is already a member of your organization and an invite email will not be sent. - - **Duplicate**: The CSV file has multiple occurrences of the same email address. The user will be sent only one invite email. -9. Select **Send invites**. - > **Note** - > - > You can view the pending invitations in the **Members** tab. The invitees receive an email with a link to the organization in Docker Hub where they can accept or decline the invitation. +{% include admin-users.md product="hub" %} ## Add a member to a team 
@@ -74,62 +14,25 @@ Organization owners can add a member to one or more teams within an organization To add a member to a team: -1. Navigate to **Organizations** in [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"}, and select your organization. -2. In the **Members** tab, select the additional options from the table menu and select **Add to team**. +1. Sign in to [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"}. +2. Select **Organizations**, your organization, and then **Members**. +3. Select the **Action** icon, and then select **Add to team**. > **Note** > > You can also navigate to **Organizations** > **Your Organization** > **Teams** > **Your Team Name** and select **Add Member**. Select a member from the drop-down list to add them to the team or search by Docker ID or email. -3. Select the team and then select **Add**. +4. Select the team and then select **Add**. > **Note** > > The invitee must first accept the invitation to join the organization before being added to the team. -## Resend invitations - -To resend an invitation if the invite is pending or declined: - -1. Navigate to **Organizations** in [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} and select your organization. -2. In the **Members** tab, locate the invitee and select **Resend invitation** from the table menu. -3. Select **Invite** to confirm. - -## Remove members - -To remove a member from an organization: - -1. Navigate to **Organizations** in [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"}, and select your organization. -2. In the **Members** tab, select Remove member from the table menu. -3. When prompted, select **Remove** to confirm. - -To remove an invitee from an organization: - -1. Navigate to **Organizations** in [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"}, and select your organization. -2. 
In the **Members** tab, locate the invitee you would like to remove and select **Remove invitee** from the table menu. -3. When prompted, select **Remove** to confirm. +## Remove a member from a team To remove a member from a specific team: -1. Navigate to **Organizations** in [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"}, and select your organization. -2. Select on the **Teams** tab and select the team from the list. +1. Sign in to [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"}. +2. Select **Organizations**, your organization, **Teams**, and then the team. 3. Select the **X** next to the user’s name to remove them from the team. -4. When prompted, select **Remove** to confirm. - -## Export members - -Organization owners can export a CSV file containing the organization's members. -The CSV file contains the following fields: - - * **Name**: The user's name. - * **Username**: The user's Docker ID. - * **Email**: The user's email address. - * **Type**: The type of user. For example, **Invitee** for users who have not accepted the organization's invite, or **User** for users who are members of the organization. - * **Permissions**: The user's organization permissions. For example, **Member** or **Owner**. - * **Teams**: The teams where the user is a member. A team is not listed for invitees. - * **Date Joined**: The time and date when the user was invited to the organization. - -To export a CSV file of the organization's members: - -1. Navigate to **Organizations** in [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"}, and select your organization. -2. In the **Members** tab, select **Export members** to download the CSV file. +4. When prompted, select **Remove** to confirm. \ No newline at end of file diff --git a/docker-hub/registry-access-management.md b/docker-hub/registry-access-management.md index f7f98232d4..1831b8de1b 100644 
--- a/docker-hub/registry-access-management.md +++ b/docker-hub/registry-access-management.md 
@@ -1,62 +1,7 @@ --- description: Registry Access Management -keywords: registry, access, managment +keywords: registry, access, management title: Registry Access Management --- -Registry Access Management (RAM) is a feature available to organizations with a Docker Business subscription. When RAM is enabled, organization owners can ensure that their developers using Docker Desktop can only access registries that have been allow-listed via the Registry Access Management dashboard on Docker Hub to reflect support for other registries: AWS ECR, GitHub Container Registry, Google Container Registry, Quay, a local private registry, and others. - -For example, you can use RAM if you manage engineering teams that use Docker Desktop for local development and want to ensure that the images they are pulling are licensed and reputable before using them. - -## Requirements: - -Download Docker Desktop v4.8 or a later release. - -- [Download and install for Windows](../desktop/install/windows-install.md) -- [Download and install for Mac](../desktop/install/mac-install.md) -- [Download and install for Linux](../desktop/install/linux-install.md) - -## Configure Registry Access Management permissions - -To configure Registry Access Management permissions, perform the following steps: - -1. Sign into your [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} account as an organization owner. -2. Select an organization, navigate to the **Settings** tab on the **Organizations** page and click **Registry Access**. -3. Enable Registry Access Management to set the permissions for your registry. - - > **Note** - > - > When enabled, the Docker Hub registry is set by default, however you can also restrict this registry for your developers. - -4. Click **Add** and enter your registry details in the applicable fields, and click **Create** to add the registry to your list. -5. Verify that the registry appears in your list and click **Save & Apply**. 
You can verify that your changes are saved in the Activity tab. - - > **Note** - > - > Once you add a registry, it can take up to 24 hours for the changes to be enforced on your developers’ machines. If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. Also, there is no limit on the number of registries you can add. See the [Caveats](#caveats) section to learn more about limitations when using this feature. - -![Registry Access Management](images/registry-access-management.png){:width="700px"} - -## Enforce authentication - -To ensure that each org member uses Registry Access Management on their local machine, you can perform the steps below to enforce sign-in under your organization. To do this: - -1. Download the latest version of Docker Desktop, and then -2. Create a `registry.json` file by following the instructions for [Windows, Mac and Linux](configure-sign-in.md). - -## Verify the restrictions - -The new Registry Access Management policy should be in place after the developer successfully authenticates to Docker Desktop using their organization credentials. The developer can attempt to pull an image from a disallowed registry via the Docker CLI. They will then receive an error message that your organization has disallowed this registry. 
- -### Caveats - -There are certain limitations when using Registry Access Management; they are as follows: - -- Windows image pulls, and image builds are not restricted -- Builds such as `docker buildx` using a Kubernetes driver are not restricted -- Builds such as `docker buildx` using a custom docker-container driver are not restricted -- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull” -- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series) -- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel) - -Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop. +{% include admin-registry-access.md product="hub" %} \ No newline at end of file diff --git a/single-sign-on/configure/index.md b/single-sign-on/configure/index.md index d3fd5a7503..4fe37dc5fa 100644 --- a/single-sign-on/configure/index.md +++ b/single-sign-on/configure/index.md 
@@ -8,100 +8,10 @@ redirect_from: - /docker-hub/enforcing-sso/ --- -Follow the steps on this page to configure SSO for your organization or company. +Follow the steps on this page to configure SSO for your organization or company. ## Step one: Add and verify your domain -1. Sign in to Docker Hub, navigate to the **Organizations** page and select your organization or company. -2. Select **Settings**. If you are setting up SSO for an organization you then need to select **Security**. -3. Select **Add Domain** and continue with the on-screen instructions to add the TXT Record Value to your domain name system (DNS). +{% include admin-domains.md product="hub" %} - >**Note** - > - > Format your domains without protocol or www information, for example, `yourcompany.example`. This should include all email domains and subdomains users will use to access Docker, for example `yourcompany.example` and `us.yourcompany.example`. Public domains such as `gmail.com`, `outlook.com`, etc. aren’t permitted. Also, the email domain should be set as the primary email. - -4. Once you have waited 72 hours for the TXT Record verification, you can then select **Verify** next to the domain you've added, and follow the on-screen instructions. - -![verify-domain](../images/verify-domain.png){: width="700px" } - -## Step two: Create an SSO connection - -> **Important** -> -> If your IdP setup requires an Entity ID and the ACS URL, you must select the -> **SAML** tab in the **Authentication Method** section. For example, if your -> Azure AD Open ID Connect (OIDC) setup uses SAML configuration within Azure -> AD, you must select **SAML**. If you are [configuring Open ID Connect with Azure AD](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings){: target="_blank" rel="noopener" class="_"} select -> **Azure AD** as the authentication method. Also, IdP initiated connections -> aren't supported at this time. -{: .important} - - -1. 
Once your domain is verified, in the **Single Sign-on Connection** table select **Create Connections**, and create a name for the connection. - - > **Note** - > - > You have to verify at least one domain before creating the connections. - -2. Select an authentication method, **SAML** or **Azure AD (OIDC)**. -3. Copy the following fields and add them to your IdP: - - - SAML: **Entity ID**, **ACS URL** - - Azure AD (OIDC): **Redirect URL** - - ![SAML](../../docker-hub/images/saml-create-connection.png){: width="500px" } - - ![Azure AD](../../docker-hub/images/azure-create-connection.png){: width="500px" } - -4. From your IdP, copy and paste the following values into the Docker **Settings** fields: - - - SAML: **SAML Sign-on URL**, **x509 Certificate** - - Azure AD (OIDC): **Client ID**, **Client Secret**, **Azure AD Domain** - -5. Select the verified domains you want to apply the connection to. - -6. To provision your users, select the organization(s) and/or team(s). - - > **Note** - > - > If you are a company owner and have more than one organization, you need to select a default organization. - -7. Review your summary and select **Create Connection**. - -## Step three: Test your SSO configuration - -After you’ve completed the SSO configuration process in Docker Hub, you can test the configuration when you sign in to Docker Hub using an incognito browser. Sign in to Docker Hub using your domain email address. You are then redirected to your IdP's login page to authenticate. - -1. Authenticate through email instead of using your Docker ID, and test the login process. -2. To authenticate through CLI, your users must have a PAT before you enforce SSO for CLI users. - ->**Important** -> -> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization on Docker Hub. -> ->You can change this on a per-app basis. 
To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: -> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) -> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) -{: .important} - -The SSO connection is now created. You can continue to set up [SCIM](../../docker-hub/scim.md) without enforcing SSO log-in. - -## Optional step four: Enforce SSO - -1. In the **Single Sign-On Connections** table, select the **Action** icon and then **Enforce Single Sign-on**. - When SSO is enforced, your users are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. You must enable 2FA through your IdP. -2. Continue with the on-screen instructions and verify that you’ve completed the tasks. -3. Select **Turn on enforcement** to complete. - -Your users must now sign in to Docker with SSO. - ->**Important** -> ->If SSO isn't enforced, users can choose to sign in with either their Docker ID or SSO. -{: .important} - -## What's next? - -- [Manage you SSO connections](../manage/index.md) -- [Set up SCIM](../../docker-hub/scim.md) -- [Enable Group mapping](../../docker-hub/group-mapping.md) +{% include admin-sso-config.md product="hub" %} \ No newline at end of file diff --git a/single-sign-on/index.md b/single-sign-on/index.md index 43aa22b5a6..68d88321e5 100644 --- a/single-sign-on/index.md +++ b/single-sign-on/index.md 
@@ -4,36 +4,4 @@ keywords: Single Sign-on, SSO, sign-on title: Overview --- -SSO allows users to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../subscription/upgrade/){:target="blank" rel="noopener" class=""}. - -## How it works - -When SSO is enabled, users are redirected to your IdP's authentication page to sign in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports Service Provider Initiated SSO flow. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. - -The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP. - -[![SSO architecture](images/sso-architecture.png)](images/sso-architecture.png){: target="_blank" rel="noopener" class="_"} - -## How to set it up - -Before enabling SSO in Docker Hub, administrators must first configure their IdP to work with Docker Hub. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID. Administrators use this information to establish a connection between their IdP server and Docker Hub. - -After establishing the connection between the IdP server and Docker Hub, administrators sign in to the organization in Docker Hub and complete the SSO enablement process. - -When you enable SSO for your organization or company, a first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your organization and assigned to your company's team. - -Administrators can then choose to enforce SSO login and effortlessly manage SSO connections for their individual organization or company. 
- -## Prerequisites - -* You must first notify your company about the new SSO login procedures. -* Verify that your org members have Docker Desktop version 4.4.2, or later, installed on their machines. -* If your organization uses the Docker Hub CLI, new org members must [create a Personal Access Token (PAT)](../docker-hub/access-tokens.md) to sign in to the CLI.There is a grace period for existing users, which will expire in the near future. Before the grace period ends, your users can sign in from Docker Desktop CLI using their previous credentials until PATs are mandatory. -In addition, you should add all email addresses to your IdP. -* Confirm that all CI/CD pipelines have replaced their passwords with PATs. -* For your service accounts, add your additional domains or enable it in your IdP. - -## What's next? - -- Start [configuring SSO](configure/index.md) for your organization or company -- Explore [the FAQs](faqs.md) +{% include admin-sso.md product="hub" %} \ No newline at end of file diff --git a/single-sign-on/manage/index.md b/single-sign-on/manage/index.md index 2c539acdbd..52e148fa8f 100644 --- a/single-sign-on/manage/index.md +++ b/single-sign-on/manage/index.md 
@@ -4,89 +4,13 @@ keywords: manage, single sign-on, SSO, sign-on title: Manage SSO --- -## Manage domains - -### Remove a domain from an SSO connection - -1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**. -2. Select **Next** to navigate to the section where the connected domains are listed. -3. In the **Domain** drop-down, select the **Remove** icon next to the domain that you want to remove. -4. Select **Next** to confirm or change the connected organization(s). -5. Select **Next** to confirm or change the default organization and team provisioning selections. -6. Review the **Connection Summary** and select **Save**. - ->**Note** -> ->If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value. - ## Manage organizations ->**Note** +> **Note** > ->You must have a [company](../../docker-hub/creating-companies.md) to manage more than one organization. +> You must have a [company](/docker-hub/creating-companies/) to manage more than one organization. -### Connect an organization +{% include admin-sso-management-orgs.md product="hub" %} -1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**. -2. Select **Next** to navigate to the section where connected organizations are listed. -3. In the **Organizations** drop-down, select the organization to add to the connection. -4. Select **Next** to confirm or change the default organization and team provisioning. -5. Review the **Connection Summary** and select **Save**. +{% include admin-sso-management.md product="hub"%} -### Remove an organization - -1. In the **Single Sign-On Connection** table, select the **Action** icon and then **Edit connection**. -2. Select **Next** to navigate to the section where connected organizations are listed. -3. In the **Organizations** drop-down, select **Remove** to remove the connection. -4. 
Select **Next** to confirm or change the default organization and team provisioning. -5. Review the **Connection Summary** and select **Save**. - -## Manage SSO connections - -### Edit a connection - -1. In the **Single Sign-On Connection** table, select the **Action** icon. -2. Select **Edit connection** to edit you connection. -3. Continue with the on-screen instructions. - -### Delete a connection - -1. In the **Single Sign-On Connection** table, select the **Action** icon. -2. Select **Delete** and **Delete connection**. -3. Continue with the on-screen instructions. - -### Deleting SSO - -When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one. - -## Manage users - ->**Important** -> -> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned into a team called 'Company' within your organization on Docker Hub. -> ->You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: -> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) -> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) -{: .important} - -### Add guest users when SSO is enabled - -To add a guest to your organization in Docker Hub if they aren’t verified through your IdP: - -1. Go to **Organizations** in Docker Hub, and select your organization. -2. Select **Add Member**, enter the email address, and select a team from the drop-down list. -3. Select **Add** to confirm. 
- -### Remove users from the SSO organization - -To remove a user from an organization: - -1. Go to **Organizations** in Docker Hub, and select your organization. -2. From the **Members** tab, select the **x** next to a member’s name to remove them from all the teams in the organization. -3. Select **Remove** to confirm. The member receives an email notification confirming the removal. - -## What's next? - -- [Set up SCIM](../../docker-hub/scim.md) -- [Enable Group mapping](../../docker-hub/group-mapping.md) diff --git a/single-sign-on/users-faqs.md b/single-sign-on/users-faqs.md index 7cffbaf514..6f611e01c4 100644 --- a/single-sign-on/users-faqs.md +++ b/single-sign-on/users-faqs.md @@ -55,7 +55,7 @@ When SSO is enabled and enforced, your users just have to sign in using the emai ### Is Docker SSO fully synced with Active Directory (AD)? -Docker doesn’t currently support a full sync with AD. That's, if a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../docker-hub/members.md#remove-members) from the organization. +Docker doesn’t currently support a full sync with AD. That's, if a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](/docker-hub/members/#remove-a-member-or-invitee) from the organization. Additionally, you can use our APIs to complete this process.
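Review bot: The Caveats text removed from `desktop/hardened-desktop/registry-access-management` contains a typo in `modifying their operating system's \`sts\` file`, which reads as a truncation of the `hosts` file; since the hunk moves this content into `_includes/admin-registry-access.md`, confirm that the include carries the corrected file name rather than copying the typo. The replacement line `+{% include admin-registry-access.md product="hub" %}` also ends without a trailing newline (`\ No newline at end of file`); add one so the file ends cleanly.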
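Review bot: The `single-sign-on/configure/index.md` hunk drops three security-relevant statements that are not visible anywhere in the replacement: that CLI users must have a PAT before SSO is enforced for the CLI, that enforced SSO prevents users from changing their email, password or 2FA in Docker Hub so 2FA has to be enforced at the IdP, and that JIT provisioning is on by default and can be limited with an IdP security group. Verify that `admin-sso-config.md`, which is not part of this diff, restates all three for the `product="hub"` rendering. The first line pair in this hunk, `-Follow the steps on this page to configure SSO for your organization or company.` and `+Follow the steps on this page to configure SSO for your organization or company.`, differ only in trailing whitespace; drop that no-op so the diff shows only intended edits. The new include line also lacks a trailing newline.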
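Review bot: The `single-sign-on/index.md` hunk removes the Prerequisites list, including the requirement that CI/CD pipelines replace passwords with PATs and that members run Docker Desktop 4.4.2 or later, and the statement that only the Service Provider initiated flow is supported; confirm `admin-sso.md` restates these, since the replacement `+{% include admin-sso.md product="hub" %}` gives no indication. The removed overview link used `{:target="blank" rel="noopener" class=""}`, where `target="blank"` is not the `_blank` keyword and opens a named window instead; make sure the shared include does not inherit that attribute. The replacement line also ends without a newline.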
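Review bot: In the `single-sign-on/manage/index.md` hunk, `+{% include admin-sso-management.md product="hub"%}` is missing the space before `%}` that every other include line in this patch has (`product="hub" %}`); make it consistent. This file also loses the 'Deleting SSO' warning that deleting a connection cannot be undone and sends users back to Docker ID and password sign-in, as well as the JIT provisioning note and the IdP security-group restriction; verify the two includes carry them. The only heading left in the file is `## Manage organizations`, placed above both includes, so check the rendered heading hierarchy to ensure the domain, connection and user sections supplied by `admin-sso-management.md` are not nested under it.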
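Review bot: The retargeted anchor in the `single-sign-on/users-faqs.md` hunk, `/docker-hub/members/#remove-a-member-or-invitee`, must match a heading slug that exists on the members page; nothing in this patch touches that page, so confirm the heading before merging, otherwise the link silently lands at the top of the page. While this line is being edited, `That's, if a user leaves the organization` is ungrammatical in both the old and new versions; `That is, if a user leaves the organization` reads correctly.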