Clarify how CLI auth works with SSO (#20327)

* refresh faqs

* style guide fix

* update acronym ref
Stephanie Aurelio 2024-07-02 09:00:49 -07:00 committed by GitHub
parent 1ea23dcb28
commit e8a420f302
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 5 additions and 3 deletions

@ -22,7 +22,9 @@ Yes. You must verify a domain before using it with an SSO connection.
### Does Docker SSO support authenticating through the command line?
Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../../../security/for-developers/access-tokens.md).
When SSO is enforced, you can't use passwords to access the Docker CLI, but you can still access the Docker CLI using a personal access token (PAT) for authentication.
Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](/security/for-developers/access-tokens/). Users who already used a PAT to sign in before SSO enforcement will still be able to use that PAT to authenticate.
### How does SSO affect our automation systems and CI/CD pipelines?
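Review bot: The closing sentence of the new answer ("Users who already used a PAT to sign in before SSO enforcement will still be able to use that PAT to authenticate") tells readers that enforcement leaves existing tokens valid but gives admins no next step. Suggest stating explicitly that enforcing SSO does not revoke existing PATs and pointing to where those tokens can be reviewed or revoked. Two smaller points: the first new sentence says "access the Docker CLI" twice and could be tightened, and the link changed from a relative ".md" path to "/security/for-developers/access-tokens/", so it is worth confirming that this matches the link style used in the rest of the file.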
@ -46,11 +48,11 @@ Yes, you can create a test organization. Companies can set up a new 5 seat Busin
### Once we enable SSO for Docker Desktop, what's the impact to the flow for Build systems that use service accounts?
If you enable SSO, there is no impact. Both username/password or personal access token sign-in are supported.
If you enable SSO, there is no impact. Both username/password or personal access token (PAT) sign-in are supported.
However, if you enforce SSO:
- Service Account domain email addresses must not be aliased and must be enabled in their IdP
- Username/password and personal access token will still work (but only if they exist, which they won't for new accounts)
- Username/password authentication wont work, so you should update the build system to use a PAT instead of a password
- Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token for that service account.
### Is the sign in required tracking at runtime or install time?
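Review bot: The new bullet "Username/password authentication wont work, so you should update the build system to use a PAT instead of a password" is missing the apostrophe in "won't". In the same hunk, the updated intro sentence keeps "Both username/password or personal access token (PAT) sign-in are supported", where "Both ... or" should read "Both ... and". Now that PAT is introduced in that sentence, the last bullet could use "PAT" rather than spelling out "personal access token" again, and the bullets should end consistently (only the last one has a period).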