Update provisioning references (#19735)

* update jit callouts and add step

* separate management steps and update callouts

* update conditional steps

* add diagram and add cross-links

* remove old diagram

* update diagram

* add details about multi-org sso

* implement feedback

* move beta feature banner and link to section

* update tab order

* update diagram and provide clarity around sso error

* remove image and update faq
Stephanie Aurelio 2024-04-10 08:25:46 -07:00 committed by GitHub
parent 2977952666
commit f1777ac06e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 276 additions and 93 deletions


@ -42,9 +42,14 @@ You can add a bot account to your IDP and create an access token for it to repla
Yes, bot accounts need a seat, similar to a regular end user, having a non-aliased domain email enabled in the IdP and using a seat in Hub.
### Does Docker plan to release SAML Just-In-Time (JIT) provisioning?
### Does SAML SSO use Just-in-Time provisioning?
The SSO implementation is already Just-In-Time. Administrators don't have to create user's accounts on Hub, they can just enable it on the IdP and have the users sign in through their domain email on Hub.
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon.
{ .experimental }
The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT if you prefer not to auto-provision users, or if you opt for auto-provisioning using SCIM.
### Will there be IdP-initiated logins?
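Review bot: The replacement answer ("The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT ...") tells readers they can disable JIT but gives no pointer to where that is done; the group-mapping page in this same commit links to `/security/for-admins/single-sign-on/manage/#manage-how-users-are-provisioned`, and the same link belongs here. The beta callout's closing sentence, "This feature will be available for all users soon", is a dated promise that will go stale and is absent from the other copies of this callout in the commit; use one wording for all copies.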


@ -57,10 +57,30 @@ When SSO is enabled and enforced, your users just have to sign in using the emai
### Is Docker SSO fully synced with the IdP?
Docker SSO provides Just-In-Time (JIT) provisioning by default. This provisioning only happens when a user signs in. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization. [SCIM](../../../security/for-admins/scim.md) is available to provide full synchronization with users and groups.
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon.
{ .experimental }
Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization.
[SCIM](../../../security/for-admins/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM.
Additionally, you can use the [Docker Hub API](/docker-hub/api/latest/) to complete this process.
### How does disabling Just-in-Time provisioning impact user sign-in?
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon.
{ .experimental }
If a user attempts to sign in to Docker using an email address that is a verified domain for your SSO connection, they need to be a member of the organization to access it, or have a pending invitation to the organization. Users who don't meet these criteria will encounter an `Access denied` error, and will need an administrator to invite them to the organization.
See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
To auto-provision users without JIT provisioning, you can use [SCIM](/security/for-admins/scim/).
### What's the best way to provision the Docker subscription without SSO?
Company or organization owners can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already).
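Review bot: The "How does disabling Just-in-Time provisioning impact user sign-in?" answer says a non-member on a verified domain gets `Access denied`, but the disabled-JIT flow added in this commit still creates a Docker account in its step 1 before the membership check in step 2; say here whether a Docker account is still created for that address (and can then be invited by Docker ID), since that is what an administrator auditing accounts on the domain will ask. Two smaller points: "Additionally, you can use the Docker Hub API to complete this process" does not say which process (removing the user, or the SCIM sync); and the SCIM link was changed to the absolute `/security/for-admins/scim/` form while the "remove the user" link on the same line keeps the relative `.md` form, so pick one style for the paragraph.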


@ -21,6 +21,8 @@ IdPs share with Docker the main attributes of every authorized user through SSO,
Docker uses the email address of the user to identify them on the platform. Every Docker account must have a unique email address at all times.
### SSO authentication with JIT provisioning enabled
After every successful SSO sign-in authentication, the JIT provisioner performs the following actions:
1. Checks if there's an existing Docker account with the email address of the user that just authenticated.
@ -29,13 +31,40 @@ After every successful SSO sign-in authentication, the JIT provisioner performs
b) If an account exists for this email address, it uses this account and updates the full name of the users profile if needed.
2. Checks if the IdP shared group mappings while authenticating the user.
2. Checks for any pending invitations to the SSO organization to auto-accept the invitation. If the invitation is specific to a group, the user is added to the invited group along with group mappings in the following step.
3. Checks if the IdP shared group mappings while authenticating the user.
a) If the IdP provided group mappings for the user, the user gets added to the organizations and teams indicated by the group mappings.
b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user isn't a member, it adds the user to the default team and organization configured in the SSO connection.
![JIT provisioning](../images/group-mapping.png)
![JIT provisioning enabled](../images/jit-enabled-flow.svg)
### SSO authentication with JIT provisioning disabled
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users.
{ .experimental }
When you opt to disable JIT provisioning in your SSO connection, the following actions occur:
1. Checks if there's an existing Docker account with the email address of the user that just authenticated.
a) If no account is found with the same email address, it creates a new Docker account using basic user attributes (email, name, and surname). Authentication with SSO generates a new username for this new account by using the email, name, and random numbers to make sure that all account usernames are unique in the platform.
b) If an account exists for this email address, it uses this account and updates the full name of the users profile if needed.
2. Checks if there are any pending invitations to the SSO organization (or, SSO organizations if the SSO connection is managed at the company level) in order to auto-accept the invitation.
a) If the user isn't already a member of the organization, or doesn't have a pending invitation to join, sign in fails and the user encounters an `Access denied` error. This blocks the user from joining the organization. They need to contact an administrator to invite them to join.
b) If the user is a member of the organization, or has a pending invitation to join, then sign in is successful.
If you disable JIT provisioning when you create or edit your SSO connection, you can still use group mapping as long as you have also [enabled SCIM](/security/for-admins/scim/#enable-scim-in-docker). When JIT provisioning is disabled and SCIM isn't enabled, users won't be auto-provisioned to groups. For instructions on disabling JIT provisioning, see [Manage how users are provisioned](/security/for-admins/single-sign-on/manage/#manage-how-users-are-provisioned).
![JIT provisioning disabled](../images/jit-disabled-flow.svg)
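Review bot: In the disabled-JIT flow, step 1 creates a new Docker account for an unknown email address and only step 2a then fails the sign-in with `Access denied`, so the text should state whether that freshly created account persists after the denied sign-in; as written, "This blocks the user from joining the organization" reads as if nothing was provisioned. Step 2b ("then sign in is successful") should also say what happens to the pending invitation, since the enabled flow's step 2 explicitly auto-accepts it and adds the user to the invited group; readers comparing the two lists will otherwise assume invitations are not accepted when JIT is off. Finally, the "Beta feature" callout here and the one in the FAQ in this commit differ in wording; a shared include (the commit already uses `admin-early-access.md` for a similar banner) would keep them from drifting.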
## Use group mapping


@ -39,9 +39,14 @@ For additional details about supported attributes and SCIM, see [Docker Hub API
> **Important**
>
>SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see [SSO attributes](../for-admins/single-sign-on/configure/configure-idp.md#sso-attributes).
> SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see [SSO attributes](../for-admins/single-sign-on/configure/configure-idp.md#sso-attributes).
{.important}
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
{ .experimental }
## Enable SCIM in Docker
You must make sure you have [configured SSO](single-sign-on/configure/_index.md) before you enable SCIM. Enforcing SSO isn't required.
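Review bot: The only change to the Important callout is the space after `>`, which is fine, but the new "Beta feature" callout is pasted verbatim into three files in this commit (this one, `configure-idp.md`, and the `admin-sso-management-users` include); a shared include would keep the three copies in sync, especially since the FAQ copy already uses different wording.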


@ -25,34 +25,34 @@ This page walks through steps 1 and 2 using Docker Hub or the Admin Console.
## Step one: Add and verify your domain
{{< tabs >}}
{{< tab name="Docker Hub" >}}
{{% admin-domains product="hub" %}}
{{< /tab >}}
{{< tab name="Admin Console" >}}
{{< include "admin-early-access.md" >}}
{{% admin-domains product="admin" %}}
{{< /tab >}}
{{< tab name="Docker Hub" >}}
{{% admin-domains product="hub" %}}
{{< /tab >}}
{{< /tabs >}}
## Step two: Create an SSO connection in Docker
{{< tabs >}}
{{< tab name="Docker Hub" >}}
{{% admin-sso-config product="hub" %}}
{{< /tab >}}
{{< tab name="Admin Console" >}}
{{< include "admin-early-access.md" >}}
{{% admin-sso-config product="admin" %}}
{{< /tab >}}
{{< tab name="Docker Hub" >}}
{{% admin-sso-config product="hub" %}}
{{< /tab >}}
{{< /tabs >}}
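Review bot: Moving the Admin Console tab first makes it the default view while it still carries the `admin-early-access.md` banner, and the intro line above this hunk ("This page walks through steps 1 and 2 using Docker Hub or the Admin Console") still names Docker Hub first; either align that sentence with the new tab order or keep Docker Hub as the default tab until the Admin Console leaves early access.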


@ -41,6 +41,11 @@ If you use SAML for your SSO connection, Docker obtains these attributes from th
>SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](../../scim.md), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For example, to make sure that the full name of a user displays in your organization, you would set a `name` attribute in your SAML attributes and ensure the value includes their first name and last name. The exact method for setting these values (for example, constructing it with `user.firstName + " " + user.lastName`) varies depending on your IdP.
{.important}
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
{ .experimental }
You can also configure attributes to override default values, such as default team or organization. See [role mapping](../../scim.md#set-up-role-mapping).
| SSO attribute | SAML assertion message attributes |
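Review bot: The Important callout says JIT values overwrite SCIM-provisioned attribute values at every login, and the new Beta callout says disabling JIT avoids that conflict, but neither states what becomes the source of truth for the attributes in the table below once JIT is disabled (SCIM only, or are SAML assertion attributes still applied on sign-in?). One sentence answering that here would spare readers from inferring it from the group-mapping page.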


@ -26,16 +26,21 @@ Make sure you have completed the following before you begin:
## Step four: Complete your SSO connection
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
{ .experimental }
{{< tabs >}}
{{< tab name="Docker Hub" >}}
{{% admin-sso-connect product="hub" %}}
{{< /tab >}}
{{< tab name="Admin Console" >}}
{{% admin-sso-connect product="admin" %}}
{{< /tab >}}
{{< tab name="Docker Hub" >}}
{{% admin-sso-connect product="hub" %}}
{{< /tab >}}
{{< /tabs >}}
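Review bot: The "Beta feature" callout sits above both tabs, but only the Admin Console variant of the `admin-sso-config` include has the JIT choice step ("3. **Beta feature** - Choose how you want to provision users ..."); readers on the Docker Hub tab see a callout with no matching step. Either say "in the Admin Console tab" in the callout or place it inside that tab.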


@ -14,34 +14,68 @@ aliases:
> You must have a [company](/admin/company/) to manage more than one organization.
{{< tabs >}}
{{< tab name="Docker Hub" >}}
{{% admin-sso-management-orgs product="hub" %}}
{{< /tab >}}
{{< tab name="Admin Console" >}}
{{< include "admin-early-access.md" >}}
{{% admin-sso-management-orgs product="admin" %}}
{{< /tab >}}
{{< tab name="Docker Hub" >}}
{{% admin-sso-management-orgs product="hub" %}}
{{< /tab >}}
{{< /tabs >}}
## Manage domains
{{< tabs >}}
{{< tab name="Docker Hub" >}}
{{% admin-sso-management product="hub" %}}
{{< /tab >}}
{{< tab name="Admin Console" >}}
{{< include "admin-early-access.md" >}}
{{% admin-sso-management product="admin" %}}
{{< /tab >}}
{{< tab name="Docker Hub" >}}
{{% admin-sso-management product="hub" %}}
{{< /tab >}}
{{< /tabs >}}
## Manage SSO connections
{{< tabs >}}
{{< tab name="Admin Console" >}}
{{< include "admin-early-access.md" >}}
{{% admin-sso-management-connections product="admin" %}}
{{< /tab >}}
{{< tab name="Docker Hub" >}}
{{% admin-sso-management-connections product="hub" %}}
{{< /tab >}}
{{< /tabs >}}
## Manage users
{{< tabs >}}
{{< tab name="Admin Console" >}}
{{< include "admin-early-access.md" >}}
{{% admin-sso-management-users product="admin" %}}
{{< /tab >}}
{{< tab name="Docker Hub" >}}
{{% admin-sso-management-users product="hub" %}}
{{< /tab >}}
{{< /tabs >}}
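Review bot: Each of the four sections now renders the same include twice, once per tab, so headings such as "Manage how users are provisioned" and "Edit a connection" appear twice on the page; check how the site generator assigns ids to duplicate headings, because the in-page link `#manage-how-users-are-provisioned` in the users include, and any inbound links to `/manage/#edit-a-connection` or `/manage/#manage-users`, must resolve to the intended tab's copy.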

[Image files: one binary image removed (67 KiB); two image files added (58 KiB each), diff suppressed.]


@ -2,15 +2,19 @@
{{ $sso_navigation := `Navigate to the SSO settings page for your organization or company.
- Organization: Select **Organizations**, your organization, **Settings**, and then **Security**.
- Company: Select **Organizations**, your company, and then **Settings**.` }}
{{ $provisioning_step := "4. Review your summary and select **Create Connection**." }}
{{ if eq (.Get "product") "admin" }}
{{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
{{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM.**" }}
{{ $provisioning_step = `
3. **Beta feature** - Choose how you want to provision users by enabling Just-in-Time (JIT) provisioning (default), or disabling JIT provisioning.
4. Review your summary and select **Create Connection**.` }}
{{ end }}
1. In {{ $product_link }}, select the verified domains you want to apply the connection to.
2. To provision your users, select the organization(s) and/or team(s).
3. Review your summary and select **Create Connection**.
{{ $provisioning_step }}
## Test your SSO configuration
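Review bot: The default `$provisioning_step` is "4. Review your summary and select **Create Connection**.", but the Docker Hub variant only has steps 1 and 2 before it, so the source list reads 1, 2, 4 (some renderers renumber, but the literal is wrong); make the default "3." and let the Admin Console override supply "3." and "4.". The Admin Console value also starts with a newline inside the backtick string, which can break the ordered list at the point it is interpolated; trim it.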
@ -21,7 +25,7 @@ After youve completed the SSO configuration process in Docker, you can test t
>**Important**
>
> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned to your organization on Docker Hub.
> SSO has Just-in-Time (JIT) provisioning enabled by default, unless you have [disabled it](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization on Docker Hub.
>
> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
>
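Review bot: The updated sentence now says JIT is on "unless you have disabled it", but the paragraph that follows still presents an IdP-side security group as the way to prevent auto-provisioning; the `admin-sso-management-users` include in this commit adds "Alternatively, see [Manage how users are provisioned](#manage-how-users-are-provisioned)" after the same list, and this copy of the callout should get the same pointer so the two callouts stay consistent.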


@ -0,0 +1,29 @@
{{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
{{ $sso_navigation := `Navigate to the SSO settings page for your organization or company.
- Organization: Select **Organizations**, your organization, **Settings**, and then **Security**.
- Company: Select **Organizations**, your company, and then **Settings**.` }}
{{ if eq (.Get "product") "admin" }}
{{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
{{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**." }}
{{ end }}
### Edit a connection
1. Sign in to {{ $product_link }}.
2. {{ $sso_navigation }}
3. In the SSO connections table, select the **Action** icon.
4. Select **Edit connection** to edit your connection.
5. Follow the on-screen instructions to edit the connection.
### Delete a connection
1. Sign in to {{ $product_link }}.
2. {{ $sso_navigation }}
3. In the SSO connections table, select the **Action** icon.
4. Select **Delete connection**.
5. Follow the on-screen instructions to delete a connection.
### Deleting SSO
When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.
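Review bot: The "Deleting SSO" paragraph should make the order explicit: disable SSO first, then delete the connection, and note that deleting also drops the added domains, so re-adding one later means re-verifying with a new TXT record (as the Note in the domains include in this commit says). Wording: "create a password reset" should be "request a password reset", and the heading "Deleting SSO" should match the imperative style of "Edit a connection" and "Delete a connection".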


@ -0,0 +1,65 @@
{{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
{{ $sso_navigation := `Navigate to the SSO settings page for your organization or company.
- Organization: Select **Organizations**, your organization, **Settings**, and then **Security**.
- Company: Select **Organizations**, your company, and then **Settings**.` }}
{{ $member_navigation := "Select **Organizations**, your organization, and then **Members**." }}
{{ $invite_button := "**Invite members**" }}
{{ $remove_button := "**Remove member**" }}
{{ $provisioning_steps := "This feature is only available in the Admin Console."}}
{{ if eq (.Get "product") "admin" }}
{{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
{{ $invite_button = "**Invite**" }}
{{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**." }}
{{ $member_navigation = `Navigate to the user management page for your organization or company.
- Organization: Select your organization in the left navigation drop-down menu, and then select **Members**.
- Company: Select your company in the left navigation drop-down menu, and then select **Users**.` }}
{{ $remove_button = "**Remove member**, if you're an organization, or **Remove user**, is you're a company" }}
{{ $provisioning_steps = `To choose how your users are provisioned:
1. Sign in to the [Admin Console](https://admin.docker.com).
2. Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**.
3. In the SSO connections table, select the **Action** icon and then **Edit connection**.
4. Select **Next** to navigate to the section where you can choose how to provision users.
5. Choose to enable or disable Just-in-Time (JIT) provisioning (default).
6. Follow the on-screen instructions to save your configuration.` }}
{{ end }}
> **Important**
>
> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned to your organization.
>
> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
>
> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm)
> - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
>
> Alternatively, see [Manage how users are provisioned](#manage-how-users-are-provisioned).
{ .important}
### Add guest users when SSO is enabled
To add a guest that isn't verified through your IdP:
1. Sign in to {{ $product_link }}.
2. {{ $member_navigation }}
3. Select {{ $invite_button }}.
4. Follow the on-screen instructions to invite the user.
### Remove users from the SSO company
To remove a user:
1. Sign in to {{ $product_link }}.
2. {{ $member_navigation }}
3. Select the action icon next to a users name, and then select {{ $remove_button }}.
4. Follow the on-screen instructions to remove the user.
### Manage how users are provisioned
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
{ .experimental }
{{ $provisioning_steps }}
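Review bot: The Docker Hub default for `$provisioning_steps`, "This feature is only available in the Admin Console.", is rendered under the "Manage how users are provisioned" heading with no link, so Hub readers are told the feature exists somewhere else without being told where; link it to the [Admin Console](https://admin.docker.com) or to the Admin Console tab. Step 5 of the Admin Console value, "Choose to enable or disable Just-in-Time (JIT) provisioning (default)", is ambiguous about which option is the default; "(enabled by default)" reads clearly. Two typos carried into this new file: `$remove_button` says "is you're a company" (should be "if you're a company"), and "next to a users name" needs "user's".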


@ -2,18 +2,10 @@
{{ $sso_navigation := `Navigate to the SSO settings page for your organization or company.
- Organization: Select **Organizations**, your organization, **Settings**, and then **Security**.
- Company: Select **Organizations**, your company, and then **Settings**.` }}
{{ $member_navigation := "Select **Organizations**, your organization, and then **Members**." }}
{{ $invite_button := "**Invite members**" }}
{{ $remove_button := "**Remove member**" }}
{{ if eq (.Get "product") "admin" }}
{{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
{{ $invite_button = "**Invite**" }}
{{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**." }}
{{ $member_navigation := `Navigate to the user management page for your organization or company.
- Organization: Select your organization in the left navigation drop-down menu, and then select **Members**.
- Company: Select your company in the left navigation drop-down menu, and then select **Users**.` }}
{{ $remove_button = "**Remove member**, if you're an organization, or **Remove user**, is you're a company" }}
{{ end }}
### Remove a domain from an SSO connection
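Review bot: Worth recording that this move fixes a real template bug: the removed block declared `{{ $member_navigation := ... }}` with `:=` inside the `{{ if eq (.Get "product") "admin" }}` block, which in Go templates creates a new variable scoped to that block instead of reassigning the outer one, so the Admin Console output would have used the Docker Hub navigation text; the replacement `admin-sso-management-users` include uses `=` for that assignment. The `$remove_button` typo "is you're a company" was copied into the new include unchanged and should be fixed there.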
@ -30,55 +22,3 @@
> **Note**
>
> If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value.
## Manage SSO connections
### Edit a connection
1. Sign in to {{ $product_link }}.
2. {{ $sso_navigation }}
3. In the SSO connections table, select the **Action** icon.
4. Select **Edit connection** to edit your connection.
5. Follow the on-screen instructions to edit the connection.
### Delete a connection
1. Sign in to {{ $product_link }}.
2. {{ $sso_navigation }}
3. In the SSO connections table, select the **Action** icon.
4. Select **Delete connection**.
5. Follow the on-screen instructions to delete a connection.
### Deleting SSO
When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.
## Manage users
> **Important**
>
> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned to your organization.
>
> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
>
> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm)
> - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
{ .important}
### Add guest users when SSO is enabled
To add a guest if they arent verified through your IdP:
1. Sign in to {{ $product_link }}.
2. {{ $member_navigation }}
3. Select {{ $invite_button }}.
4. Follow the on-screen instructions to invite the user.
### Remove users from the SSO company
To remove a user:
1. Sign in to {{ $product_link }}.
2. {{ $member_navigation }}
3. Select the action icon next to a users name, and then select {{ $remove_button }}.
4. Follow the on-screen instructions to remove the user.
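Review bot: Since the "Manage SSO connections" and "Manage users" sections leave this include, confirm nothing other than `manage.md` includes `admin-sso-management` and expects those sections, and that inbound links to `#edit-a-connection`, `#delete-a-connection` and `#manage-users` still resolve now that the headings live in the new includes. The moved copy of the "Add guest users" intro also fixes the dropped apostrophe in "if they arent verified", so no follow-up needed there.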