Update SCIM and Group mapping attributes (#17876)

* add note to scim docs on attributes and fix typo

* update attributes and shift group mapping content

* updates from sme feedback

* update for sme feedback
Stephanie Aurelio 2023-08-07 13:46:21 -07:00 committed by GitHub
parent 565306f956
commit fbf8368b75
2 changed files with 27 additions and 13 deletions

@ -10,15 +10,6 @@
With directory group-to-team provisioning from your IdP, user updates will automatically sync with your Docker organizations and teams.
To correctly assign your users to Docker teams, you must create groups in your IDP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers” in Docker, and your organization name is “moby,” you must create a group in your IdP with the name “moby:developers”.
Once you enable group mappings in your connection, users assigned to that group in your IdP will automatically be added to the team “developers” in Docker.
>**Tip**
>
>Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, a group is created if it doesnt already exist.
{: .tip}
## How group mapping works
IdPs share with Docker the main attributes of every authorized user through SSO, such as email address, name, surname, and groups. These attributes are used by Just-In-Time (JIT) Provisioning to create or update the users Docker profile and their associations with organizations and teams on Docker Hub.
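Review bot: removing the `organization:team` naming-pattern paragraph and its Tip from the intro leaves the opening section with no pointer to where that format is now documented; since the intro still promises that "user updates will automatically sync with your Docker organizations and teams", add a one-line cross-reference to the "Use group mapping" section so readers who stop at the intro still learn how groups must be named.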
@ -42,6 +33,26 @@ After every successful SSO sign-in authentication, the JIT provisioner performs
## Use group mapping
To correctly assign your users to Docker teams, you must create groups in your IdP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers", and your organization name is "moby", you must create a group in your IdP with the name `moby:developers`.
Once you enable group mappings in your connection, users assigned to that group in your IdP will automatically be added to the team "developers" in Docker.
You can use this format to add a user to multiple organizations. For example, if you want to add a user to the "backend" team in the "moby" organization as well as the "desktop" team in the "docker" organization, the format would be: `moby:backend` and `docker:desktop`.
>**Tip**
>
>Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, a group is created if it doesnt already exist.
{: .tip}
The following lists the supported group mapping attributes:
| Attribute | Description |
|:--------- | :---------- |
| id | Unique ID of the group in UUID format. This attribute is read-only. |
| displayName | Name of the group following the group mapping format: `organization:team`. |
| members | A list of users that are members of this group. |
| members[x].value | Unique ID of the user that is a member of this group. Members are referenced by ID. |
To take advantage of group mapping, follow the instructions provided by your IdP:
- [Okta](https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm){: target="_blank" rel="noopener" class="_" }
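Review bot: the re-added Tip line still reads `doesnt` (needs the apostrophe: `doesn't`), and it says "a group is created" while the sentence before it and the table's `displayName` row describe the object on the Docker side as a team; state explicitly which side the object is created on when groups are synced, because that is what a reader uses to decide whether pre-creating Docker teams is required. The `members[x].value` row could also say that the referenced ID is the user's SCIM `id`, to match the `id` row above it.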

@ -29,13 +29,16 @@ The following provisioning features are supported:
- Re-activate users
- Group mapping
The table below lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.
The following table lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.
| Attribute | Description
|:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------|
| username | Unique identifier of the user (email) |
| givenName | Users first name |
| familyName |Users surname |
| userName | User's primary email address. This is used as the unique identifier of the user. |
| name.givenName | Users first name |
| name.familyName | Users surname |
| active | Indicates if a user is enabled or disabled. Can be set to false to de-provision the user. |
For additional details about supported attributes and SCIM, see [Docker Hub API SCIM reference](/docker-hub/api/latest/#tag/scim).
## Set up SCIM
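Review bot: the new `name.givenName` and `name.familyName` rows carry over the old descriptions `Users first name` / `Users surname` without the apostrophe; since the `userName` row was rewritten as `User's primary email address`, use `User's` on the two name rows as well. The header row `| Attribute | Description` is also missing its trailing `|`. Finally, "your attribute mappings must match for SSO" does not say what they must match; spell out that the SCIM attribute mappings must match those of the SSO connection, since the stated consequence of a mismatch is duplicated members.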