Update SCIM and Group mapping attributes (#17876)

* add note to scim docs on attributes and fix typo * update attributes and shift group mapping content * updates from sme feedback * update for sme feedback
2023-08-07 13:46:21 -07:00 · 2023-08-07 13:46:21 -07:00 · fbf8368b75
parent 565306f956
commit fbf8368b75
2 changed files with 27 additions and 13 deletions
--- a/_includes/admin-group-mapping.md
+++ b/_includes/admin-group-mapping.md
@ -10,15 +10,6 @@

 With directory group-to-team provisioning from your IdP, user updates will automatically sync with your Docker organizations and teams.

-To correctly assign your users to Docker teams, you must create groups in your IDP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers” in Docker, and your organization name is “moby,” you must create a group in your IdP with the name “moby:developers”.
-
-Once you enable group mappings in your connection, users assigned to that group in your IdP will automatically be added to the team “developers” in Docker.
-
->**Tip**
->
->Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, a group is created if it doesn’t already exist.
-{: .tip}
-
 ## How group mapping works

 IdPs share with Docker the main attributes of every authorized user through SSO, such as email address, name, surname, and groups. These attributes are used by Just-In-Time (JIT) Provisioning to create or update the user’s Docker profile and their associations with organizations and teams on Docker Hub.
@ -42,6 +33,26 @@ After every successful SSO sign-in authentication, the JIT provisioner performs

 ## Use group mapping

+To correctly assign your users to Docker teams, you must create groups in your IdP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers", and your organization name is "moby", you must create a group in your IdP with the name `moby:developers`.
+
+Once you enable group mappings in your connection, users assigned to that group in your IdP will automatically be added to the team "developers" in Docker.
+
+You can use this format to add a user to multiple organizations. For example, if you want to add a user to the "backend" team in the "moby" organization as well as the "desktop" team in the "docker" organization, the format would be: `moby:backend` and `docker:desktop`.
+
+>**Tip**
+>
+>Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, a group is created if it doesn’t already exist.
+{: .tip}
+
+The following lists the supported group mapping attributes:
+
+| Attribute | Description |
+|:--------- | :---------- |
+| id | Unique ID of the group in UUID format. This attribute is read-only. |
+| displayName | Name of the group following the group mapping format: `organization:team`. |
+| members | A list of users that are members of this group. |
+| members[x].value | Unique ID of the user that is a member of this group. Members are referenced by ID. |
+
 To take advantage of group mapping, follow the instructions provided by your IdP:

 - [Okta](https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm){: target="_blank" rel="noopener" class="_" }
--- a/_includes/admin-scim.md
+++ b/_includes/admin-scim.md
@ -29,13 +29,16 @@ The following provisioning features are supported:
 - Re-activate users
 - Group mapping

-The table below lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.
+The following table lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.

 | Attribute    | Description
 |:---------------------------------------------------------------|:-------------------------------------------------------------------------------------------|
-| username             | Unique identifier of the user (email)                                   |
-| givenName                            | User’s first name |
-| familyName |User’s surname                                              |
+| userName             | User's primary email address. This is used as the unique identifier of the user. |
+| name.givenName | User’s first name |
+| name.familyName | User’s surname |
+| active | Indicates if a user is enabled or disabled. Can be set to false to de-provision the user. |
+
+For additional details about supported attributes and SCIM, see [Docker Hub API SCIM reference](/docker-hub/api/latest/#tag/scim).

 ## Set up SCIM