docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
docs/_includes/admin-scim.md

4.2 KiB
Raw Permalink Blame History

{% if include.product == "admin" %} {% assign product_link = "Docker Admin" %} {% if include.layer == "company" %} {% assign sso_link = "configured SSO" %} {% assign sso_navigation="Select your company in the left navigation drop-down menu, and then select SSO & SCIM." %} {% else %} {% assign sso_link = "configured SSO" %} {% assign sso_navigation="Select your organization in the left navigation drop-down menu, and then select SSO & SCIM." %} {% endif %} {% else %} {% assign product_link = "Docker Hub" %} {% assign sso_link = "configured SSO" %} {% assign sso_navigation="Navigate to the SSO settings page for your organization or company. - Organization: Select Organizations, your organization, Settings, and then Security. - Company: Select Organizations, your company, and then Settings." %} {% endif %}

This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers.

SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker and added to the organization or company.

Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the users first name and last name.

The following provisioning features are supported:

  • Creating new users
  • Push user profile updates
  • Remove users
  • Deactivate users
  • Re-activate users
  • Group mapping

The following table lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.

Attribute Description
userName User's primary email address. This is used as the unique identifier of the user.
name.givenName Users first name
name.familyName Users surname
active Indicates if a user is enabled or disabled. Can be set to false to de-provision the user.

For additional details about supported attributes and SCIM, see Docker Hub API SCIM reference.

Set up SCIM

You must make sure you have {{ sso_link }} before you enable SCIM. Enforcing SSO is not required.

Step one: Enable SCIM in Docker

  1. Sign in to {{ product_link }}{: target="blank" rel="noopener" class="" }.
  2. {{ sso_navigation }}
  3. In the SSO connections table, select the Actions icon and Setup SCIM.
  4. Copy the SCIM Base URL and API Token and paste the values into your IdP.

Step two: Enable SCIM in your IdP

Follow the instructions provided by your IdP:

  • Okta{: target="blank" rel="noopener" class="" }
  • Azure AD{: target="blank" rel="noopener" class="" }
  • OneLogin{: target="blank" rel="noopener" class="" }

Disable SCIM

If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.

  1. Sign in to {{ product_link }}{: target="blank" rel="noopener" class="" }.
  2. {{ sso_navigation }}
  3. In the SSO connections table, select the Actions icon.
  4. Select Disable SCIM.

Limitations

Administrators can assign roles to organization members. However, SCIM doesn't support role management.