Update provisioning pages and add group mapping steps (#20016)

* add provisioning section and group mapping steps

* update URL

* update vale accept

* update callout in jit page

* fix urls

* vale fixes

* alphabetize new vale entries

* implement feedback
Stephanie Aurelio
2024-05-21 09:25:52 -07:00
committed by GitHub
parent c597199384
commit 0e1aaa62ec
26 changed files with 304 additions and 150 deletions

View File

@@ -45,6 +45,7 @@ Docker-Sponsored Open Source
Dockerfile
Dockerize
Dockerizing
Entra
Ethernet
Fargate
Fedora
@@ -89,6 +90,7 @@ QEMU
RHEL
RPM
S3
SAML
SARIF
SBOMs?
SCIM
@@ -111,6 +113,7 @@ UDP
URLs?
Ubuntu
Unix
UUID
VLAN
VM
VMware
@@ -143,6 +146,7 @@ config
containerd
deserialization
deserialize
displayName
dockerignore
firewalld
g?libc

View File

@@ -123,5 +123,5 @@ grid:
- text: "SSO"
url: "/security/for-admins/single-sign-on/"
- text: "SCIM"
url: "/security/for-admins/scim/"
url: "/security/for-admins/provisioning/scim/"
---

View File

@@ -28,7 +28,7 @@ grid:
description: Set up SCIM to automatically provision and deprovision users in your
company.
icon: checklist
link: /security/for-admins/scim/
link: /security/for-admins/provisioning/scim/
- title: Domain management
description: Add and verify your domains.
icon: domain_verification

View File

@@ -6,7 +6,7 @@ aliases:
- /docker-hub/company-owner/
---
As a company owner, you can configure [Single Sign-on (SSO)](../../security/for-admins/single-sign-on/_index.md) and [System for Cross-domain Identity Management (SCIM)](../../security/for-admins/scim.md) for all organizations under the company.
As a company owner, you can configure [Single Sign-on (SSO)](../../security/for-admins/single-sign-on/_index.md) and [System for Cross-domain Identity Management (SCIM)](../../security/for-admins/provisioning/scim.md) for all organizations under the company.
{{< tabs >}}
{{< tab name="Docker Hub" >}}

View File

@@ -59,7 +59,7 @@ See your [SCIM](scim.md) and [SSO](../../security/for-admins/single-sign-on/conf
### How does a company owner enable group mapping in an IdP?
See [SCIM](scim.md) and [Group mapping](../../security/for-admins/group-mapping.md) for more information.
See [SCIM](scim.md) and [Group mapping](../../security/for-admins/provisioning/group-mapping.md) for more information.
### What's the definition of a company vs an organization?
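Review bot: On the changed line, the `[SCIM](scim.md)` link that sits right before the updated group mapping link was left pointing at a sibling `scim.md`, while every other file in this commit retargets its SCIM link to the new `provisioning/scim` location (the SCIM page itself gains an `aliases` entry for the old `/security/for-admins/scim/` path). Verify that this relative link still resolves, or update it to the same `../../security/for-admins/provisioning/scim.md` form used for the group mapping link on the same line.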

View File

@@ -22,7 +22,7 @@ An existing owner can add additional team members as organization owners. You ca
### How do I know how many active users are part of my organization?
If your organization uses a Software Asset Management tool, you can use it to find out how many users have Docker Desktop installed. If your organization doesn't use this software, you can run an internal survey to find out who is using Docker Desktop. See [Identify your Docker users and their Docker accounts](../../admin/organization/onboard.md#step-1-identify-your-docker-users-and-their-docker-accounts). With a Docker Business subscription, you can manage members in your identity provider and automatically provision them to your Docker organization with [SSO](../../security/for-admins/single-sign-on/_index.md) or [SCIM](../../security/for-admins/scim.md).
If your organization uses a Software Asset Management tool, you can use it to find out how many users have Docker Desktop installed. If your organization doesn't use this software, you can run an internal survey to find out who is using Docker Desktop. See [Identify your Docker users and their Docker accounts](../../admin/organization/onboard.md#step-1-identify-your-docker-users-and-their-docker-accounts). With a Docker Business subscription, you can manage members in your identity provider and automatically provision them to your Docker organization with [SSO](../../security/for-admins/single-sign-on/_index.md) or [SCIM](../../security/for-admins/provisioning/scim.md).
### Do users first need to authenticate with Docker before an owner can add them to an organization?

View File

@@ -29,7 +29,7 @@ grid:
link: /admin/organization/general-settings/
- title: SSO & SCIM
description: 'Set up [Single Sign-On](/security/for-admins/single-sign-on/)
and [SCIM](/security/for-admins/scim/) for your organization.
and [SCIM](/security/for-admins/provisioning/scim/) for your organization.
'
icon: key

View File

@@ -28,4 +28,4 @@ To edit this information:
## Next steps
In the **Organization settings** menu, you can also [configure SSO](../../security/for-admins/single-sign-on/configure/) and [set up SCIM](../../security/for-admins/scim.md). If your organization isn't part of a company, from here you can also [audit your domains](../../security/for-admins/domain-audit.md) or [create a company](new-company.md).
In the **Organization settings** menu, you can also [configure SSO](../../security/for-admins/single-sign-on/configure/) and [set up SCIM](../../security/for-admins/provisioning/scim.md). If your organization isn't part of a company, from here you can also [audit your domains](../../security/for-admins/domain-audit.md) or [create a company](new-company.md).

View File

@@ -50,7 +50,7 @@ GitHub and Bitbucket and push them to Docker Hub.
* [Create and manage teams and organizations](orgs.md)
* [Create a company](../admin/company/new-company.md)
* [Enforce sign in](configure-sign-in.md)
* Set up [SSO](../security/for-admins/single-sign-on/index.md) and [SCIM](../security/for-admins/scim.md)
* Set up [SSO](../security/for-admins/single-sign-on/index.md) and [SCIM](../security/for-admins/provisioning/scim.md)
* Use [Group mapping](group-mapping.md)
* [Carry out domain audits](domain-audit.md)
* [Use Image Access Management](image-access-management.md) to control developers' access to certain types of images
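Review bot: The unchanged context line `* Use [Group mapping](group-mapping.md)` directly below the updated SCIM link still uses a bare relative `group-mapping.md`, whereas the SCIM link above it now goes to `../security/for-admins/provisioning/scim.md`. This commit deletes the old group mapping page and recreates it under `provisioning/`, so check that this link resolves, or point it at `../security/for-admins/provisioning/group-mapping.md` for consistency with the line above.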

View File

@@ -98,7 +98,7 @@ tags:
x-displayName: SCIM
description: |
SCIM is a provisioning system that lets you manage users within your identity provider (IdP).
For more information, see [System for Cross-domain Identity management](https://docs.docker.com/security/for-admins/scim/).
For more information, see [System for Cross-domain Identity management](https://docs.docker.com/security/for-admins/provisioning/scim/).
x-tagGroups:
- name: General
tags:
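Review bot: The link text on the changed description line still reads "System for Cross-domain Identity management" with a lower-case "management", while the other pages in this change write "System for Cross-domain Identity Management"; since the line is being edited anyway, fix the capitalization so the API reference matches the docs.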

View File

@@ -42,7 +42,7 @@ grid_admins:
- title: SCIM
description: Set up SCIM to automatically provision and deprovision users.
icon: checklist
link: /security/for-admins/scim/
link: /security/for-admins/provisioning/scim/
- title: Roles and permissions
description: Assign roles to individuals giving them different permissions within an organization.
icon: badge

View File

@@ -66,7 +66,7 @@ When SSO is enabled and enforced, your users just have to sign in using the emai
Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization.
[SCIM](../../../security/for-admins/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM.
[SCIM](../../../security/for-admins/provisioning/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM.
Additionally, you can use the [Docker Hub API](/docker-hub/api/latest/) to complete this process.
@@ -79,9 +79,9 @@ Additionally, you can use the [Docker Hub API](/docker-hub/api/latest/) to compl
If a user attempts to sign in to Docker using an email address that is a verified domain for your SSO connection, they need to be a member of the organization to access it, or have a pending invitation to the organization. Users who don't meet these criteria will encounter an `Access denied` error, and will need an administrator to invite them to the organization.
See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled).
To auto-provision users without JIT provisioning, you can use [SCIM](/security/for-admins/scim/).
To auto-provision users without JIT provisioning, you can use [SCIM](/security/for-admins/provisioning/scim/).
### What's the best way to provision the Docker subscription without SSO?

View File

@@ -1,109 +0,0 @@
---
description: Group mapping for administrators
keywords: Group Mapping, SCIM, Docker Hub, Docker Admin, admin, security
title: Group Mapping
aliases:
- /admin/company/settings/group-mapping/
- /admin/organization/security-settings/group-mapping/
- /docker-hub/group-mapping/
---
With directory group-to-team provisioning from your IdP, user updates will automatically sync with your Docker organizations and teams.
> **Tip**
>
> Group mapping is ideal for adding a user to multiple organizations or multiple teams within one organization. If you don't need to set up multi-organization or multi-team assignment, you can use [user-level attributes](scim.md#set-up-role-mapping).
{ .tip }
## How group mapping works
IdPs share with Docker the main attributes of every authorized user through SSO, such as email address, name, surname, and groups. Just-In-Time (JIT) Provisioning uses these attributes to create or update the users Docker profile and their associations with organizations and teams on Docker Hub.
Docker uses the email address of the user to identify them on the platform. Every Docker account must have a unique email address at all times.
### SSO authentication with JIT provisioning enabled
After every successful SSO sign-in authentication, the JIT provisioner performs the following actions:
1. Checks if there's an existing Docker account with the email address of the user that just authenticated.
a) If no account is found with the same email address, it creates a new Docker account using basic user attributes (email, name, and surname). The JIT provisioner generates a new username for this new account by using the email, name, and random numbers to make sure that all account usernames are unique in the platform.
b) If an account exists for this email address, it uses this account and updates the full name of the users profile if needed.
2. Checks for any pending invitations to the SSO organization to auto-accept the invitation. If the invitation is specific to a group, the user is added to the invited group along with group mappings in the following step.
3. Checks if the IdP shared group mappings while authenticating the user.
a) If the IdP provided group mappings for the user, the user gets added to the organizations and teams indicated by the group mappings.
b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user isn't a member, it adds the user to the default team and organization configured in the SSO connection.
![JIT provisioning enabled](../images/jit-enabled-flow.svg)
### SSO authentication with JIT provisioning disabled
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you have the option to disable JIT provisioning.
{ .experimental }
When you opt to disable JIT provisioning in your SSO connection, the following actions occur:
1. Checks if there's an existing Docker account with the email address of the user that just authenticated.
a) If no account is found with the same email address, it creates a new Docker account using basic user attributes (email, name, and surname). Authentication with SSO generates a new username for this new account by using the email, name, and random numbers to make sure that all account usernames are unique in the platform.
b) If an account exists for this email address, it uses this account and updates the full name of the users profile if needed.
2. Checks if there are any pending invitations to the SSO organization (or, SSO organizations if the SSO connection is managed at the company level) in order to auto-accept the invitation.
a) If the user isn't already a member of the organization, or doesn't have a pending invitation to join, sign in fails and the user encounters an `Access denied` error. This blocks the user from joining the organization. They need to contact an administrator to invite them to join.
b) If the user is a member of the organization, or has a pending invitation to join, then sign in is successful.
If you disable JIT provisioning when you create or edit your SSO connection, you can still use group mapping as long as you have also [enabled SCIM](/security/for-admins/scim/#enable-scim-in-docker). When JIT provisioning is disabled and SCIM isn't enabled, users won't be auto-provisioned to groups. For instructions on disabling JIT provisioning, see [Manage how users are provisioned](/security/for-admins/single-sign-on/manage/#manage-how-users-are-provisioned).
![JIT provisioning disabled](../images/jit-disabled-flow.svg)
## Use group mapping
To correctly assign your users to Docker teams, you must create groups in your IdP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers", and your organization name is "moby", you must create a group in your IdP with the name `moby:developers`.
Once you enable group mappings in your connection, users assigned to that group in your IdP will automatically be added to the team "developers" in Docker.
You can use this format to add a user to multiple organizations. For example, if you want to add a user to the "backend" team in the "moby" organization as well as the "desktop" team in the "docker" organization, the format would be: `moby:backend` and `docker:desktop`.
>**Tip**
>
>Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, this creates a group if it doesnt already exist.
{ .tip}
The following lists the supported group mapping attributes:
| Attribute | Description |
|:--------- | :---------- |
| id | Unique ID of the group in UUID format. This attribute is read-only. |
| displayName | Name of the group following the group mapping format: `organization:team`. |
| members | A list of users that are members of this group. |
| members(x).value | Unique ID of the user that is a member of this group. Members are referenced by ID. |
To take advantage of group mapping, follow the instructions provided by your IdP:
- [Okta](https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm)
- [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes)
- [OneLogin](https://developers.onelogin.com/scim/create-app)
Once complete, a user who signs in to Docker through SSO is automatically added to the organizations and teams mapped in the IdP.
> **Tip**
>
> [Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually.
{ .tip }
## More resources
The following videos demonstrate how to use group mapping with your IdP.
- [Video: Group mapping with Okta](https://youtu.be/c56YECO4YP4?feature=shared&t=3023)
- [Video: Attribute and group mapping with Entra ID (Azure)](https://youtu.be/bGquA8qR9jU?feature=shared&t=2039)

View File

@@ -0,0 +1,181 @@
---
description: Group mapping for administrators
keywords: Group Mapping, SCIM, Docker Hub, Docker Admin, admin, security
title: Group mapping
aliases:
- /admin/company/settings/group-mapping/
- /admin/organization/security-settings/group-mapping/
- /docker-hub/group-mapping/
- /security/for-admins/group-mapping/
---
With directory group-to-team provisioning from your IdP, user updates will automatically sync with your Docker organizations and teams. You can use group mapping once you have configured [single sign-on (SSO)](../single-sign-on/_index.md).
> **Tip**
>
> Group mapping is ideal for adding a user to multiple organizations or multiple teams within one organization. If you don't need to set up multi-organization or multi-team assignment, you can use [user-level attributes](scim.md#set-up-role-mapping).
{ .tip }
## How group mapping works
IdPs share with Docker the main attributes of every authorized user through SSO, such as email address, name, surname, and groups. Just-in-Time (JIT) Provisioning uses these attributes to create or update the users Docker profile and their associations with organizations and teams on Docker Hub.
Docker uses the email address of the user to identify them on the platform. Every Docker account must have a unique email address at all times.
## Use group mapping
To correctly assign your users to Docker teams, you must create groups in your IdP following the naming pattern `organization:team`. For example, if you want to manage provisioning for the team "developers", and your organization name is "moby", you must create a group in your IdP with the name `moby:developers`.
Once you enable group mappings in your connection, users assigned to that group in your IdP will automatically be added to the team "developers" in Docker.
You can use this format to add a user to multiple organizations. For example, if you want to add a user to the "backend" team in the "moby" organization as well as the "desktop" team in the "whale" organization, the format would be: `moby:backend` and `whale:desktop`.
>**Tip**
>
>Use the same names for the Docker teams as your group names in the IdP to prevent further configuration. When you sync groups, this creates a group if it doesnt already exist.
{ .tip}
The following lists the supported group mapping attributes:
| Attribute | Description |
|:--------- | :---------- |
| id | Unique ID of the group in UUID format. This attribute is read-only. |
| displayName | Name of the group following the group mapping format: `organization:team`. |
| members | A list of users that are members of this group. |
| members(x).value | Unique ID of the user that is a member of this group. Members are referenced by ID. |
The general steps to use group mapping are:
1. In your IdP, create groups with the `organization:team` format.
2. Add users to the group.
3. Add the Docker application that you created in your IdP to the group.
4. Add attributes in the IdP.
5. Push groups to Docker.
The exact configuration may vary depending on your IdP. You can use [group mapping with SSO](#use-group-mapping-with-sso), or with SSO and [SCIM enabled](#use-group-mapping-with-scim).
### Use group mapping with SSO
The following steps describe how to set up and use group mapping with your SSO connection only. For these configurations, enabling SCIM isn't required.
{{< tabs >}}
{{< tab name="Okta" >}}
The user interface for your IdP may differ slightly from the following steps. You can refer to the [Okta documentation](https://help.okta.com/oie/en-us/content/topics/apps/define-group-attribute-statements.htm) to verify.
To set up group mapping:
1. Sign in to the Okta Console to go to your application.
2. Go to the **SAML Settings** for your application.
3. In the **Group Attribute Statements (optional)** section, configure like the following:
- **Name**: `groups`
- **Name format**: `Unspecified`
- **Filter**: `Starts with` + `organization:` where `organization` is the name of your organization
The filter option will filter out the groups that aren't affiliated with your Docker organization.
4. Create your groups by navigating to **Directory > Groups**.
5. Add your groups using the format `organization:team` that matches the names of your organization(s) and team(s) in Docker.
6. Assign users to the group(s) that you create.
The next time you sync your groups with Docker, your users will map to the Docker groups you defined.
{{< /tab >}}
{{< tab name="Entra ID" >}}
The user interface for your IdP may differ slightly from the following steps. You can refer to the [Entra ID documentation](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes) to verify.
To set up group mapping:
1. Sign in to Entra ID and go to your application.
2. Go to **Manage > Single sign-on**.
3. Select **Add a group claim**.
4. In **Group Claims**, select **Groups assigned to the application** with the source attribute **Cloud-only group display names (Preview)**.
5. Select **Advanced options**, then the **Filter groups** option.
6. Configure the attribute like the following:
- **Attribute to match**: `Display name`
- **Match with**: `Contains`
- **String**: `:`
7. Select **Save**.
8. Go to **Groups > All groups** then select **New group** to create your group(s).
9. Assign users to the group(s) that you create.
The next time you sync your groups with Docker, your users will map to the Docker groups you defined.
{{< /tab >}}
{{< /tabs >}}
### Use group mapping with SCIM
The following steps describe how to set up and use group mapping with SCIM. Before you begin, make sure you [set up SCIM](./scim.md#enable-scim) first.
{{< tabs >}}
{{< tab name="Okta" >}}
The user interface for your IdP may differ slightly from the following steps. You can refer to the [Okta documentation](https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm) to verify.
To set up your groups:
1. Sign in to the Okta Console to go to your application.
2. Select **Applications > Provisioning > Integration**.
3. Select **Edit** to enable groups on your connection, then select **Push groups**.
4. Select **Save**. Saving this configuration will add the **Push Groups** tab to your application.
5. Create your groups by navigating to **Directory > Groups**.
6. Add your groups using the format `organization:team` that matches the names of your organization(s) and team(s) in Docker.
7. Assign users to the group(s) that you create.
8. Return to **Applications > Provisioning > Integration**, then select the **Push Groups** tab to open the view where you can control and manage how groups are provisioned.
9. Select **Push Groups > Find groups by rule**.
10. Configure the groups by rule like the following:
- Enter a rule name, for example `Sync groups with Docker Hub`
- Match group by name, for example starts with `docker:` or contains `:` for multi-organization
- If you enable **Immediately push groups by rule**, sync will happen as soon as there's a change to the group or group assignments. Enable this if you don't want to manually push groups.
Find your new rule under **By rule** in the **Pushed Groups** column. The groups that match that rule are listed in the groups table on the right-hand side.
To push the groups from this table:
1. Select **Group in Okta**.
2. Select the **Push Status** drop-down.
3. Select **Push Now**.
{{< /tab >}}
{{< tab name="Entra ID" >}}
The user interface for your IdP may differ slightly from the following steps. You can refer to the [Entra ID documentation](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes) to verify.
Complete the following before configuring group mapping:
1. Sign in to Entra ID and go to your application.
2. In your application, go to **Provisioning > Mappings**.
3. Select **Provision Microsoft Entra ID Groups**.
4. Select **Show advanced options**, then **Edit attribute list**.
5. Update the `externalId` type to `reference`, then select the **Multi-Value** checkbox and choose the referenced object attribute `urn:ietf:params:scim:schemas:core:2.0:Group`.
6. Select **Save**, then **Yes** to confirm.
7. Go to **Provisioning**.
8. Toggle **Provision Status** to **On**, then select **Save**.
Next, set up group mapping:
1. Go to the application overview page.
2. Under **Provision user accounts**, select **Get started**.
3. Select **Add user/group**.
4. Create your group(s) using the `organization:team` format.
5. Assign the group to the provisioning group.
6. Select **Start provisioning** to start the sync.
To verify, go to **Monitor > Provisioning logs** to see that your groups were provisioned successfully. In your Docker organization, you can check that the groups were correctly provisioned and the members were added to the appropriate teams.
{{< /tab >}}
{{< /tabs >}}
Once complete, a user who signs in to Docker through SSO is automatically added to the organizations and teams mapped in the IdP.
> **Tip**
>
> [Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually.
{ .tip }
## More resources
The following videos demonstrate how to use group mapping with your IdP with SCIM enabled.
- [Video: Group mapping with Okta](https://youtu.be/c56YECO4YP4?feature=shared&t=3023)
- [Video: Attribute and group mapping with Entra ID (Azure)](https://youtu.be/bGquA8qR9jU?feature=shared&t=2039)
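Review bot: The prerequisite link under "Use group mapping with SCIM", `[set up SCIM](./scim.md#enable-scim)`, targets a fragment that does not match the SCIM page heading `## Enable SCIM in Docker` visible later in this commit (the new Just-in-Time page links it as `#enable-scim-in-docker`), so the anchor will not resolve; change it to `./scim.md#enable-scim-in-docker`. Two smaller points in the same file: in the Okta SCIM steps, the push-groups rule example "starts with `docker:`" uses a different organization name from the `moby:` examples used throughout the page, and the alternative "contains `:`" matches every IdP group whose name contains a colon, including groups unrelated to Docker, so it is worth stating that a rule anchored on the organization name (as the Okta SSO tab does with `Starts with` + `organization:`) limits what gets pushed. Also fix "the users Docker profile" to "the user's Docker profile", "doesnt" to "doesn't" in the tip, and add the comma in "If you don't enable SCIM, users are only automatically provisioned".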

View File

@@ -0,0 +1,71 @@
---
description: Learn how Just-in-Time provisioning works with your SSO connection.
keywords: user provisioning, just-in-time provisioning, JIT, autoprovision, Docker Hub, Docker Admin, admin, security
title: Just-in-Time provisioning
---
Just-in-Time (JIT) provisioning runs after every successful single sign-on (SSO) sign-in. JIT verifies that the user that signs in is a member of the organization and teams that they are assigned to in the IdP. When you [create your SSO connection](../single-sign-on/_index.md), JIT provisioning is turned on by default.
## SSO authentication with JIT provisioning enabled
After every successful SSO sign-in authentication, the JIT provisioner performs the following actions:
1. Checks if there's an existing Docker account with the email address of the user that just authenticated.
a) If no account is found with the same email address, it creates a new Docker account using basic user attributes (email, name, and surname). The JIT provisioner generates a new username for this new account by using the email, name, and random numbers to make sure that all account usernames are unique in the platform.
b) If an account exists for this email address, it uses this account and updates the full name of the users profile if needed.
2. Checks for any pending invitations to the SSO organization to auto-accept the invitation. If the invitation is specific to a group, the user is added to the invited group along with group mappings in the following step.
3. Checks if the IdP shared group mappings while authenticating the user.
a) If the IdP provided group mappings for the user, the user gets added to the organizations and teams indicated by the group mappings.
b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user isn't a member, it adds the user to the default team and organization configured in the SSO connection.
![JIT provisioning enabled](../../images/jit-enabled-flow.svg)
## SSO authentication with JIT provisioning disabled
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you have the option to disable JIT provisioning.
{ .experimental }
When you opt to disable JIT provisioning in your SSO connection, the following actions occur:
1. Checks if there's an existing Docker account with the email address of the user that just authenticated.
a) If no account is found with the same email address, it creates a new Docker account using basic user attributes (email, name, and surname). Authentication with SSO generates a new username for this new account by using the email, name, and random numbers to make sure that all account usernames are unique in the platform.
b) If an account exists for this email address, it uses this account and updates the full name of the users profile if needed.
2. Checks if there are any pending invitations to the SSO organization (or, SSO organizations if the SSO connection is managed at the company level) in order to auto-accept the invitation.
a) If the user isn't already a member of the organization, or doesn't have a pending invitation to join, sign in fails and the user encounters an `Access denied` error. This blocks the user from joining the organization. They need to contact an administrator to invite them to join.
b) If the user is a member of the organization, or has a pending invitation to join, then sign in is successful.
If you disable JIT provisioning when you create or edit your SSO connection, you can still use group mapping as long as you have also [enabled SCIM](/security/for-admins/provisioning/scim/#enable-scim-in-docker). When JIT provisioning is disabled and SCIM isn't enabled, users won't be auto-provisioned to groups. For instructions on disabling JIT provisioning, see [Manage how users are provisioned](/security/for-admins/single-sign-on/manage/#manage-how-users-are-provisioned).
![JIT provisioning disabled](../../images/jit-disabled-flow.svg)
## Disable JIT provisioning
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users.
{ .experimental }
You may want to disable JIT provisioning for reasons such as the following:
- You have multiple organizations, have SCIM enabled, and want SCIM to be the source of truth for provisioning
- You want to control and restrict usage based on your organization's security configuration, and want to use SCIM to provision access
> **Warning**
>
> Disabling JIT provisioning could potentially disrupt your users' workflows. Users must already be a member of the organization or have an invitation to the organization when they authenticate with SSO in order to sign in successfully. To auto-provision users with JIT disabled, you can [use SCIM](./scim.md).
{ .warning }
See [Manage how users are provisioned](../single-sign-on/manage/_index.md#manage-how-users-are-provisioned) to learn how to disable JIT provisioning.
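Review bot: The two beta callouts on this page give the same feature different statuses: under "SSO authentication with JIT provisioning disabled" it is "available in beta" (linked to the release lifecycle page) when you use the Admin Console and enable SCIM, while under "Disable JIT provisioning" it is "available in Private Beta" for program participants with no SCIM requirement mentioned; pick one wording so readers know whether and how they can disable JIT today. The intro sentence also says JIT "verifies that the user that signs in is a member of the organization and teams that they are assigned to in the IdP", but the steps below describe JIT creating accounts, auto-accepting invitations, and adding users to the default organization and team when no group mappings are provided, so "verifies" understates what it does; consider "provisions the user into". Finally, fix "the users profile" (twice) to "the user's profile".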

View File

@@ -1,8 +1,11 @@
---
keywords: SCIM, SSO, user provisioning, de-provisioning, role mapping, assign users
title: SCIM overview
title: SCIM provisioning
description: Learn how System for Cross-domain Identity Management works and how to set it up.
aliases:
- /security/for-admins/scim/
direct_from:
- /docker-hub/company-scim/
- /docker-hub/scim/
@@ -39,17 +42,17 @@ For additional details about supported attributes and SCIM, see [Docker Hub API
> **Important**
>
> SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see [SSO attributes](../for-admins/single-sign-on/configure/configure-idp.md#sso-attributes).
> SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see [SSO attributes](../single-sign-on/configure/configure-idp.md#sso-attributes).
{.important}
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled).
{ .experimental }
## Enable SCIM in Docker
You must make sure you have [configured SSO](single-sign-on/configure/_index.md) before you enable SCIM. Enforcing SSO isn't required.
You must make sure you have [configured SSO](../single-sign-on/configure/_index.md) before you enable SCIM. Enforcing SSO isn't required.
{{< tabs >}}
{{< tab name="Docker Hub" >}}
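Review bot: the Important and Beta callouts read as contradictory when stacked: the first says JIT "still overwrite[s]" SCIM values whenever users log in, the second says JIT can be turned off. Qualify the first sentence with "while JIT is enabled" so the second callout reads as the remedy rather than an unrelated feature. Separately, "Enforcing SSO isn't required" deserves one clause on the consequence: without enforcement, users can still sign in with Docker credentials, so the SCIM-managed identity is not the only path into the organization (the Enforce SSO step at L577 already says this; link to it).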
@@ -138,8 +141,8 @@ The following table lists the supported optional user-level attributes.
| Attribute | Possible values | Considerations |
| --------- | ------------------ | -------------- |
| `dockerRole` | `member`, `editor`, or `owner`. For a list of permissions for each role, see [Roles and permissions](/security/for-admins/roles-and-permissions/). | If you don't assign a role in the IdP, the value of the `dockerRole` attribute defaults to `member`. When you set the attribute, this overrides the default value. |
| `dockerOrg` | `organizationName`. For example, an organization named "moby" would be `moby`. | Setting this attribute overrides the default organization configured by the SSO connection. Also, this won't add the user to the default team. If this attribute isn't set, the user is provisioned to the default organization and the default team. If set and `dockerTeam` is also set, this provisions the user to the team within that org. |
| `dockerTeam` | `teamName`. For example, a team named "developers" would be `developers`. | Setting this attribute provisions the user to the default org and to the specified team, instead of the SSO connection's default team. This also creates the team if it doesn't exist. You can still use group mapping to provision users to teams in multiple orgs. See [Group mapping](/security/for-admins/group-mapping/). |
| `dockerOrg` | `organizationName`. For example, an organization named "moby" would be `moby`. | Setting this attribute overrides the default organization configured by the SSO connection. Also, this won't add the user to the default team. If this attribute isn't set, the user is provisioned to the default organization and the default team. If set and `dockerTeam` is also set, this provisions the user to the team within that organization. |
| `dockerTeam` | `teamName`. For example, a team named "developers" would be `developers`. | Setting this attribute provisions the user to the default organization and to the specified team, instead of the SSO connection's default team. This also creates the team if it doesn't exist. You can still use group mapping to provision users to teams in multiple organizations. See [Group mapping](/security/for-admins/provisioning/group-mapping/). |
After you set the role in the IdP, you need to sync to push the changes to Docker.
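Review bot: two practitioner caveats are missing from the table. `dockerRole` accepts `owner`, so anyone who can edit the attribute mapping in the IdP can make a user an organization owner on the next sync; say so and recommend restricting who may edit that mapping. `dockerTeam` "creates the team if it doesn't exist", which means a typo in the IdP value (`developer` instead of `developers`) silently creates a new, empty team rather than failing; worth a sentence telling admins to verify team membership after the first sync.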
@@ -150,7 +153,7 @@ The external namespace to use to set up these attributes is `urn:ietf:params:sci
### Set up
1. Setup [SSO](./single-sign-on/configure/_index.md) and SCIM first.
1. Setup [SSO](../single-sign-on/configure/_index.md) and SCIM first.
2. In the Okta admin portal, go to **Directory > Profile Editor** and select **User (Default)**.
3. Select **Add Attribute** and configure the values for the role, org, or team you want to add. Exact naming isn't required.
4. Return to the **Profile Editor** and select your application.
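Review bot: "Setup" at L474 is the noun; the imperative in a numbered step is "Set up" (same issue at L481). Step 3 still says "org" although this PR expands it to "organization" in the table above to satisfy Vale; expand it here as well so the page passes the linter consistently.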
@@ -176,7 +179,7 @@ If a user doesn't already have attributes set up, users who are added to the gro
### Set up
1. Setup [SSO](./single-sign-on/configure/_index.md) and SCIM first.
1. Setup [SSO](../single-sign-on/configure/_index.md) and SCIM first.
2. In the Azure AD admin portal, go to**Enterprise Apps > YOUR APP > Provisioning > Mappings > Provision Azure Active Directory Users**.
3. To set up the new mapping, check **Show advanced options**, then select **Edit attribute options**.
4. Create new entries with the desired mapping for role, org, or group (for example, `urn:ietf:params:scim:schemas:extension:docker:2.0:User:dockerRole`) as a string type.
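Review bot: this section is now inconsistent with the naming used elsewhere in the PR: L593 introduces "Entra ID (formerly Azure AD)" and `Entra` was added to the Vale accept list, yet this procedure still says "Azure AD admin portal". Use the same "Entra ID (formerly Azure AD)" form in the prose here (leave the portal menu labels as the product shows them). Also, L482 is missing a space ("go to**Enterprise Apps" should be "go to **Enterprise Apps"), and "Setup" at L481 should be "Set up".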

View File

@@ -38,15 +38,15 @@ If you use SAML for your SSO connection, Docker obtains these attributes from th
> **Important**
>
>SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](../../scim.md), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For example, to make sure that the full name of a user displays in your organization, you would set a `name` attribute in your SAML attributes and ensure the value includes their first name and last name. The exact method for setting these values (for example, constructing it with `user.firstName + " " + user.lastName`) varies depending on your IdP.
>SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](../../provisioning/scim.md), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For example, to make sure that the full name of a user displays in your organization, you would set a `name` attribute in your SAML attributes and ensure the value includes their first name and last name. The exact method for setting these values (for example, constructing it with `user.firstName + " " + user.lastName`) varies depending on your IdP.
{.important}
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled).
{ .experimental }
You can also configure attributes to override default values, such as default team or organization. See [role mapping](../../scim.md#set-up-role-mapping).
You can also configure attributes to override default values, such as default team or organization. See [role mapping](../../provisioning/scim.md#set-up-role-mapping).
| SSO attribute | SAML assertion message attributes |
| ---------------- | ------------------------- |
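Review bot: the Important/Beta callout pair here is a verbatim copy of the one in scim.md (L447 to L456), and near-copies sit in the connect page (L507 to L511) and the manage page (L602 to L606); this PR had to touch all four just to change one URL. The repo already uses parameterised partials (the `{{ if eq (.Get "product") "admin" }}` pattern at L563), so move the callout into a shared include so the wording and the JIT-disable link cannot drift apart again.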

View File

@@ -28,7 +28,7 @@ Make sure you have completed the following before you begin:
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you have the option to disable JIT provisioning. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. With this feature, you have the option to disable JIT provisioning. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled).
{ .experimental }
{{< tabs >}}

View File

@@ -81,6 +81,6 @@ aliases:
## What's next?
- [Set up SCIM](../../scim.md)
- [Enable Group mapping](../../group-mapping.md)
- [Set up SCIM](../../provisioning/scim.md)
- [Enable Group mapping](../../provisioning/group-mapping.md)

View File

@@ -71,7 +71,7 @@ Docker Business includes:
- [Registry Access Management](../../security/for-admins/registry-access-management.md) which lets admins control what registries developers can access
- [Company layer](../../admin/company/_index.md) to manage multiple organizations and settings
- [Single Sign-On](../../security/for-admins/single-sign-on/index.md)
- [System for Cross-domain Identity Management](../../security/for-admins/scim.md) and more.
- [System for Cross-domain Identity Management](../../security/for-admins/provisioning/scim.md) and more.
For a list of features available in each tier, see [Docker Pricing](https://www.docker.com/pricing/).
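Review bot: the Single Sign-On link at L528 targets `single-sign-on/index.md`, while every other link in this PR addresses that section page as `single-sign-on/_index.md` (L458, L474). Confirm the `index.md` form resolves in the link checker, or fix it while this list is being edited.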

View File

@@ -2194,10 +2194,14 @@ Manuals:
title: Connect
- path: /security/for-admins/single-sign-on/manage/
title: Manage
- path: /security/for-admins/scim/
title: SCIM
- path: /security/for-admins/group-mapping/
title: Group mapping
- sectiontitle: Provisioning
section:
- path: /security/for-admins/provisioning/scim/
title: SCIM
- path: /security/for-admins/provisioning/just-in-time/
title: Just-in-Time
- path: /security/for-admins/provisioning/group-mapping/
title: Group mapping
- path: /security/for-admins/configure-sign-in/
title: Enforce sign in
- path: /security/for-admins/roles-and-permissions/
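Review bot: the group-mapping page moves from `/security/for-admins/group-mapping/` to `/security/for-admins/provisioning/group-mapping/` here, but only scim.md is shown gaining an `aliases` entry for its old path (L441 to L442). Confirm group-mapping.md gets the same alias, since the old URL (with the `#sso-authentication-with-jit-provisioning-disabled` anchor) is exactly what the callouts this PR rewrites at L454, L496, L509, L587 and L604 used to point at.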

View File

@@ -1,13 +1,13 @@
{{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
{{ $domain_navigation := "Select **Organizations**, your organization, **Settings**, and then **Security**." }}
{{ $sso_link := "[SSO](/security/for-admins/single-sign-on/)" }}
{{ $scim_link := "[SCIM](/security/for-admins/scim/)" }}
{{ $scim_link := "[SCIM](/security/for-admins/provisioning/scim/)" }}
{{ if eq (.Get "product") "admin" }}
{{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
{{ $domain_navigation = "Select your organization in the left navigation drop-down menu, and then select **Domain management**." }}
{{ $sso_link = "[SSO](/security/for-admins/single-sign-on/)" }}
{{ $scim_link = "[SCIM](/security/for-admins/scim/)" }}
{{ $scim_link = "[SCIM](/security/for-admins/provisioning/scim/)" }}
{{ end }}
To audit your domains:
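Review bot: the `admin` branch reassigns `$sso_link` and `$scim_link` (L566, L568) to precisely the values already set at L560 and L562, so both assignments are dead code and a second place to forget on the next URL move. Drop them and keep only `$product_link` and `$domain_navigation`, which actually differ between the two products.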

View File

@@ -52,7 +52,7 @@ Configuring SSO and SCIM is optional and only available to Docker Business subsc
You can manage your members in your identity provider and automatically provision them to your Docker organization with SSO and SCIM. See the following for more details.
- [Configure SSO](/security/for-admins/single-sign-on/) to authenticate and add members when they sign in to Docker through your identity provider.
- Optional: [Enforce SSO](/security/for-admins/single-sign-on/connect/#optional-enforce-sso) to ensure that users must sign in to Docker with SSO.
- [Configure SCIM](/security/for-admins/scim/) to automatically provision, add, and de-provision members to Docker through your identity provider.
- [Configure SCIM](/security/for-admins/provisioning/scim/) to automatically provision, add, and de-provision members to Docker through your identity provider.
## Step 5: Enforce sign-in for Docker Desktop

View File

@@ -21,7 +21,7 @@ After youve completed the SSO configuration process in Docker, you can test t
>**Important**
>
> SSO has Just-in-Time (JIT) provisioning enabled by default, unless you have [disabled it](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization on Docker Hub.
> SSO has Just-in-Time (JIT) provisioning enabled by default, unless you have [disabled it](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization on Docker Hub.
>
> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
>
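Review bot: "unless you have disabled it" at L588 hides a precondition the reader has not met at this step: per the Beta callouts (L454, L510) JIT can only be disabled from the Admin Console with SCIM enabled, and L596 tells the reader SCIM is still to be set up. Say "unless you have SCIM enabled and have disabled JIT in the Admin Console" so nobody goes looking for a switch that does not exist yet.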
@@ -29,7 +29,7 @@ After youve completed the SSO configuration process in Docker, you can test t
> - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
{ .important}
The SSO connection is now created. You can continue to set up SCIM without enforcing SSO log-in. For more information about setting up SCIM, see [Set up SCIM](/security/for-admins/scim/).
The SSO connection is now created. You can continue to set up SCIM without enforcing SSO log-in. For more information about setting up SCIM, see [Set up SCIM](/security/for-admins/provisioning/scim/).
## Optional: Enforce SSO

View File

@@ -57,7 +57,7 @@ To remove a user:
> **Beta feature**
>
> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and SCIM is enabled. With this feature, you have the option to disable JIT provisioning. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
> Optional Just-in-Time (JIT) provisioning is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and SCIM is enabled. With this feature, you have the option to disable JIT provisioning. See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled).
{ .experimental }
{{ $provisioning_steps }}

View File

@@ -4,7 +4,7 @@
{{ $remove_button := "**Remove member**" }}
{{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
{{ $update_role := "Select the role you want to assign, then select **Save**." }}
{{ $role_mapping_link := "[SCIM for role mapping](/security/for-admins/scim/)" }}
{{ $role_mapping_link := "[SCIM for role mapping](/security/for-admins/provisioning/scim/)" }}
{{ $export_fields := `The CSV file for an organization contains the following fields:
* **Name**: The user's name.
* **Username**: The user's Docker ID.
@@ -21,7 +21,7 @@
{{ $member_navigation = "Select your organization in the left navigation drop-down menu, and then select **Members**." }}
{{ $remove_button = "**Remove member**" }}
{{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
{{ $role_mapping_link = "[SCIM for role mapping](/security/for-admins/scim/)" }}
{{ $role_mapping_link = "[SCIM for role mapping](/security/for-admins/provisioning/scim/)" }}
{{ if eq (.Get "layer") "company" }}
{{ $export_fields = `The CSV file for a company contains the following fields:
* **Name**: The user's name.
@@ -33,7 +33,7 @@
{{ $member_navigation = "Select your company in the left navigation drop-down menu, and then select **Users**." }}
{{ $remove_button = "**Remove user**" }}
{{ $update_role = "Select their organization, select the role you want to assign, and then select **Save**." }}
{{ $role_mapping_link = "[SCIM for role mapping](/security/for-admins/scim/)"}}
{{ $role_mapping_link = "[SCIM for role mapping](/security/for-admins/provisioning/scim/)"}}
{{ end }}
{{ end }}
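Review bot: `$role_mapping_link` is assigned the identical string in the default, `admin` and `company` branches (L616, L625, L634); a single assignment at the top suffices. While touching it, the link text is "SCIM for role mapping" but the target is the page root; point it at `/security/for-admins/provisioning/scim/#set-up-role-mapping`, the anchor L500 already uses for the same purpose.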