centersl/docker-docs
1
0
Fork 0
mirror of https://github.com/docker/docs.git synced 2026-03-27 14:28:47 +07:00
Code Issues Packages Projects Releases Wiki Activity

Refresh admin and security FAQ pages (#20084)

Browse Source 
* refresh admin and security pages

* clean up sso faqs

* edits

* vale fixes

* vale fixes and edit

* implement feedback
This commit is contained in:
Stephanie Aurelio
2024-05-29 08:40:23 -07:00
committed by GitHub
parent dcdab79a6a
commit da58f6c5a6
16 changed files with 73 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.github/vale/config/vocabularies/Docker/accept.txt vendored
View File

@@ -109,6 +109,7 @@ Syft
Sysdig
TCP
TLS
TXT
UDP
URLs?
Ubuntu

4
content/admin/company/_index.md
View File

@@ -1,7 +1,7 @@
---
description: Learn about managing companies in Docker including how they relate to organizations, their key features, and more
description: Learn how to manage multiple organizations using companies, including managing users, owners, and security.
keywords: company, multiple organizations, manage companies
title: Overview
title: Company overview
grid:
- title: Create a company
description: Get started by learning how to create a company.

2
content/admin/company/new-company.md
View File

@@ -1,6 +1,6 @@
---
title: Create a company
description: Learn how to create a company.
description: Learn how to create a company to centrally manage multiple organizations.
keywords: company, hub, organization, company owner, Admin Console, company management
aliases:
- /docker-hub/new-company/

2
content/admin/company/owners.md
View File

@@ -1,5 +1,5 @@
---
description: Learn about company owners.
description: Learn how to add and remove company owners.
keywords: company, owners
title: Manage company owners
aliases:

6
content/admin/faqs/company-faqs.md
View File

@@ -30,11 +30,11 @@ You can add a maximum of 10 company owners to a single company account.
### What permissions does the company owner have in the associated/nested organizations?
Company owners can navigate to the **Organizations** page to view all their nested organizations in a single location. They can also view or edit organization members and change SSO and SCIM settings. Changes to company settings impact all users in each organization under the company. See [Roles and permissions](../../security/for-admins/roles-and-permissions.md).
Company owners can navigate to the **Organizations** page to view all their nested organizations in a single location. They can also view or edit organization members and change single sign-on (SSO) and System for Cross-domain Identity Management (SCIM) settings. Changes to company settings impact all users in each organization under the company. See [Roles and permissions](../../security/for-admins/roles-and-permissions.md).
### What features are supported at the company level?
You can manage domain verification, Single Sign-on, and System for Cross-domain Identity Management (SCIM) at the company level. The following features aren't supported at the company level, but you can manage them at the organization level:
You can manage domain verification, SSO, and SCIM at the company level. The following features aren't supported at the company level, but you can manage them at the organization level:
- Image Access Management
- Registry Access Management
@@ -59,7 +59,7 @@ See your [SCIM](scim.md) and [SSO](../../security/for-admins/single-sign-on/conf
### How does a company owner enable group mapping in an IdP?
See [SCIM](scim.md) and [Group mapping](../../security/for-admins/provisioning/group-mapping.md) for more information.
See [SCIM](scim.md) and [group mapping](../../security/for-admins/provisioning/group-mapping.md) for more information.
### What's the definition of a company vs an organization?

4
content/admin/faqs/general-faqs.md
View File

@@ -14,7 +14,7 @@ aliases:
A Docker ID is a username for your Docker account that lets you access Docker products. All you need is an email address to create a Docker ID, or you can sign up with your Google or GitHub account. Your Docker ID must be between 4 and 30 characters long, and can only contain
numbers and lowercase letters. You can't use any special characters or spaces.
For more information, see [Docker ID](../../docker-id/index.md). If your administrator enforces [Single sign-on (SSO)](../../security/for-admins/single-sign-on/index.md), this provisions a Docker ID for new users.
For more information, see [Docker ID](../../docker-id/index.md). If your administrator enforces [single sign-on (SSO)](../../security/for-admins/single-sign-on/index.md), this provisions a Docker ID for new users.
Developers may have multiple Docker IDs in order to separate their Docker IDs associated with an organization with a Docker Business or Team subscription, and their personal use Docker IDs.
@@ -28,7 +28,7 @@ An organization in Docker is a collection of teams and repositories that are man
### What's an organization name or namespace?
The organization name, sometimes referred to as the organization namespace or the org ID, is the unique identifier of a Docker organization. The organization name can't be the same as an existing Docker ID.
The organization name, sometimes referred to as the organization namespace or the organization ID, is the unique identifier of a Docker organization. The organization name can't be the same as an existing Docker ID.
### What are roles?

8
content/admin/faqs/organization-faqs.md
View File

@@ -12,10 +12,6 @@ aliases:
All Docker IDs are first-come, first-served except for companies that have a US Trademark on a username. If you have a trademark for your namespace, [Docker Support](https://hub.docker.com/support/contact/) can retrieve the Docker ID for you.
### What if I want to create more than 3 organizations?
You can create multiple organizations or multiple teams under a single company. SSO is available at the company level.
### How do I add an organization owner?
An existing owner can add additional team members as organization owners. You can [invite a member](../../admin/organization/members.md#invite-members) and assign them the owner role in Docker Hub or the Docker Admin Console.
@@ -26,7 +22,7 @@ If your organization uses a Software Asset Management tool, you can use it to fi
### Do users first need to authenticate with Docker before an owner can add them to an organization?
No. Organization owners can invite users through email and also choose a team for them to join within the invite.
No. Organization owners can invite users with their email address, and also assign them to a team during the invite process.
### Can I force my organization's members to authenticate before using Docker Desktop and are there any benefits?
@@ -50,7 +46,7 @@ revert it to a personal user account. For prerequisites and instructions, see
There isn't any automatic notification when the total number of users for the requested licenses has been met. However, if the number of team
members exceed the number of licenses, you will receive an error informing you
to contact the administrator due to lack of seats.
to contact the administrator due to lack of seats. You can [add seats](/subscription/core-subscription/add-seats/) if needed.
### How can I merge organization accounts?

22
content/security/faqs/single-sign-on/domain-faqs.md
View File

@@ -1,6 +1,6 @@
---
description: Single Sign-on domain FAQs
keywords: Docker, Docker Hub, SSO FAQs, single sign-on, domains, domain verification
description: Single sign-on domain FAQs
keywords: Docker, Docker Hub, SSO FAQs, single sign-on, domains, domain verification, domain management
title: Domains
tags: [FAQ]
aliases:
@@ -10,24 +10,16 @@ aliases:
### Can I add sub-domains?
Yes, you can add sub-domains to your SSO, however all email addresses should also be on that domain. Verify that your DNS provider supports multiple TXT records for the same domain.
Yes, you can add sub-domains to your SSO connection, however all email addresses should also be on that domain. Verify that your DNS provider supports multiple TXT records for the same domain.
### Can the DNS provider configure it once for one-time verification and remove it later or will it be needed permanently?
You can do it one time to add it to a connection. If your organization ever changes IdPs and has to set up SSO again, your DNS provider will need to verify again.
You can do it one time to add the domain to a connection. If your organization ever changes IdPs and has to set up SSO again, your DNS provider will need to verify again.
### Is adding domain required to configure SSO? What domains should I be adding? And how do I add it?
Adding and verifying a domain is required to enable and enforce SSO. Select **Add Domain** and specify the email domains that are allowed to authenticate through your server. This should include all email domains users will use to access Docker. Public domains are not permitted, such as gmail.com, outlook.com, etc. Also, the email domain should be set as the primary email.
Adding and verifying a domain is required to enable and enforce SSO. See [Step one: Add and verify your domain](/security/for-admins/single-sign-on/configure/#step-one-add-and-verify-your-domain) to learn how to specify the email domains that are allowed to authenticate through your server. This should include all email domains users will use to access Docker. Public domains, for example `gmail.com` or `outlook.com`, are not permitted. Also, the email domain should be set as the primary email.
### If users are using their personal email, do they have to convert to using the organization's domain before they can be invited to join an organization? Is this just a quick change in their Hub account?
### Is IdP-initiated authentication supported?
No, they don't. Though they can add multiple emails to a Docker ID if they choose to. However, they can only use that email address once across Docker. The other thing to note is that (as of January 2022) SSO doesn't work for multi domains as an MVP and it doesn't work for personal emails either.
### Since Docker ID is tracked from SAML, at what point is the login required to be tracked from SAML? Runtime or install time?
Runtime for Docker Desktop if they configure Docker Desktop to require authentication to their org.
### Do you support IdP-initiated authentication (e.g., Okta tile support)?
We don't support IdP-initiated authentication. Users must initiate login through Docker Desktop or Hub.
IdP-initiated authentication isn't supported by Docker SSO. Users must initiate sign-in through Docker Desktop or Hub.

29
content/security/faqs/single-sign-on/enforcement-faqs.md
View File

@@ -1,5 +1,5 @@
---
description: Single Sign-on enforcement FAQs
description: Single sign-on enforcement FAQs
keywords: Docker, Docker Hub, SSO FAQs, single sign-on, enforce SSO, SSO enforcement
title: Enforcement
tags: [FAQ]
@@ -28,17 +28,13 @@ Yes. When SSO is enforced, you can access the Docker CLI through Personal Access
Before enforcing SSO, you must create PATs for automation systems and CI/CD pipelines and use the tokens instead of a password.
### I have a user working on projects within Docker Desktop but authenticated with personal or no email. After they buy Docker Business licenses, they will implement and enforce SSO through Okta to manage their users. When this user signs on SSO, is their work on DD compromised/impacted with the migration to the new account?
### What can organization users who authenticated with personal emails prior to enforcement expect?
If they already have their organization email on their account, then it will be migrated to SSO.
### If an organization enables SSO, the owners can control Docker IDs associated with their work email domain. Some of these Docker IDs won't be users of Docker Desktop and therefore don't require a Business subscription. Can the owners choose which Docker IDs they add to their Docker org and get access to Business features? Is there a way to flag which of these Docker IDs are Docker Desktop users?
SSO enforcement will apply to any domain email user, and automatically add that user to the Docker Hub org that enables enforcement. The admin could remove users from the org manually, but those users wouldn't be able to authenticate if SSO is enforced.
Ensure your users have their organization email on their account, so that the accounts will be migrated to SSO for authentication.
### Can I enable SSO and hold off on the enforcement option?
Yes, you can choose to not enforce, and users have the option to use either Docker ID (standard email/password) or email address (SSO) at the sign-in screen.
Yes, you can choose to not enforce, and users have the option to use either Docker ID (standard email and password) or domain-verified email address (SSO) at the sign-in screen.
### SSO is enforced, but one of our users is connected to several organizations (and several email addresses) and is able to bypass SSO and sign in through username and password. Why is this happening?
@@ -50,19 +46,22 @@ Yes, you can create a test organization. Companies can set up a new 5 seat Busin
### Once we enable SSO for Docker Desktop, what's the impact to the flow for Build systems that use service accounts?
If you enable SSO, there is no impact for now. We'll continue to support either username/password or personal access token sign-in.
If you enable SSO, there is no impact. Both username/password or personal access token sign-in are supported.
However, if you enforce SSO:
* Service Account domain email addresses must be unaliased and enabled in their IdP
* Username/password and personal access token will still work (but only if they exist, which they won't for new accounts)
* Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token for that service account.
- Service Account domain email addresses must not be aliased and must be enabled in their IdP
- Username/password and personal access token will still work (but only if they exist, which they won't for new accounts)
- Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token for that service account.
### Is enforcing Single Sign-On the same as enforcing sign-in to Docker Desktop?
### Is the sign in required tracking at runtime or install time?
No. They are different features that you can use separately or together.
At runtime for Docker Desktop if its configured to require authentication to the organization.
### What is enforcing SSO versus enforcing sign-in?
Enforcing SSO and enforcing sign-in to Docker Desktop are different features that you can use separately or together.
Enforcing SSO ensures that users sign in using their SSO credentials instead of their Docker ID. One of the benefits is that SSO enables you to better manage user credentials.
Enforcing sign-in to Docker Desktop ensures that users always sign in to an
account that's a member of your organization. The benefits are that your organization's security settings are always applied to the user's session and your users always receive the benefits of your subscription. For more details, see [Enforce sign-in for Desktop](../../../security/for-admins/configure-sign-in.md).

19
content/security/faqs/single-sign-on/faqs.md
View File

@@ -1,20 +1,23 @@
---
description: Single Sign-on FAQs
description: Single sign-on FAQs
keywords: Docker, Docker Hub, SSO FAQs, single sign-on, administration, security
title: General FAQs on SSO
tags: [FAQ]
aliases:
- /single-sign-on/faqs/
- /faq/security/single-sign-on/faqs/
- /single-sign-on/saml-faqs/
- /faq/security/single-sign-on/saml-faqs/
- /security/faqs/single-sign-on/saml-faqs/
---
### Is Docker SSO available for all paid subscriptions?
Docker Single Sign-on (SSO) is only available with the Docker Business subscription. Upgrade your existing subscription to start using Docker SSO.
Docker single sign-on (SSO) is only available with the Docker Business subscription. [Upgrade your existing subscription](/subscription/core-subscription/upgrade/) to start using Docker SSO.
### How does Docker SSO work?
Docker Single Sign-on (SSO) lets users to authenticate using their identity providers (IdPs) to access Docker. Docker supports Entra ID (formerly Azure AD) and any SAML 2.0 identity providers. When you enable SSO, this redirects users to your providers authentication page to authenticate using their email and password.
Docker SSO lets users authenticate using their identity providers (IdPs) to access Docker. Docker supports Entra ID (formerly Azure AD) and any SAML 2.0 identity providers. When you enable SSO, this redirects users to your providers authentication page to authenticate using their email and password.
### What SSO flows does Docker support?
@@ -34,4 +37,12 @@ Yes, all users in your organization must upgrade to Docker Desktop version 4.4.2
### Can I retain my Docker ID when using SSO?
For a personal Docker ID, a user is the account owner. A Docker ID is associated with access to the user's repositories, images, assets. An end user can choose to have a company domain email on the Docker account. When enforcing SSO, the account is connected to the organization account. When enforcing SSO for an organization(s) or company, any user logging in without an existing account using verified company domain email will automatically have an account provisioned, and a new Docker ID created.
For a personal Docker ID, a user is the account owner. A Docker ID is associated with access to the user's repositories, images, assets. A user can choose to have a company domain email on the Docker account. When enforcing SSO, the account is connected to the organization account. When enforcing SSO for an organization(s) or company, any user logging in without an existing account using verified company domain email will automatically have an account provisioned, and a new Docker ID created.
### Does SAML authentication require additional attributes?
You must provide an email address as an attribute to authenticate through SAML. The Name attribute is optional.
### Does the application recognize the NameID/Unique Identifier in the `SAMLResponse` subject?
The preferred format is your email address, which should also be your Name ID.

22
content/security/faqs/single-sign-on/idp-faqs.md
View File

@@ -1,5 +1,5 @@
---
description: Single Sign-on IdP FAQs
description: Single sign-on IdP FAQs
keywords: Docker, Docker Hub, SSO FAQs, single sign-on, IdP
title: Identity providers
tags: [FAQ]
@@ -14,7 +14,7 @@ No. You can only configure Docker SSO to work with a single IdP. A domain can on
### Is it possible to change my identity provider after configuring SSO?
Yes. You must delete your existing IdP configuration in Docker Hub and follow the instructions to Configure SSO using your IdP. If you had already turned on enforcement, you should turn off enforcement before updating the provider SSO connection.
Yes. You must delete your existing IdP configuration in your Docker SSO connection and then [configure SSO using your new IdP](/security/for-admins/single-sign-on/configure/configure-idp/). If you had already turned on enforcement, you should turn off enforcement before updating the provider SSO connection.
### What information do I need from my identity provider to configure SSO?
@@ -26,21 +26,17 @@ To enable SSO in Docker, you need the following from your IdP:
### What happens if my existing certificate expires?
If your existing certificate has expired, you may need to contact your identity provider to retrieve a new x509 certificate. Then, you need to update the certificate in the SSO configuration settings page on Docker Hub.
If your existing certificate has expired, you may need to contact your identity provider to retrieve a new X.509 certificate. Then, you need to update the certificate in the [SSO configuration settings](/security/for-admins/single-sign-on/manage/#manage-sso-connections) in Docker Hub or Docker Admin Console.
### What happens if my IdP goes down when SSO is enabled?
It's not possible to access Docker Hub when your IdP is down. However, you can access Docker Hub images from the CLI using your Personal Access Token. Or, if you had an existing account before the SSO enforcement, you can use your username and password to access Docker Hub images during the grace period for your organization.
### What happens when I turn off SSO for my organization(s) or company?
When you turn off SSO, authentication through your Identity Provider isn't required to access Docker. Users may continue to sign in through Single Sign-on as well as Docker ID and password.
### How do I handle accounts using Docker Hub as a secondary registry? Do I need a bot account?
You can add a bot account to your IDP and create an access token for it to replace the other credentials.
You can add a bot account to your IdP and create an access token for it to replace the other credentials.
### Build agents - For customers using SSO, do they need to create a bot account to fill a seat within the dockerorg?
### Does a bot account need a seat to access an organization using SSO?
Yes, bot accounts need a seat, similar to a regular end user, having a non-aliased domain email enabled in the IdP and using a seat in Hub.
@@ -51,16 +47,16 @@ Yes, bot accounts need a seat, similar to a regular end user, having a non-alias
> Optional Just-in-Time (JIT) provisioning configuration is available in [beta](/release-lifecycle/#beta) when you use the Admin Console and enable SCIM. Otherwise, JIT is enabled by default.
{ .experimental }
The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT if you prefer not to auto-provision users, or if you opt for auto-provisioning using SCIM.
The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT if you prefer not to auto-provision users, or if you opt for auto-provisioning using SCIM. See [Just-in-Time provisioning](/security/for-admins/provisioning/just-in-time/).
### Will there be IdP-initiated logins?
### Is IdP-initiated sign-in available?
We currently don't have any plans to enable IdP-initiated logins.
Docker SSO doesn't support IdP-initiated sign-in, only Service Provider Initiated (SP-initiated) sign-in.
### Is it possible to connect Docker Hub directly with a Microsoft Entra (formerly Azure AD) group?
Yes, Entra ID (formerly Azure AD) is supported with SSO for Docker Business, both through a direct integration and through SAML.
### My SSO connection with Entra ID (formerly Azure AD) isn't working and I receive an error that the application is misconfigured. How can I troubleshoot this?
### My SSO connection with Entra ID isn't working and I receive an error that the application is misconfigured. How can I troubleshoot this?
Confirm that you've configured the necessary API permissions in Entra ID (formerly Azure AD) for your SSO connection. You need to grant admin consent within your Entra ID (formerly Azure AD) tenant. See [Entra ID (formerly Azure AD) documentation](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal#grant-admin-consent-in-app-registrations).

25
content/security/faqs/single-sign-on/saml-faqs.md
View File

@@ -1,25 +0,0 @@
---
description: Single Sign-on SAML FAQs
keywords: Docker, Docker Hub, SSO FAQs, single sign-on, SAML
title: SAML
tags: [FAQ]
aliases:
- /single-sign-on/saml-faqs/
- /faq/security/single-sign-on/saml-faqs/
---
### Does SAML authentication require additional attributes?
You must provide an email address as an attribute to authenticate through SAML. The Name attribute is optional.
### Does the application recognize the NameID/Unique Identifier in the SAMLResponse subject?
The preferred format is your email address, which should also be your Name ID.
### When you enforce SAML SSO, at what stage is the login required for tracking through SAML? At runtime or install time?
At runtime for Docker Desktop if its configured to require authentication to the organization.
### Do you have any information on how to use the Docker Desktop application in accordance with the SSO users we provide? How can we verify that we're handling the licensing correctly?
Verify that your users have downloaded the latest version of Docker Desktop. An enhancement in user management observability and capabilities will become available in the future.

30
content/security/faqs/single-sign-on/users-faqs.md
View File

@@ -1,5 +1,5 @@
---
description: Single Sign-on user management FAQs
description: Single sign-on user management FAQs
keywords: Docker, Docker Hub, SSO FAQs, single sign-on
title: Manage users
tags: [FAQ]
@@ -10,11 +10,11 @@ aliases:
### How do I manage users when using SSO?
You can manage users through organizations in Docker Hub. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
You can manage users through organizations in Docker Hub or Admin Console. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
### Do I need to manually add users to my organization?
No, you dont need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker Hub, they're automatically assigned to the organization using their domain email address.
No, you dont need to manually add users to your organization in Docker or Admin Console. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker, they're automatically assigned to the organization using their domain email address.
When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
@@ -22,11 +22,11 @@ When a user signs in to Docker for the first time using their domain email addre
During the SSO setup, youll have to specify the company email domains that are allowed to authenticate. All users in your organization must authenticate using the email domain specified during SSO setup. Some of your users may want to maintain a different account for their personal projects.
Users with a public domain email address will be added as guests.
If SSO isn't enforced, users with an email address that doesn't match the verified email domain can sign in with username and password to join the organization as guests.
### Can Docker org owners/admins/company owners approve users to an organization and use a seat, rather than having them automatically added when SSO is enabled?
### Can Docker organization and company owners approve users to join an organization and use a seat, rather than having them automatically added when SSO is enabled?
Admins, organization owners, and company owners can approve users by configuring their permissions through their IdP. If the user account is configured in the IdP, the user will be automatically added to the organization in Docker Hub as long as theres an available seat.
Organization owners and company owners can approve users by configuring their permissions through their IdP. If the user account is configured in the IdP, the user will be automatically added to the organization in Docker Hub as long as theres an available seat.
### How will users be made aware that they're being made a part of a Docker organization?
@@ -36,11 +36,11 @@ If users attempt to sign in through the CLI, they must authenticate using a pers
### Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their companys domain?
Yes. Admins can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../../../security/for-admins/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file.
Yes. Administrators can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../../../security/for-admins/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file.
Once SSO enforcement is set up on their Docker Business organization or company on Hub, when the user is forced to authenticate with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password).
Users may still be able to authenticate as a "guest" account using a non-domain email address. However, they can only authenticate as guests if that non-domain email was invited.
Users may still be able to authenticate as a guest account using an email address that doesn't match the verified domain. However, they can only authenticate as guests if that non-domain email was invited.
### Is it possible to convert existing users from non-SSO to SSO accounts?
@@ -55,7 +55,7 @@ For detailed prerequisites and instructions on how to enable SSO, see [Configure
### What impact can users expect once we start onboarding them to SSO accounts?
When SSO is enabled and enforced, your users just have to sign in using the email address and password.
When SSO is enabled and enforced, your users just have to sign in using the verified domain email address.
### Is Docker SSO fully synced with the IdP?
@@ -64,7 +64,7 @@ When SSO is enabled and enforced, your users just have to sign in using the emai
> Optional Just-in-Time (JIT) provisioning configuration is available in [beta](/release-lifecycle/#beta) when you use the Admin Console. Otherwise, JIT is enabled by default.
{ .experimental }
Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization.
Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization.
[SCIM](../../../security/for-admins/provisioning/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM.
@@ -85,11 +85,7 @@ To auto-provision users without JIT provisioning, you can use [SCIM](/security/f
### What's the best way to provision the Docker subscription without SSO?
Company or organization owners can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already).
### If we add a user manually for the first time, can I register in the dashboard and will the user get an invitation link through email?
Yes, if you add the user via email address to an org, they will receive an email invite. If invited through Docker ID as an existing user instead, they'll be added to the organization automatically. A new invite flow will occur in the near future that will require an email invite (so the user can choose to opt out). If the org later sets up SSO for their domain, the user will automatically be added to the domain SSO org the next time they sign and SSO authentication is required.
Company or organization owners can invite users through Docker Hub or Admin Console, by email address (for any user) or by Docker ID (assuming the user has an existing Docker account).
### Can someone join an organization without an invitation? Is it possible to add specific users to an organization with existing email accounts?
@@ -103,9 +99,9 @@ Yes, the existing user account will join the organization with all assets retain
We only support one email per user on the Docker platform.
### How can I remove invitees to the org who haven't signed in?
### How can I remove invitees to the organization who haven't signed in?
You can go to the invitee list in the org view and remove them.
You can go to the **Members** page for your organization in Docker Hub or Admin Console, view pending invites, and remove invitees as needed.
### Is the flow for service account authentication different from a UI user account?

2
content/subscription/core-subscription/add-seats.md
View File

@@ -28,7 +28,7 @@ When you add seats to your subscription in the middle of your billing cycle, you
5. Select **Purchase** to confirm.
The **Billing** tab displays the new number of seats.
6. Navigate to the **Members** tab to add new members. For more information, see [Add a member to a team](../../admin/organization/members.md#add-a-member-to-a-team).
6. Navigate to the **Members** tab to add new members. For more information, see [Manage organization members](../../admin/organization/members.md).
## Volume pricing

2
data/toc.yaml
View File

@@ -2220,8 +2220,6 @@ Manuals:
section:
- path: /security/faqs/single-sign-on/faqs/
title: General
- path: /security/faqs/single-sign-on/saml-faqs/
title: SAML
- path: /security/faqs/single-sign-on/idp-faqs/
title: Identity providers
- path: /security/faqs/single-sign-on/domain-faqs/

4
layouts/shortcodes/admin-org-onboarding.md
View File

@@ -1,4 +1,4 @@
Onboarding your organization allows you to gain visibility into the activity of your users and enforce security settings. In addition, members of your organization receive increased pull limits and other organization wide benefits. For more details, see [Docker subscriptions and features](/subscription/details/).
Onboarding your organization allows you to gain visibility into the activity of your users and enforce security settings. In addition, members of your organization receive increased pull limits and other organization wide benefits. For more details, see [Docker subscriptions and features](/subscription/core-subscription/details/).
In this guide, you'll learn how to get started with the following:
@@ -14,7 +14,7 @@ Before you start to onboard your organization, ensure that you:
> **Note**
>
> When purchasing a subscription through [Pricing & Subscriptions](https://www.docker.com/pricing/), the on-screen instructions guide you through creating an organization. If you have purchased a subscription through Docker Sales and you have not yet created an organization, see [Create an organization](/admin/organization/orgs).
> When purchasing a self-serve subscription, the on-screen instructions guide you through creating an organization. If you have purchased a subscription through Docker Sales and you have not yet created an organization, see [Create an organization](/admin/organization/orgs).
- Familiarize yourself with Docker concepts and terminology in the [glossary](/glossary/) and [FAQs](/faq/admin/general-faqs/).