Merge pull request #21211 from sarahsanders-docker/ENGDOCS-2264
Update Configure and Connect SSO docs
sarahsanders-docker authored Oct 24, 2024
2 parents 3c72928 + 07d6ce0 commit d126656
Showing 13 changed files with 284 additions and 286 deletions.
4 changes: 2 additions & 2 deletions content/manuals/admin/organization/insights.md
Expand Up @@ -7,7 +7,7 @@ title: Insights
> [!NOTE]
> Insights requires a [Docker Business
> subscription](/subscription/core-subscription/details/#docker-business) and
> administrators must [enforce sign-in](/security/for-admins/enforce-sign-in/)
> administrators must [enforce sign-in](/manuals/security/for-admins/enforce-sign-in/_index.md)
> to ensure that users sign in with an account associated with their
> organization.
Expand Down Expand Up @@ -64,7 +64,7 @@ The chart contains the following data.
|:-----------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Total active users | The number of users that have actively used Docker Desktop and either signed in with a Docker account that has a license in your organization or signed in to a Docker account with an email address from a domain associated with your organization. <br><br>Users who don’t sign in to an account associated with your organization are not represented in the data. To ensure users sign in with an account associated with your organization, you can [enforce sign-in](/security/for-admins/enforce-sign-in/). |
| Active with license | The number of users that have actively used Docker Desktop and have signed in to a Docker account with a license in your organization. |
| Active without license | The number of users that have actively used Docker Desktop, are linked to a Docker account with an email address from a domain associated with your organization, and don’t have a license assigned to their account. <br><br>Users without a license don’t receive the benefits of your subscription. You can use [domain audit](/security/for-admins/domain-audit/) to identify users without a license. You can also use [Just-in-Time provisioning](/security/for-admins/provisioning/just-in-time/) or [SCIM](/security/for-admins/provisioning/scim/) to help automatically provision users with a license. Note that when SSO is configured and [enforced](/security/for-admins/single-sign-on/connect/#optional-enforce-sso), active without license will be 0. |
| Active without license | The number of users that have actively used Docker Desktop, are linked to a Docker account with an email address from a domain associated with your organization, and don’t have a license assigned to their account. <br><br>Users without a license don’t receive the benefits of your subscription. You can use [domain audit](/security/for-admins/domain-audit/) to identify users without a license. You can also use [Just-in-Time provisioning](/security/for-admins/provisioning/just-in-time/) or [SCIM](/security/for-admins/provisioning/scim/) to help automatically provision users with a license. Note that when SSO is configured and enforced, active without license will be 0. |
| Users opted out of analytics | The number of users that are a member of your organization that have opted out of sending analytics. <br><br>When users opt out of sending analytics, you won't see any of their data in Insights. To ensure that the data includes all users, you can use [Settings Management](/desktop/hardened-desktop/settings-management/) to set `analyticsEnabled` for all your users. |
| Active users (graph) | The view over time for total active users. |

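Review bot: the "Active without license" row now says "when SSO is configured and enforced, active without license will be 0" with no link on "enforced", so the reader is told that enforcement zeroes this count but no longer where enforcement is configured. Since the `#optional-enforce-sso` anchor is going away, point the word at the connect page instead, e.g. `[enforced](/manuals/security/for-admins/single-sign-on/connect.md)`, matching the `/manuals/...` form used in the first hunk of this file. In the same table, the "Total active users" row still links `[enforce sign-in](/security/for-admins/enforce-sign-in/)` in the legacy form while the note at the top of the file was converted to `/manuals/security/for-admins/enforce-sign-in/_index.md`; convert it in the same pass so the file is internally consistent.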
Expand Down
4 changes: 2 additions & 2 deletions content/manuals/admin/organization/onboard.md
Expand Up @@ -67,8 +67,8 @@ To add a member, invite a user and assign them the member role. For more details
Configuring SSO and SCIM is optional and only available to Docker Business subscribers. To upgrade a Docker Team subscription to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/).

You can manage your members in your identity provider and automatically provision them to your Docker organization with SSO and SCIM. See the following for more details.
- [Configure SSO](/security/for-admins/single-sign-on/) to authenticate and add members when they sign in to Docker through your identity provider.
- Optional: [Enforce SSO](/security/for-admins/single-sign-on/connect/#optional-enforce-sso) to ensure that when users sign in to Docker, they must use SSO.
- [Configure SSO](/manuals/security/for-admins/single-sign-on/configure.md) to authenticate and add members when they sign in to Docker through your identity provider.
- Optional: [Enforce SSO](/manuals/security/for-admins/single-sign-on/connect.md) to ensure that when users sign in to Docker, they must use SSO.
> [!NOTE]
>
> Enforcing single sign-on (SSO) and [Step 5: Enforce sign-in for Docker
Expand Down
Expand Up @@ -18,7 +18,7 @@ You can do it one time to add the domain to a connection. If your organization e

### Is adding domain required to configure SSO? What domains should I be adding? And how do I add it?

Adding and verifying a domain is required to enable and enforce SSO. See [Step one: Add and verify your domain](/security/for-admins/single-sign-on/configure/#step-one-add-and-verify-your-domain) to learn how to specify the email domains that are allowed to authenticate through your server. This should include all email domains users will use to access Docker. Public domains, for example `gmail.com` or `outlook.com`, are not permitted. Also, the email domain should be set as the primary email.
Adding and verifying a domain is required to enable and enforce SSO. See [Configure single sign-on](/manuals/security/for-admins/single-sign-on/configure.md) for more information. This should include all email domains users will use to access Docker. Public domains, for example `gmail.com` or `outlook.com`, are not permitted. Also, the email domain should be set as the primary email.

### Is IdP-initiated authentication supported?

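Review bot: the rewritten answer leaves "This should include all email domains users will use to access Docker" without an antecedent. In the old text "This" referred to "specify the email domains that are allowed to authenticate through your server"; now it follows a bare "for more information", so it reads as if the configure page should include the domains. Restore the subject, e.g. "The domains you add should include all email domains users will use to access Docker." The deep link does not have to be dropped either: the new configure.md in this PR has the headings "Step one: Add your domain" and "Step two: Verify your domain", so `configure.md#step-one-add-your-domain` would keep the FAQ landing on the relevant step.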
Expand Down
2 changes: 1 addition & 1 deletion content/manuals/security/faqs/single-sign-on/idp-faqs.md
Expand Up @@ -14,7 +14,7 @@ No. You can only configure Docker SSO to work with a single IdP. A domain can on

### Is it possible to change my identity provider after configuring SSO?

Yes. You must delete your existing IdP configuration in your Docker SSO connection and then [configure SSO using your new IdP](/security/for-admins/single-sign-on/configure/configure-idp/). If you had already turned on enforcement, you should turn off enforcement before updating the provider SSO connection.
Yes. You must delete your existing IdP configuration in your Docker SSO connection and then [configure SSO using your new IdP](/manuals/security/for-admins/single-sign-on/connect.md). If you had already turned on enforcement, you should turn off enforcement before updating the provider SSO connection.

### What information do I need from my identity provider to configure SSO?

Expand Down
Expand Up @@ -39,8 +39,7 @@ following occurs:

## Enforcing sign-in versus enforcing single sign-on (SSO)

[Enforcing
SSO](/security/for-admins/single-sign-on/connect#optional-enforce-sso) and
[Enforcing SSO](/manuals/security/for-admins/single-sign-on/connect.md) and
enforcing sign-in are different features. The following table provides a
description and benefits when using each feature.

Expand Down
2 changes: 1 addition & 1 deletion content/manuals/security/for-admins/provisioning/scim.md
Expand Up @@ -36,7 +36,7 @@ For additional details about supported attributes and SCIM, see [Docker Hub API

> [!IMPORTANT]
>
> SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see [SSO attributes](../single-sign-on/configure/configure-idp.md#sso-attributes).
> SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see
> [!TIP]
>
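Review bot: the IMPORTANT callout now ends mid-sentence. "To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see" is followed directly by `> [!TIP]`, because the link to `../single-sign-on/configure/configure-idp.md#sso-attributes` was removed along with that file but its lead-in was left behind. Either delete "For more information, see" or point it at wherever the SSO attributes table now lives (presumably `../single-sign-on/connect.md`, which the rest of this PR uses as the replacement for configure-idp.md). While here: the `> [!TIP]` line follows the IMPORTANT block with no blank line between them, so in GitHub-style alerts the TIP marker will render as literal text inside the IMPORTANT quote; a blank line between the two callouts fixes that.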
Expand Down
20 changes: 10 additions & 10 deletions content/manuals/security/for-admins/single-sign-on/_index.md
Expand Up @@ -12,7 +12,7 @@ weight: 10

Single sign-on (SSO) lets users access Docker by authenticating using their identity providers (IdPs). SSO is available for a whole company, and all associated organizations within that company, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/).

## How it works
## How SSO works

When you enable SSO, Docker supports a IdP-initiated SSO flow for user login. Instead of users authenticating using their Docker username and password, they are redirected to your identity provider's authentication page to sign in. Users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process.

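Review bot: the renamed "How SSO works" section keeps a sentence that contradicts itself. "Docker supports a IdP-initiated SSO flow for user login" is immediately followed by "Users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process", and a flow that the user starts at the service provider is SP-initiated, not IdP-initiated. The FAQ touched in this same PR has a dedicated "Is IdP-initiated authentication supported?" entry, so this sentence should be made to agree with that answer rather than the heading alone being edited. Also "a IdP" should be "an IdP".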
Expand All @@ -23,27 +23,27 @@ The following diagram shows how SSO operates and is managed in Docker Hub and Do
## How to set it up

SSO is configured using the following steps:
1. Configure SSO by creating and verifying a domain in Docker.
2. Create your SSO connection in Docker and your IdP.
1. [Configure SSO](../single-sign-on/configure.md) by creating and verifying a domain in Docker.
2. [Create your SSO connection](../single-sign-on/connect.md) in Docker and your IdP.
3. Cross-connect Docker and your IdP.
4. Test your connection.
5. Provision users.
6. Optional. Enforce sign-in.
7. Manage your SSO configuration.
6. Optional. [Enforce sign-in](../enforce-sign-in/_index.md).
7. [Manage your SSO configuration](../single-sign-on/manage.md).

Once your SSO configuration is complete, a first-time user can sign in to Docker Hub or Docker Desktop using their company's domain email address. Once they sign in, they are added to your company, assigned to an organization, and if necessary, assigned to a team.

## Prerequisites

Before configuring SSO, ensure you meet the following prerequisites:
* To ensure users are aware of the sign in change, you must first notify your company about the new SSO login procedures.
* Verify that your members have Docker Desktop version 4.4.2 or later installed on their machines.
* If your organization is planning to [enforce SSO](/security/for-admins/single-sign-on/connect/#optional-enforce-sso), members using the Docker CLI are required to [create a Personal Access Token (PAT)](/docker-hub/access-tokens/) to sign in. The PAT will be used instead of their username and password. Docker plans to deprecate signing in to the CLI with a password in the future, so using a PAT will be required to prevent issues with authentication. For more details see the [security announcement](/security/security-announcements/#deprecation-of-password-logins-on-cli-when-sso-enforced).
* Notify your company about the new SSO sign in procedures.
* Verify that all users have Docker Desktop version 4.4.2 or later installed.
* If your organization is planning to [enforce SSO](../enforce-sign-in/_index.md), members using the Docker CLI are required to [create a Personal Access Token (PAT)](/docker-hub/access-tokens/). The PAT will be used instead of their username and password. Docker plans to deprecate signing in to the CLI with a password in the future, so using a PAT will be required to prevent issues with authentication. For more details see the [security announcement](/security/security-announcements/#deprecation-of-password-logins-on-cli-when-sso-enforced).
* Ensure all your Docker users have a valid user on your IdP with the same email address as their Unique Primary Identifier (UPN).
* Confirm that all CI/CD pipelines have replaced their passwords with PATs.
* For your service accounts, add your additional domains or enable it in your IdP.

## What's next?

- Start [configuring SSO](configure/_index.md) in Docker
- Explore the [FAQs](../../../security/faqs/single-sign-on/faqs.md)
- Start [configuring SSO](../../for-admins/single-sign-on/configure.md) in Docker
- Explore the [FAQs](../../../security/faqs/single-sign-on/_index.md)
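Review bot: the prerequisite bullet "If your organization is planning to [enforce SSO]" now links to `../enforce-sign-in/_index.md`, but enforce-sign-in.md, changed in this same PR, opens with "Enforcing SSO and enforcing sign-in are different features." The PAT requirement in that bullet is a consequence of SSO enforcement, so the link should go to `../single-sign-on/connect.md`, as every other enforce-SSO link in this PR does. Two smaller points in the same hunk: the "What's next" link `../../for-admins/single-sign-on/configure.md` resolves, but it is written differently from `../single-sign-on/configure.md` used in the steps list a few lines above (plain `configure.md` would do for both, since they are in the same directory); and the unchanged prerequisite expands UPN as "Unique Primary Identifier", whereas UPN is the User Principal Name.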
77 changes: 77 additions & 0 deletions content/manuals/security/for-admins/single-sign-on/configure.md
@@ -0,0 +1,77 @@
---
description: Learn how to configure single sign-on for your organization or company.
keywords: configure, sso, docker hub, hub, docker admin, admin, security
title: Configure single sign-on
linkTitle: Configure
aliases:
- /docker-hub/domains/
- /docker-hub/sso-connection/
- /docker-hub/enforcing-sso/
- /single-sign-on/configure/
- /admin/company/settings/sso-configuration/
- /admin/organization/security-settings/sso-configuration/
---

Get started creating a single sign-on (SSO) connection for your organization or company. This guide walks through the steps to add and verify the domains your members use to sign in to Docker.

## Step one: Add your domain

{{< tabs >}}
{{< tab name="Admin Console" >}}

{{< include "admin-early-access.md" >}}

1. Sign in to the [Admin Console](https://admin.docker.com/).
2. Select your organization or company from the left-hand drop-down menu. Note that when an organization is part of a company, you must select the company and configure the domain for the organization at the company level.
3. Under **Security and access**, select **Domain management**.
4. Select **Add a domain**.
5. Enter your domain in the text box and select **Add domain**.
6. The pop-up modal will prompt you with steps to verify your domain. Copy the **TXT Record Value**.

{{< /tab >}}
{{< tab name="Docker Hub" >}}

1. Sign in to [Docker Hub](https://hub.docker.com/).
2. Select **Organizations** and then your organization from the list.
3. On your organization page, select **Settings** and then **Security**.
4. Select **Add a domain**.
5. Enter your domain in the text box and select **Add domain**.
6. The pop-up modal will prompt you with steps to verify your domain. Copy the **TXT Record Value**.

{{< /tab >}}
{{< /tabs >}}

## Step two: Verify your domain

Verifying your domain ensures Docker knows you own it. Domain verification is done by adding your Docker TXT Record Value to your domain host. The TXT Record Value proves ownership, which signals the Domain Name System (DNS) to add this record. It can take up to 72 hours for DNS to recognize the change. When the change is reflected in DNS, Docker will automatically check the record to confirm your ownership.

{{< tabs >}}
{{< tab name="Admin Console" >}}

{{< include "admin-early-access.md" >}}

1. Navigate to your domain host, create a new TXT record, and paste the **TXT Record Value** from Docker.
2. TXT record verification can take 72 hours. Once you have waited for TXT record verification, return to the **Domain management** page of the Admin Console and select **Verify** next to your domain name.

{{< /tab >}}
{{< tab name="Docker Hub" >}}

1. Navigate to your domain host, create a new TXT record, and paste the **TXT Record Value** from Docker.
2. TXT Record Verification can take 72 hours. Once you have waited for TXT record verification, return to the **Security** page of Docker Hub and select **Verify** next to your domain name.

{{< /tab >}}
{{< /tabs >}}

Once you have added and verified your domain, you are ready to create an SSO connection between Docker and your identity provider (IdP).

## More resources

The following videos walk through verifying your domain to create your SSO connection in Docker.

- [Video: Verify your domain for SSO with Okta](https://youtu.be/c56YECO4YP4?feature=shared&t=529)
- [Video: Verify your domain for SSO with Azure AD (OIDC)](https://youtu.be/bGquA8qR9jU?feature=shared&t=496)

## What's next?

[Connect Docker and your IdP](../single-sign-on/connect.md).

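Review bot: the explanatory paragraph under "Step two: Verify your domain" gets the causality backwards: "The TXT Record Value proves ownership, which signals the Domain Name System (DNS) to add this record." The value does not signal DNS to do anything; the admin publishes a TXT record containing the value in the zone, and Docker then looks the record up, which is what proves control of the domain, because only someone with authority over the zone can publish it. Suggest: "Domain verification is done by adding the TXT record value Docker gives you to your domain's DNS zone. Only someone who controls the zone can publish that record, so when Docker finds it in a DNS lookup, ownership is confirmed." Two related inconsistencies in the same section: the intro says "up to 72 hours" while both tab steps say "TXT record verification can take 72 hours" (use "up to" in the steps too, since it is a propagation bound, not a fixed wait), and the intro says "Docker will automatically check the record to confirm your ownership" while step 2 in both tabs has the admin return to the page and select **Verify**; say which it is.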
This file was deleted.