From 74d586b886de0038cb76c311263e95194bade1dd Mon Sep 17 00:00:00 2001 From: Sarah Sanders Date: Mon, 21 Oct 2024 13:18:09 -0700 Subject: [PATCH 1/3] Update SSO overview doc for clarity --- .../for-admins/single-sign-on/_index.md | 28 +++++++++++-------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/content/manuals/security/for-admins/single-sign-on/_index.md b/content/manuals/security/for-admins/single-sign-on/_index.md index 9495f0663d2..5d509a7024f 100644 --- a/content/manuals/security/for-admins/single-sign-on/_index.md +++ b/content/manuals/security/for-admins/single-sign-on/_index.md 
@@ -10,11 +10,11 @@ aliases: weight: 10 --- -Single sign-on (SSO) allows users to authenticate using their identity providers (IdPs) to access Docker. SSO is available for a whole company, and all associated organizations, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/). +Single sign-on (SSO) lets users access Docker by authenticating using their identity providers (IdPs). SSO is available for a whole company, and all associated organizations within that company, or an individual organization that has a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/). ## How it works -When you enable SSO, your users can't authenticate using their Docker login credentials (Docker ID and password). Docker supports Service Provider Initiated SSO flow. Instead, they are redirected to your IdP's authentication page to sign in. Your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. +When you enable SSO, Docker supports a Identity Provider Initiated SSO flow for user login. Instead of users authenticating using their Docker username and password, they are redirected to your identity provider's authentication page to sign in. Users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP. 
@@ -22,17 +22,23 @@ The following diagram shows how SSO operates and is managed in Docker Hub and Do ## How to set it up -1. Configure SSO by adding and verify your domain for your organization, then create an SSO connection with your IdP. Docker provides the Assertion Consumer Service (ACS) URL and Entity ID needed to establish a connection between your IdP server and Docker Hub. -2. Test your connection by attempting to sign in to Docker Hub using your domain email address. -3. Optionally, you can [enforce SSO](/security/for-admins/single-sign-on/connect/#optional-enforce-sso) sign-in. -4. Complete SSO enablement. A first-time user can sign in to Docker Hub using their company's domain email address. They're then added to your company, assigned to an organization, and optionally assigned to a team. +SSO is configured using the following steps: +1. Configure SSO by creating and verifying a domain in Docker. +2. Create your SSO connection in Docker and your IdP. +3. Cross-connect Docker and your IdP. +4. Test your connection. +5. Provision users. +6. Optional. Enforce sign-in. +7. Manage your SSO configuration. -## Prerequisites +Once your SSO configuration is complete, a first-time user can sign in to Docker Hub or Docker Desktop using their company's domain email address. Once they sign in, they are added to your company, assigned to an organization, and if necessary, assigned to a team. -* You must first notify your company about the new SSO login procedures. -* Verify that your members have Docker Desktop version 4.4.2, or later, installed on their machines. -* If your organization is planning to [enforce SSO](/security/for-admins/single-sign-on/connect/#optional-enforce-sso), members using the Docker CLI are required to [create a Personal Access Token (PAT)](/docker-hub/access-tokens/) to sign in instead of with a username and password. 
Docker plans to deprecate signing in to the CLI with a password in the future, so using a PAT will be required to prevent issues with authentication. For more details see the [security announcement](/security/security-announcements/#deprecation-of-password-logins-on-cli-when-sso-enforced). -* Ensure all your Docker users have a valid user on your IdP with the same email address as their Unique Primary Identifier (UPN) +## Prerequisites +Before configuring SSO, ensure you meet the following prerequisites: +* To ensure users are aware of the sign in change, you must first notify your company about the new SSO login procedures. +* Verify that your members have Docker Desktop version 4.4.2 or later installed on their machines. +* If your organization is planning to [enforce SSO](/security/for-admins/single-sign-on/connect/#optional-enforce-sso), members using the Docker CLI are required to [create a Personal Access Token (PAT)](/docker-hub/access-tokens/) to sign in. The PAT will be used instead of their username and password. Docker plans to deprecate signing in to the CLI with a password in the future, so using a PAT will be required to prevent issues with authentication. For more details see the [security announcement](/security/security-announcements/#deprecation-of-password-logins-on-cli-when-sso-enforced). +* Ensure all your Docker users have a valid user on your IdP with the same email address as their Unique Primary Identifier (UPN). * Confirm that all CI/CD pipelines have replaced their passwords with PATs. * For your service accounts, add your additional domains or enable it in your IdP. From 5e9f9cf3e46bb66a4dffb3f9cc73bb75bfb11a17 Mon Sep 17 00:00:00 2001 
From: Sarah Sanders Date: Tue, 22 Oct 2024 08:12:50 -0700 Subject: [PATCH 2/3] Update content/manuals/security/for-admins/single-sign-on/_index.md Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/manuals/security/for-admins/single-sign-on/_index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/manuals/security/for-admins/single-sign-on/_index.md b/content/manuals/security/for-admins/single-sign-on/_index.md index 5d509a7024f..a19ae2a05a0 100644 --- a/content/manuals/security/for-admins/single-sign-on/_index.md +++ b/content/manuals/security/for-admins/single-sign-on/_index.md @@ -34,6 +34,7 @@ SSO is configured using the following steps: Once your SSO configuration is complete, a first-time user can sign in to Docker Hub or Docker Desktop using their company's domain email address. Once they sign in, they are added to your company, assigned to an organization, and if necessary, assigned to a team. ## Prerequisites + Before configuring SSO, ensure you meet the following prerequisites: * To ensure users are aware of the sign in change, you must first notify your company about the new SSO login procedures. * Verify that your members have Docker Desktop version 4.4.2 or later installed on their machines. From 80f8c9f75af5a4332482de654e496a72460122ab Mon Sep 17 00:00:00 2001 From: Sarah Sanders Date: Tue, 22 Oct 2024 08:12:56 -0700 Subject: [PATCH 3/3] Update content/manuals/security/for-admins/single-sign-on/_index.md Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/manuals/security/for-admins/single-sign-on/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/security/for-admins/single-sign-on/_index.md b/content/manuals/security/for-admins/single-sign-on/_index.md index a19ae2a05a0..3975b9eb148 100644 --- a/content/manuals/security/for-admins/single-sign-on/_index.md +++ b/content/manuals/security/for-admins/single-sign-on/_index.md 
@@ -14,7 +14,7 @@ Single sign-on (SSO) lets users access Docker by authenticating using their iden ## How it works -When you enable SSO, Docker supports a Identity Provider Initiated SSO flow for user login. Instead of users authenticating using their Docker username and password, they are redirected to your identity provider's authentication page to sign in. Users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. +When you enable SSO, Docker supports a IdP-initiated SSO flow for user login. Instead of users authenticating using their Docker username and password, they are redirected to your identity provider's authentication page to sign in. Users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process. The following diagram shows how SSO operates and is managed in Docker Hub and Docker Desktop. In addition, it provides information on how to authenticate between your IdP.
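Review bot: In the "How it works" hunk of patch 1/3, the flow name changes from "Service Provider Initiated SSO flow" to "a Identity Provider Initiated SSO flow", but the sentence that follows in the same paragraph is unchanged and still says "Users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process", which is the description of an SP-initiated flow (the user starts at Docker and is redirected to the IdP). The two names describe different login sequences, so documenting the wrong one will mislead admins configuring their IdP; unless the product behaviour actually changed, keep "Service Provider (SP) initiated" so the name matches the sentence after it. Also "a Identity Provider" should read "an Identity Provider", and the unchanged context line "how to authenticate between your IdP" is missing its second party (between your IdP and what?), which is worth fixing while this paragraph is being reworked.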
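Review bot: In the "How to set it up" hunk of patch 1/3, the rewritten step list drops the only concrete configuration detail the old step 1 carried, that Docker provides the Assertion Consumer Service (ACS) URL and Entity ID needed to establish the connection between the IdP server and Docker Hub; admins need to know those two values exist to know what to copy into their IdP, so keep that sentence under step 2 or 3, or link to the page that lists them. Steps 2 ("Create your SSO connection in Docker and your IdP") and 3 ("Cross-connect Docker and your IdP") read as the same action; either merge them or say what distinguishes them. Step 6 "Optional. Enforce sign-in." lost the link to /security/for-admins/single-sign-on/connect/#optional-enforce-sso that the old step 3 had, while the Prerequisites bullet below still links to it; restore the link in the step so readers reach the enforcement page from the procedure itself. Minor: a blank line after "SSO is configured using the following steps:" would match the spacing patch 2/3 adds under "## Prerequisites".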
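Review bot: In patch 3/3, "a IdP-initiated SSO flow" still needs "an" (the abbreviation is pronounced with a leading vowel sound), and shortening the name does not resolve the mismatch with the next sentence, which says users initiate the flow by signing in to Docker Hub or Docker Desktop, i.e. an SP-initiated flow. Suggest "Docker supports a Service Provider (SP)-initiated SSO flow for user login." unless the behaviour has genuinely changed, in which case the following sentence should be rewritten in the same commit so the paragraph stays consistent.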