diff --git a/content/manuals/admin/organization/general-settings.md b/content/manuals/admin/organization/general-settings.md index 6dd0c475ac7f..d5399eca3f1f 100644 --- a/content/manuals/admin/organization/general-settings.md +++ b/content/manuals/admin/organization/general-settings.md @@ -29,7 +29,7 @@ select your organization from the top-left account drop-down. After configuring your organization information, you can: -- [Configure single sign-on (SSO)](/manuals/enterprise/security/single-sign-on/configure.md) +- [Configure single sign-on (SSO)](/manuals/enterprise/security/single-sign-on/connect.md) - [Set up SCIM provisioning](/manuals/enterprise/security/provisioning/scim.md) - [Manage domains](/manuals/enterprise/security/domain-management.md) - [Create a company](new-company.md) diff --git a/content/manuals/admin/organization/onboard.md b/content/manuals/admin/organization/onboard.md index 0d788b15f901..1d30b7f4541b 100644 --- a/content/manuals/admin/organization/onboard.md +++ b/content/manuals/admin/organization/onboard.md @@ -125,7 +125,7 @@ subscription, see [Change your subscription](/manuals/subscription/change.md). Use your identity provider (IdP) to manage members and provision them to Docker automatically via SSO and SCIM. See the following for more details: - - [Configure SSO](/manuals/enterprise/security/single-sign-on/configure.md) + - [Configure SSO](/manuals/enterprise/security/single-sign-on/connect.md) to authenticate and add members when they sign in to Docker through your identity provider. - Optional. diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/compliance-reporting.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/compliance-reporting.md index f2b5d7b8b571..97db0ff639a3 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/compliance-reporting.md 
+++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/compliance-reporting.md @@ -17,7 +17,7 @@ Desktop settings reporting tracks user compliance with Docker Desktop settings p Before you can use Docker Desktop settings reporting, make sure you have: - [Docker Desktop 4.37.1 or later](/manuals/desktop/release-notes.md) installed across your organization -- [A verified domain](/manuals/enterprise/security/single-sign-on/configure.md#step-one-add-and-verify-your-domain) +- [A verified domain](/manuals/enterprise/security/single-sign-on/connect.md) - [Enforced sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) for your organization - A Docker Business subscription - At least one settings policy configured diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md index 620b4264eae7..5d7cb6eb7941 100644 --- a/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md +++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md @@ -17,7 +17,7 @@ Use the Docker Admin Console to create and manage settings policies for Docker D Before you begin, make sure you have: - [Docker Desktop 4.37.1 or later](/manuals/desktop/release-notes.md) installed -- [A verified domain](/manuals/enterprise/security/single-sign-on/configure.md#step-one-add-and-verify-your-domain) +- [A verified domain](/manuals/enterprise/security/single-sign-on/connect.md#step-one-add-and-verify-your-domain) - [Enforced sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) for your organization - A Docker Business subscription diff --git a/content/manuals/enterprise/security/provisioning/scim.md b/content/manuals/enterprise/security/provisioning/scim.md index 330b148a98ea..390953c9fa84 100644 
--- a/content/manuals/enterprise/security/provisioning/scim.md +++ b/content/manuals/enterprise/security/provisioning/scim.md @@ -227,7 +227,7 @@ This value is required in your identity provider when creating custom SCIM attri ### Step one: Set up role mapping in Okta -1. Setup [SSO](../single-sign-on/configure/_index.md) and SCIM first. +1. Setup [SSO](../single-sign-on/connect.md) and SCIM first. 1. In the Okta admin portal, go to **Directory**, select **Profile Editor**, and then **User (Default)**. 1. Select **Add Attribute** and configure the values for the role, organization, diff --git a/content/manuals/enterprise/security/single-sign-on/FAQs/_index.md b/content/manuals/enterprise/security/single-sign-on/FAQs/_index.md index 77e521a20c5c..12795647b7b5 100644 --- a/content/manuals/enterprise/security/single-sign-on/FAQs/_index.md +++ b/content/manuals/enterprise/security/single-sign-on/FAQs/_index.md @@ -2,4 +2,5 @@ build: render: never title: FAQs +weight: 3 --- \ No newline at end of file diff --git a/content/manuals/enterprise/security/single-sign-on/FAQs/users-faqs.md b/content/manuals/enterprise/security/single-sign-on/FAQs/users-faqs.md index 83b7db65cd04..8e55d51e67db 100644 --- a/content/manuals/enterprise/security/single-sign-on/FAQs/users-faqs.md +++ b/content/manuals/enterprise/security/single-sign-on/FAQs/users-faqs.md @@ -33,7 +33,7 @@ Yes, you can convert existing users to SSO accounts. Ensure users have: - Personal access tokens created to replace passwords for CLI access - CI/CD pipelines updated to use PATs instead of passwords -For detailed instructions, see [Configure single sign-on](/manuals/enterprise/security/single-sign-on/configure.md). +For detailed instructions, see [Configure single sign-on](/manuals/enterprise/security/single-sign-on/connect.md). ## Is Docker SSO fully synced with the IdP? 
diff --git a/content/manuals/enterprise/security/single-sign-on/_index.md b/content/manuals/enterprise/security/single-sign-on/_index.md index ea92c380295f..a48866b973fa 100644 --- a/content/manuals/enterprise/security/single-sign-on/_index.md +++ b/content/manuals/enterprise/security/single-sign-on/_index.md @@ -34,7 +34,7 @@ Docker Hub, Docker Desktop, and your IdP. To configure SSO in Docker, follow these steps: -1. [Configure your domain](configure.md) by creating and verifying it. +1. [Configure your domain](connect.md) by creating and verifying it. 1. [Create your SSO connection](connect.md) in Docker and your IdP. 1. Link Docker to your identity provider. 1. Test your SSO connection. @@ -46,18 +46,6 @@ Once configuration is complete, users can sign in to Docker services using their company email address. After signing in, users are added to your company, assigned to an organization, and added to a team. -## Prerequisites - -Before you begin, make sure the following conditions are met: - -- Notify your company about the upcoming SSO sign-in process. -- Ensure all users have Docker Desktop version 4.42 or later installed. -- Confirm that each Docker user has a valid IdP account using the same -email address as their Unique Primary Identifier (UPN). -- If you plan to [enforce SSO](/manuals/enterprise/security/single-sign-on/connect.md#optional-enforce-sso), -users accessing Docker through the CLI must [create a personal access token (PAT)](/docker-hub/access-tokens/). The PAT replaces their username and password for authentication. -- Ensure CI/CD pipelines use PATs or OATs instead of passwords. - > [!IMPORTANT] > > Docker plans to deprecate CLI password-based sign-in in future releases. 
@@ -66,6 +54,6 @@ Using a PAT ensures continued CLI access. For more information, see the ## Next steps -- Start [configuring SSO](configure.md). +- Start [configuring SSO](connect.md). - Read the [FAQs](/manuals/enterprise/security/single-sign-on/faqs/general.md). - [Troubleshoot](/manuals/enterprise/troubleshoot/troubleshoot-sso.md) SSO issues. diff --git a/content/manuals/enterprise/security/single-sign-on/configure.md b/content/manuals/enterprise/security/single-sign-on/configure.md deleted file mode 100644 index cda92ecd6473..000000000000 --- a/content/manuals/enterprise/security/single-sign-on/configure.md +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -title: Configure single sign-on -linkTitle: Configure -description: Learn how to configure single sign-on for your organization or company. -keywords: configure, sso, docker hub, hub, docker admin, admin, security -aliases: - - /docker-hub/domains/ - - /docker-hub/sso-connection/ - - /docker-hub/enforcing-sso/ - - /single-sign-on/configure/ - - /admin/company/settings/sso-configuration/ - - /admin/organization/security-settings/sso-configuration/ - - /security/for-admins/single-sign-on/configure/ ---- - -{{< summary-bar feature_name="SSO" >}} - -Learn how to set up single sign-on (SSO) for your Docker organization by adding -and verifying the domains your members use to sign in. - -## Step one: Add a domain - -> [!NOTE] -> -> Docker supports multiple identity provider (IdP) configurations. You can -associate one domain with more than one IdP. - -To add a domain: - -1. Sign in to [Docker Home](https://app.docker.com) and choose your -organization. If it's part of a company, select the company first to manage -the domain at that level. -1. Select **Admin Console**, then **Domain management**. -1. Select **Add a domain**. -1. Enter your domain in the text box and select **Add domain**. -1. In the modal, copy the **TXT Record Value** provided for domain verification. - -## Step two: Verify your domain - -To confirm domain ownership, add a TXT record to your Domain Name System (DNS) -host using the TXT Record Value from Docker. DNS propagation can take up to -72 hours. Docker automatically checks for the record during this time. - -> [!TIP] -> -> When adding a record name, **use `@` or leave it empty** for root domains like `example.com`. **Avoid common values** like `docker`, `docker-verification`, `www`, or your domain name itself. Always **check your DNS provider's documentation** to verify their specific record name requirements. - -{{< tabs >}} -{{< tab name="AWS Route 53" >}} - -1. 
To add your TXT record to AWS, see [Creating records by using the Amazon Route 53 console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html). -1. Wait up to 72 hours for TXT record verification. -1. After the record is live, go to **Domain management** in the [Admin Console](https://app.docker.com/admin) and select **Verify**. - -{{< /tab >}} -{{< tab name="Google Cloud DNS" >}} - -1. To add your TXT record to Google Cloud DNS, see [Verifying your domain with a TXT record](https://cloud.google.com/identity/docs/verify-domain-txt). -1. Wait up to 72 hours for TXT record verification. -1. After the record is live, go to **Domain management** in the [Admin Console](https://app.docker.com/admin) and select **Verify**. - -{{< /tab >}} -{{< tab name="GoDaddy" >}} - -1. To add your TXT record to GoDaddy, see [Add a TXT record](https://www.godaddy.com/help/add-a-txt-record-19232). -1. Wait up to 72 hours for TXT record verification. -1. After the record is live, go to **Domain management** in the [Admin Console](https://app.docker.com/admin) and select **Verify**. - -{{< /tab >}} -{{< tab name="Other providers" >}} - -1. Sign in to your domain host. -1. Add a TXT record to your DNS settings and save the record. -1. Wait up to 72 hours for TXT record verification. -1. After the record is live, go to **Domain management** in the [Admin Console](https://app.docker.com/admin) and select **Verify**. - -{{< /tab >}} -{{< /tabs >}} - -## Next steps - -- [Connect Docker and your IdP](connect.md). -- [Troubleshoot](/manuals/enterprise/troubleshoot/troubleshoot-sso.md) SSO issues. diff --git a/content/manuals/enterprise/security/single-sign-on/connect.md b/content/manuals/enterprise/security/single-sign-on/connect.md index d8c3b46a6ff8..9b44b646a67a 100644 --- a/content/manuals/enterprise/security/single-sign-on/connect.md +++ b/content/manuals/enterprise/security/single-sign-on/connect.md 
@@ -1,120 +1,166 @@ --- -title: Connect single sign-on -linkTitle: Connect +title: Set up single sign-on +linkTitle: Set up SSO +weight: 1 description: Connect Docker and your identity provider, test the setup, and enable enforcement keywords: configure sso, set up sso, docker sso setup, docker identity provider, sso enforcement, docker hub, security aliases: - - /security/for-admins/single-sign-on/connect/ + - /security/for-admins/single-sign-on/connect/ + - /docker-hub/domains/ + - /docker-hub/sso-connection/ + - /docker-hub/enforcing-sso/ + - /single-sign-on/configure/ + - /admin/company/settings/sso-configuration/ + - /admin/organization/security-settings/sso-configuration/ + - /security/for-admins/single-sign-on/configure/ + - /enterprise/security/single-sign-on/configure --- {{< summary-bar feature_name="SSO" >}} -Setting up a single sign-on (SSO) connection involves configuring both Docker -and your identity provider (IdP). This guide walks you through setup -in Docker, setup in your IdP, and final connection. +To set up a single sign-on (SSO), you need to establish a connection between Docker +and your identity provider (IdP). While this guide +uses Okta and Microsoft Entra ID as a working example, the general process remains the same for other IdPs. + +If you're unfamiliar with the SSO process, first review the [SSO overview](/enterprise/security/single-sign-on/) doc to learn about how SSO works. + +## Prerequisites + +Docker supports any SAML 2.0 or OIDC-compatible identity provider. Before you begin, make sure the following conditions are met: + +- Notify your company about the upcoming SSO sign-in process. +- Confirm that each Docker user has a valid IdP account using the same +email address as their Unique Primary Identifier (UPN). +- Ensure CI/CD pipelines use PATs or OATs instead of passwords. + +## Set up an SSO connection + +> [!TIP] +> These procedures have you copy and paste values between Docker and your IdP. 
Complete this guide in one session with separate browser windows open for Docker and your IdP. + +### Step 1: Add a domain + +To add a domain: + +1. Sign in to [app.docker.com](https://app.docker.com), then choose your +organization. If your organization is part of a company, then select the company to manage +the domain at the company level. +1. Select **Admin Console**, then **Domain management**. +1. Select **Add a domain**. +1. Enter your domain in the text box and select **Add domain**. +1. In the modal, copy the **TXT Record Value** provided for domain verification. + +### Step 2: Verify your domain + +To confirm domain ownership, add a TXT record to your Domain Name System (DNS) +host using the TXT Record Value from Docker. DNS propagation can take up to +72 hours. Docker automatically checks for the record during this time. > [!TIP] > -> You’ll copy and paste values between Docker and your IdP. Complete this guide -in one session with separate browser windows open for Docker and your IdP. +> When adding a record name, **use `@` or leave it empty** for root domains like `example.com`. **Avoid common values** like `docker`, `docker-verification`, `www`, or your domain name itself. Always **check your DNS provider's documentation** to verify their specific record name requirements. -## Supported identity providers +{{< tabs >}} +{{< tab name="AWS Route 53" >}} -Docker supports any SAML 2.0 or OIDC-compatible identity provider. This guide -provides detailed setup instructions for the most commonly -used providers: Okta and Microsoft Entra ID. +1. To add your TXT record to AWS, see [Creating records by using the Amazon Route 53 console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html). +1. Wait up to 72 hours for TXT record verification. +1. After the record is live, go to **Domain management** in the [Admin Console](https://app.docker.com/admin) and select **Verify**. 
-If you're using a -different IdP, the general process remains the same: +{{< /tab >}} +{{< tab name="Google Cloud DNS" >}} -1. Configure the connection in Docker. -1. Set up the application in your IdP using the values from Docker. -1. Complete the connection by entering your IdP's values back into Docker. -1. Test the connection. +1. To add your TXT record to Google Cloud DNS, see [Verifying your domain with a TXT record](https://cloud.google.com/identity/docs/verify-domain-txt). +1. Wait up to 72 hours for TXT record verification. +1. After the record is live, go to **Domain management** in the [Admin Console](https://app.docker.com/admin) and select **Verify**. -## Prerequisites +{{< /tab >}} +{{< tab name="GoDaddy" >}} -Before you begin: +1. To add your TXT record to GoDaddy, see [Add a TXT record](https://www.godaddy.com/help/add-a-txt-record-19232). +1. Wait up to 72 hours for TXT record verification. +1. After the record is live, go to **Domain management** in the [Admin Console](https://app.docker.com/admin) and select **Verify**. -- Verify your domain -- Set up an account with your identity provider (IdP) -- Complete the steps in the [Configure single sign-on](configure.md) guide +{{< /tab >}} +{{< tab name="Other providers" >}} -## Step one: Create an SSO connection in Docker +1. Sign in to your domain host. +1. Add a TXT record to your DNS settings and save the record. +1. Wait up to 72 hours for TXT record verification. +1. After the record is live, go to **Domain management** in the [Admin Console](https://app.docker.com/admin) and select **Verify**. -> [!NOTE] -> -> You must [verify at least one domain](/manuals/enterprise/security/single-sign-on/configure.md) before creating an SSO connection. +{{< /tab >}} +{{< /tabs >}} -1. Sign in to [Docker Home](https://app.docker.com) and choose your -organization. -1. Select **Admin Console**, then **SSO and SCIM**. -1. Select **Create Connection** and provide a name for the connection. -1. 
Select an authentication method: **SAML** or **Azure AD (OIDC)**. -1. Copy the required values for your IdP: +### Step 3. Create an SSO connection in Docker + +1. From [app.docker.com](https://app.docker.com), choose your +organization then select **Admin Console**. Select **SSO and SCIM** from the **Security** section. +1. Select **Create Connection** and name the connection. Choose either **SAML** or **Azure AD (OIDC)** for your authentication method. +1. Copy the required values for your IdP and store these values in a text editor: - Okta SAML: **Entity ID**, **ACS URL** - Azure OIDC: **Redirect URL** -Keep this window open to paste values from your IdP later. +Keep this window open. You will use it later when you paste values from your IdP. -## Step two: Create an SSO connection in your IdP +### Step 4. Create an SSO connection in your IdP Use the following tabs based on your IdP provider. {{< tabs >}} {{< tab name="Okta SAML" >}} -1. Sign in to your Okta account and open the Admin portal. -1. Select **Administration** and then **Create App Integration**. -1. Select **SAML 2.0**, then **Next**. -1. Name your app "Docker". -1. Optional. Upload a logo. -1. Paste values from Docker: - - Docker ACS URL -> **Single Sign On URL** - - Docker Entity ID -> **Audience URI (SP Entity ID)** -1. Configure the following settings: +To enable SSO with Okta, you need [super admin](https://help.okta.com/en-us/content/topics/security/administrators-super-admin.htm) permissions for the Okta org. + +1. Open the Admin portal from your Okta account and select **Administration**. +1. Choose **Create App Integration** and select **SAML 2.0**. + - When prompted, name your app "Docker." + - You may upload a logo, but it's not required. +1. Paste the values you copied from creating an SSO connection in Docker: + - For the **Single Sign On URL** value, paste the Docker ACS URL. + - For the **Audience URI (SP Entity ID)** value, paste the Docker Entity ID. +1. 
Configure the following settings. These settings determine the primary identification method your IdP sends to Docker for verification: - Name ID format: `EmailAddress` - Application username: `Email` - Update application on: `Create and update` -1. Optional. Add SAML attributes. See [SSO attributes](/manuals/enterprise/security/provisioning/_index.md#sso-attributes). -1. Select **Next**. -1. Select the **This is an internal app that we have created** checkbox. -1. Select **Finish**. +1. Optional. Add [SAML attributes](/manuals/enterprise/security/provisioning/_index.md#sso-attributes), if required by your org. +1. Select the **This is an internal app that we have created** checkbox before finishing. {{< /tab >}} {{< tab name="Entra ID SAML 2.0" >}} -1. Sign in to Microsoft Entra (formerly Azure AD). -1. Select **Default Directory** > **Add** > **Enterprise Application**. -1. Choose **Create your own application**, name it "Docker", and choose **Non-gallery**. +To enable SSO with Microsoft Entra, you need [Cloud Application Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator) permissions. + +1. From Microsoft Entra admin center, select **Entra ID**, then go to **Enterprise apps**. Select **All applications**. +1. Choose **Create your own application** and name your app "Docker". Select **Non-gallery**. 1. After creating your app, go to **Single Sign-On** and select **SAML**. -1. Select **Edit** on the **Basic SAML configuration** section. -1. Edit **Basic SAML configuration** and paste values from Docker: - - Docker Entity ID -> **Identifier** - - Docker ACS URL -> **Reply URL** -1. Optional. Add SAML attributes. See [SSO attributes](/manuals/enterprise/security/provisioning/_index.md#sso-attributes). -1. Save the configuration. +1. Select **Edit** on the **Basic SAML configuration** section. 
From **Basic SAML configuration**, choose **Edit** and paste the values you copied from creating an SSO connection in Docker: + - For the **Identifier** value, paste the Docker Entity ID. + - For the **Reply URL** value, paste Docker ACS URL. +1. Optional. Add [SAML attributes](/manuals/enterprise/security/provisioning/_index.md#sso-attributes), if required by your org. 1. From the **SAML Signing Certificate** section, download your **Certificate (Base64)**. {{< /tab >}} -{{< tab name="Azure Connect (OIDC)" >}} +{{< tab name="Azure OpenID Connect (OIDC)" >}} + +The following procedures reproduce instructions from Microsoft Learn documentation for [configuring an app service with OIDC](https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-openid-connect#-register-your-app-with-the-oidc-identity-provider). If you're uncertain, review the official Microsoft documentation and return here for the rest of the procedures. -### Register the app +#### Register the app -1. Sign in to Microsoft Entra (formerly Azure AD). -1. Select **App Registration** > **New Registration**. +1. Sign in to [Microsoft Entra admin center](https://entra.microsoft.com/). +1. Go to **App Registration** and select **New Registration**. 1. Name the application "Docker". 1. Set account types and paste the **Redirect URI** from Docker. 1. Select **Register**. 1. Copy the **Client ID**. -### Create client secrets +#### Create client secrets 1. In your app, go to **Certificates & secrets**. 1. Select **New client secret**, describe and configure duration, then **Add**. 1. Copy the **value** of the new secret. -### Set API permissions +#### Set API permissions 1. In your app, go to **API permissions**. 1. Select **Grant admin consent** and confirm. 
@@ -125,22 +171,21 @@ Use the following tabs based on your IdP provider. {{< /tab >}} {{< /tabs >}} -## Step three: Connect Docker to your IdP +### Step 5. Connect Docker to your IdP Complete the integration by pasting your IdP values into Docker. +> [!IMPORTANT] +> When prompted to copy a certificate, copy the entire certificate starting with +> `----BEGIN CERTIFICATE----` and including the `----END CERTIFICATE----` lines. + {{< tabs >}} {{< tab name="Okta SAML" >}} 1. In Okta, select your app and go to **View SAML setup instructions**. -1. Copy the **SAML Sign-in URL** and **x509 Certificate**. - - > [!IMPORTANT] - > - > Copy the entire certificate, including `----BEGIN CERTIFICATE----` and `----END CERTIFICATE----` lines. -1. Return to the Docker Admin Console. +1. Copy the **SAML Sign-in URL** and **x509 Certificate**, then return to the Docker Admin Console. 1. Paste the **SAML Sign-in URL** and **x509 Certificate** values. -1. Optional. Select a default team. +1. Optional. Select a default team, if required by your org. 1. Review and select **Create connection**. {{< /tab >}} 
@@ -150,53 +195,51 @@ Complete the integration by pasting your IdP values into Docker. 1. Copy the following values: - From Azure AD: **Login URL** - **Certificate (Base64)** contents - - > [!IMPORTANT] - > - > Copy the entire certificate, including `----BEGIN CERTIFICATE----` and `----END CERTIFICATE----` lines. -1. Return to the Docker Admin Console. -1. Paste the **Login URL** and **Certificate (Base64)** values. -1. Optional. Select a default team. +1. Return to the Docker Admin Console, then paste the **Login URL** and **Certificate (Base64)** values. +1. Optional. Select a default team, if required by your org. 1. Review and select **Create connection**. {{< /tab >}} -{{< tab name="Azure Connect (OIDC)" >}} +{{< tab name="Azure OpenID Connect (OIDC)" >}} 1. Return to the Docker Admin Console. 1. Paste the following values: - **Client ID** - **Client Secret** - **Azure AD Domain** -1. Optional. Select a default team. +1. Optional. Select a default team, if required by your org. 1. Review and select **Create connection**. {{< /tab >}} {{< /tabs >}} -## Step four: Test the connection +### Step 6. Test the connection -1. Open an incognito browser window. -1. Sign in to the Admin Console using your **domain email address**. -1. The browser will redirect to your identity provider's sign in page to authenticate. If you have [multiple IdPs](#optional-configure-multiple-idps), choose the sign sign-in option **Continue with SSO**. -1. Authenticate through your domain email instead of using your Docker ID. +IdPs like Microsoft Entra and Okta may require that you assign a user to an application before testing SSO. 
You can review [Microsoft Entra](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-setup-sso#test-single-sign-on)'s documentation and [Okta](https://help.okta.com/wf/en-us/content/topics/workflows/connector-reference/okta/actions/assignusertoapplicationforsso.htm)'s documentation to learn how to assign yourself or other users to an app. -If you're using the CLI, you must authenticate using a personal access token. +After assigning yourself to an app: -## Optional: Configure multiple IdPs +1. Open an incognito browser window and sign in to the Admin Console using your domain email address. +1. When redirected to your IdP's sign in page, authenticate with your domain email instead of using your Docker ID. -Docker supports multiple IdP configurations. To use multiple IdPs with one domain: +If you have multiple IdPs, choose the sign-in option **Continue with SSO**. If you're using the CLI, you must authenticate using a personal access token. -- Repeat Steps 1-4 on this page for each IdP. -- Each connection must use the same domain. -- Users will select **Continue with SSO** to choose their IdP at sign in. +## Configure multiple IdPs -## Optional: Enforce SSO +Docker supports multiple identity provider (IdP) configurations by letting you associate one domain with more than one IdP. Each connection must use the same domain, which lets users choose their IdP when they select **Continue with SSO** at login. -> [!IMPORTANT] -> -> If SSO is not enforced, users can still sign in using Docker usernames and passwords. +To add multiple IdPs: + +1. Use the same domain for each connection. +1. Repeat steps 3-6 from the [Set up an SSO connection] procedures on this page. Repeat these steps for each IdP your organization intends to use. + +Because you must use the same domain for each IdP, you don't need to repeat steps 1 and 2. + +## Enforce SSO + +If SSO is not enforced, users can still sign in using Docker usernames and passwords. 
Enforcing SSO requires users to use SSO when signing into Docker, which centralizes authentication and enforces policies set by the IdP. -Enforcing SSO requires users to use SSO when signing into Docker. This centralizes authentication and enforces policies set by the IdP. +Before enforcing SSO, users accessing Docker through the CLI must [create a personal access token (PAT)](/docker-hub/access-tokens/). The PAT replaces their username and password for authentication. 1. Sign in to [Docker Home](https://app.docker.com/) and select your organization or company. @@ -205,7 +248,7 @@ your organization or company. 1. Follow the on-screen instructions. 1. Select **Turn on enforcement**. -When SSO is enforced, your users are unable to modify their email address and +When you enforce SSO, your users cannot modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. If you want to use 2FA, you must enable 2FA through your IdP. diff --git a/content/manuals/enterprise/security/single-sign-on/manage.md b/content/manuals/enterprise/security/single-sign-on/manage.md index 246119dc8377..6d042aad8e32 100644 --- a/content/manuals/enterprise/security/single-sign-on/manage.md +++ b/content/manuals/enterprise/security/single-sign-on/manage.md @@ -1,6 +1,7 @@ --- -title: Manage single sign-on -linkTitle: Manage +title: Manage SSO domains and connections +linkTitle: Manage SSO connections +weight: 2 description: Learn how to manage Single Sign-On for your organization or company. keywords: manage, single sign-on, SSO, sign-on, admin console, admin, security, domains, connections, users, provisioning aliases: diff --git a/content/manuals/enterprise/troubleshoot/troubleshoot-sso.md b/content/manuals/enterprise/troubleshoot/troubleshoot-sso.md index e26c77c7ca62..ce3b554270cd 100644 --- a/content/manuals/enterprise/troubleshoot/troubleshoot-sso.md +++ b/content/manuals/enterprise/troubleshoot/troubleshoot-sso.md 
@@ -183,7 +183,7 @@ Ensure that the IdP SSO connection is returning the correct UPN value in the ass **Add and verify all domains** -Add and verify all domains and subdomains used as UPN by your IdP and associate them with your Docker SSO connection. For details, see [Configure single sign-on](/manuals/enterprise/security/single-sign-on/configure.md). +Add and verify all domains and subdomains used as UPN by your IdP and associate them with your Docker SSO connection. For details, see [Configure single sign-on](/manuals/enterprise/security/single-sign-on/connect.md). ## Unable to find session
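Review bot: In the configure-admin-console.md hunk the retargeted link keeps the fragment `connect.md#step-one-add-and-verify-your-domain`, but the new connect.md has no heading that produces that anchor; its domain steps are `### Step 1: Add a domain` and `### Step 2: Verify your domain`, so the fragment silently fails to resolve. The compliance-reporting.md hunk in the same patch drops the fragment entirely, so two otherwise identical prerequisite lists now diverge. Suggest pointing both at `connect.md#step-1-add-a-domain`, or both at the bare page, and checking for any other `#step-one-` fragments that the old configure.md exported.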
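Review bot: In the scim.md hunk the rewritten line still reads `1. Setup [SSO](../single-sign-on/connect.md) and SCIM first.`; as a verb this should be `Set up`. Since the page being linked was also retitled from "Configure single sign-on" to "Set up single sign-on" in this patch, the link text in the general-settings.md, onboard.md, users-faqs.md and troubleshoot-sso.md hunks (`Configure single sign-on`, `Configure SSO`) no longer matches the destination title; aligning them avoids readers thinking they landed on the wrong page.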
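Review bot: The FAQs/_index.md hunk adds `weight: 3` but leaves the file ending on `---` with `\ No newline at end of file`; add the trailing newline so the next edit to this front matter does not produce a spurious diff on the closing delimiter.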
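Review bot: Deleting the Prerequisites block from single-sign-on/_index.md loses the requirement `Ensure all users have Docker Desktop version 4.42 or later installed`, and the new Prerequisites list in connect.md does not carry it over (it keeps only the notify, UPN and PAT/OAT items). Unless the version floor is deliberately retired, restore it in connect.md; the related `Set up an account with your identity provider (IdP)` bullet from the old connect.md prerequisites is also gone. Separately, steps 1 and 2 of the numbered list now both point at `(connect.md)` with no fragment, so the two steps are indistinguishable as links; step 1 could target `connect.md#step-1-add-a-domain` and step 2 the "Create an SSO connection in Docker" heading.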
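Review bot: In the first connect.md hunk, the OIDC `Create client secrets` step has the admin `describe and configure duration` and copy the value, but nothing tells them to record the expiry or rotate the secret in Docker before it lapses; when it expires, every OIDC sign-in fails, and with enforcement turned on (see the Enforce SSO section below) there is no password fallback. A one-line caveat on tracking the expiry date belongs here. Smaller points in the same hunk: the overview link `[SSO overview](/enterprise/security/single-sign-on/)` uses a rendered-site path while every other link in this patch uses the `/manuals/...md` source-path convention; the step headings mix `Step 1:` / `Step 2:` with `Step 3.` through `Step 6.`; the Okta and Entra tabs say `Optional. Add [SAML attributes](...), if required by your org.`, which is self-contradictory (either optional or required); the opening sentence `To set up a single sign-on (SSO), you need...` should drop the article; and the Microsoft Learn page cited in the `Azure OpenID Connect (OIDC)` tab (`azure/app-service/configure-authentication-provider-openid-connect`) documents Azure App Service authentication, not registering an application for a third-party OIDC client, so it is a confusing reference for this procedure.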
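Review bot: The consolidated IMPORTANT note in the `@@ -125,22 +171,21 @@` connect.md hunk tells users to copy the certificate `starting with ----BEGIN CERTIFICATE---- and including the ----END CERTIFICATE---- lines`, with four hyphens on each side. PEM armor uses five (`-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----`); an admin who searches or selects by the literal string shown will miss the first and last character of each marker and paste a certificate Docker cannot parse, which surfaces later as an opaque SSO failure. The old per-tab notes had the same typo, so this is a good moment to fix it while merging them.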
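Review bot: In the `@@ -150,53 +195,51 @@` connect.md hunk, the new "Configure multiple IdPs" section has a broken link: `Repeat steps 3-6 from the [Set up an SSO connection] procedures on this page.` has no URL or fragment, so it renders as literal brackets. Use `[Set up an SSO connection](#set-up-an-sso-connection)`. In the same hunk, the "Enforce SSO" section now correctly moves the PAT requirement ahead of enforcement, but the sentence `If you're using the CLI, you must authenticate using a personal access token.` in "Test the connection" is now stated twice on the page; consider keeping it only where enforcement is discussed, or cross-linking.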