This section is for administrators who want to enable Docker Single Sign-on (SSO) for their businesses. Docker SSO allows users to authenticate using their identity providers (IdPs) to access Docker. You can enable SSO on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see Upgrade your subscription.

When SSO is enabled, users are redirected to your provider's authentication page to log in. They cannot authenticate using their Docker login credentials (Docker ID and password). Docker currently supports the Service Provider Initiated (SP-initiated) SSO flow: your users must sign in to Docker Hub or Docker Desktop to initiate the SSO authentication process.

Before enabling SSO in Docker Hub, administrators must configure their IdP to work with Docker Hub. Docker provides the Assertion Consumer Service (ACS) URL and the Entity ID; administrators use this information to establish a connection between their IdP server and Docker Hub. After the connection between the IdP server and Docker Hub is established, administrators log in to the organization in Docker Hub and complete the SSO enablement process. See the section Enable SSO in Docker Hub for detailed instructions.

To enable SSO in Docker Hub, you need the following information from your identity provider:
We currently support enabling SSO on a single organization. Single logout is not supported. If any users in your organization have a different domain (including social domains), they are added to the organization as guests. Guests continue to authenticate through Docker with their Docker login credentials (Docker ID and password).

Single Sign-on architecture flow

The following diagram shows how Single Sign-on (SSO) operates and is managed in Docker Hub and Docker Desktop, and how authentication is handled with your IdP.

Prerequisites
Create a Personal Access Token (PAT)

Before you configure SSO for your organization, new members of your organization must create an access token to log in to the CLI. There is currently a grace period for existing users, which will expire in the near future. Until the grace period ends and PATs become mandatory, your users can log in from the Docker Desktop CLI using their previous credentials. In addition, all email addresses should be added to your IdP.

Configure

To configure SSO, log in to Docker Hub to complete the IdP server configuration process. You can only configure SSO with a single IdP. When this is complete, log back in to Docker Hub and complete the SSO enablement process.
The following video walks you through the process of configuring SSO.

SAML 2.0 IdP configuration
Domain control

Click Add Domain and specify the corporate domain you'd like to manage with SSO. Domains should be formatted without protocol or www information, for example, yourcompany.com. Docker currently supports multiple domains that are part of your IdP. Make sure that your domain is reachable through email.
Domain verification

To verify ownership of a domain, add a TXT record to your Domain Name System (DNS) settings.
Once you've verified your domain, you can move on to test your configuration and enforce SSO, or you can configure System for Cross-domain Identity Management (SCIM).

Test your SSO configuration

After you've completed the SSO configuration process in Docker Hub, you can test the configuration by logging in to Docker Hub using an incognito browser. Log in using your domain email address and IdP password. You are then redirected to your identity provider's login page to authenticate.
Enforce SSO in Docker Hub

Before you enforce SSO in Docker Hub, complete the following: test SSO by logging in and out successfully; confirm that all members of your organization have upgraded to Docker Desktop version 4.4.2; create a PAT for each member; and convert CI/CD passwords to PATs. Also, when using Docker partner products (for example, VS Code), you must use a PAT once SSO is enforced. For service accounts, add their domains under Add Domains or enable the accounts in your IdP.

Admins can force users to authenticate with Docker Desktop by provisioning a registry.json configuration file. The registry.json file forces users to authenticate as a member of one of the organizations listed in its allowedOrgs list. For information on how to configure a registry.json file, see Configure registry.json.
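Because a malformed registry.json is silently ignored or rejected on the endpoint rather than reported back to the admin, it is worth generating and validating the file centrally before it is pushed to fleets. The following Python helper is an added example written for this page, not Docker's own tooling; it assumes only what the text states, namely that the file is a JSON object whose allowedOrgs key holds the list of permitted organization names. The sample files at the bottom are constructed to show the typical mistakes it catches.

```python
import json


def build_registry_json(allowed_orgs):
    """Render the registry.json content that pins Docker Desktop sign-in to allowed_orgs.

    Names are trimmed, lower-cased (Docker Hub namespaces are lower-case) and
    de-duplicated, so a list pasted from a spreadsheet produces a clean file.
    """
    orgs = []
    for org in allowed_orgs:
        name = org.strip().lower()
        if name and name not in orgs:
            orgs.append(name)
    if not orgs:
        raise ValueError("allowedOrgs needs at least one organization name")
    return json.dumps({"allowedOrgs": orgs}, indent=2) + "\n"


def validate_registry_json(text):
    """Check a registry.json file before it is pushed to endpoints.

    Returns the allowedOrgs list on success and raises ValueError with a
    specific reason otherwise, so a deployment script can fail fast instead
    of shipping a file Docker Desktop cannot use.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc.msg} at line {exc.lineno}") from None
    if not isinstance(data, dict):
        raise ValueError("top level must be a JSON object")
    if "allowedOrgs" not in data:
        raise ValueError("missing required key 'allowedOrgs'")
    orgs = data["allowedOrgs"]
    if not isinstance(orgs, list) or not orgs:
        raise ValueError("'allowedOrgs' must be a non-empty list")
    bad = [o for o in orgs if not isinstance(o, str) or not o.strip()]
    if bad:
        raise ValueError(f"'allowedOrgs' contains non-string or empty entries: {bad!r}")
    return orgs


def registry_json_problem(text):
    """Return None if text is a usable registry.json, otherwise the validation message."""
    try:
        validate_registry_json(text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed samples: one good file and three mistakes commonly seen in rollouts.
GOOD_FILE = build_registry_json([" MyOrg ", "myorg", "Second-Org"])
STRING_NOT_LIST = '{"allowedOrgs": "myorg"}\n'
TRAILING_COMMA = '{"allowedOrgs": ["myorg",]}\n'
WRONG_KEY = '{"allowedOrg": ["myorg"]}\n'

if __name__ == "__main__":
    print(GOOD_FILE, end="")
    for sample in (GOOD_FILE, STRING_NOT_LIST, TRAILING_COMMA, WRONG_KEY):
        print(registry_json_problem(sample) or "ok")
```

Run the validator in the same pipeline that distributes the file (an MDM or configuration-management job), and treat any non-None result as a deployment failure; the file location Docker Desktop reads is platform-specific and is documented under Configure registry.json.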
Manage users when SSO is enabled

You don't need to add users to your organization in Docker Hub manually. You just need to make sure an account for your users exists in your IdP.
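Three of the steps above are easy to get wrong at scale: entering a domain in the exact bare form Add Domain expects, confirming the verification TXT record is actually published, and knowing in advance which members will be routed to the IdP and which will remain guests on Docker ID and password. The following Python helpers are an added example written for this page, not Docker's own code. They assume an exact match between a user's e-mail domain and a verified SSO domain, the verification value is a placeholder rather than Docker's real record format, and the `dig +short TXT` output is constructed inline.

```python
import re
from urllib.parse import urlsplit

# Shape of a registrable domain: dotted labels of letters, digits and hyphens, letter-only TLD.
DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def normalize_domain(raw):
    """Reduce an admin-entered value to the bare form Add Domain expects.

    Strips a scheme, a leading 'www.', any port or path, and a trailing dot,
    then lower-cases; raises ValueError for anything that is not a domain.
    """
    value = raw.strip()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    else:
        value = value.split("/", 1)[0].split(":", 1)[0]
    value = value.lower().rstrip(".")
    if value.startswith("www."):
        value = value[len("www."):]
    if not DOMAIN_RE.fullmatch(value):
        raise ValueError(f"not a usable domain: {raw!r}")
    return value


def txt_record_present(dig_output, expected_value):
    """Return True if a TXT record equal to expected_value appears in `dig +short TXT` output.

    Each output line holds one record as quoted strings; a long record may be
    split into several quoted chunks that resolvers concatenate.
    """
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks and "".join(chunks).replace('\\"', '"') == expected_value:
            return True
    return False


def classify_accounts(emails, sso_domains):
    """Split member e-mail addresses into SSO-managed users, guests and invalid entries.

    Only an exact match on a verified SSO domain routes a user to the IdP
    (an assumption of this example; confirm against the domain list in Docker
    Hub). Other corporate or social domains stay guests on Docker ID and password.
    """
    managed = {normalize_domain(d) for d in sso_domains}
    result = {"sso": [], "guest": [], "invalid": []}
    for email in emails:
        addr = email.strip().lower()
        local, at, domain = addr.rpartition("@")
        if not at or not local or not domain:
            result["invalid"].append(email)
            continue
        result["sso" if domain in managed else "guest"].append(addr)
    return result


# Constructed samples. The token below is a placeholder, not Docker's real record format.
SAMPLE_TOKEN = "docker-verification=EXAMPLE_TOKEN_FROM_DOCKER_HUB"
SAMPLE_DIG_OUTPUT = (
    '"v=spf1 include:_spf.example.net -all"\n'
    '"docker-verification=EXAMPLE_" "TOKEN_FROM_DOCKER_HUB"\n'
)
SAMPLE_EMAILS = [
    "Alice@yourcompany.com",
    "bob@YourCompany.com",
    "carol@gmail.com",
    "dave@partner.example",
    "not-an-email",
]

if __name__ == "__main__":
    print(normalize_domain("https://www.YourCompany.com/login"))
    print(txt_record_present(SAMPLE_DIG_OUTPUT, SAMPLE_TOKEN))
    print(classify_accounts(SAMPLE_EMAILS, ["https://www.yourcompany.com"]))
```

Running classify_accounts over an export of your IdP directory before enforcement gives you the list of people who will be left as guests, which is exactly the set to either add under Add Domains or provision in the IdP before the cut-over.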
To add a guest to your organization in Docker Hub if they aren’t verified through your IdP:
Remove members from the SSO organization

To remove a member from an organization:
FAQs

To learn more, see our FAQs.

Deleting SSO

When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Deleting the connection cannot be undone. Users must then authenticate with their Docker ID and password, or request a password reset if they do not have one.

How do I enable SSO on Windows Server?

To enable the SSO system using the MMC Snap-In:
Click Start, click Programs, click Microsoft Enterprise Single Sign-On, and then click SSO Administration. In the scope pane of the ENTSSO MMC Snap-In, expand the Enterprise Single Sign-On node. Right-click System, and then click Enable.
How do I enable Single Sign

Select Setup > Authentication > Authentication Settings. The Authentication Settings dialog box appears. Select the Single Sign-On tab. Select the Enable Single Sign-On (SSO) with Active Directory check box.

How do I enable Single Sign

To enable Integrated Windows Authentication for Edge: Open the Windows Settings and search Internet Options. The following window opens. Click Local intranet > Sites. Click Advanced. Enter the tenant-specific URL into the Websites text box. Click Close.

How do I enable seamless Single Sign

Sign in to the Azure Active Directory administrative center with the global administrator or hybrid identity administrator credentials for your tenant. Select Azure Active Directory in the left pane. Select Azure AD Connect. Verify that the Seamless single sign-on feature appears as Enabled.