From 098e3e5e57e9b0e23d1acec235709f3413b64837 Mon Sep 17 00:00:00 2001 From: Sarah Sanders Date: Wed, 23 Oct 2024 12:00:49 -0700 Subject: [PATCH 1/5] Add overview for provisioning users --- .../for-admins/provisioning/_index.md | 59 ++++++++++++++++++- 1 file changed, 56 insertions(+), 3 deletions(-) diff --git a/content/manuals/security/for-admins/provisioning/_index.md b/content/manuals/security/for-admins/provisioning/_index.md index 07a0e00c5e35..cdac46960cba 100644 --- a/content/manuals/security/for-admins/provisioning/_index.md +++ b/content/manuals/security/for-admins/provisioning/_index.md 
@@ -1,6 +1,59 @@ --- -build: - render: never -title: Provisioning +description: Learn about provisioning users for your SSO configuration. +keywords: provision users, provisioning, JIT, SCIM, group mapping, sso, docker hub, hub, docker admin, admin, security +title: Provision users +linkTitle: Provision weight: 20 --- + +Once you've configured your SSO connection, the next step is to provision users. This process ensures that users can access your organization. +This guide provides an overview of user provisioning and supported provisioning methods. + +## What is provisioning? + +Provisioning helps manage users by automating tasks like creating, updating, and deactivating users based +on data from your identity provider (IdP). There are three methods for user provisioning, with benefits for +different organization needs: + +| Provisioning method | Description | Default setting in Docker | Recommended for | +| --- | --- | --- | --- | +| Just-in-Time (JIT) | Automatically create and provisions user accounts when they first log in via SSO | Enabled by default | Best for organizations who need minimal setup, who have smaller teams, or low-security environments | +| System for Cross-domain Identity Management (SCIM) | Continuously syncs user data between your IdP and Docker, ensuring user attributes remain updated without requiring manual updates | Disabled by default | Best for larger organizations or environments with frequent changes in user information or roles | +| Group mapping | Maps user groups from your IdP to specific roles and permissions within Docker, enabling fine-tuned access control based on group membership | Disabled by default | Best for organizations that require strict access control and for managing users based on their roles and permissions | + +## Default provisioning setup + +By default, Docker enables JIT provisioning when you configure an SSO connection. 
With JIT enabled, user accounts are automatically created the first time a user signs in using your SSO flow. + +JIT provisioning may not provide the level of control or security some organizations need. In such cases, SCIM or group mapping can be configured to give administrators more control over user access and attributes. Refer to the following guides to learn more about each provisioning method, and for steps to disable JIT if necessary: +- Guide +- Guide +- Guide + +## SSO attributes + +When a user signs in through SSO, Docker obtains several attributes from your IdP to manage the user's identity and permissions. These attributes include: +- **Email address**: The unique identifier for the user +- **Full name**: The user's complete name +- **Groups**: Optional. Used for group-based access control +- **Docker Org**: Optional. Specifies the organization the user belongs to +- **Docker Team**: Optional. Defines the team the user belongs to within the organization +- **Docker Role**: Optional. Determines the user's permission within Docker + +If your organization uses SAML for SSO, Docker retrieves these attributes from the SAML assertion message. Keep in mind that different IdPs may use different names for these attributes. 
The following reference table outlines possible SAML attributes used by Docker: + +| SSO Attribute | SAML Assertion Message Attributes | +| --- | --- | +| Email address | `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"`, `email` | +| Full name | `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"`, `name`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"` | +| Groups (optional) | `"http://schemas.xmlsoap.org/claims/Group"`, `"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"`, `Groups`, `groups` | +| Docker Org (optional) | `dockerOrg` | +| Docker Team (optional) | `dockerTeam` | +| Docker Role (optional) | `dockerRole` | + +## What's next? + +Review the provisioning method guides for steps on configuring provisioning methods: +- [JIT](/manuals/security/for-admins/provisioning/just-in-time.md) +- [SCIM](/manuals/security/for-admins/provisioning/scim.md) +- [Group mapping](/manuals/security/for-admins/provisioning/group-mapping.md) \ No newline at end of file From e9a98e56553a56971e4740f3ae0461730b2e96d3 Mon Sep 17 00:00:00 2001 From: Sarah Sanders Date: Wed, 23 Oct 2024 12:04:53 -0700 Subject: [PATCH 2/5] Update table markdown --- content/manuals/security/for-admins/provisioning/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/security/for-admins/provisioning/_index.md b/content/manuals/security/for-admins/provisioning/_index.md index cdac46960cba..a8799caf4328 100644 --- a/content/manuals/security/for-admins/provisioning/_index.md +++ b/content/manuals/security/for-admins/provisioning/_index.md 
@@ -43,7 +43,7 @@ When a user signs in through SSO, Docker obtains several attributes from your Id If your organization uses SAML for SSO, Docker retrieves these attributes from the SAML assertion message. Keep in mind that different IdPs may use different names for these attributes. The following reference table outlines possible SAML attributes used by Docker: | SSO Attribute | SAML Assertion Message Attributes | -| --- | --- | +| :--- | :--- | | Email address | `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"`, `email` | | Full name | `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"`, `name`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"` | | Groups (optional) | `"http://schemas.xmlsoap.org/claims/Group"`, `"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"`, `Groups`, `groups` | From b758c90db737c0896c2219422c194f12716f3f0f Mon Sep 17 00:00:00 2001 From: Sarah Sanders Date: Wed, 23 Oct 2024 12:08:17 -0700 Subject: [PATCH 3/5] More table fine tuning --- content/manuals/security/for-admins/provisioning/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/security/for-admins/provisioning/_index.md b/content/manuals/security/for-admins/provisioning/_index.md index a8799caf4328..3e056f4a809c 100644 --- a/content/manuals/security/for-admins/provisioning/_index.md +++ b/content/manuals/security/for-admins/provisioning/_index.md 
@@ -16,7 +16,7 @@ on data from your identity provider (IdP). There are three methods for user prov different organization needs: | Provisioning method | Description | Default setting in Docker | Recommended for | -| --- | --- | --- | --- | +| :--- | :--- | :------------- | :--- | | Just-in-Time (JIT) | Automatically create and provisions user accounts when they first log in via SSO | Enabled by default | Best for organizations who need minimal setup, who have smaller teams, or low-security environments | | System for Cross-domain Identity Management (SCIM) | Continuously syncs user data between your IdP and Docker, ensuring user attributes remain updated without requiring manual updates | Disabled by default | Best for larger organizations or environments with frequent changes in user information or roles | | Group mapping | Maps user groups from your IdP to specific roles and permissions within Docker, enabling fine-tuned access control based on group membership | Disabled by default | Best for organizations that require strict access control and for managing users based on their roles and permissions | From cbda29bdae86504daab0c31a875dd71b2681b2fd Mon Sep 17 00:00:00 2001 From: Sarah Sanders Date: Wed, 23 Oct 2024 13:39:48 -0700 Subject: [PATCH 4/5] Fix error found by vale --- content/manuals/security/for-admins/provisioning/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/security/for-admins/provisioning/_index.md b/content/manuals/security/for-admins/provisioning/_index.md index 3e056f4a809c..4dccc79b6cee 100644 --- a/content/manuals/security/for-admins/provisioning/_index.md +++ b/content/manuals/security/for-admins/provisioning/_index.md 
@@ -17,7 +17,7 @@ different organization needs: | Provisioning method | Description | Default setting in Docker | Recommended for | | :--- | :--- | :------------- | :--- | -| Just-in-Time (JIT) | Automatically create and provisions user accounts when they first log in via SSO | Enabled by default | Best for organizations who need minimal setup, who have smaller teams, or low-security environments | +| Just-in-Time (JIT) | Automatically create and provisions user accounts when they first sign in via SSO | Enabled by default | Best for organizations who need minimal setup, who have smaller teams, or low-security environments | | System for Cross-domain Identity Management (SCIM) | Continuously syncs user data between your IdP and Docker, ensuring user attributes remain updated without requiring manual updates | Disabled by default | Best for larger organizations or environments with frequent changes in user information or roles | | Group mapping | Maps user groups from your IdP to specific roles and permissions within Docker, enabling fine-tuned access control based on group membership | Disabled by default | Best for organizations that require strict access control and for managing users based on their roles and permissions | From d9fa61bb5c423edbf98ebfa940258d94da7cd4f8 Mon Sep 17 00:00:00 2001 From: Sarah Sanders Date: Thu, 24 Oct 2024 08:30:21 -0700 Subject: [PATCH 5/5] Update missing links --- content/manuals/security/for-admins/provisioning/_index.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/content/manuals/security/for-admins/provisioning/_index.md b/content/manuals/security/for-admins/provisioning/_index.md index 4dccc79b6cee..bed820562fd9 100644 --- a/content/manuals/security/for-admins/provisioning/_index.md +++ b/content/manuals/security/for-admins/provisioning/_index.md 
@@ -25,10 +25,7 @@ different organization needs: By default, Docker enables JIT provisioning when you configure an SSO connection. With JIT enabled, user accounts are automatically created the first time a user signs in using your SSO flow. -JIT provisioning may not provide the level of control or security some organizations need. In such cases, SCIM or group mapping can be configured to give administrators more control over user access and attributes. Refer to the following guides to learn more about each provisioning method, and for steps to disable JIT if necessary: -- Guide -- Guide -- Guide +JIT provisioning may not provide the level of control or security some organizations need. In such cases, SCIM or group mapping can be configured to give administrators more control over user access and attributes. ## SSO attributes
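Review bot: in PATCH 1/5, the `## Default provisioning setup` hunk ships three placeholder bullets (`- Guide`) right after "Refer to the following guides to learn more about each provisioning method, and for steps to disable JIT if necessary:"; either point them at the three guides already linked under `## What's next?` (`just-in-time.md`, `scim.md`, `group-mapping.md`) or drop them before merge rather than publish placeholders. In the same hunk, the SAML table lists four candidate claims for `Email address` (`nameidentifier`, `upn`, `emailaddress`, `email`) and the bullet above calls that attribute "The unique identifier for the user", but nothing says which claim is used when an assertion carries more than one, or what happens when `nameidentifier` is not an email address; since this value identifies the account, the precedence rule belongs in the table or the paragraph introducing it.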
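Review bot: in PATCH 3/5, the new separator row `| :--- | :--- | :------------- | :--- |` pads only the third column; the extra dashes change neither rendering nor alignment, so use `:---` in all four columns to match the separator row introduced in PATCH 2/5.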
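Review bot: in PATCH 4/5, the JIT row is edited only to change "log in" to "sign in" and leaves "Automatically create and provisions user accounts"; while the line is being touched, fix the verb agreement to "Automatically creates and provisions user accounts" and change "organizations who need minimal setup" to "organizations that need minimal setup" in the same cell.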
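Review bot: in PATCH 5/5, removing "Refer to the following guides to learn more about each provisioning method, and for steps to disable JIT if necessary:" together with the placeholder bullets also removes the page's only pointer to disabling JIT, which is exactly what a reader who has just been told JIT "may not provide the level of control or security some organizations need" will look for. Keep a short pointer in the retained paragraph, for example "See the [JIT guide](/manuals/security/for-admins/provisioning/just-in-time.md) for steps to disable it.", since that path is already linked under `## What's next?`.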