From 22138707c71cd4112320b8a92d7e1bcde57f29ed Mon Sep 17 00:00:00 2001 From: Sarah Sanders Date: Tue, 29 Oct 2024 14:58:57 -0700 Subject: [PATCH 1/4] Update Manage SSO guide --- .../manuals/security/for-admins/single-sign-on/manage.md | 2 +- layouts/shortcodes/admin-sso-management-connections.md | 6 +++--- layouts/shortcodes/admin-sso-management-orgs.md | 6 +++--- layouts/shortcodes/admin-sso-management-users.md | 4 ++-- layouts/shortcodes/admin-sso-management.md | 6 +++--- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/content/manuals/security/for-admins/single-sign-on/manage.md b/content/manuals/security/for-admins/single-sign-on/manage.md index ddc54606846e..20be64bd24dd 100644 --- a/content/manuals/security/for-admins/single-sign-on/manage.md +++ b/content/manuals/security/for-admins/single-sign-on/manage.md @@ -71,7 +71,7 @@ aliases: ## Manage provisioning -Users are provisioned with Just-in-Time (JIT) provisioning by default. If you enable SCIM, you can disable JIT. For more information, see the [Provisioning overview](/manuals/security/for-admins/provisioning/_index.md) [Just-in-Time](/manuals/security/for-admins/provisioning/just-in-time.md) guides. +Users are provisioned with Just-in-Time (JIT) provisioning by default. If you enable SCIM, you can disable JIT. For more information, see the [Provisioning overview](/manuals/security/for-admins/provisioning/_index.md) guide. ## What's next? diff --git a/layouts/shortcodes/admin-sso-management-connections.md b/layouts/shortcodes/admin-sso-management-connections.md index 740e195a6bb5..fe185d858186 100644 --- a/layouts/shortcodes/admin-sso-management-connections.md +++ b/layouts/shortcodes/admin-sso-management-connections.md 
@@ -2,7 +2,7 @@ {{ $sso_navigation := `Navigate to the SSO settings page for your organization. Select **Organizations**, your organization, **Settings**, and then **Security**.` }} {{ if eq (.Get "product") "admin" }} - {{ $product_link = "the [Admin Console](https://admin.docker.com)" }} + {{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }} {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO and SCIM**. Note that when an organization is part of a company, you must select the company and configure SSO for that organization at the company level. Each organization can have its own SSO configuration and domain, but it must be configured at the company level." }} {{ end }} @@ -11,7 +11,7 @@ 1. Sign in to {{ $product_link }}. 2. {{ $sso_navigation }} 3. In the SSO connections table, select the **Action** icon. -4. Select **Edit connection** to edit your connection. +4. Select **Edit connection**. 5. Follow the on-screen instructions to edit the connection. ### Delete a connection @@ -24,4 +24,4 @@ ### Deleting SSO -When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one. \ No newline at end of file +When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. If an SSO connection is deleted, Docker users must authenticate with their Docker ID and password. \ No newline at end of file diff --git a/layouts/shortcodes/admin-sso-management-orgs.md b/layouts/shortcodes/admin-sso-management-orgs.md index 232c3b1164b4..db97b8b12d4a 100644 --- a/layouts/shortcodes/admin-sso-management-orgs.md +++ b/layouts/shortcodes/admin-sso-management-orgs.md 
@@ -1,7 +1,7 @@ {{ $product_link := "[Docker Hub](https://hub.docker.com)" }} {{ $sso_navigation := "Select **Organizations**, your company, and then **Settings**." }} {{ if eq (.Get "product") "admin" }} - {{ $product_link = "the [Admin Console](https://admin.docker.com)" }} + {{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }} {{ $sso_navigation = "Select your company in the left navigation drop-down menu, and then select **SSO and SCIM**." }} {{ end }} @@ -13,7 +13,7 @@ 4. Select **Next** to navigate to the section where connected organizations are listed. 5. In the **Organizations** drop-down, select the organization to add to the connection. 6. Select **Next** to confirm or change the default organization and team provisioning. -7. Review the **Connection Summary** and select **Save**. +7. Review the **Connection Summary** and select **Update connection**. ### Remove an organization @@ -23,4 +23,4 @@ 4. Select **Next** to navigate to the section where connected organizations are listed. 5. In the **Organizations** drop-down, select **Remove** to remove the connection. 6. Select **Next** to confirm or change the default organization and team provisioning. -7. Review the **Connection Summary** and select **Save**. +7. Review the **Connection Summary** and select **Update connection**. diff --git a/layouts/shortcodes/admin-sso-management-users.md b/layouts/shortcodes/admin-sso-management-users.md index baf6a15ebeca..852d043eda43 100644 --- a/layouts/shortcodes/admin-sso-management-users.md +++ b/layouts/shortcodes/admin-sso-management-users.md 
@@ -8,10 +8,10 @@ {{ $provisioning_steps := "This feature is only available in the Admin Console."}} {{ if eq (.Get "product") "admin" }} - {{ $product_link = "the [Admin Console](https://admin.docker.com)" }} + {{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }} {{ $invite_button = "**Invite**" }} {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO and SCIM**." }} - {{ $member_navigation = `Navigate to the user management page for your organization or company. + {{ $member_navigation = `Navigate to the user management page for your organization or company. - Organization: Select your organization in the left navigation drop-down menu, and then select **Members**. - Company: Select your company in the left navigation drop-down menu, and then select **Users**.` }} {{ $remove_button = "**Remove member**, if you're an organization, or **Remove user**, if you're a company" }} diff --git a/layouts/shortcodes/admin-sso-management.md b/layouts/shortcodes/admin-sso-management.md index fe1d218cccf8..bbf168e306ed 100644 --- a/layouts/shortcodes/admin-sso-management.md +++ b/layouts/shortcodes/admin-sso-management.md @@ -2,7 +2,7 @@ {{ $sso_navigation := `Navigate to the SSO settings page for your organization. Select **Organizations**, your organization, **Settings**, and then **Security**.` }} {{ if eq (.Get "product") "admin" }} - {{ $product_link = "the [Admin Console](https://admin.docker.com)" }} + {{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }} {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO and SCIM**." }} {{ end }} 
@@ -15,8 +15,8 @@ 5. In the **Domain** drop-down, select the **x** icon next to the domain that you want to remove. 6. Select **Next** to confirm or change the connected organization(s). 7. Select **Next** to confirm or change the default organization and team provisioning selections. -8. Review the **Connection Summary** and select **Save**. +8. Review the **Connection Summary** and select **Update connection**. -> **Note** +> [!Note] > > If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value. From 07bf87ede27e3b752da8998f81192ea852547c99 Mon Sep 17 00:00:00 2001 From: Sarah Sanders Date: Tue, 29 Oct 2024 15:10:46 -0700 Subject: [PATCH 2/4] Remove Hub tab on manage users heading --- .../security/for-admins/single-sign-on/manage.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/content/manuals/security/for-admins/single-sign-on/manage.md b/content/manuals/security/for-admins/single-sign-on/manage.md index 20be64bd24dd..4b2586535fc8 100644 --- a/content/manuals/security/for-admins/single-sign-on/manage.md +++ b/content/manuals/security/for-admins/single-sign-on/manage.md @@ -54,21 +54,10 @@ aliases: ## Manage users -{{< tabs >}} -{{< tab name="Admin Console" >}} - {{< include "admin-early-access.md" >}} {{% admin-sso-management-users product="admin" %}} -{{< /tab >}} -{{< tab name="Docker Hub" >}} - -{{% admin-sso-management-users product="hub" %}} - -{{< /tab >}} -{{< /tabs >}} - ## Manage provisioning Users are provisioned with Just-in-Time (JIT) provisioning by default. If you enable SCIM, you can disable JIT. For more information, see the [Provisioning overview](/manuals/security/for-admins/provisioning/_index.md) guide. From 68effdcf4525641983582bb3b046149076a0088b Mon Sep 17 00:00:00 2001 
From: Sarah Sanders Date: Wed, 30 Oct 2024 09:35:24 -0700 Subject: [PATCH 3/4] Remove shortcode file --- .../for-admins/single-sign-on/manage.md | 30 +++++++++++- .../shortcodes/admin-sso-management-users.md | 48 ------------------- 2 files changed, 28 insertions(+), 50 deletions(-) delete mode 100644 layouts/shortcodes/admin-sso-management-users.md diff --git a/content/manuals/security/for-admins/single-sign-on/manage.md b/content/manuals/security/for-admins/single-sign-on/manage.md index 4b2586535fc8..7976289faf96 100644 --- a/content/manuals/security/for-admins/single-sign-on/manage.md +++ b/content/manuals/security/for-admins/single-sign-on/manage.md 
@@ -54,9 +54,35 @@ aliases: ## Manage users -{{< include "admin-early-access.md" >}} +> [!IMPORTANT] +> +> SSO has Just-In-Time (JIT) Provisioning enabled by default unless you have [disabled it](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization. +> +> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP: +> +> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) +> - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) +> +> Alternatively, see [Manage how users are provisioned](/manuals/security/for-admins/single-sign-on/manage.md). + + +### Add guest users when SSO is enabled + +To add a guest that isn't verified through your IdP: + +1. Sign in to the [Admin Console](https://app.docker.com/admin). +2. Select **Organizations**, your organization, and then **Members**. +3. Select **Invite**. +4. Follow the on-screen instructions to invite the user. + +### Remove users from the SSO company + +To remove a user: -{{% admin-sso-management-users product="admin" %}} +1. Sign in to [Admin Console](https://app.docker.com/admin). +2. Select **Organizations**, your organization, and then **Members**. +3. Select the action icon next to a user’s name, and then select **Remove member**, if you're an organization, or **Remove user**, if you're a company. +4. Follow the on-screen instructions to remove the user. ## Manage provisioning diff --git a/layouts/shortcodes/admin-sso-management-users.md b/layouts/shortcodes/admin-sso-management-users.md deleted file mode 100644 index 852d043eda43..000000000000 
--- a/layouts/shortcodes/admin-sso-management-users.md +++ /dev/null 
@@ -1,48 +0,0 @@ -{{ $product_link := "[Docker Hub](https://hub.docker.com)" }} -{{ $sso_navigation := `Navigate to the SSO settings page for your organization or company. - - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**. - - Company: Select **Organizations**, your company, and then **Settings**.` }} -{{ $member_navigation := "Select **Organizations**, your organization, and then **Members**." }} -{{ $invite_button := "**Invite members**" }} -{{ $remove_button := "**Remove member**" }} -{{ $provisioning_steps := "This feature is only available in the Admin Console."}} - -{{ if eq (.Get "product") "admin" }} - {{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }} - {{ $invite_button = "**Invite**" }} - {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO and SCIM**." }} - {{ $member_navigation = `Navigate to the user management page for your organization or company. - - Organization: Select your organization in the left navigation drop-down menu, and then select **Members**. - - Company: Select your company in the left navigation drop-down menu, and then select **Users**.` }} - {{ $remove_button = "**Remove member**, if you're an organization, or **Remove user**, if you're a company" }} - -> [!IMPORTANT] -> -> SSO has Just-In-Time (JIT) Provisioning enabled by default unless you have [disabled it](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization. -> -> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. 
Follow the instructions provided by your IdP: -> -> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) -> - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) -> -> Alternatively, see [Manage how users are provisioned](/manuals/security/for-admins/single-sign-on/manage.md). - - -### Add guest users when SSO is enabled - -To add a guest that isn't verified through your IdP: - -1. Sign in to {{ $product_link }}. -2. {{ $member_navigation }} -3. Select {{ $invite_button }}. -4. Follow the on-screen instructions to invite the user. - -### Remove users from the SSO company - -To remove a user: - -1. Sign in to {{ $product_link }}. -2. {{ $member_navigation }} -3. Select the action icon next to a user’s name, and then select {{ $remove_button }}. -4. Follow the on-screen instructions to remove the user. -{{ end }} \ No newline at end of file From 08283b6228d3c1f07bb9786ab7155753fb580f05 Mon Sep 17 00:00:00 2001 From: Sarah Sanders Date: Mon, 4 Nov 2024 13:46:11 -0800 Subject: [PATCH 4/4] Update manage.md --- content/manuals/security/for-admins/single-sign-on/manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/security/for-admins/single-sign-on/manage.md b/content/manuals/security/for-admins/single-sign-on/manage.md index 7976289faf96..26455b24794f 100644 --- a/content/manuals/security/for-admins/single-sign-on/manage.md +++ b/content/manuals/security/for-admins/single-sign-on/manage.md 
@@ -63,7 +63,7 @@ aliases: > - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm) > - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) > -> Alternatively, see [Manage how users are provisioned](/manuals/security/for-admins/single-sign-on/manage.md). +> Alternatively, see the [Provisioning overview](/manuals/security/for-admins/provisioning/_index.md) guide. ### Add guest users when SSO is enabled
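Review bot: In PATCH 1/4, the `## Manage provisioning` hunk of `manage.md` drops the Just-in-Time link entirely, even though the sentence before it tells admins they can disable JIT once SCIM is enabled. The removed line only lacked a conjunction between its two links. Consider keeping both targets and writing "see the Provisioning overview and Just-in-Time guides", so the reader still has a direct path to the JIT page.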
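Review bot: In PATCH 1/4, the `### Deleting SSO` paragraph of `admin-sso-management-connections.md` no longer says what a user without a password should do once the connection is gone. The removed sentence covered that case (`or create a password reset if they don't have one`), while the new one only states that users must authenticate with their Docker ID and password. Keep the password reset guidance in the new wording. The two consecutive sentences "Once you delete this connection, it can't be undone." and "If an SSO connection is deleted, ..." could also be merged, since they repeat the same condition.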
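Review bot: In PATCH 1/4, the callout at the end of the second `admin-sso-management.md` hunk is written `> [!Note]`, while the callout added in PATCH 3/4 is written `> [!IMPORTANT]`. Use one casing for alert markers across the series, for example `> [!NOTE]` here.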
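Review bot: In PATCH 3/4, step 2 of both inlined procedures in `manage.md` uses the navigation text that the deleted shortcode defined as its Docker Hub default (`Select **Organizations**, your organization, and then **Members**.`), but step 1 sends the reader to the Admin Console. The shortcode's `product="admin"` branch used different text: the left navigation drop-down, then **Members** for an organization or **Users** for a company. As inlined, the removal steps still offer **Remove user** "if you're a company" but give no company path to reach it. Inline the admin-branch navigation instead. Two smaller points in the same hunk: `Sign in to [Admin Console]` in the removal steps is missing "the", and the hunk removes `{{< include "admin-early-access.md" >}}`, which the commit message does not mention, so please confirm that removal is intended.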
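Review bot: PATCH 3/4 deletes `layouts/shortcodes/admin-sso-management-users.md`, and the series updates only the one call to it in `manage.md`. Before merging, confirm that no other content page still calls `admin-sso-management-users`, since a call to a missing shortcode fails the Hugo build.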