Early Access

Docker Admin is an early access product.

It's currently available to all company owners and organization owners that have a Docker Business or Docker Team subscription. You can still manage companies and organizations in Docker Hub. For details about managing companies or organizations in Docker Hub, see Administration and security.

Follow the steps on this page to manage SCIM for your company. To manage SCIM for an organization, see SCIM for an organization.

This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers.

SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker and added to the organization or company.

Similarly, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization or company in Docker. SCIM also synchronizes changes made to a user's attributes in the IdP, for instance the user’s first name and last name.

The following provisioning features are supported:

  • Creating new users
  • Push user profile updates
  • Remove users
  • Deactivate users
  • Re-activate users
  • Group mapping

The following table lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.

userNameUser's primary email address. This is used as the unique identifier of the user.
name.givenNameUser’s first name
name.familyNameUser’s surname
activeIndicates if a user is enabled or disabled. Can be set to false to de-provision the user.

For additional details about supported attributes and SCIM, see Docker Hub API SCIM reference.

Set up SCIM

You must make sure you have configured SSO before you enable SCIM. Enforcing SSO is not required.

Step one: Enable SCIM in Docker

  1. Sign in to Docker Adminopen_in_new.
  2. Select your company in the left navigation drop-down menu, and then select SSO & SCIM.
  3. In the SSO connections table, select the Actions icon and Setup SCIM.
  4. Copy the SCIM Base URL and API Token and paste the values into your IdP.

Step two: Enable SCIM in your IdP

Follow the instructions provided by your IdP:

Set up role mapping

You can assign roles to members in your organization in the IdP. To set up a role, you can use optional user-level attributes for the person you want to assign a role. In addition to roles, you can set an organization and team to override the default provisioning values set by the SSO connection.


These mappings are supported for both SCIM and JIT provisioning. With JIT provisioning, role mapping only applies when a user is initially provisioned to the organization.

The following table lists the supported optional user-level attributes.

AttributePossible valuesConsiderations
dockerRolemember, editor, or owner. For a list of permissions for each role, see Roles and permissions.If you don't assign a role in the IdP, the value of the dockerRole attribute defaults to member. When you set the attribute, this overrides the default value.
dockerOrgorganizationName. For example, an organization named "moby" would be moby.Setting this attribute overrides the default organization configured by the SSO connection. Also, this won't add the user to the default team. If this attribute isn't set, the user is provisioned to the default organization and the default team. If set and dockerTeam is also set, this provisions the user to the team within that org.
dockerTeamteamName. For example, a team named "developers" would be developers.Setting this attribute provisions the user to the default org and to the specified team, instead of the SSO connection's default team. This also creates the team if it doesn't exist. You can still use group mapping to provision users to teams in multiple orgs. See Group mapping.

After you set the role in the IdP, you need to sync to push the changes to Docker.

The external namespace to use to set up these attributes is urn:ietf:params:scim:schemas:extension:docker:2.0:User.

For how to add these attributes, see the documentation for your IdP:

Disable SCIM

If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.

  1. Sign in to Docker Adminopen_in_new.
  2. Select your company in the left navigation drop-down menu, and then select SSO & SCIM.
  3. In the SSO connections table, select the Actions icon.
  4. Select Disable SCIM.