Users are managed through organizations in Docker Hub. When you configure SSO in Docker, you need to make sure an account exists for each user in your IdP account. When a user signs in to Docker for the first time using their domain email address, they will be automatically added to the organization after a successful authentication.
No, you don’t need to manually add users to your organization in Docker Hub. You just need to make sure an account for your users exists in your IdP. When users sign in to Docker Hub, they're automatically assigned to the organization using their domain email address.
During the SSO setup, you’ll have to specify the company email domains that are allowed to authenticate. All users in your organization must authenticate using the email domain specified during SSO setup. Some of your users may want to maintain a different account for their personal projects.
Users with a public domain email address will be added as guests.
Can Docker org owners/admins/company owners approve users to an organization and use a seat, rather than having them automatically added when SSO is enabled?
Admins, organization owners, and company owners can approve users by configuring their permissions through their IdP. If the user account is configured in the IdP, the user will be automatically added to the organization in Docker Hub as long as there’s an available seat.
When SSO is enabled, users will be prompted to authenticate through SSO the next time they try to sign in to Docker Hub or Docker Desktop. The system sees that the end user has a domain email associated with the Docker ID they're trying to authenticate with, and prompts them to sign in with their SSO email and credentials instead.
If users attempt to sign in through the CLI, they must authenticate using a personal access token (PAT).
Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their company’s domain?
Yes. Admins can force users to authenticate with Docker Desktop by provisioning a registry.json configuration file. The registry.json file forces users to authenticate as a user that's configured in the allowedOrgs list in the registry.json file.
Once SSO enforcement is set up for the Docker Business organization or company in Docker Hub, users who are forced to authenticate with Docker Desktop are also required to sign in through SSO with their IdP, instead of with a username and password.
Users may still be able to authenticate as a "guest" account using a non-domain email address. However, they can only authenticate as guests if that non-domain email was invited.
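As an added example (not Docker's own tooling), a small Python helper that generates a registry.json carrying the allowedOrgs list described above and checks an existing file for the mistakes that would leave enforcement off; the organization name and the platform-specific install path are placeholders.

```python
import json
from typing import Any

# Docker Desktop reads registry.json to force users to sign in as a member of one
# of the organizations listed under "allowedOrgs" (the only key described here).
# The install location is platform-specific; placeholder only.
REGISTRY_JSON_PATH = "<platform-specific path>/registry.json"


def build_registry_json(allowed_orgs: list[str]) -> str:
    """Return registry.json content that pins Docker Desktop to allowed_orgs."""
    if not allowed_orgs or any(not isinstance(o, str) or not o.strip() for o in allowed_orgs):
        raise ValueError("allowedOrgs must be a non-empty list of organization names")
    return json.dumps({"allowedOrgs": list(allowed_orgs)}, indent=2) + "\n"


def validate_registry_json(text: str) -> list[str]:
    """Return the problems found in a registry.json body (empty list means OK).

    Catches the errors that silently weaken enforcement: unparsable JSON,
    a missing or mis-cased 'allowedOrgs' key, an empty list, non-string entries.
    """
    problems: list[str] = []
    try:
        data: Any = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level value must be a JSON object"]
    orgs = data.get("allowedOrgs")
    if orgs is None:
        problems.append("missing 'allowedOrgs' key (check spelling and case)")
    elif not isinstance(orgs, list) or not orgs:
        problems.append("'allowedOrgs' must be a non-empty list")
    elif any(not isinstance(o, str) or not o.strip() for o in orgs):
        problems.append("'allowedOrgs' entries must be non-empty strings")
    for key in data:
        if key != "allowedOrgs":
            problems.append(f"unexpected key {key!r}: only 'allowedOrgs' is documented here")
    return problems


if __name__ == "__main__":
    # Constructed sample: "example-org" stands in for the real organization name.
    body = build_registry_json(["example-org"])
    print(body, validate_registry_json(body) or "registry.json looks correct")
```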
Yes, you can convert existing users to an SSO account. To convert users from a non-SSO account:
- Ensure your users have a company domain email address and an account in your IdP.
- Verify that all users have Docker Desktop version 4.4.2 or later installed on their machines.
- Ensure each user has created a PAT to replace their password so they can sign in through the Docker CLI.
- Confirm that all CI/CD pipelines and automation systems have replaced their passwords with PATs.
For detailed prerequisites and instructions on how to enable SSO, see Configure Single Sign-on.
When SSO is enabled and enforced, your users just have to sign in using the email address and password.
Docker SSO provides Just-In-Time (JIT) provisioning by default. This provisioning only happens when a user signs in. If a user leaves the organization, administrators must sign in to Docker Hub and manually remove the user from the organization. SCIM is available to provide full synchronization with users and groups.
Additionally, you can use the Docker Hub API to complete this process.
Company or organization owners can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already).
If we add a user manually for the first time, can I register them in the dashboard, and will the user get an invitation link through email?
Yes, if the user is added to an org by email address, they will receive an email invite. If invited by Docker ID as an existing user instead, they'll be added to the organization automatically. A new invite flow will be introduced in the near future that will require an email invite (so the user can choose to opt out). If the org later sets up SSO for the zeiss.com domain, the user will automatically be added to the domain SSO org at their next sign in, which requires SSO authentication with the identity provider (the Hub login will automatically redirect to the identity provider).
Can someone join an organization without an invitation? Is it possible to put specific users to an organization with existing email accounts?
Not without SSO. Joining requires an invite from a member of the Owners group. When SSO is enforced, then the domains verified through SSO will allow users to automatically join the organization the next time they sign in as a user that has a domain email assigned.
Yes, the existing user account will join the organization with all assets retained.
We only support one email per user on the Docker platform.
You can go to the invitee list in the org view and remove them.
No, we don't differentiate the two in product.
All Docker accounts have a public profile associated with their namespace. If you don't want user information (for example, full name) to be visible, you can remove those attributes from your SSO and SCIM mappings. Alternatively, you can use a different identifier to replace a user's full name.