SCIM

This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers.

SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker and added to the organization or company.

Similarly, if a user gets unassigned from the Docker application in the IdP, this removes the user from the organization or company in Docker. SCIM also synchronizes changes made to a user's attributes in the IdP, for example the user’s first name and last name.

The following lists the supported provisioning features:

  • Creating new users
  • Push user profile updates
  • Remove users
  • Deactivate users
  • Re-activate users
  • Group mapping

The following lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.

  • userName: User's primary email address. This is the unique identifier of the user.
  • name.givenName: User's first name.
  • name.familyName: User's surname.
  • active: Indicates if a user is enabled or disabled. Can be set to false to de-provision the user.

For additional details about supported attributes and SCIM, see Docker Hub API SCIM reference.

Important

SSO uses Just-in-Time (JIT) provisioning by default. If you enable SCIM, JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see SSO attributes.

Set up SCIM

You must make sure you have configured SSO before you enable SCIM. Enforcing SSO isn't required.


Step one: Enable SCIM in Docker

  1. Sign in to Docker Hub.
  2. Navigate to the SSO settings page for your organization or company.
    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select the Actions icon and Setup SCIM.
  4. Copy the SCIM Base URL and API Token and paste the values into your IdP.

Step two: Enable SCIM in your IdP

Follow the instructions provided by your IdP:

Set up role mapping

You can assign roles to members in your organization in the IdP. To set up a role, you can use optional user-level attributes for the person to whom you want to assign a role. In addition to roles, you can set an organization and team to override the default provisioning values set by the SSO connection.

Note

These mappings are supported for both SCIM and JIT provisioning. With JIT provisioning, role mapping only applies when a user is initially provisioned to the organization.

The following lists the supported optional user-level attributes.

  • dockerRole
    • Possible values: member, editor, or owner. For a list of permissions for each role, see Roles and permissions.
    • Considerations: If you don't assign a role in the IdP, the value of the dockerRole attribute defaults to member. When you set the attribute, this overrides the default value.
  • dockerOrg
    • Possible values: organizationName. For example, an organization named "moby" would be moby.
    • Considerations: Setting this attribute overrides the default organization configured by the SSO connection. Also, this won't add the user to the default team. If this attribute isn't set, the user is provisioned to the default organization and the default team. If set and dockerTeam is also set, this provisions the user to the team within that org.
  • dockerTeam
    • Possible values: teamName. For example, a team named "developers" would be developers.
    • Considerations: Setting this attribute provisions the user to the default org and to the specified team, instead of the SSO connection's default team. This also creates the team if it doesn't exist. You can still use group mapping to provision users to teams in multiple orgs. See Group mapping.

After you set the role in the IdP, you need to sync to push the changes to Docker.

The external namespace to use to set up these attributes is urn:ietf:params:scim:schemas:extension:docker:2.0:User.
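As an added illustration (not Docker's own code or part of its documentation), the following Python builds a SCIM 2.0 User resource carrying the core attributes listed under "supported attributes" and the optional dockerRole/dockerOrg/dockerTeam attributes under the Docker extension namespace above, rejects values the page says are not allowed, and reports which SCIM values a mismatched JIT mapping would overwrite at the user's next login. The function names and the email pattern are assumptions.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
DOCKER_EXT = "urn:ietf:params:scim:schemas:extension:docker:2.0:User"
VALID_ROLES = ("member", "editor", "owner")
# Assumed loose check: userName must be the user's primary email address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_docker_scim_user(email, given_name, family_name, *, active=True,
                           role=None, org=None, team=None):
    """Return a SCIM 2.0 User resource with Docker's extension attributes.

    Core attributes sit under the core schema; dockerRole, dockerOrg and
    dockerTeam go under the Docker extension schema and are only emitted
    when set, so the IdP-side defaults (member, default org/team) apply.
    """
    if not EMAIL_RE.match(email):
        raise ValueError("userName must be the user's primary email address")
    if role is not None and role not in VALID_ROLES:
        raise ValueError(f"dockerRole must be one of {VALID_ROLES}, got {role!r}")
    user = {
        "schemas": [CORE],
        "userName": email,
        "name": {"givenName": given_name, "familyName": family_name},
        "active": bool(active),  # False de-provisions the user
    }
    ext = {k: v for k, v in (("dockerRole", role), ("dockerOrg", org),
                             ("dockerTeam", team)) if v}
    if ext:
        user["schemas"].append(DOCKER_EXT)
        user[DOCKER_EXT] = ext
    return user


def effective_role(user):
    """dockerRole defaults to 'member' when the IdP does not send one."""
    return user.get(DOCKER_EXT, {}).get("dockerRole", "member")


def jit_conflicts(scim_user, jit_attrs):
    """Attributes whose SSO (JIT) value differs from the SCIM value.

    JIT overwrites SCIM-set values at every login, so each entry returned
    here is a SCIM value that will not survive the user's next sign-in.
    """
    flat = {
        "userName": scim_user["userName"],
        "name.givenName": scim_user["name"]["givenName"],
        "name.familyName": scim_user["name"]["familyName"],
    }
    return {k: (flat[k], jit_attrs[k]) for k in flat
            if k in jit_attrs and jit_attrs[k] != flat[k]}
```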

For how to add these attributes, see the documentation for your IdP:

Disable SCIM

If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.

  1. Sign in to Docker Hub.
  2. Navigate to the SSO settings page for your organization or company.
    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select the Actions icon.
  4. Select Disable SCIM.

Early Access

The Docker Admin Console is an early access product.

It's available to all company owners and organization owners. You can still manage companies and organizations in Docker Hub, but the Admin Console includes enhanced features for company-level management.

Step one: Enable SCIM in Docker

  1. Sign in to the Admin Console.
  2. Select your organization or company in the left navigation drop-down menu, and then select SSO & SCIM.
  3. In the SSO connections table, select the Actions icon and Setup SCIM.
  4. Copy the SCIM Base URL and API Token and paste the values into your IdP.

Step two: Enable SCIM in your IdP

Follow the instructions provided by your IdP:

Disable SCIM

If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.

  1. Sign in to the Admin Console.
  2. Select your organization or company in the left navigation drop-down menu, and then select SSO & SCIM.
  3. In the SSO connections table, select the Actions icon.
  4. Select Disable SCIM.