SCIM
This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers.
SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker and added to the organization or company.
Similarly, if a user gets unassigned from the Docker application in the IdP, this removes the user from the organization or company in Docker. SCIM also synchronizes changes made to a user's attributes in the IdP, for example the user’s first name and last name.
The following lists the supported provisioning features:
- Creating new users
- Push user profile updates
- Remove users
- Deactivate users
- Re-activate users
- Group mapping
The following table lists the supported attributes. Note that your attribute mappings must match for SSO to prevent duplicating your members.
| Attribute | Description |
|---|---|
| userName | User's primary email address. This is the unique identifier of the user. |
| name.givenName | User’s first name |
| name.familyName | User’s surname |
| active | Indicates if a user is enabled or disabled. Can be set to false to de-provision the user. |
For additional details about supported attributes and SCIM, see Docker Hub API SCIM reference.
Set up SCIM
You must make sure you have configured SSO before you enable SCIM. Enforcing SSO isn't required.
Step one: Enable SCIM in Docker
- Sign in to Docker Hubopen_in_new.
- Navigate to the SSO settings page for your organization or company.
- Organization: Select Organizations, your organization, Settings, and then Security.
- Company: Select Organizations, your company, and then Settings.
- In the SSO connections table, select the Actions icon and Setup SCIM.
- Copy the SCIM Base URL and API Token and paste the values into your IdP.
Step two: Enable SCIM in your IdP
Follow the instructions provided by your IdP:
Set up role mapping
You can assign roles to members in your organization in the IdP. To set up a role, you can use optional user-level attributes for the person you want to assign a role. In addition to roles, you can set an organization and team to override the default provisioning values set by the SSO connection.
Note
These mappings are supported for both SCIM and JIT provisioning. With JIT provisioning, role mapping only applies when a user is initially provisioned to the organization.
The following table lists the supported optional user-level attributes.
| Attribute | Possible values | Considerations |
|---|---|---|
dockerRole | member, editor, or owner. For a list of permissions for each role, see
Roles and permissions. | If you don't assign a role in the IdP, the value of the dockerRole attribute defaults to member. When you set the attribute, this overrides the default value. |
dockerOrg | organizationName. For example, an organization named "moby" would be moby. | Setting this attribute overrides the default organization configured by the SSO connection. Also, this won't add the user to the default team. If this attribute isn't set, the user is provisioned to the default organization and the default team. If set and dockerTeam is also set, this provisions the user to the team within that org. |
dockerTeam | teamName. For example, a team named "developers" would be developers. | Setting this attribute provisions the user to the default org and to the specified team, instead of the SSO connection's default team. This also creates the team if it doesn't exist. You can still use group mapping to provision users to teams in multiple orgs. See Group mapping. |
After you set the role in the IdP, you need to sync to push the changes to Docker.
The external namespace to use to set up these attributes is urn:ietf:params:scim:schemas:extension:docker:2.0:User.
For how to add these attributes, see the documentation for your IdP:
Disable SCIM
If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.
- Sign in to Docker Hubopen_in_new.
- Navigate to the SSO settings page for your organization or company.
- Organization: Select Organizations, your organization, Settings, and then Security.
- Company: Select Organizations, your company, and then Settings.
- In the SSO connections table, select the Actions icon.
- Select Disable SCIM.
Early Access
Docker Admin is an early access product.
It's currently available to all company owners and organization owners that have a Docker Business or Docker Team subscription. You can still manage companies and organizations in Docker Hub. For details about managing companies or organizations in Docker Hub, see Administration.
Step one: Enable SCIM in Docker
- Sign in to Docker Adminopen_in_new.
- Select your organization or company in the left navigation drop-down menu, and then select SSO & SCIM.
- In the SSO connections table, select the Actions icon and Setup SCIM.
- Copy the SCIM Base URL and API Token and paste the values into your IdP.
Step two: Enable SCIM in your IdP
Follow the instructions provided by your IdP:
Set up role mapping
You can assign roles to members in your organization in the IdP. To set up a role, you can use optional user-level attributes for the person you want to assign a role. In addition to roles, you can set an organization and team to override the default provisioning values set by the SSO connection.
Note
These mappings are supported for both SCIM and JIT provisioning. With JIT provisioning, role mapping only applies when a user is initially provisioned to the organization.
The following table lists the supported optional user-level attributes.
| Attribute | Possible values | Considerations |
|---|---|---|
dockerRole | member, editor, or owner. For a list of permissions for each role, see
Roles and permissions. | If you don't assign a role in the IdP, the value of the dockerRole attribute defaults to member. When you set the attribute, this overrides the default value. |
dockerOrg | organizationName. For example, an organization named "moby" would be moby. | Setting this attribute overrides the default organization configured by the SSO connection. Also, this won't add the user to the default team. If this attribute isn't set, the user is provisioned to the default organization and the default team. If set and dockerTeam is also set, this provisions the user to the team within that org. |
dockerTeam | teamName. For example, a team named "developers" would be developers. | Setting this attribute provisions the user to the default org and to the specified team, instead of the SSO connection's default team. This also creates the team if it doesn't exist. You can still use group mapping to provision users to teams in multiple orgs. See Group mapping. |
After you set the role in the IdP, you need to sync to push the changes to Docker.
The external namespace to use to set up these attributes is urn:ietf:params:scim:schemas:extension:docker:2.0:User.
For how to add these attributes, see the documentation for your IdP:
Disable SCIM
If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.
- Sign in to Docker Adminopen_in_new.
- Select your organization or company in the left navigation drop-down menu, and then select SSO & SCIM.
- In the SSO connections table, select the Actions icon.
- Select Disable SCIM.