Configure single sign-on

Get started creating a single sign-on (SSO) connection for your organization or company.

The steps to set up your SSO configuration are:

  1. Add and verify the domain or domains that your members use to sign in to Docker.
  2. Create your SSO connection in Docker.
  3. Configure your IdP to work with Docker.
  4. Complete your SSO connection in Docker.

This page walks through steps 1 and 2 using Docker Hub or the Admin Console.

Step one: Add and verify your domain


Early Access

The Docker Admin Console is an early access product.

It's available to all company owners and organization owners. You can still manage companies and organizations in Docker Hub, but the Admin Console includes enhanced features for company-level management.

  1. Sign in to the Admin Console.

  2. Select your organization or company in the left navigation drop-down menu, and then select Domain management.

  3. Select Add a domain.

  4. Continue with the on-screen instructions to get a verification code for your domain as a TXT Record Value.

    Note

    Format your domains without protocol or www information, for example, yourcompany.example. This should include all email domains and subdomains users will use to access Docker, for example yourcompany.example and us.yourcompany.example. Public domains such as gmail.com, outlook.com, etc. aren’t permitted.

    Tip

    Make sure that the TXT record name that you create on your DNS matches the domain you registered on Docker in Step 4. For example, if you registered the subdomain us.yourcompany.example, you need to create a TXT record within the same name/zone us. A root domain such as yourcompany.example needs a TXT record on the root zone, which is typically denoted with the @ name for the record.

  5. Once you have waited 72 hours for the TXT record verification, you can then select Verify next to the domain you've added, and follow the on-screen instructions.

  1. Sign in to Docker Hub.

  2. Navigate to the domain settings page for your organization or company.

    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. Select Add a domain.

  4. Continue with the on-screen instructions to get a verification code for your domain as a TXT Record Value.

    Note

    Format your domains without protocol or www information, for example, yourcompany.example. This should include all email domains and subdomains users will use to access Docker, for example yourcompany.example and us.yourcompany.example. Public domains such as gmail.com, outlook.com, etc. aren’t permitted.

    Tip

    Make sure that the TXT record name that you create on your DNS matches the domain you registered on Docker in Step 4. For example, if you registered the subdomain us.yourcompany.example, you need to create a TXT record within the same name/zone us. A root domain such as yourcompany.example needs a TXT record on the root zone, which is typically denoted with the @ name for the record.

  5. Once you have waited 72 hours for the TXT record verification, you can then select Verify next to the domain you've added, and follow the on-screen instructions.
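A pre-flight check for the Note and Tip in step 4 of both procedures above, as an added example that is not Docker's own code: it normalizes the domains you plan to register and derives the TXT record name for each. The function names and the assumption that every domain lives in a single DNS zone are illustrative; the TXT record value itself comes from Docker's on-screen instructions and is not modeled.

```python
from urllib.parse import urlsplit

# Assumption: the page names only gmail.com and outlook.com ("etc."); extend as needed.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com"}


def normalize_domain(entry):
    """Reduce an entry to the bare form the Note asks for (no protocol, no www)."""
    text = entry.strip().lower()
    if "://" in text:
        text = urlsplit(text).hostname or ""
    else:
        text = text.split("/", 1)[0]
    text = text.rstrip(".")
    if text.startswith("www."):
        text = text[4:]
    if "." not in text or not all(text.split(".")):
        raise ValueError(f"not a usable domain: {entry!r}")
    if text in PUBLIC_DOMAINS:
        raise ValueError(f"public domain not permitted: {text}")
    return text


def txt_record_name(domain, zone):
    """Record name to create inside `zone`: '@' at the root, else the relative label."""
    domain, zone = normalize_domain(domain), normalize_domain(zone)
    if domain == zone:
        return "@"
    suffix = "." + zone
    if not domain.endswith(suffix):
        raise ValueError(f"{domain} is not inside zone {zone}")
    return domain[: -len(suffix)]


def plan_records(entries, zone):
    """Map each distinct domain to register to its TXT record name."""
    return {normalize_domain(e): txt_record_name(e, zone) for e in entries}


# Constructed sample input built from the page's example domains.
SAMPLE = ["https://www.yourcompany.example/", "us.yourcompany.example", "YourCompany.example"]

if __name__ == "__main__":
    for domain, name in plan_records(SAMPLE, "yourcompany.example").items():
        print(f"{domain}: TXT record name {name}")
```

A name that merely ends with the zone's text without a separating dot is rejected as outside the zone, so a look-alike domain cannot be planned into your zone by mistake.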


Step two: Create an SSO connection in Docker


Important

If your IdP setup requires an Entity ID and the ACS URL, you must select the SAML tab in the Authentication Method section. For example, if your Entra ID (formerly Azure AD) Open ID Connect (OIDC) setup uses SAML configuration within Azure AD, you must select SAML. If you are configuring Open ID Connect with Entra ID (formerly Azure AD), select Azure AD (OIDC) as the authentication method. Also, IdP-initiated connections aren't supported at this time.

After your domain is verified, create an SSO connection.

  1. Sign in to the Admin Console.

  2. Select your organization or company in the left navigation drop-down menu, and then select SSO & SCIM.

  3. In the SSO connections table select Create Connection, and create a name for the connection.

    Note

    You have to verify at least one domain before creating the connections.

  4. Select an authentication method, SAML or Azure AD (OIDC).

  5. Copy the following fields to add to your IdP:

    • SAML: Entity ID, ACS URL
    • Azure AD (OIDC): Redirect URL

  1. Sign in to Docker Hub.

  2. Navigate to the SSO settings page for your organization or company.

    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. In the SSO connections table select Create Connection, and create a name for the connection.

    Note

    You have to verify at least one domain before creating the connections.

  4. Select an authentication method, SAML or Azure AD (OIDC).

  5. Copy the following fields to add to your IdP:

    • SAML: Entity ID, ACS URL
    • Azure AD (OIDC): Redirect URL

What's next?

Continue configuration in your IdP.