Configure Single Sign-On

Follow the steps on this page to configure SSO for your organization or company.

Step one: Add and verify your domain

  1. Sign in to Docker Hub.

  2. Navigate to the domain settings page for your organization or company.

    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. Select Add a domain.

  4. Continue with the on-screen instructions to get a verification code for your domain as a TXT Record Value.

    Note

    Format your domains without a protocol or www prefix, for example yourcompany.example. Include every email domain and subdomain your users will use to access Docker, for example yourcompany.example and us.yourcompany.example. Public domains such as gmail.com and outlook.com aren't permitted.

  5. Create a TXT record in your domain's DNS with the verification code as its value. DNS changes can take up to 72 hours to propagate; once the record is visible, select Verify next to the domain you've added, and follow the on-screen instructions.

    Note

    Make sure that the TXT record name that you create on your DNS matches the domain you registered on Docker in Step 4. For example, if you registered the subdomain us.yourcompany.example, create the TXT record with the name us in the yourcompany.example zone. A root domain such as yourcompany.example needs a TXT record at the zone apex, which is typically denoted with the @ name for the record.

Step two: Create an SSO connection

Important

If your IdP setup requires an Entity ID and an ACS URL, you must select the SAML tab in the Authentication Method section, even when the IdP is Azure AD. For example, if your Azure AD application is configured for SAML, select SAML. Select Azure AD as the authentication method only when you are configuring OpenID Connect (OIDC) with Azure AD. Also, IdP-initiated connections aren't supported at this time.

After your domain is verified, create an SSO connection.

  1. Sign in to Docker Hub.

  2. Navigate to the SSO settings page for your organization or company.

    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select Create Connection, and enter a name for the connection.

    Note

    You have to verify at least one domain before creating a connection.

  4. Select an authentication method, SAML or Azure AD (OIDC).

  5. Copy the following fields and add them to your IdP:

    • SAML: Entity ID, ACS URL
    • Azure AD (OIDC): Redirect URL
  6. From your IdP, copy and paste the following values into the settings in the Docker console:

    • SAML: SAML Sign-on URL, x509 Certificate
    • Azure AD (OIDC): Client ID, Client Secret, Azure AD Domain
  7. Select the verified domains you want to apply the connection to.

  8. To provision your users, select the organization(s) and/or team(s).

  9. Review your summary and select Create Connection.

Step three: Test your SSO configuration

After you’ve completed the SSO configuration process in Docker, test it by signing in to Docker Hub in an incognito (private) browser window with your domain email address. You are then redirected to your IdP's login page to authenticate.

  1. Authenticate with your email address instead of your Docker ID, and test the login process.
  2. To authenticate through the Docker CLI, your users must have a personal access token (PAT) before you enforce SSO for CLI users.

Important

SSO has Just-In-Time (JIT) provisioning enabled by default. This means that any user who authenticates through your IdP with an email address on one of your verified domains is auto-provisioned into a team called 'Company' within your organization on Docker Hub.

You can change this on a per-app basis. To prevent users from being auto-provisioned, create a security group in your IdP and configure the SSO app to authenticate and authorize only the users in that group. Follow the instructions provided by your IdP.

The SSO connection is now created. You can continue to set up SCIM without enforcing SSO log-in. For more information about setting up SCIM, see Set up SCIM.

Optional step four: Enforce SSO

  1. Sign in to Docker Hub.

  2. Navigate to the SSO settings page for your organization or company.

    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select the Action icon and then Enable enforcement.

    When SSO is enforced, your users are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. You must enable 2FA through your IdP.

  4. Continue with the on-screen instructions and verify that you’ve completed the tasks.

  5. Select Turn on enforcement to complete.

Your users must now sign in to Docker with SSO.

Important

If SSO isn't enforced, users can choose to sign in with either their Docker ID or SSO.

What's next?