Manage Single Sign-On

Manage organizations

Note

You must have a company to manage more than one organization.

Early Access

The Docker Admin Console is an early access product.

It's available to all company owners and organization owners. You can still manage companies and organizations in Docker Hub, but the Admin Console includes enhanced features for company-level management.

Connect an organization

  1. Sign in to the Admin Console.
  2. Select your company in the left navigation drop-down menu, and then select SSO & SCIM.
  3. In the SSO connections table, select the Action icon and then Edit connection.
  4. Select Next to navigate to the section where connected organizations are listed.
  5. In the Organizations drop-down, select the organization to add to the connection.
  6. Select Next to confirm or change the default organization and team provisioning.
  7. Review the Connection Summary and select Save.

Remove an organization

  1. Sign in to the Admin Console.
  2. Select your company in the left navigation drop-down menu, and then select SSO & SCIM.
  3. In the SSO connections table, select the Action icon and then Edit connection.
  4. Select Next to navigate to the section where connected organizations are listed.
  5. In the Organizations drop-down, select Remove to remove the connection.
  6. Select Next to confirm or change the default organization and team provisioning.
  7. Review the Connection Summary and select Save.

Connect an organization

  1. Sign in to Docker Hub.
  2. Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select the Action icon and then Edit connection.
  4. Select Next to navigate to the section where connected organizations are listed.
  5. In the Organizations drop-down, select the organization to add to the connection.
  6. Select Next to confirm or change the default organization and team provisioning.
  7. Review the Connection Summary and select Save.

Remove an organization

  1. Sign in to Docker Hub.
  2. Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select the Action icon and then Edit connection.
  4. Select Next to navigate to the section where connected organizations are listed.
  5. In the Organizations drop-down, select Remove to remove the connection.
  6. Select Next to confirm or change the default organization and team provisioning.
  7. Review the Connection Summary and select Save.

Manage domains

Early Access

The Docker Admin Console is an early access product.

It's available to all company owners and organization owners. You can still manage companies and organizations in Docker Hub, but the Admin Console includes enhanced features for company-level management.

Remove a domain from an SSO connection

  1. Sign in to the Admin Console.
  2. Select your organization or company in the left navigation drop-down menu, and then select SSO & SCIM.
  3. In the SSO connections table, select the Action icon and then Edit connection.
  4. Select Next to navigate to the section where the connected domains are listed.
  5. In the Domain drop-down, select the x icon next to the domain that you want to remove.
  6. Select Next to confirm or change the connected organization(s).
  7. Select Next to confirm or change the default organization and team provisioning selections.
  8. Review the Connection Summary and select Save.

Note

If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value.

Remove a domain from an SSO connection

  1. Sign in to Docker Hub.
  2. Navigate to the SSO settings page for your organization or company.
    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select the Action icon and then Edit connection.
  4. Select Next to navigate to the section where the connected domains are listed.
  5. In the Domain drop-down, select the x icon next to the domain that you want to remove.
  6. Select Next to confirm or change the connected organization(s).
  7. Select Next to confirm or change the default organization and team provisioning selections.
  8. Review the Connection Summary and select Save.

Note

If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value.

Manage SSO connections

Early Access

The Docker Admin Console is an early access product.

It's available to all company owners and organization owners. You can still manage companies and organizations in Docker Hub, but the Admin Console includes enhanced features for company-level management.

Edit a connection

  1. Sign in to the Admin Console.
  2. Select your organization or company in the left navigation drop-down menu, and then select SSO & SCIM.
  3. In the SSO connections table, select the Action icon.
  4. Select Edit connection to edit your connection.
  5. Follow the on-screen instructions to edit the connection.

Delete a connection

  1. Sign in to the Admin Console.
  2. Select your organization or company in the left navigation drop-down menu, and then select SSO & SCIM.
  3. In the SSO connections table, select the Action icon.
  4. Select Delete connection.
  5. Follow the on-screen instructions to delete a connection.

Deleting SSO

When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.

Edit a connection

  1. Sign in to Docker Hub.
  2. Navigate to the SSO settings page for your organization or company.
    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select the Action icon.
  4. Select Edit connection to edit your connection.
  5. Follow the on-screen instructions to edit the connection.

Delete a connection

  1. Sign in to Docker Hub.
  2. Navigate to the SSO settings page for your organization or company.
    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select the Action icon.
  4. Select Delete connection.
  5. Follow the on-screen instructions to delete a connection.

Deleting SSO

When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.

Manage users

Early Access

The Docker Admin Console is an early access product.

It's available to all company owners and organization owners. You can still manage companies and organizations in Docker Hub, but the Admin Console includes enhanced features for company-level management.

Important

SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned to your organization.

You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:

Alternatively, see Manage how users are provisioned.

Add guest users when SSO is enabled

To add a guest that isn't verified through your IdP:

  1. Sign in to the Admin Console.
  2. Navigate to the user management page for your organization or company.
    • Organization: Select your organization in the left navigation drop-down menu, and then select Members.
    • Company: Select your company in the left navigation drop-down menu, and then select Users.
  3. Select Invite.
  4. Follow the on-screen instructions to invite the user.

Remove users from the SSO company

To remove a user:

  1. Sign in to the Admin Console.
  2. Navigate to the user management page for your organization or company.
    • Organization: Select your organization in the left navigation drop-down menu, and then select Members.
    • Company: Select your company in the left navigation drop-down menu, and then select Users.
  3. Select the action icon next to a user’s name, and then select Remove member, if you're an organization, or Remove user, is you're a company.
  4. Follow the on-screen instructions to remove the user.

Manage how users are provisioned

Beta feature

Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. See SSO authentication with JIT provisioning disabled.

To choose how your users are provisioned:

  1. Sign in to the Admin Console.
  2. Select your organization or company in the left navigation drop-down menu, and then select SSO & SCIM.
  3. In the SSO connections table, select the Action icon and then Edit connection.
  4. Select Next to navigate to the section where you can choose how to provision users.
  5. Choose to enable or disable Just-in-Time (JIT) provisioning (default).
  6. Follow the on-screen instructions to save your configuration.

Important

SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned to your organization.

You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:

Alternatively, see Manage how users are provisioned.

Add guest users when SSO is enabled

To add a guest that isn't verified through your IdP:

  1. Sign in to Docker Hub.
  2. Select Organizations, your organization, and then Members.
  3. Select Invite members.
  4. Follow the on-screen instructions to invite the user.

Remove users from the SSO company

To remove a user:

  1. Sign in to Docker Hub.
  2. Select Organizations, your organization, and then Members.
  3. Select the action icon next to a user’s name, and then select Remove member.
  4. Follow the on-screen instructions to remove the user.

Manage how users are provisioned

Beta feature

Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. See SSO authentication with JIT provisioning disabled.

This feature is only available in the Admin Console.

What's next?