diff --git a/content/guides/admin-user-management/onboard.md b/content/guides/admin-user-management/onboard.md
index 93d11490bc7b..27b804cec585 100644
--- a/content/guides/admin-user-management/onboard.md
+++ b/content/guides/admin-user-management/onboard.md
@@ -67,4 +67,4 @@ It also:
- Ensures consistent access control policies.
- Help you scale permissions as teams grow or change.
-For more information on how it works, see [Group mapping](/manuals/enterprise/security/provisioning/group-mapping.md).
+For more information on how it works, see [Group mapping](/enterprise/security/provisioning/scim/group-mapping).
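Review bot: The rewritten link on the `+` line changes two things at once: it drops the source-file form (`/manuals/.../group-mapping.md`) for a URL path, and it inserts a `scim/` segment that the old path did not have. Nothing in the visible part of this diff shows a group-mapping page being moved under `provisioning/scim/`, so please confirm the page is served at `/enterprise/security/provisioning/scim/group-mapping`. Please also add the trailing slash so it matches the other URL-style links in this change, such as `/enterprise/security/provisioning/scim/`.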
diff --git a/content/manuals/admin/company/_index.md b/content/manuals/admin/company/_index.md
index fb6f8ea723f8..481daaca7521 100644
--- a/content/manuals/admin/company/_index.md
+++ b/content/manuals/admin/company/_index.md
@@ -4,42 +4,44 @@ weight: 20
description: Learn how to manage multiple organizations using companies, including managing users, owners, and security.
keywords: company, multiple organizations, manage companies, admin console, Docker Business settings
grid:
-- title: Create a company
- description: Get started by learning how to create a company.
- icon: apartment
- link: /admin/company/new-company/
-- title: Manage organizations
- description: Learn how to add and manage organizations as well as seats within your
- company.
- icon: store
- link: /admin/company/organizations/
-- title: Manage company owners
- description: Find out more about company owners and how to manage them.
- icon: supervised_user_circle
- link: /admin/company/owners/
-- title: Manage users
- description: Explore how to manage users in all organizations.
- icon: group_add
- link: /admin/company/users/
-- title: Configure single sign-on
- description: Discover how to configure SSO for your entire company.
- icon: key
- link: /security/for-admins/single-sign-on/
-- title: Set up SCIM
- description: Set up SCIM to automatically provision and deprovision users in your
- company.
- icon: checklist
- link: /security/for-admins/provisioning/scim/
-- title: Domain management
- description: Add and verify your company's domains.
- icon: domain_verification
- link: /security/for-admins/domain-management/
-- title: FAQs
- description: Explore frequently asked questions about companies.
- link: /faq/admin/company-faqs/
- icon: help
+ - title: Create a company
+ description: Get started by learning how to create a company.
+ icon: apartment
+ link: /admin/company/new-company/
+ - title: Manage organizations
+ description:
+ Learn how to add and manage organizations as well as seats within your
+ company.
+ icon: store
+ link: /admin/company/organizations/
+ - title: Manage company owners
+ description: Find out more about company owners and how to manage them.
+ icon: supervised_user_circle
+ link: /admin/company/owners/
+ - title: Manage users
+ description: Explore how to manage users in all organizations.
+ icon: group_add
+ link: /admin/company/users/
+ - title: Configure single sign-on
+ description: Discover how to configure SSO for your entire company.
+ icon: key
+ link: /enterprise/security/single-sign-on/
+ - title: Set up SCIM
+ description:
+ Set up SCIM to automatically provision and deprovision users in your
+ company.
+ icon: checklist
+ link: /enterprise/security/provisioning/scim/
+ - title: Domain management
+ description: Add and verify your company's domains.
+ icon: domain_verification
+ link: /enterprise/security/domain-management/
+ - title: FAQs
+ description: Explore frequently asked questions about companies.
+ link: /faq/admin/company-faqs/
+ icon: help
aliases:
-- /docker-hub/creating-companies/
+ - /docker-hub/creating-companies/
---
{{< summary-bar feature_name="Company" >}}
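Review bot: Three functional link changes in the `grid` entries (Configure single sign-on, Set up SCIM and Domain management, all moving from `/security/for-admins/...` to `/enterprise/security/...`) are buried inside a whitespace-only re-indent of the entire front matter. Consider splitting the formatter pass into its own commit so that the link updates can be reviewed and reverted on their own. The PR description should also state whether the old `/security/for-admins/...` URLs still resolve through aliases, since only the domain-management aliases are visible in this diff.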
diff --git a/content/manuals/admin/company/users.md b/content/manuals/admin/company/users.md
index 69d39614bbe1..e21b20538a92 100644
--- a/content/manuals/admin/company/users.md
+++ b/content/manuals/admin/company/users.md
@@ -33,7 +33,7 @@ to invite members to.
> [!NOTE]
>
> When you invite members, you assign them a role.
- > See [Roles and permissions](/security/for-admins/roles-and-permissions/)
+ > See [Roles and permissions](/enterprise/security/roles-and-permissions/core-roles/)
> for details about the access permissions for each role.
Pending invitations appear on the Members page. The invitees receive an
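Review bot: The link text on the changed line is still "Roles and permissions", and the sentence promises details "for each role", but the new target is the `core-roles/` subpage rather than the section landing page. The `grid_admins` entry in `enterprise/security/_index.md` in this same diff still links to `/enterprise/security/roles-and-permissions/`. Either point this note at the landing page as well, or change the link text so it matches the page readers arrive on.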
diff --git a/content/manuals/admin/organization/_index.md b/content/manuals/admin/organization/_index.md
index ec1d2bc1b07f..6d4393416427 100644
--- a/content/manuals/admin/organization/_index.md
+++ b/content/manuals/admin/organization/_index.md
@@ -5,44 +5,42 @@ weight: 10
description: Learn how to manage your Docker organization, including teams, members, permissions, and settings.
keywords: organizations, admin, overview, manage teams, roles
grid:
-- title: Onboard your organization
- description: Learn how to onboard and secure your organization.
- icon: explore
- link: /admin/organization/onboard
-- title: Manage members
- description: Explore how to manage members.
- icon: group_add
- link: /admin/organization/members/
-- title: Activity logs
- description: Learn how to audit the activities of your members.
- icon: text_snippet
- link: /admin/organization/activity-logs/
-- title: Image Access Management
- description: Control which types of images your developers can pull.
- icon: photo_library
- link: /admin/organization/image-access/
-- title: Registry Access Management
- description: Define which registries your developers can access.
- icon: home_storage
- link: /admin/organization/registry-access/
-- title: Organization settings
- description: Configure information for your organization and manage settings.
- icon: settings
- link: /admin/organization/general-settings/
-- title: SSO and SCIM
- description: 'Set up [Single Sign-On](/security/for-admins/single-sign-on/)
- and [SCIM](/security/for-admins/provisioning/scim/) for your organization.
-
- '
- icon: key
-- title: Domain management
- description: Add, verify, and audit your domains.
- link: /security/for-admins/domain-management/
- icon: domain_verification
-- title: FAQs
- description: Explore common organization FAQs.
- link: /faq/admin/organization-faqs/
- icon: help
+ - title: Onboard your organization
+ description: Learn how to onboard and secure your organization.
+ icon: explore
+ link: /admin/organization/onboard
+ - title: Manage members
+ description: Explore how to manage members.
+ icon: group_add
+ link: /admin/organization/members/
+ - title: Activity logs
+ description: Learn how to audit the activities of your members.
+ icon: text_snippet
+ link: /admin/organization/activity-logs/
+ - title: Image Access Management
+ description: Control which types of images your developers can pull.
+ icon: photo_library
+ link: /admin/organization/image-access/
+ - title: Registry Access Management
+ description: Define which registries your developers can access.
+ icon: home_storage
+ link: /admin/organization/registry-access/
+ - title: Organization settings
+ description: Configure information for your organization and manage settings.
+ icon: settings
+ link: /admin/organization/general-settings/
+ - title: SSO and SCIM
+ description: "Set up [Single Sign-On](/security/for-admins/single-sign-on/)
+ and [SCIM](/security/for-admins/provisioning/scim/) for your organization."
+ icon: key
+ - title: Domain management
+ description: Add, verify, and audit your domains.
+ link: /enterprise/security/domain-management/
+ icon: domain_verification
+ - title: FAQs
+ description: Explore common organization FAQs.
+ link: /faq/admin/organization-faqs/
+ icon: help
---
A Docker organization is a collection of teams and repositories with centralized
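Review bot: The "SSO and SCIM" entry's `description` still links to `/security/for-admins/single-sign-on/` and `/security/for-admins/provisioning/scim/`, while the Domain management entry a few lines below was updated to `/enterprise/security/domain-management/` and `company/_index.md` updated the same two links to `/enterprise/security/...`. The description string was already rewritten here to change its quoting, so the two inline links look like they were missed; please update them to `/enterprise/security/single-sign-on/` and `/enterprise/security/provisioning/scim/` for consistency.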
@@ -67,4 +65,4 @@ and simplify permission management.
Learn how to create and manage your organization in the following sections.
-{{< grid >}}
\ No newline at end of file
+{{< grid >}}
diff --git a/content/manuals/admin/organization/general-settings.md b/content/manuals/admin/organization/general-settings.md
index 4387e4ec4d9f..65bee0988015 100644
--- a/content/manuals/admin/organization/general-settings.md
+++ b/content/manuals/admin/organization/general-settings.md
@@ -31,5 +31,5 @@ After configuring your organization information, you can:
- [Configure single sign-on (SSO)](/manuals/enterprise/security/single-sign-on/connect.md)
- [Set up SCIM provisioning](/manuals/enterprise/security/provisioning/scim.md)
-- [Manage domains](/manuals/enterprise/security/domain-management.md)
+- [Manage domains](/enterprise/security/domain-management)
- [Create a company](/manuals/admin/company/new-company.md)
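Review bot: The "Manage domains" bullet is now the only item in this list that uses a URL path; the SSO, SCIM and company bullets around it keep the `/manuals/...md` source-path form. `domain-management.md` is modified in place elsewhere in this diff and stays at `content/manuals/enterprise/security/domain-management.md`, so the old link still pointed at a file that exists. Unless there is a reason to switch forms, keep the `.md` path here (and in the matching "Manage your domains" bullet in `onboard.md`). If the URL form is intended, add the trailing slash used by the grid entries.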
diff --git a/content/manuals/admin/organization/onboard.md b/content/manuals/admin/organization/onboard.md
index 2c206bf5b6ca..e8f380d8faeb 100644
--- a/content/manuals/admin/organization/onboard.md
+++ b/content/manuals/admin/organization/onboard.md
@@ -6,9 +6,9 @@ keywords: business, team, organizations, get started, onboarding, Admin Console,
toc_min: 1
toc_max: 3
aliases:
-- /docker-hub/onboard/
-- /docker-hub/onboard-team/
-- /docker-hub/onboard-business/
+ - /docker-hub/onboard/
+ - /docker-hub/onboard-team/
+ - /docker-hub/onboard-business/
---
{{< summary-bar feature_name="Admin orgs" >}}
@@ -31,17 +31,17 @@ limits and other benefits when they are signed in.
Before you start onboarding your organization, ensure you:
- Have a Docker Team or Business subscription. For more details, see
-[Docker subscriptions and features](https://www.docker.com/pricing?ref=Docs&refAction=DocsAdminOnboard).
+ [Docker subscriptions and features](https://www.docker.com/pricing?ref=Docs&refAction=DocsAdminOnboard).
> [!NOTE]
>
> When purchasing a self-serve subscription, the on-screen instructions
- guide you through creating an organization. If you have purchased a
- subscription through Docker Sales and you have not yet created an
- organization, see [Create an organization](/manuals/admin/organization/orgs.md).
+ > guide you through creating an organization. If you have purchased a
+ > subscription through Docker Sales and you have not yet created an
+ > organization, see [Create an organization](/manuals/admin/organization/orgs.md).
- Familiarize yourself with Docker concepts and terminology in
-the [administration overview](../_index.md).
+ the [administration overview](../_index.md).
## Onboard with guided setup
@@ -58,9 +58,9 @@ The guided setup walks you through the following onboarding steps:
- **Invite your team**: Invite owners and members.
- **Manage user access**: Add and verify a domain, manage users with SSO, and
-enforce Docker Desktop sign-in.
+ enforce Docker Desktop sign-in.
- **Docker Desktop security**: Configure image access management, registry
-access management, and settings management.
+ access management, and settings management.
## Recommended onboarding steps
@@ -71,28 +71,28 @@ receive your Docker subscription benefits.
1. Identify the Docker users in your organization.
- If your organization uses device management software, like MDM or Jamf,
- you can use the device management software to help identify Docker users.
- See your device management software's documentation for details. You can
- identify Docker users by checking if Docker Desktop is installed at the
- following location on each user's machine:
- - Mac: `/Applications/Docker.app`
- - Windows: `C:\Program Files\Docker\Docker`
- - Linux: `/opt/docker-desktop`
+ you can use the device management software to help identify Docker users.
+ See your device management software's documentation for details. You can
+ identify Docker users by checking if Docker Desktop is installed at the
+ following location on each user's machine:
+ - Mac: `/Applications/Docker.app`
+ - Windows: `C:\Program Files\Docker\Docker`
+ - Linux: `/opt/docker-desktop`
- If your organization doesn't use device management software or your
- users haven't installed Docker Desktop yet, you can survey your users to
- identify who is using Docker Desktop.
+ users haven't installed Docker Desktop yet, you can survey your users to
+ identify who is using Docker Desktop.
1. Ask users to update their Docker account's email address to one associated
-with your organization's domain, or create a new account with that email.
+ with your organization's domain, or create a new account with that email.
- To update an account's email address, instruct your users to sign in
- to [Docker Hub](https://hub.docker.com), and update the email address to
- their email address in your organization's domain.
+ to [Docker Hub](https://hub.docker.com), and update the email address to
+ their email address in your organization's domain.
- To create a new account, instruct your users to
- [sign up](https://hub.docker.com/signup) using their email address associated
- with your organization's domain. Ensure your users verify their email address.
+ [sign up](https://hub.docker.com/signup) using their email address associated
+ with your organization's domain. Ensure your users verify their email address.
1. Identify Docker accounts associated with your organization's domain:
- Ask your Docker sales representative or
- [contact sales](https://www.docker.com/pricing/contact-sales/) to get a list
- of Docker accounts that use an email address in your organization's domain.
+ [contact sales](https://www.docker.com/pricing/contact-sales/) to get a list
+ of Docker accounts that use an email address in your organization's domain.
### Step two: Invite owners
@@ -125,22 +125,22 @@ subscription, see [Change your subscription](/manuals/subscription/change.md).
Use your identity provider (IdP) to manage members and provision them to Docker
automatically via SSO and SCIM. See the following for more details:
- - [Configure SSO](/manuals/enterprise/security/single-sign-on/connect.md)
- to authenticate and add members when they sign in to Docker through your
- identity provider.
- - Optional.
- [Enforce SSO](/manuals/enterprise/security/single-sign-on/connect.md) to
- ensure that when users sign in to Docker, they must use SSO.
+- [Configure SSO](/manuals/enterprise/security/single-sign-on/connect.md)
+ to authenticate and add members when they sign in to Docker through your
+ identity provider.
+- Optional.
+ [Enforce SSO](/manuals/enterprise/security/single-sign-on/connect.md) to
+ ensure that when users sign in to Docker, they must use SSO.
- > [!NOTE]
- >
- > Enforcing single sign-on (SSO) and enforcing Docker Desktop sign in
- are different features. For more details, see
- > [Enforcing sign-in versus enforcing single sign-on (SSO)](/manuals/enterprise/security/enforce-sign-in/_index.md#enforcing-sign-in-versus-enforcing-single-sign-on-sso).
+ > [!NOTE]
+ >
+ > Enforcing single sign-on (SSO) and enforcing Docker Desktop sign in
+ > are different features. For more details, see
+ > [Enforcing sign-in versus enforcing single sign-on (SSO)](/manuals/enterprise/security/enforce-sign-in/_index.md#enforcing-sign-in-versus-enforcing-single-sign-on-sso).
- - [Configure SCIM](/manuals/enterprise/security/provisioning/scim.md) to
- automatically provision, add, and de-provision members to Docker through
- your identity provider.
+- [Configure SCIM](/manuals/enterprise/security/provisioning/scim.md) to
+ automatically provision, add, and de-provision members to Docker through
+ your identity provider.
### Step five: Enforce sign-in for Docker Desktop
@@ -152,6 +152,7 @@ and they can circumvent [Docker’s security features](/manuals/enterprise/secur
There are multiple ways you can enforce sign-in, depending on your organization's
Docker configuration:
+
- [Registry key method (Windows only)](/manuals/enterprise/security/enforce-sign-in/methods.md#registry-key-method-windows-only)
- [`.plist` method (Mac only)](/manuals/enterprise/security/enforce-sign-in/methods.md#plist-method-mac-only)
- [`registry.json` method (All)](/manuals/enterprise/security/enforce-sign-in/methods.md#registryjson-method-all)
@@ -169,7 +170,7 @@ security posture:
- [Manage Docker products](./manage-products.md) to configure access and view usage.
- Configure [Hardened Docker Desktop](/desktop/hardened-desktop/) to improve your organization’s security posture for containerized development.
-- [Manage your domains](/manuals/enterprise/security/domain-management.md) to ensure that all Docker users in your domain are part of your organization.
+- [Manage your domains](/enterprise/security/domain-management) to ensure that all Docker users in your domain are part of your organization.
Your Docker subscription provides many more additional features. To learn more,
see [Docker subscriptions and features](https://www.docker.com/pricing?ref=Docs&refAction=DocsAdminOnboard).
diff --git a/content/manuals/enterprise/security/_index.md b/content/manuals/enterprise/security/_index.md
index 800adb38e106..a115acf1fa12 100644
--- a/content/manuals/enterprise/security/_index.md
+++ b/content/manuals/enterprise/security/_index.md
@@ -8,58 +8,58 @@ params:
sidebar:
group: Enterprise
grid_admins:
-- title: Settings Management
- description: Learn how Settings Management can secure your developers' workflows.
- icon: shield_locked
- link: /enterprise/security/hardened-desktop/settings-management/
-- title: Enhanced Container Isolation
- description: Understand how Enhanced Container Isolation can prevent container attacks.
- icon: security
- link: /enterprise/security/hardened-desktop/enhanced-container-isolation/
-- title: Registry Access Management
- description: Control the registries developers can access while using Docker Desktop.
- icon: home_storage
- link: /enterprise/security/hardened-desktop/registry-access-management/
-- title: Image Access Management
- description: Control the images developers can pull from Docker Hub.
- icon: photo_library
- link: /enterprise/security/hardened-desktop/image-access-management/
-- title: "Air-Gapped Containers"
- description: Restrict containers from accessing unwanted network resources.
- icon: "vpn_lock"
- link: /enterprise/security/hardened-desktop/air-gapped-containers/
-- title: Enforce sign-in
- description: Configure sign-in for members of your teams and organizations.
- link: /enterprise/security/enforce-sign-in/
- icon: passkey
-- title: Domain management
- description: Identify uncaptured users in your organization.
- link: /enterprise/security/domain-management/
- icon: person_search
-- title: Docker Scout
- description: Explore how Docker Scout can help you create a more secure software supply chain.
- icon: query_stats
- link: /scout/
-- title: SSO
- description: Learn how to configure SSO for your company or organization.
- icon: key
- link: /enterprise/security/single-sign-on/
-- title: SCIM
- description: Set up SCIM to automatically provision and deprovision users.
- icon: checklist
- link: /enterprise/security/provisioning/scim/
-- title: Roles and permissions
- description: Assign roles to individuals giving them different permissions within an organization.
- icon: badge
- link: /enterprise/security/roles-and-permissions/
-- title: Private marketplace for Extensions (Beta)
- description: Learn how to configure and set up a private marketplace with a curated list of extensions for your Docker Desktop users.
- icon: storefront
- link: /desktop/extensions/private-marketplace/
-- title: Organization access tokens
- description: Create organization access tokens as an alternative to a password.
- link: /enterprise/security/access-tokens/
- icon: password
+ - title: Settings Management
+ description: Learn how Settings Management can secure your developers' workflows.
+ icon: shield_locked
+ link: /enterprise/security/hardened-desktop/settings-management/
+ - title: Enhanced Container Isolation
+ description: Understand how Enhanced Container Isolation can prevent container attacks.
+ icon: security
+ link: /enterprise/security/hardened-desktop/enhanced-container-isolation/
+ - title: Registry Access Management
+ description: Control the registries developers can access while using Docker Desktop.
+ icon: home_storage
+ link: /enterprise/security/hardened-desktop/registry-access-management/
+ - title: Image Access Management
+ description: Control the images developers can pull from Docker Hub.
+ icon: photo_library
+ link: /enterprise/security/hardened-desktop/image-access-management/
+ - title: "Air-Gapped Containers"
+ description: Restrict containers from accessing unwanted network resources.
+ icon: "vpn_lock"
+ link: /enterprise/security/hardened-desktop/air-gapped-containers/
+ - title: Enforce sign-in
+ description: Configure sign-in for members of your teams and organizations.
+ link: /enterprise/security/enforce-sign-in/
+ icon: passkey
+ - title: Domain management
+ description: Identify uncaptured users in your organization.
+ link: /enterprise/security/domain-management/
+ icon: person_search
+ - title: Docker Scout
+ description: Explore how Docker Scout can help you create a more secure software supply chain.
+ icon: query_stats
+ link: /scout/
+ - title: SSO
+ description: Learn how to configure SSO for your company or organization.
+ icon: key
+ link: /enterprise/security/single-sign-on/
+ - title: SCIM
+ description: Set up SCIM to automatically provision and deprovision users.
+ icon: checklist
+ link: /enterprise/security/provisioning/scim/
+ - title: Roles and permissions
+ description: Assign roles to individuals giving them different permissions within an organization.
+ icon: badge
+ link: /enterprise/security/roles-and-permissions/
+ - title: Private marketplace for Extensions (Beta)
+ description: Learn how to configure and set up a private marketplace with a curated list of extensions for your Docker Desktop users.
+ icon: storefront
+ link: /desktop/extensions/private-marketplace/
+ - title: Organization access tokens
+ description: Create organization access tokens as an alternative to a password.
+ link: /enterprise/security/access-tokens/
+ icon: password
---
Docker provides security guardrails for both administrators and developers.
@@ -71,4 +71,4 @@ scale, manage, and secure your instances of Docker Desktop with DevOps security
Explore the security features Docker offers to satisfy your company's security policies.
-{{< grid items="grid_admins" >}}
\ No newline at end of file
+{{< grid items="grid_admins" >}}
diff --git a/content/manuals/enterprise/security/domain-management.md b/content/manuals/enterprise/security/domain-management.md
index de471bce6807..f5ac6a92c90a 100644
--- a/content/manuals/enterprise/security/domain-management.md
+++ b/content/manuals/enterprise/security/domain-management.md
@@ -1,11 +1,12 @@
---
-title: Manage domains
+title: Add and manage domains
description: Add, verify, and manage domains to control user access and enable auto-provisioning in Docker organizations
keywords: domain management, domain verification, auto-provisioning, user management, DNS, TXT record, Admin Console
-weight: 55
+weight: 10
aliases:
- - /security/for-admins/domain-management/
- - /docker-hub/domain-audit/
+ - /security/for-admins/domain-management/
+ - /docker-hub/domain-audit/
+ - /enterprise/security/provisioning/domain-management/
---
{{< summary-bar feature_name="Domain management" >}}
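Review bot: The unchanged `description` ("...and enable auto-provisioning in Docker organizations") and the `auto-provisioning` keyword no longer match the page, because a later hunk in this file deletes the whole "Configure auto-provisioning" section. Please update both to reflect the new scope that the retitled page ("Add and manage domains") covers. It would also help to say in the PR description why `/enterprise/security/provisioning/domain-management/` is added as an alias and why `weight` drops from 55 to 10, since neither is explained by the visible changes.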
@@ -21,8 +22,8 @@ Adding a domain requires verification to confirm ownership. The verification pro
### Add a domain
1. Sign in to [Docker Home](https://app.docker.com) and select
-your organization. If your organization is part of a company, select the company
-and configure the domain for the organization at the company level.
+ your organization. If your organization is part of a company, select the company
+ and configure the domain for the organization at the company level.
1. Select **Admin Console**, then **Domain management**.
1. Select **Add a domain**.
1. Enter your domain and select **Add domain**.
@@ -45,8 +46,8 @@ your provider isn't listed, use the steps for "Other providers":
1. Add your TXT record to AWS by following [Creating records by using the Amazon Route 53 console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html).
1. Wait up to 72 hours for TXT record verification.
1. Return to the **Domain management** page of the
-[Admin Console](https://app.docker.com/admin) and select **Verify** next to
-your domain name.
+ [Admin Console](https://app.docker.com/admin) and select **Verify** next to
+ your domain name.
{{< /tab >}}
{{< tab name="Google Cloud DNS" >}}
@@ -54,8 +55,8 @@ your domain name.
1. Add your TXT record to Google Cloud DNS by following [Verifying your domain with a TXT record](https://cloud.google.com/identity/docs/verify-domain-txt).
1. Wait up to 72 hours for TXT record verification.
1. Return to the **Domain management** page of the
-[Admin Console](https://app.docker.com/admin) and select **Verify** next to
-your domain name.
+ [Admin Console](https://app.docker.com/admin) and select **Verify** next to
+ your domain name.
{{< /tab >}}
{{< tab name="GoDaddy" >}}
@@ -63,8 +64,8 @@ your domain name.
1. Add your TXT record to GoDaddy by following [Add a TXT record](https://www.godaddy.com/help/add-a-txt-record-19232).
1. Wait up to 72 hours for TXT record verification.
1. Return to the **Domain management** page of the
-[Admin Console](https://app.docker.com/admin) and select **Verify** next to
-your domain name.
+ [Admin Console](https://app.docker.com/admin) and select **Verify** next to
+ your domain name.
{{< /tab >}}
{{< tab name="Other providers" >}}
@@ -73,62 +74,14 @@ your domain name.
1. Add a TXT record to your DNS settings using the **TXT Record Value** from Docker.
1. Wait up to 72 hours for TXT record verification.
1. Return to the **Domain management** page of the
-[Admin Console](https://app.docker.com/admin) and select **Verify** next to
-your domain name.
+ [Admin Console](https://app.docker.com/admin) and select **Verify** next to
+ your domain name.
{{< /tab >}}
{{< /tabs >}}
-## Configure auto-provisioning
-
-Auto-provisioning automatically adds users to your organization when they sign in with email addresses that match your verified domains. You must verify a domain before enabling auto-provisioning.
-
-> [!IMPORTANT]
->
-> For domains that are part of an SSO connection, Just-in-Time (JIT) provisioning takes precedence over auto-provisioning when adding users to an organization.
-
-### How auto-provisioning works
-
-When auto-provisioning is enabled for a verified domain:
-
-- Users who sign in to Docker with matching email addresses are automatically added to your organization.
-- Auto-provisioning only adds existing Docker users to your organization, it doesn't create new accounts.
-- Users experience no changes to their sign-in process.
-- Company and organization owners receive email notifications when new users are added.
-- You may need to [manage seats](/manuals/subscription/manage-seats.md) to accommodate new users.
-
-### Enable auto-provisioning
-
-Auto-provisioning is configured per domain. To enable it:
-
-1. Sign in to [Docker Home](https://app.docker.com) and select
-your company or organization.
-1. Select **Admin Console**, then **Domain management**.
-1. Select the **Actions menu** next to the domain you want to enable
-auto-provisioning for.
-1. Select **Enable auto-provisioning**.
-1. Optional. If enabling auto-provisioning at the company level, select an
-organization.
-1. Select **Enable** to confirm.
-
-The **Auto-provisioning** column will update to **Enabled** for the domain.
-
-### Disable auto-provisioning
-
-To disable auto-provisioning for a user:
-
-1. Sign in to [Docker Home](https://app.docker.com) and select
-your organization. If your organization is part of a company, select the company
-and configure the domain for the organization at the company level.
-1. Select **Admin Console**, then **Domain management**.
-1. Select the **Actions menu** next to your domain.
-1. Select **Disable auto-provisioning**.
-1. Select **Disable** to confirm.
-
## Audit domains for uncaptured users
-{{< summary-bar feature_name="Domain audit" >}}
-
Domain audit identifies uncaptured users. Uncaptured users are Docker users who have authenticated using an email address associated with your verified domains but aren't members of your Docker organization.
### Limitations
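Review bot: The "Configure auto-provisioning" section is deleted with no pointer to where that content now lives, yet the "Delete a domain" section further down still tells readers that deleting a domain "disables any associated auto-provisioning". Add a short cross-reference to the new location of the auto-provisioning documentation, and check for inbound links that use the removed headings' anchors (for example `#enable-auto-provisioning`), since those will no longer resolve on this page. The `summary-bar` for "Domain audit" is also dropped in this hunk; please confirm that is intentional and that the availability information it showed is still surfaced somewhere.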
@@ -137,19 +90,20 @@ Domain audit can't identify:
- Users who access Docker Desktop without authenticating
- Users who authenticate using an account that doesn't have an
-email address associated with one of your verified domains
+ email address associated with one of your verified domains
To prevent unidentifiable users from accessing Docker Desktop, [enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md).
### Run a domain audit
1. Sign in to [Docker Home](https://app.docker.com) and choose your
-company.
+ company.
1. Select **Admin Console**, then **Domain management**.
1. In **Domain audit**, select **Export Users** to export a CSV file
-of uncaptured users.
+ of uncaptured users.
The CSV file contains the following columns:
+
- Name: Docker user's display name
- Username: Docker ID of the user
- Email: Email address of the user
@@ -164,16 +118,16 @@ CSV file. For more information on bulk inviting users, see
Deleting a domain removes its TXT record value and disables any associated auto-provisioning.
->[!WARNING]
+> [!WARNING]
>
> Deleting a domain will disable auto-provisioning for that domain and remove verification. This action cannot be undone.
To delete a domain:
1. Sign in to [Docker Home](https://app.docker.com) and select
-your organization. If your organization is part of a company, select the company
-and configure the domain for the organization at the company level.
+ your organization. If your organization is part of a company, select the company
+ and configure the domain for the organization at the company level.
1. Select **Admin Console**, then **Domain management**.
1. For the domain you want to delete, select the **Actions** menu, then
-**Delete domain**.
+ **Delete domain**.
1. To confirm, select **Delete domain** in the pop-up modal.
diff --git a/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md b/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md
index 71bcb57f3408..815469f13899 100644
--- a/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md
+++ b/content/manuals/enterprise/security/hardened-desktop/settings-management/_index.md
@@ -5,8 +5,8 @@ tags: [admin]
title: Settings Management
linkTitle: Settings Management
aliases:
- - /desktop/hardened-desktop/settings-management/
- - /security/for-admins/hardened-desktop/settings-management/
+ - /desktop/hardened-desktop/settings-management/
+ - /security/for-admins/hardened-desktop/settings-management/
weight: 10
---
@@ -27,11 +27,11 @@ Settings Management is designed for organizations that:
Administrators can define settings using one of these methods:
- [Admin Console](/manuals/enterprise/security/hardened-desktop/settings-management/configure-admin-console.md): Create and assign settings policies through the
-Docker Admin Console. This provides a web-based interface for managing settings
-across your organization.
+ Docker Admin Console. This provides a web-based interface for managing settings
+ across your organization.
- [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md): Place a configuration file on the
-user's machine to enforce settings. This method works well for automated
-deployments and scripted installations.
+ user's machine to enforce settings. This method works well for automated
+ deployments and scripted installations.
Enforced settings override user-defined configurations and can't be modified by developers.
@@ -60,15 +60,15 @@ When multiple policies exist, Docker Desktop applies them in this order:
## Set up Settings Management
-You can create settings management policies at any time, but your organization needs to verify a domain before the policies take effect.
+You can create settings management policies at any time, but your organization needs to verify a domain before the policies take effect.
-1. Check that you have [added and verified](/manuals/enterprise/security/domain-management.md#add-and-verify-a-domain) your organization's domain.
+1. Check that you have [added and verified](/enterprise/security/domain-management/#add-and-verify-a-domain) your organization's domain.
2. [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) to
-ensure all developers authenticate with your organization.
+ ensure all developers authenticate with your organization.
3. Choose a configuration method:
- - Use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json`.
- - Manually create and configure the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md).
- - Create a settings policy in the [Docker Admin Console](configure-admin-console.md).
+ - Use the `--admin-settings` installer flag on [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) or [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json`.
+ - Manually create and configure the [`admin-settings.json` file](/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md).
+ - Create a settings policy in the [Docker Admin Console](configure-admin-console.md).
After configuration, developers receive the enforced settings when they:
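Review bot: Step 1 of the setup list now links with a published URL path (`/enterprise/security/domain-management/#add-and-verify-a-domain`), while steps 2 and 3 in the same list still use the `/manuals/...md` source-path form. Pick one convention for the list, or state in the PR description why only this link changes. The change to the sentence above the list also appears to be whitespace-only; confirm that is intended.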
@@ -99,9 +99,9 @@ apply via the Admin Console.
As a workaround, you can check the `settings-store.json` file to view all
applied settings:
- - Mac: `~/Library/Application Support/Docker/settings-store.json`
- - Windows: `%APPDATA%\Docker\settings-store.json`
- - Linux: `~/.docker/desktop/settings-store.json`
+- Mac: `~/Library/Application Support/Docker/settings-store.json`
+- Windows: `%APPDATA%\Docker\settings-store.json`
+- Linux: `~/.docker/desktop/settings-store.json`
The `settings-store.json` file contains all settings, including those that
may not appear in the Docker Desktop GUI.
@@ -119,4 +119,3 @@ Get started with Settings Management:
- [Configure Settings Management with the `admin-settings.json` file](configure-json-file.md)
- [Configure Settings Management with the Docker Admin Console](configure-admin-console.md)
-
diff --git a/content/manuals/enterprise/security/provisioning/_index.md b/content/manuals/enterprise/security/provisioning/_index.md
index fb5f329b931a..b7efa9039a8e 100644
--- a/content/manuals/enterprise/security/provisioning/_index.md
+++ b/content/manuals/enterprise/security/provisioning/_index.md
@@ -18,7 +18,7 @@ grid:
- title: "Group mapping"
description: "Configure role-based access control using IdP groups. Perfect for strict access control requirements."
icon: "group"
- link: "group-mapping/"
+ link: "scim/group-mapping/"
---
{{< summary-bar feature_name="SSO" >}}
diff --git a/content/manuals/enterprise/security/provisioning/auto-provisioning.md b/content/manuals/enterprise/security/provisioning/auto-provisioning.md
new file mode 100644
index 000000000000..951e416a5bd2
--- /dev/null
+++ b/content/manuals/enterprise/security/provisioning/auto-provisioning.md
@@ -0,0 +1,51 @@
+---
+title: Auto-provisioning
+linkTitle: Auto-provisioning
+description: Learn how Just-in-Time provisioning works with your SSO connection.
+keywords: user provisioning, just-in-time provisioning, JIT, autoprovision, Docker Admin, admin, security
+weight: 10
+---
+
+Auto-provisioning automatically adds users to your organization when they sign in with email addresses that match your verified domains. You must verify a domain before enabling auto-provisioning.
+
+> [!IMPORTANT]
+>
+> For domains that are part of an SSO connection, Just-in-Time (JIT) provisioning takes precedence over auto-provisioning when adding users to an organization.
+
+### Overview
+
+When auto-provisioning is enabled for a verified domain:
+
+- Users who sign in to Docker with matching email addresses are automatically added to your organization.
+- Auto-provisioning only adds existing Docker users to your organization, it doesn't create new accounts.
+- Users experience no changes to their sign-in process.
+- Company and organization owners receive email notifications when new users are added.
+- You may need to [manage seats](/manuals/subscription/manage-seats.md) to accommodate new users.
+
+### Enable auto-provisioning
+
+Auto-provisioning is configured per domain. To enable it:
+
+1. Sign in to [Docker Home](https://app.docker.com) and select
+your company or organization.
+1. Select **Admin Console**, then **Domain management**.
+1. Select the **Actions menu** next to the domain you want to enable
+auto-provisioning for.
+1. Select **Enable auto-provisioning**.
+1. Optional. If enabling auto-provisioning at the company level, select an
+organization.
+1. Select **Enable** to confirm.
+
+The **Auto-provisioning** column will update to **Enabled** for the domain.
+
+### Disable auto-provisioning
+
+To disable auto-provisioning for a user:
+
+1. Sign in to [Docker Home](https://app.docker.com) and select
+your organization. If your organization is part of a company, select the company
+and configure the domain for the organization at the company level.
+1. Select **Admin Console**, then **Domain management**.
+1. Select the **Actions menu** next to your domain.
+1. Select **Disable auto-provisioning**.
+1. Select **Disable** to confirm.
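Review bot: The front matter `description` ("Learn how Just-in-Time provisioning works with your SSO connection.") and the `keywords` line are identical to those in `just-in-time.md`, so the metadata for this new page describes JIT rather than auto-provisioning; rewrite both for auto-provisioning. Under "Disable auto-provisioning", the lead-in says "for a user" but the steps act on a domain, and the enable section states the feature is configured per domain, so the lead-in should say "for a domain". The sections also start at `###` with no `##` parent, and `**Actions menu**` is bolded differently from the `**Actions** menu` form used in the domain and SSO steps elsewhere in this PR.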
diff --git a/content/manuals/enterprise/security/provisioning/just-in-time.md b/content/manuals/enterprise/security/provisioning/just-in-time.md
index d03204bccf99..8d857666120b 100644
--- a/content/manuals/enterprise/security/provisioning/just-in-time.md
+++ b/content/manuals/enterprise/security/provisioning/just-in-time.md
@@ -3,7 +3,7 @@ description: Learn how Just-in-Time provisioning works with your SSO connection.
keywords: user provisioning, just-in-time provisioning, JIT, autoprovision, Docker Admin, admin, security
title: Just-in-Time provisioning
linkTitle: Just-in-Time
-weight: 10
+weight: 30
aliases:
- /security/for-admins/provisioning/just-in-time/
---
@@ -84,6 +84,6 @@ Users are provisioned with JIT by default. If you enable SCIM, you can disable J
## Next steps
-- Configure [SCIM provisioning](/manuals/enterprise/security/provisioning/scim.md) for advanced user management.
-- Set up [group mapping](/manuals/enterprise/security/provisioning/group-mapping.md) to automatically assign users to teams.
-- Review [Troubleshoot provisioning](/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md).
+- Configure [SCIM provisioning](/enterprise/security/provisioning/scim/) for advanced user management.
+- Set up [group mapping](/enterprise/security/provisioning/scim/group-mapping) to automatically assign users to teams.
+- Review [Troubleshoot provisioning](/enterprise/security/provisioning/troubleshoot-provisioning/).
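Review bot: The new group mapping link (`/enterprise/security/provisioning/scim/group-mapping`) has no trailing slash, while the SCIM and troubleshooting links in the same list do. Add the slash so the three links follow one form.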
diff --git a/content/manuals/enterprise/security/provisioning/scim/_index.md b/content/manuals/enterprise/security/provisioning/scim/_index.md
new file mode 100644
index 000000000000..4359b583240c
--- /dev/null
+++ b/content/manuals/enterprise/security/provisioning/scim/_index.md
@@ -0,0 +1,59 @@
+---
+title: SCIM overview
+linkTitle: SCIM
+weight: 20
+description: Learn how System for Cross-domain Identity Management works and how to set it up.
+keywords: SCIM, SSO, user provisioning, de-provisioning, role mapping, assign users
+aliases:
+ - /security/for-admins/scim/
+ - /docker-hub/scim/
+ - /security/for-admins/provisioning/scim/
+---
+
+{{< summary-bar feature_name="SSO" >}}
+
+Automate user management for your Docker organization using System for
+Cross-domain Identity Management (SCIM). SCIM automatically provisions and
+de-provisions users, synchronizes team memberships, and keeps your Docker
+organization in sync with your identity provider.
+
+This page shows you how to automate user provisioning and de-provisioning for
+Docker using SCIM.
+
+## Prerequisites
+
+Before you begin, you must have:
+
+- SSO configured for your organization
+- Administrator access to Docker Home and your identity provider
+
+## How SCIM works
+
+SCIM automates user provisioning and de-provisioning for Docker through your
+identity provider. After you enable SCIM, any user assigned to your
+Docker application in your identity provider is automatically provisioned and
+added to your Docker organization. When a user is removed from the Docker
+application in your identity provider, SCIM deactivates and removes them from
+your Docker organization.
+
+In addition to provisioning and removal, SCIM also syncs profile updates like
+name changes made in your identity provider. You can use SCIM alongside Docker's
+default Just-in-Time (JIT) provisioning or on its own with JIT disabled.
+
+SCIM automates:
+
+- Creating users
+- Updating user profiles
+- Removing and deactivating users
+- Re-activating users
+- Group mapping
+
+> [!NOTE]
+>
+> SCIM only manages users provisioned through your identity provider after
+> SCIM is enabled. It cannot remove users who were manually added to your Docker
+> organization before SCIM was set up.
+>
+> To remove those users, delete them manually from your Docker organization.
+> For more information, see
+> [Manage organization members](/manuals/admin/organization/members.md).
diff --git a/content/manuals/enterprise/security/provisioning/group-mapping.md b/content/manuals/enterprise/security/provisioning/scim/group-mapping.md
similarity index 94%
rename from content/manuals/enterprise/security/provisioning/group-mapping.md
rename to content/manuals/enterprise/security/provisioning/scim/group-mapping.md
index 4e47b0d617e0..e0b4ad50b48c 100644
--- a/content/manuals/enterprise/security/provisioning/group-mapping.md
+++ b/content/manuals/enterprise/security/provisioning/scim/group-mapping.md
@@ -7,8 +7,8 @@ aliases:
- /admin/organization/security-settings/group-mapping/
- /docker-hub/group-mapping/
- /security/for-admins/group-mapping/
-- /security/for-admins/provisioning/group-mapping/
-weight: 30
+- /security/for-admins/provisioning/scim/group-mapping/
+weight: 20
---
{{< summary-bar feature_name="SSO" >}}
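Review bot: The `aliases` change replaces `/security/for-admins/provisioning/group-mapping/` with `/security/for-admins/provisioning/scim/group-mapping/` instead of adding to the list, which drops the redirect for the old URL. Keep the existing alias, and because the file moves under `scim/`, add an alias for this page's previous location so existing bookmarks and inbound links keep resolving.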
@@ -19,7 +19,7 @@ This page explains how group mapping works, and how to set up group mapping.
> [!TIP]
>
-> Group mapping is ideal for adding users to multiple organizations or multiple teams within one organization. If you don't need to set up multi-organization or multi-team assignment, SCIM [user-level attributes](scim.md#set-up-role-mapping) may be a better fit for your needs.
+> Group mapping is ideal for adding users to multiple organizations or multiple teams within one organization. If you don't need to set up multi-organization or multi-team assignment, SCIM [user-level attributes](provision-scim.md#set-up-role-mapping) may be a better fit for your needs.
## Prerequisites
@@ -56,7 +56,7 @@ Create groups in your IdP using the format: `organization:team`.
For example:
-- For the "developers" team in the "moby" organization: `mobdy:developers`
+- For the "developers" team in the "moby" organization: `moby:developers`
- For multi-organization access: `moby:backend` and `whale:desktop`
Docker creates teams automatically if they don't already exist when groups sync.
@@ -125,7 +125,7 @@ The next time you sync your groups with Docker, your users will map to the Docke
## Configure group mapping with SCIM
-Use group mapping with SCIM for more advanced user lifecycle management. Before you begin, make sure you [set up SCIM](./scim.md#enable-scim) first.
+Use group mapping with SCIM for more advanced user lifecycle management. Before you begin, make sure you [set up SCIM](./provision-scim.md#enable-scim) first.
{{< tabs >}}
{{< tab name="Okta" >}}
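Review bot: The updated link targets `./provision-scim.md#enable-scim`, but the heading visible in `provision-scim.md` is "Enable SCIM in Docker", and the in-page link there used `#enable-scim-in-docker`. Check that the `#enable-scim` fragment resolves; if it does not, change it to `#enable-scim-in-docker`.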
@@ -190,4 +190,4 @@ Once complete, a user who signs in to Docker through SSO is automatically added
> [!TIP]
>
-> [Enable SCIM](scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually.
+> [Enable SCIM](provision-scim.md) to take advantage of automatic user provisioning and de-provisioning. If you don't enable SCIM users are only automatically provisioned. You have to de-provision them manually.
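Review bot: In the changed tip, "If you don't enable SCIM users are only automatically provisioned" reads as "SCIM users" on a first pass. Add a comma after "SCIM", and consider joining the last two sentences so it is clear that, without SCIM, de-provisioning is a manual step.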
diff --git a/content/manuals/enterprise/security/provisioning/scim/migrate-scim.md b/content/manuals/enterprise/security/provisioning/scim/migrate-scim.md
new file mode 100644
index 000000000000..55aeb29a4c5c
--- /dev/null
+++ b/content/manuals/enterprise/security/provisioning/scim/migrate-scim.md
@@ -0,0 +1,176 @@
+---
+title: Migrate JIT to SCIM
+linkTitle: Migrate
+description: Learn how to migrate from just-in-time (JIT) to SCIM.
+weight: 30
+---
+
+## Migrate existing JIT users to SCIM
+
+If you already have users provisioned through Just-in-Time (JIT) and want to
+enable full SCIM lifecycle management, you need to migrate them. Users
+originally created by JIT cannot be automatically de-provisioned through SCIM,
+even after SCIM is enabled.
+
+### Why migrate
+
+Organizations using JIT provisioning may encounter limitations with user
+lifecycle management, particularly around de-provisioning. Migrating to SCIM
+provides:
+
+- Automatic user de-provisioning when users leave your organization. This is
+ the primary benefit for large organizations that need full automation.
+- Continuous synchronization of user attributes
+- Centralized user management through your identity provider
+- Enhanced security through automated access control
+
+> [!IMPORTANT]
+>
+> Users originally created through JIT provisioning cannot be automatically
+> de-provisioned by SCIM, even after SCIM is enabled. To enable full lifecycle
+> management including automatic de-provisioning through your identity provider,
+> you must manually remove these users so SCIM can re-create them with proper
+> lifecycle management capabilities.
+
+This migration is most critical for larger organizations that require fully
+automated user de-provisioning when employees leave the company.
+
+### Prerequisites for migration
+
+Before migrating, ensure you have:
+
+- SCIM configured and tested in your organization
+- A maintenance window for the migration
+
+> [!WARNING]
+>
+> This migration temporarily disrupts user access. Plan to perform this
+> migration during a low-usage window and communicate the timeline to affected
+> users.
+
+### Prepare for migration
+
+#### Transfer ownership
+
+Before removing users, ensure that any repositories, teams, or organization
+resources they own are transferred to another administrator or service account.
+When a user is removed from the organization, any resources they own may
+become inaccessible.
+
+1. Review repositories, organization resources, and team ownership for affected
+ users.
+2. Transfer ownership to another administrator.
+
+> [!WARNING]
+>
+> If ownership is not transferred, repositories owned by removed users may
+> become inaccessible when the user is removed. Ensure all critical resources
+> are transferred before proceeding.
+
+#### Verify identity provider configuration
+
+1. Confirm all JIT-provisioned users are assigned to the Docker application in
+ your identity provider.
+2. Verify identity provider group to Docker team mappings are configured and
+ tested.
+
+Users not assigned to the Docker application in your identity provider are not
+re-created by SCIM after removal.
+
+#### Export user records
+
+Export a list of JIT-provisioned users from Docker Admin Console:
+
+1. Sign in to [Docker Home](https://app.docker.com) and select your
+ organization.
+2. Select **Admin Console**, then **Members**.
+3. Select **Export members** to download the member list as CSV for backup and
+ reference.
+
+Keep this CSV list of JIT-provisioned users as a rollback reference if needed.
+
+### Complete the migration
+
+#### Disable JIT provisioning
+
+> [!IMPORTANT]
+>
+> Before disabling JIT, ensure SCIM is fully configured and tested in your
+> organization. Do not disable JIT until you have verified SCIM is working
+> correctly.
+
+1. Sign in to [Docker Home](https://app.docker.com) and select your organization.
+2. Select **Admin Console**, then **SSO and SCIM**.
+3. In the SSO connections table, select the **Actions** menu for your connection.
+4. Select **Disable JIT provisioning**.
+5. Select **Disable** to confirm.
+
+Disabling JIT prevents new users from being automatically added through SSO
+during the migration.
+
+#### Remove JIT-origin users
+
+> [!IMPORTANT]
+>
+> Users originally created through JIT provisioning cannot be automatically
+> de-provisioned by SCIM, even after SCIM is enabled. To enable full lifecycle
+> management including automatic de-provisioning through your identity provider,
+> you must manually remove these users so SCIM can re-create them with proper
+> lifecycle management capabilities.
+
+This step is most critical for large organizations that require fully automated
+user de-provisioning when employees leave the company.
+
+1. Sign in to [Docker Home](https://app.docker.com) and select your organization.
+2. Select **Admin Console**, then **Members**.
+3. Identify and remove JIT-provisioned users in manageable batches.
+4. Monitor for any errors during removal.
+
+> [!TIP]
+>
+> To efficiently identify JIT users, compare the member list exported before
+> SCIM was enabled with the current member list. Users who existed before SCIM
+> was enabled were likely provisioned via JIT.
+
+#### Verify SCIM re-provisioning
+
+After removing JIT users, SCIM automatically re-creates user accounts:
+
+1. In your identity provider system log, confirm "create app user" events for
+ Docker.
+2. In Docker Admin Console, confirm users reappear with SCIM provisioning.
+3. Verify users are added to the correct teams via group mapping.
+
+#### Validate user access
+
+Perform post-migration validation:
+
+1. Select a subset of migrated users to test sign-in and access.
+2. Verify team membership matches identity provider group assignments.
+3. Confirm repository access is restored.
+4. Test that de-provisioning works correctly by removing a test user from your
+ identity provider.
+
+Keep audit exports and logs for compliance purposes.
+
+### Migration results
+
+After completing the migration:
+
+- All users in your organization are SCIM-provisioned
+- User de-provisioning works reliably through your identity provider
+- No new JIT users are created
+- Consistent identity lifecycle management is maintained
+
+### Troubleshoot migration issues
+
+If a user fails to reappear after removal:
+
+1. Check that the user is assigned to the Docker application in your identity
+ provider.
+2. Verify SCIM is enabled in both Docker and your identity provider.
+3. Trigger a manual SCIM sync in your identity provider.
+4. Check provisioning logs in your identity provider for errors.
+
+For more troubleshooting guidance, see
+[Troubleshoot provisioning](/enterprise/security/provisioning/troubleshoot-provisioning/).
\ No newline at end of file
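Review bot: The tip under "Remove JIT-origin users" tells the admin to compare against a member list "exported before SCIM was enabled", but the prerequisites require SCIM to be configured and tested already, and the only export step ("Export user records") comes after that. Either move the export ahead of SCIM setup or reword the tip so it works from the export this procedure actually produces. The `[!IMPORTANT]` callout about JIT users appears verbatim under both "Why migrate" and "Remove JIT-origin users", together with its follow-on paragraph; keep one copy and refer back to it. The body opens with a `##` heading that restates the title, the front matter has no `keywords`, and the file lacks a trailing newline.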
diff --git a/content/manuals/enterprise/security/provisioning/scim.md b/content/manuals/enterprise/security/provisioning/scim/provision-scim.md
similarity index 63%
rename from content/manuals/enterprise/security/provisioning/scim.md
rename to content/manuals/enterprise/security/provisioning/scim/provision-scim.md
index 390953c9fa84..a393f80fdbe1 100644
--- a/content/manuals/enterprise/security/provisioning/scim.md
+++ b/content/manuals/enterprise/security/provisioning/scim/provision-scim.md
@@ -1,63 +1,12 @@
---
-title: SCIM provisioning
-linkTitle: SCIM
+title: Set up SCIM provisioning
+linkTitle: Set up
description: Learn how System for Cross-domain Identity Management works and how to set it up.
-keywords: SCIM, SSO, user provisioning, de-provisioning, role mapping, assign users
-aliases:
- - /security/for-admins/scim/
- - /docker-hub/scim/
- - /security/for-admins/provisioning/scim/
-weight: 20
+weight: 10
---
{{< summary-bar feature_name="SSO" >}}
-Automate user management for your Docker organization using System for
-Cross-domain Identity Management (SCIM). SCIM automatically provisions and
-de-provisions users, synchronizes team memberships, and keeps your Docker
-organization in sync with your identity provider.
-
-This page shows you how to automate user provisioning and de-provisioning for
-Docker using SCIM.
-
-## Prerequisites
-
-Before you begin, you must have:
-
-- SSO configured for your organization
-- Administrator access to Docker Home and your identity provider
-
-## How SCIM works
-
-SCIM automates user provisioning and de-provisioning for Docker through your
-identity provider. After you enable SCIM, any user assigned to your
-Docker application in your identity provider is automatically provisioned and
-added to your Docker organization. When a user is removed from the Docker
-application in your identity provider, SCIM deactivates and removes them from
-your Docker organization.
-
-In addition to provisioning and removal, SCIM also syncs profile updates like
-name changes made in your identity provider. You can use SCIM alongside Docker's
-default Just-in-Time (JIT) provisioning or on its own with JIT disabled.
-
-SCIM automates:
-
-- Creating users
-- Updating user profiles
-- Removing and deactivating users
-- Re-activating users
-- Group mapping
-
-> [!NOTE]
->
-> SCIM only manages users provisioned through your identity provider after
-> SCIM is enabled. It cannot remove users who were manually added to your Docker
-> organization before SCIM was set up.
->
-> To remove those users, delete them manually from your Docker organization.
-> For more information, see
-> [Manage organization members](/manuals/admin/organization/members.md).
-
## Supported attributes
SCIM uses attributes (name, email, etc.) to sync user information between your
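Review bot: The front matter drops `keywords` entirely and keeps a `description` that is now word for word the same as the one in the new `scim/_index.md`. Restore keywords for the setup page and give it its own description. The Prerequisites section (SSO configured, administrator access to Docker Home and the identity provider) also moves to the overview, so this page starts its setup steps without stating them; keep a short prerequisites list here or link to the overview.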
@@ -86,7 +35,7 @@ For additional details about supported attributes and SCIM, see
> your SCIM values.
>
> Alternatively, you can disable JIT provisioning to rely solely on SCIM.
-> For details, see [Just-in-Time](just-in-time.md).
+> For details, see [Just-in-Time](/enterprise/security/provisioning/just-in-time).
## Enable SCIM in Docker
@@ -201,7 +150,7 @@ Next, [set up role mapping](#set-up-role-mapping).
## Set up role mapping
-You can assign [Docker roles](../roles-and-permissions.md) to
+You can assign [Docker roles](/enterprise/security/roles-and-permissions/) to
users by adding optional SCIM attributes in your IdP. These attributes override
default role and team values set in your SSO configuration.
@@ -215,7 +164,7 @@ The following table lists the supported optional user-level attributes:
| Attribute | Possible values | Notes |
| ------------ | ---------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `dockerRole` | `member`, `editor`, or `owner` | If not set, the user defaults to the `member` role. Setting this attribute overrides the default.
For role definitions, see [Roles and permissions](../roles-and-permissions.md). |
+| `dockerRole` | `member`, `editor`, or `owner` | If not set, the user defaults to the `member` role. Setting this attribute overrides the default.
For role definitions, see [Roles and permissions](/enterprise/security/roles-and-permissions/). |
| `dockerOrg` | Docker `organizationName` (e.g., `moby`) | Overrides the default organization configured in your SSO connection.
If unset, the user is provisioned to the default organization. If `dockerOrg` and `dockerTeam` are both set, the user is provisioned to the team within the specified organization. |
| `dockerTeam` | Docker `teamName` (e.g., `developers`) | Provisions the user to the specified team in the default or specified organization. If the team doesn't exist, it is automatically created.
You can still use [group mapping](group-mapping.md) to assign users to multiple teams across organizations. |
@@ -227,7 +176,7 @@ This value is required in your identity provider when creating custom SCIM attri
### Step one: Set up role mapping in Okta
-1. Setup [SSO](../single-sign-on/connect.md) and SCIM first.
+1. Setup [SSO](/enterprise/security/single-sign-on/connect) and SCIM first.
1. In the Okta admin portal, go to **Directory**, select **Profile Editor**,
and then **User (Default)**.
1. Select **Add Attribute** and configure the values for the role, organization,
@@ -270,7 +219,7 @@ group will inherit these attributes upon provisioning.
### Step one: Configure attribute mappings
-1. Complete the [SCIM provisioning setup](#enable-scim-in-docker).
+1. Complete the [SCIM provisioning setup](/enterprise/security/provisioning/scim/provision-scim/#enable-scim-in-docker).
1. In the Azure Portal, open **Microsoft Entra ID** >
**Enterprise Applications**, and select your SCIM application.
1. Go to **Provisioning** > **Mappings** >
@@ -279,7 +228,7 @@ group will inherit these attributes upon provisioning.
- `userPrincipalName` -> `userName`
- `mail` -> `emails.value`
- Optional. Map `dockerRole`, `dockerOrg`, or `dockerTeam` using one of the
- [mapping methods](#step-two-choose-a-role-mapping-method).
+ [mapping methods](/enterprise/security/provisioning/scim/provision-scim/#set-up-role-mapping).
1. Remove any unsupported attributes to prevent sync errors.
1. Optional. Go to **Mappings** > **Provision Azure Active Directory Groups**:
- If group provisioning causes errors, set **Enabled** to **No**.
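Review bot: The link text is still "mapping methods", but the target changes from `#step-two-choose-a-role-mapping-method` to the top of `#set-up-role-mapping`, so the reader no longer lands on the step the text names. If the old fragment was broken, say so in the commit message; otherwise keep the step-level fragment.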
@@ -403,176 +352,6 @@ After completing role mapping, you can test the configuration manually.
{{< /tab >}}
{{< /tabs >}}
-## Migrate existing JIT users to SCIM
-
-If you already have users provisioned through Just-in-Time (JIT) and want to
-enable full SCIM lifecycle management, you need to migrate them. Users
-originally created by JIT cannot be automatically de-provisioned through SCIM,
-even after SCIM is enabled.
-
-### Why migrate
-
-Organizations using JIT provisioning may encounter limitations with user
-lifecycle management, particularly around de-provisioning. Migrating to SCIM
-provides:
-
-- Automatic user de-provisioning when users leave your organization. This is
- the primary benefit for large organizations that need full automation.
-- Continuous synchronization of user attributes
-- Centralized user management through your identity provider
-- Enhanced security through automated access control
-
-> [!IMPORTANT]
->
-> Users originally created through JIT provisioning cannot be automatically
-> de-provisioned by SCIM, even after SCIM is enabled. To enable full lifecycle
-> management including automatic de-provisioning through your identity provider,
-> you must manually remove these users so SCIM can re-create them with proper
-> lifecycle management capabilities.
-
-This migration is most critical for larger organizations that require fully
-automated user de-provisioning when employees leave the company.
-
-### Prerequisites for migration
-
-Before migrating, ensure you have:
-
-- SCIM configured and tested in your organization
-- A maintenance window for the migration
-
-> [!WARNING]
->
-> This migration temporarily disrupts user access. Plan to perform this
-> migration during a low-usage window and communicate the timeline to affected
-> users.
-
-### Prepare for migration
-
-#### Transfer ownership
-
-Before removing users, ensure that any repositories, teams, or organization
-resources they own are transferred to another administrator or service account.
-When a user is removed from the organization, any resources they own may
-become inaccessible.
-
-1. Review repositories, organization resources, and team ownership for affected
- users.
-2. Transfer ownership to another administrator.
-
-> [!WARNING]
->
-> If ownership is not transferred, repositories owned by removed users may
-> become inaccessible when the user is removed. Ensure all critical resources
-> are transferred before proceeding.
-
-#### Verify identity provider configuration
-
-1. Confirm all JIT-provisioned users are assigned to the Docker application in
- your identity provider.
-2. Verify identity provider group to Docker team mappings are configured and
- tested.
-
-Users not assigned to the Docker application in your identity provider are not
-re-created by SCIM after removal.
-
-#### Export user records
-
-Export a list of JIT-provisioned users from Docker Admin Console:
-
-1. Sign in to [Docker Home](https://app.docker.com) and select your
- organization.
-2. Select **Admin Console**, then **Members**.
-3. Select **Export members** to download the member list as CSV for backup and
- reference.
-
-Keep this CSV list of JIT-provisioned users as a rollback reference if needed.
-
-### Complete the migration
-
-#### Disable JIT provisioning
-
-> [!IMPORTANT]
->
-> Before disabling JIT, ensure SCIM is fully configured and tested in your
-> organization. Do not disable JIT until you have verified SCIM is working
-> correctly.
-
-1. Sign in to [Docker Home](https://app.docker.com) and select your organization.
-2. Select **Admin Console**, then **SSO and SCIM**.
-3. In the SSO connections table, select the **Actions** menu for your connection.
-4. Select **Disable JIT provisioning**.
-5. Select **Disable** to confirm.
-
-Disabling JIT prevents new users from being automatically added through SSO
-during the migration.
-
-#### Remove JIT-origin users
-
-> [!IMPORTANT]
->
-> Users originally created through JIT provisioning cannot be automatically
-> de-provisioned by SCIM, even after SCIM is enabled. To enable full lifecycle
-> management including automatic de-provisioning through your identity provider,
-> you must manually remove these users so SCIM can re-create them with proper
-> lifecycle management capabilities.
-
-This step is most critical for large organizations that require fully automated
-user de-provisioning when employees leave the company.
-
-1. Sign in to [Docker Home](https://app.docker.com) and select your organization.
-2. Select **Admin Console**, then **Members**.
-3. Identify and remove JIT-provisioned users in manageable batches.
-4. Monitor for any errors during removal.
-
-> [!TIP]
->
-> To efficiently identify JIT users, compare the member list exported before
-> SCIM was enabled with the current member list. Users who existed before SCIM
-> was enabled were likely provisioned via JIT.
-
-#### Verify SCIM re-provisioning
-
-After removing JIT users, SCIM automatically re-creates user accounts:
-
-1. In your identity provider system log, confirm "create app user" events for
- Docker.
-2. In Docker Admin Console, confirm users reappear with SCIM provisioning.
-3. Verify users are added to the correct teams via group mapping.
-
-#### Validate user access
-
-Perform post-migration validation:
-
-1. Select a subset of migrated users to test sign-in and access.
-2. Verify team membership matches identity provider group assignments.
-3. Confirm repository access is restored.
-4. Test that de-provisioning works correctly by removing a test user from your
- identity provider.
-
-Keep audit exports and logs for compliance purposes.
-
-### Migration results
-
-After completing the migration:
-
-- All users in your organization are SCIM-provisioned
-- User de-provisioning works reliably through your identity provider
-- No new JIT users are created
-- Consistent identity lifecycle management is maintained
-
-### Troubleshoot migration issues
-
-If a user fails to reappear after removal:
-
-1. Check that the user is assigned to the Docker application in your identity
- provider.
-2. Verify SCIM is enabled in both Docker and your identity provider.
-3. Trigger a manual SCIM sync in your identity provider.
-4. Check provisioning logs in your identity provider for errors.
-
-For more troubleshooting guidance, see
-[Troubleshoot provisioning](/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md).
-
## Disable SCIM
If SCIM is disabled, any user provisioned through SCIM will remain in the
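Review bot: The removed IMPORTANT callout and the removal/verification steps are the only statement in the lines shown here that users created through JIT cannot be automatically de-provisioned by SCIM until they are removed and re-created. That is an offboarding control, not just a how-to. Please confirm the text lands on another page in this PR and that this page links to it; troubleshoot-provisioning.md still lists "SCIM was enabled after the user was already provisioned via JIT" as a cause, so readers arriving from there need somewhere to find the migration procedure.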
@@ -589,5 +368,5 @@ To disable SCIM:
## Next steps
-- Set up [Group mapping](/manuals/enterprise/security/provisioning/group-mapping.md).
-- [Troubleshoot provisioning](/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md).
+- Set up [Group mapping](/enterprise/security/provisioning/scim/group-mapping/).
+- [Troubleshoot provisioning](/enterprise/security/provisioning/troubleshoot-provisioning/).
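Review bot: The new Group mapping target `/enterprise/security/provisioning/scim/group-mapping/` adds a `scim/` path segment that the removed link (`.../provisioning/group-mapping.md`) did not have, and nothing in the lines shown moves group-mapping under a `scim/` directory. Another link in this patch still points at `/manuals/enterprise/security/provisioning/scim.md#supported-attributes`, which suggests `scim` is a page rather than a directory. Please verify the published path. Both links here also switch from source-file paths to hard-coded URL paths, which are not tied to the file location, so a later move breaks them without any build signal.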
diff --git a/content/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md b/content/manuals/enterprise/security/provisioning/troubleshoot-provisioning.md
similarity index 89%
rename from content/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md
rename to content/manuals/enterprise/security/provisioning/troubleshoot-provisioning.md
index 7dbaa148d02d..47a8338b6b67 100644
--- a/content/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md
+++ b/content/manuals/enterprise/security/provisioning/troubleshoot-provisioning.md
@@ -1,12 +1,12 @@
---
title: Troubleshoot provisioning
-linkTitle: Troubleshoot provisioning
+linkTitle: Troubleshoot
description: Troubleshoot common user provisioning issues with SCIM and Just-in-Time provisioning
keywords: SCIM troubleshooting, user provisioning, JIT provisioning, group mapping, attribute conflicts
tags: [Troubleshooting]
toc_max: 2
aliases:
- - /security/troubleshoot/troubleshoot-provisioning/
+ - /enterprise/troubleshoot/troubleshoot-provisioning/
---
This page helps troubleshoot common user provisioning issues including user roles, attributes, and unexpected account behavior with SCIM and Just-in-Time (JIT) provisioning.
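Review bot: In the `aliases` list the old entry `/security/troubleshoot/troubleshoot-provisioning/` is replaced by `/enterprise/troubleshoot/troubleshoot-provisioning/` rather than kept alongside it, so the older URL loses its redirect after this rename. The troubleshoot-sso.md front matter in this same patch keeps its existing aliases and appends the new one; do the same here and list both.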
@@ -21,10 +21,10 @@ IdP. This issue usually surfaces as incorrect role or team assignment.
### Causes
- JIT provisioning is enabled, and Docker is using values from your IdP's
-SSO login flow to provision the user, which overrides
-SCIM-provided attributes.
+ SSO login flow to provision the user, which overrides
+ SCIM-provided attributes.
- SCIM was enabled after the user was already provisioned via JIT, so SCIM
-updates don't take effect.
+ updates don't take effect.
### Affected environments
@@ -37,7 +37,7 @@ updates don't take effect.
1. Sign in to Docker as a user via SSO.
1. Enable SCIM and set role/team attributes for that user.
1. SCIM attempts to update the user's attributes, but the role or team
-assignment does not reflect changes.
+ assignment does not reflect changes.
### Solutions
@@ -58,7 +58,7 @@ and role assignment.
If you prefer to keep JIT enabled:
- Make sure your IdP's SSO attribute mappings match the values being sent
-by SCIM.
+ by SCIM.
- Avoid configuring SCIM to override attributes already set via JIT.
This option requires strict coordination between SSO and SCIM attributes
@@ -83,4 +83,4 @@ existing user:
> [!WARNING]
>
> Deleting a user removes their resource ownership (e.g., repositories).
-Transfer ownership before removing the user.
+> Transfer ownership before removing the user.
diff --git a/content/manuals/enterprise/security/single-sign-on/FAQs/general.md b/content/manuals/enterprise/security/single-sign-on/FAQs/general.md
index 69e660b77c2c..ce25481d4df8 100644
--- a/content/manuals/enterprise/security/single-sign-on/FAQs/general.md
+++ b/content/manuals/enterprise/security/single-sign-on/FAQs/general.md
@@ -3,7 +3,7 @@ description: Frequently asked questions about Docker single sign-on
keywords: Docker, Docker Hub, SSO FAQs, single sign-on, administration, security
title: General SSO FAQs
linkTitle: General
-weight: 10
+weight: 20
tags: [FAQ]
aliases:
- /single-sign-on/faqs/
diff --git a/content/manuals/enterprise/security/single-sign-on/_index.md b/content/manuals/enterprise/security/single-sign-on/_index.md
index a48866b973fa..c348636ed61a 100644
--- a/content/manuals/enterprise/security/single-sign-on/_index.md
+++ b/content/manuals/enterprise/security/single-sign-on/_index.md
@@ -49,11 +49,11 @@ assigned to an organization, and added to a team.
> [!IMPORTANT]
>
> Docker plans to deprecate CLI password-based sign-in in future releases.
-Using a PAT ensures continued CLI access. For more information, see the
-[security announcement](/manuals/security/security-announcements.md#deprecation-of-password-logins-on-cli-when-sso-enforced).
+> Using a PAT ensures continued CLI access. For more information, see the
+> [security announcement](/security/security-announcements.> md#deprecation-of-password-logins-on-cli-when-sso-enforced).
## Next steps
- Start [configuring SSO](connect.md).
-- Read the [FAQs](/manuals/enterprise/security/single-sign-on/faqs/general.md).
-- [Troubleshoot](/manuals/enterprise/troubleshoot/troubleshoot-sso.md) SSO issues.
+- Read the [FAQs](/enterprise/security/single-sign-on/FAQs/general).
+- [Troubleshoot](/enterprise/security/single-sign-on/troubleshoot-sso) SSO issues.
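Review bot: The rewritten security announcement link in the IMPORTANT callout has a stray `> ` inside the URL (`/security/security-announcements.> md#deprecation-of-password-logins-on-cli-when-sso-enforced`), so the target is broken; it looks like the callout-prefix fix was applied in the middle of the link. Remove the `> `, and if the link is meant to be a URL path like the two in Next steps, drop the `.md` as well. Also check the case of `FAQs` in `/enterprise/security/single-sign-on/FAQs/general`, since connect.md in this patch uses lowercase `faqs` for the same section.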
diff --git a/content/manuals/enterprise/security/single-sign-on/connect.md b/content/manuals/enterprise/security/single-sign-on/connect.md
index 87d0056e5d63..ff216eea7da3 100644
--- a/content/manuals/enterprise/security/single-sign-on/connect.md
+++ b/content/manuals/enterprise/security/single-sign-on/connect.md
@@ -259,4 +259,4 @@ Docker Hub. If you want to use 2FA, you must enable 2FA through your IdP.
- [Provision users](/manuals/enterprise/security/provisioning/_index.md).
- [Enforce sign-in](../enforce-sign-in/_index.md).
- [Create personal access tokens](/manuals/enterprise/security/access-tokens.md).
-- [Troubleshoot SSO](/manuals/enterprise/troubleshoot/troubleshoot-sso.md) issues.
+- [Troubleshoot SSO](/enterprise/security/single-sign-on/faqs/troubleshoot-sso/) issues.
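Review bot: The new target `/enterprise/security/single-sign-on/faqs/troubleshoot-sso/` does not match where this patch moves the page. The file is renamed to `content/manuals/enterprise/security/single-sign-on/troubleshoot-sso.md`, and single-sign-on/_index.md links to `/enterprise/security/single-sign-on/troubleshoot-sso`, with no `faqs/` segment. Drop `faqs/` here so the two links agree. The three links above it in this list still use the `/manuals/...md` source form, so the list now mixes both styles.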
diff --git a/content/manuals/enterprise/troubleshoot/troubleshoot-sso.md b/content/manuals/enterprise/security/single-sign-on/troubleshoot-sso.md
similarity index 96%
rename from content/manuals/enterprise/troubleshoot/troubleshoot-sso.md
rename to content/manuals/enterprise/security/single-sign-on/troubleshoot-sso.md
index ce3b554270cd..d71d58eeab58 100644
--- a/content/manuals/enterprise/troubleshoot/troubleshoot-sso.md
+++ b/content/manuals/enterprise/security/single-sign-on/troubleshoot-sso.md
@@ -1,13 +1,15 @@
---
title: Troubleshoot single sign-on
-linkTitle: Troubleshoot SSO
+linkTitle: Troubleshoot
description: Troubleshoot common Docker single sign-on configuration and authentication issues
+weight: 10
keywords: sso troubleshooting, single sign-on errors, authentication issues, identity provider problems
tags: [Troubleshooting]
toc_max: 2
aliases:
- - /security/for-admins/single-sign-on/troubleshoot/
- - /security/troubleshoot/troubleshoot-sso/
+ - /security/for-admins/single-sign-on/troubleshoot/
+ - /security/troubleshoot/troubleshoot-sso/
+ - /enterprise/troubleshoot/troubleshoot-sso/
---
This page describes common single sign-on (SSO) errors and their solutions. Issues can stem from your identity provider (IdP) configuration or Docker settings.
@@ -39,6 +41,7 @@ For further troubleshooting, check your IdP's documentation or contact their sup
### Error message
When this issue occurs, the following error message is common:
+
```text
Some of the groups assigned to the user are not formatted as ':'. Directory groups will be ignored and user will be provisioned into the default organization and team.
```
@@ -56,6 +59,7 @@ Some of the groups assigned to the user are not formatted as ':`
@@ -74,6 +79,7 @@ Update group names in your IdP:
### Error message
When this issue occurs, the following error message is common:
+
```text
User '$username' is not assigned to this SSO organization. Contact your administrator. TraceID: XXXXXXXXXXXXX
```
@@ -109,8 +115,8 @@ If you have SCIM enabled, troubleshoot your SCIM connection using the following
1. Select **Admin Console**, then **SSO and SCIM**.
1. In the SSO connections table, select the **Action** menu and then **View error logs**. For more details on specific errors, select **View error details** next to an error message. Note any errors you see on this page.
1. Navigate back to the **SSO and SCIM** page of the Admin Console and verify your SCIM configuration:
- - Ensure that the SCIM Base URL and API Token in your IdP match those provided in the Docker Admin Console.
- - Verify that SCIM is enabled in both Docker and your IdP.
+ - Ensure that the SCIM Base URL and API Token in your IdP match those provided in the Docker Admin Console.
+ - Verify that SCIM is enabled in both Docker and your IdP.
1. Ensure that the attributes being synced from your IdP match Docker's [supported attributes](/manuals/enterprise/security/provisioning/scim.md#supported-attributes) for SCIM.
1. Test user provisioning by trying to provision a test user through your IdP and verify if they appear in Docker.
@@ -119,6 +125,7 @@ If you have SCIM enabled, troubleshoot your SCIM connection using the following
### Error message
When this issue occurs, the following error message is common:
+
```text
IdP-Initiated sign in is not enabled for connection '$ssoConnection'.
```
@@ -142,6 +149,7 @@ You can hide the Docker SSO app from users in your IdP. This prevents users from
### Error message
When this issue occurs, the following error message is common:
+
```text
Not enough seats in organization '$orgName'. Add more seats or contact your administrator.
```
@@ -165,6 +173,7 @@ Review your organization members and pending invitations. Remove inactive users
### Error message
When this issue occurs, the following error message is common:
+
```text
Domain '$emailDomain' is not verified for your SSO connection. Contact your company administrator. TraceID: XXXXXXXXXXXXXX
```
@@ -190,6 +199,7 @@ Add and verify all domains and subdomains used as UPN by your IdP and associate
### Error message
When this issue occurs, the following error message is common:
+
```text
We couldn't find your session. You may have pressed the back button, refreshed the page, opened too many sign-in dialogs, or there is some issue with cookies. Try signing in again. If the issue persists, contact your administrator.
```
@@ -197,6 +207,7 @@ We couldn't find your session. You may have pressed the back button, refreshed t
### Causes
The following causes may create this issue:
+
- The user pressed the back or refresh button during authentication.
- The authentication flow lost track of the initial request, preventing completion.
@@ -215,6 +226,7 @@ Close the browser tab and restart the authentication flow from the Docker applic
### Error message
When this issue occurs, the following error message is common:
+
```text
The name ID sent by the identity provider is not an email address. Contact your company administrator.
```
@@ -222,11 +234,13 @@ The name ID sent by the identity provider is not an email address. Contact your
### Causes
The following causes may create this issue:
+
- The IdP sends a Name ID (UPN) that does not comply with the email format required by Docker.
- Docker SSO requires the Name ID to be the primary email address of the user.
### Solutions
In your IdP, ensure the Name ID attribute format is correct:
+
1. Verify that the Name ID attribute format in your IdP is set to `EmailAddress`.
-2. Adjust your IdP settings to return the correct Name ID format.
\ No newline at end of file
+2. Adjust your IdP settings to return the correct Name ID format.
diff --git a/content/manuals/enterprise/troubleshoot/_index.md b/content/manuals/enterprise/troubleshoot/_index.md
deleted file mode 100644
index 76d4281d6f40..000000000000
--- a/content/manuals/enterprise/troubleshoot/_index.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-build:
- render: never
-title: Troubleshoot
-weight: 40
-params:
- sidebar:
- group: Enterprise
----
\ No newline at end of file
diff --git a/content/manuals/unassociated-machines/_index.md b/content/manuals/unassociated-machines/_index.md
index bcfdf1974af2..c359c6f10fe7 100644
--- a/content/manuals/unassociated-machines/_index.md
+++ b/content/manuals/unassociated-machines/_index.md
@@ -6,8 +6,8 @@ sitemap: false
pagefind_exclude: true
noindex: true
params:
- sidebar:
- group: Enterprise
+ sidebar:
+ group: Enterprise
---
{{% restricted title="About unassociated machines" %}}
@@ -39,25 +39,25 @@ Docker uses telemetry data to identify which machines likely belong to your
organization:
- Domain matching: Users signed in with email domains associated with your
-organization
+ organization
- Registry patterns: Analysis of container registry access patterns that
-indicate organizational usage
+ indicate organizational usage
## View unassociated machines
To see detailed information about unassociated machines:
1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
-your organization.
+ your organization.
1. In **User management**, select **Unassociated**.
The machine list displays:
- Machine ID (Docker-generated identifier)
- The registry address used to predict whether a user is part of your
-organization
+ organization
- User email (only displays if the user is signed into Docker Desktop while
-using it)
+ using it)
- Docker Desktop version
- Operating system (OS)
- Last activity date
@@ -73,12 +73,12 @@ You can:
> [!NOTE]
>
> Sign-in enforcement for unassociated machines is different from
-the [organization-level sign-in enforcement](/enterprise/security/enforce-sign-in/)
-available through `registry.json` and configuration profiles. This sign-in
-enforcement only requires users to sign in so admins can identify who is
-using the machine, meaning users can sign in with any email address. For more
-stringent security controls that limit sign-ins to users who are already part
-of your organization, see [Enforce sign-in](/enterprise/security/enforce-sign-in/).
+> the [organization-level sign-in enforcement](/enterprise/security/enforce-sign-in/)
+> available through `registry.json` and configuration profiles. This sign-in
+> enforcement only requires users to sign in so admins can identify who is
+> using the machine, meaning users can sign in with any email address. For more
+> stringent security controls that limit sign-ins to users who are already part
+> of your organization, see [Enforce sign-in](/enterprise/security/enforce-sign-in/).
Sign-in enforcement helps you identify who is using unassociated machines in
your organization. When you enable enforcement, users on these machines will
@@ -94,14 +94,14 @@ You can enable sign-in enforcement using two methods:
> [!IMPORTANT]
>
> Sign-in enforcement only takes effect after Docker Desktop is restarted.
-Users can continue using Docker Desktop until their next restart.
+> Users can continue using Docker Desktop until their next restart.
### Enable sign-in enforcement for all unassociated machines
To enable sign-in enforcement for all unassociated machines:
1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
-your organization.
+ your organization.
1. In **User management**, select **Unassociated**.
1. Turn on the **Enforce sign-in** toggle.
1. In the pop-up modal, select **Require sign-in** to confirm.
@@ -112,18 +112,18 @@ The **Sign-in required** status will update for all unassociated machines to
> [!NOTE]
>
> When you enable sign-in enforcement for all unassociated machines, any new
-machines detected in the future will automatically have sign-in enforcement
-enabled. Sign-in enforcement requires Docker Desktop version 4.41 or later.
-Users with older versions will not be prompted to sign in and can continue
-using Docker Desktop normally until they update. Their status shows
-as **Pending** until they update to version 4.41 or later.
+> machines detected in the future will automatically have sign-in enforcement
+> enabled. Sign-in enforcement requires Docker Desktop version 4.41 or later.
+> Users with older versions will not be prompted to sign in and can continue
+> using Docker Desktop normally until they update. Their status shows
+> as **Pending** until they update to version 4.41 or later.
### Enable sign-in enforcement for individual unassociated machines
To enable sign-in enforcement for individual unassociated machines:
1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
-your organization.
+ your organization.
1. In **User management**, select **Unassociated**.
1. Locate the machine you want to enable sign-in enforcement for.
1. Select the **Actions** menu and choose **Turn on sign-in enforcement**.
@@ -135,18 +135,18 @@ The **Sign-in required** status will update for the individual machine to
> [!NOTE]
>
> Sign-in enforcement requires Docker Desktop version 4.41 or later. Users
-with older versions will not be prompted to sign in and can continue using
-Docker Desktop normally until they update. Their status shows as **Pending**
-until they update to version 4.41 or later.
+> with older versions will not be prompted to sign in and can continue using
+> Docker Desktop normally until they update. Their status shows as **Pending**
+> until they update to version 4.41 or later.
### What happens when users sign in
After you enable sign-in enforcement:
1. Users must restart Docker Desktop. Enforcement only takes effect after
-restart.
+ restart.
1. When users open Docker Desktop, they see a sign-in prompt. They must sign
-in to continue using Docker Desktop.
+ in to continue using Docker Desktop.
1. User email addresses appear in the **Unassociated** list.
1. You can add users to your organization.
@@ -160,27 +160,27 @@ appear in the **Unassociated** list. You can add these users to your
organization in two ways:
- Automatic addition:
- - Auto-provisioning: If you have verified domains with auto-provisioning
+ - Auto-provisioning: If you have verified domains with auto-provisioning
enabled, users who sign in with a matching email domain will automatically
be added to your organization. For more information on verifying domains and
- auto-provisioning, see [Domain management](/manuals/enterprise/security/domain-management.md).
- - SSO user provisioning: If you have SSO configured with
+ auto-provisioning, see [Domain management](/enterprise/security/domain-management).
+ - SSO user provisioning: If you have SSO configured with
[Just-in-Time provisioning](/manuals/enterprise/security/provisioning/just-in-time.md),
users who sign in through your SSO connection will automatically be added
to your organization.
- Manual addition: If you don't have auto-provisioning or SSO set up, or if a
-user's email domain doesn't match your configured domains, their email will
-appear in the **Unassociated** list where you can choose to add them directly.
+ user's email domain doesn't match your configured domains, their email will
+ appear in the **Unassociated** list where you can choose to add them directly.
> [!NOTE]
>
> If you add users and do not have enough seats in your organization, a
-pop-up will appear prompting you to **Get more seats**.
+> pop-up will appear prompting you to **Get more seats**.
### Add individual users
1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
-your organization.
+ your organization.
1. In **User management**, select **Unassociated**.
1. Locate the machine you want to add to your organization.
1. Select the **Actions** menu and choose **Add to organization**.
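Review bot: In the "Automatic addition" list the Domain management link changes to the URL form `/enterprise/security/domain-management`, while the Just-in-Time provisioning link two lines below stays as `/manuals/enterprise/security/provisioning/just-in-time.md`. Pick one form for both items in this hunk. If the URL form is intended, it also lacks the trailing slash used by the `/enterprise/security/enforce-sign-in/` links earlier in this file.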
@@ -189,10 +189,10 @@ your organization.
### Bulk add users
1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
-your organization.
+ your organization.
1. In **User management**, select **Unassociated**.
1. Use the **checkboxes** to select the machines you want to add to your
-organizations.
+ organizations.
1. Select the **Add to organization** button.
1. In the pop-up modal, select **Add users** to confirm.
@@ -201,7 +201,7 @@ organizations.
### Disable for all unassociated machines
1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
-your organization.
+ your organization.
1. In **User management**, select **Unassociated**.
1. Turn off the **Enforce sign-in** toggle.
1. In the pop-up modal, select **Turn off sign-in requirement** to confirm.
@@ -212,7 +212,7 @@ The **Sign-in required** status will update for all unassociated machines to
### Disable for specific unassociated machines
1. Sign in to the [Admin Console](https://app.docker.com/admin) and select
-your organization.
+ your organization.
1. In **User management**, select **Unassociated**.
1. Locate the machine you want to disable sign-in enforcement for.
1. Select the **Actions** menu and choose **Turn off sign-in enforcement**.