ContextQMD
Back to Docker

Single sign-on overview

content/manuals/enterprise/security/single-sign-on/_index.md

18.09-release2.5 KB
Original Source

{{< summary-bar feature_name="SSO" >}}

Single sign-on (SSO) lets users access Docker by authenticating through their identity providers (IdPs). SSO can be configured for an entire company, including all associated organizations, or for a single organization that has a Docker Business subscription.

How SSO works

When SSO is enabled, Docker supports a non-IdP-initiated flow for user sign-in. Instead of signing in with a Docker username and password, users are redirected to your IdP’s sign-in page. Users must initiate the SSO authentication process by signing in to Docker Hub or Docker Desktop.

The following diagram illustrates how SSO operates and is managed between Docker Hub, Docker Desktop, and your IdP.

Set up SSO

To configure SSO in Docker, follow these steps:

  1. Configure your domain by creating and verifying it.
  2. Create your SSO connection in Docker and your IdP.
  3. Link Docker to your identity provider.
  4. Test your SSO connection.
  5. Provision users in Docker.
  6. Optional. Enforce sign-in.
  7. Manage your SSO configuration.

Once configuration is complete, users can sign in to Docker services using their company email address. After signing in, users are added to your company, assigned to an organization, and added to a team.

Prerequisites

Before you begin, make sure the following conditions are met:

  • Notify your company about the upcoming SSO sign-in process.
  • Ensure all users have Docker Desktop version 4.42 or later installed.
  • Confirm that each Docker user has a valid IdP account using the same email address as their Unique Primary Identifier (UPN).
  • If you plan to enforce SSO, users accessing Docker through the CLI must create a personal access token (PAT). The PAT replaces their username and password for authentication.
  • Ensure CI/CD pipelines use PATs or OATs instead of passwords.

[!IMPORTANT]

Docker plans to deprecate CLI password-based sign-in in future releases. Using a PAT ensures continued CLI access. For more information, see the security announcement.

Next steps