| description | keywords | title |
|---|---|---|
System for Cross-domain Identity Maagement |
SCIM, SSO |
System for Cross-domain Identity Management |
Important
SCIM for Okta is now available for early access. SCIM support for Azure AD is coming soon. {: .important}
This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. SCIM is a provisioning system that lets you manage users within your identity provider (IdP). You can enable SCIM on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see Upgrade your subscription{:target="blank" rel="noopener" class=""}.
SCIM provides automated user provisioning and de-provisioning for your Docker organization through your IdP. Once SCIM is enabled in your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker Hub and added to the organization. Also, if a user gets unassigned from the Docker application in the IdP, the user is removed from the organization in Docker Hub. SCIM also synchronizes changes made to users’ attributes in the IdP, for instance, the user’s first and last names. Group management is currently not supported.
We currently support the following provisioning features: creating new users, pushing user profile updates, removing users, deactivating users and reactivating users.
SAML-based SSO must be properly set up and functional for your organization before you start configuring automated provisioning. In addition, you must verify your company domain and have the appropriate connectors in your IdP. Your user email domain must be the same company domain you use for Single Sign-on (SSO). Enforcing SSO is not required to enable SCIM. However, you must configure SAML SSO{: target="blank" rel="noopener" class=""} before you enable SCIM.
Before making SCIM configuration changes in your IdP, navigate to Docker Hub{: target="blank" rel="noopener" class=""} and select Organizations > Settings > Security. SCIM is locked until you complete the SSO configuration and verify your company domain. Enable SCIM and access your Base URL and API Token ( the same as Bearer Token in Okta).
{:width="700px"}
-
In Okta, navigate to Applications > Create App Integration, SAML 2.0, and click Next.
-
In the General tab, select Edit App Settings to enable SCIM provisioning and click Save.
-
In the Provisioning tab, edit the SCIM Connection and complete the following:
- SCIM connector base URL: SCIM Base URL from Docker Hub
- Unique identifier field for users: enter email
- Supported Provisioning actions: select Push New Users, Push Profile Updates
- Authorization/Bearer: SCIM API Token from Docker Hub
-
Click Test Connection Configuration to complete the configuration and Save.
-
Navigate to Provisioning > To App > Edit and enable Create Users, Update User Attributes and Deactivates Users, and click Save.
{:width="700px"} -
Remove all fields that are not supported from your Docker Hub Attributes Mappings.
{:width="700px"}
The synchronization of user data is now automated, and the members in your Docker organization will now be automatically provisioned, updated, and de-provisioned based on the access control managed through your identity provider, Okta.
You must run full-sync after enabling SCIM, if you already have users assigned to the Docker Hub app when you enable SCIM. The full sync provisions the users that are assigned in the IdP Directory to Docker Hub.
-
Navigate to Applications > Applications and select the Docker Hub app.
-
In the Assignments tab, click Provision User if you have pending users.
-
Click Apply to All > Reapply Mappings and Confirm.
Note
Any user that was not previously provisioned is now provisioned in Docker Hub.
{:width="700px"}
If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. Users provisioning is through just-in-time provisioning from SSO.
{:width="700px"}