SCIM provisioning

This section is for administrators who want to enable System for Cross-domain Identity Management (SCIM) 2.0 for their business. It is available for Docker Business customers.

SCIM provides automated user provisioning and de-provisioning for your Docker organization or company through your identity provider (IdP). Once you enable SCIM in Docker and your IdP, any user assigned to the Docker application in the IdP is automatically provisioned in Docker and added to the organization or company.

Similarly, if a user gets unassigned from the Docker application in the IdP, this removes the user from the organization or company in Docker. SCIM also synchronizes changes made to a user's attributes in the IdP, for example the user’s first name and last name.

The following provisioning features are supported:

  • Create new users
  • Push user profile updates
  • Remove users
  • Deactivate users
  • Reactivate users
  • Group mapping

Supported attributes

The following table lists the supported attributes. Your attribute mappings must match the ones used for SSO, otherwise members can be duplicated.

Attribute          Description
userName           User's primary email address. This is the unique identifier of the user.
name.givenName     User's first name
name.familyName    User's surname
active             Indicates if a user is enabled or disabled. Can be set to false to de-provision the user.

For additional details about supported attributes and SCIM, see Docker Hub API SCIM reference.

Important

SSO uses Just-in-Time (JIT) provisioning by default. If you enable SCIM, JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see SSO attributes.

Tip

Optional Just-in-Time (JIT) provisioning is available when you use the Admin Console and enable SCIM. With this feature, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See SSO authentication with JIT provisioning disabled.

Enable SCIM in Docker

You must configure SSO before you enable SCIM. Enforcing SSO isn't required.


  1. Sign in to Docker Hub.
  2. Navigate to the SSO settings page for your organization or company.
    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select the Actions icon and Setup SCIM.
  4. Copy the SCIM Base URL and API Token and paste the values into your IdP.

Early Access

The Docker Admin Console is an early access product.

It's available to all company owners and organization owners. You can still manage organizations in Docker Hub, but the Admin Console includes company-level management and enhanced features for organization management.

  1. Sign in to the Admin Console.
  2. Select your organization or company in the left navigation drop-down menu, and then select SSO and SCIM.
  3. In the SSO connections table, select the Actions icon and Setup SCIM.
  4. Copy the SCIM Base URL and API Token and paste the values into your IdP.

Enable SCIM in your IdP

The user interface for your IdP may differ slightly from the following steps. You can refer to the documentation for your IdP to verify.


Okta

Enable SCIM

  1. Go to the Okta admin portal.
  2. Go to the app you created when you configured your SSO connection.
  3. On the app page, go to the General tab and select Edit App Settings.
  4. Enable SCIM provisioning, then select Save.
  5. Now you can access the Provisioning tab. Navigate to this tab, then select Edit SCIM Connection.
  6. To configure SCIM in Okta, set up your connection as follows:
    • SCIM Base URL: SCIM connector base URL (copied from Docker Hub)
    • Unique identifier field for users: email
    • Supported provisioning actions: Push New Users and Push Profile Updates
    • Authentication Mode: HTTP Header
    • SCIM Bearer Token: HTTP Header Authorization Bearer Token (copied from Docker Hub)
  7. SelectTest Connector Configuration.
  8. Review the test results.
  9. SelectSave.

Enable synchronization

  1. Go to Provisioning > To App > Edit.
  2. Enable Create Users, Update User Attributes, and Deactivate Users.
  3. Select Save.
  4. Remove unnecessary mappings. The necessary mappings are:
    • Username
    • Given name
    • Family name
    • Email

Azure AD

  1. In the Azure admin portal, go to Enterprise Applications, then select the Docker application you created when you set up your SSO connection.
  2. Go to Provisioning and select Get Started.
  3. Select Automatic provisioning mode.
  4. Enter the SCIM Base URL and API Token from Docker Hub into the Admin Credentials form.
  5. Test the connection, then select Save.
  6. Go to Mappings, then select Provision Azure Active Directory Groups.
  7. Set the Enabled value to No.
  8. Select Provision Azure Active Directory Users.
  9. Remove all unsupported attributes.
  10. Select Save.
  11. Set the provisioning status to On.

See the documentation for your IdP for additional details.

Set up role mapping

You can assign roles to members in your organization from the IdP. To set up a role, use the optional user-level attributes for the person you want to assign a role to. In addition to roles, you can set an organization or team to override the default provisioning values set by the SSO connection.

Note

These mappings are supported for both SCIM and JIT provisioning. With JIT provisioning, role mapping only applies when a user is initially provisioned to the organization.

The following table lists the supported optional user-level attributes.

dockerRole
  Possible values: member, editor, or owner. For a list of permissions for each role, see Roles and permissions.
  Considerations: If you don't assign a role in the IdP, the value of the dockerRole attribute defaults to member. When you set the attribute, this overrides the default value.

dockerOrg
  Possible values: organizationName. For example, an organization named "moby" would be moby.
  Considerations: Setting this attribute overrides the default organization configured by the SSO connection. It also doesn't add the user to the default team. If this attribute isn't set, the user is provisioned to the default organization and the default team. If dockerTeam is also set, the user is provisioned to that team within the specified organization.

dockerTeam
  Possible values: teamName. For example, a team named "developers" would be developers.
  Considerations: Setting this attribute provisions the user to the default organization and to the specified team, instead of the SSO connection's default team. The team is created if it doesn't exist. You can still use group mapping to provision users to teams in multiple organizations. See Group mapping.

After you set the role in the IdP, you need to sync to push the changes to Docker.

The external namespace to use to set up these attributes is urn:ietf:params:scim:schemas:extension:docker:2.0:User.
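To make the attribute table and the extension namespace concrete, the following example builds a SCIM 2.0 User resource the way an IdP would send it, then resolves which role, organization and team the attributes select according to the rules in the table above. It is an added illustration for this page, not Docker's code or part of the Docker Hub API; the payload shape follows RFC 7643, the sample email and names are constructed, and the default organization and team are passed in as assumed values.

```python
"""Build and interpret a SCIM 2.0 User resource carrying Docker's role/org/team
extension attributes.  Added illustration for this page; not Docker's code.
The payload shape follows RFC 7643 and the extension namespace named on the
page; the resolution rules follow the attribute table above."""

import json
from typing import Dict, Optional, Tuple

CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
DOCKER_EXT = "urn:ietf:params:scim:schemas:extension:docker:2.0:User"
DOCKER_ROLES = {"member", "editor", "owner"}


def build_user(email: str, given: str, family: str, active: bool = True,
               role: Optional[str] = None, org: Optional[str] = None,
               team: Optional[str] = None) -> Dict:
    """Return a SCIM User payload as an IdP would POST/PUT it to the SCIM Base URL."""
    user = {
        "schemas": [CORE_SCHEMA],
        "userName": email,                 # unique identifier (primary email)
        "name": {"givenName": given, "familyName": family},
        "active": active,                  # False de-provisions the user
    }
    ext = {k: v for k, v in (("dockerRole", role), ("dockerOrg", org),
                              ("dockerTeam", team)) if v is not None}
    if ext:
        # Extension attributes live under their own schema URN.
        user["schemas"].append(DOCKER_EXT)
        user[DOCKER_EXT] = ext
    return user


def resolve_provisioning(user: Dict, default_org: str,
                         default_team: str) -> Tuple[str, str, Optional[str]]:
    """Return (role, organization, team) that the table above selects.

    Raises ValueError for an unsupported dockerRole so that a bad IdP mapping
    is caught instead of silently falling through."""
    ext = user.get(DOCKER_EXT, {})
    role = ext.get("dockerRole", "member")    # unset role defaults to member
    if role not in DOCKER_ROLES:
        raise ValueError(f"unsupported dockerRole {role!r}; "
                         f"expected one of {sorted(DOCKER_ROLES)}")
    org, team = ext.get("dockerOrg"), ext.get("dockerTeam")
    if org is None and team is None:
        return role, default_org, default_team   # default org and default team
    if org is not None and team is None:
        return role, org, None                    # dockerOrg alone: no default team
    if org is None:
        return role, default_org, team            # dockerTeam alone: default org, named team
    return role, org, team                        # both set: team within that org


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    u = build_user("ada@example.com", "Ada", "Lovelace", role="editor", team="developers")
    print(json.dumps(u, indent=2))
    print(resolve_provisioning(u, default_org="moby", default_team="default-team"))
```

The ValueError branch is the check worth keeping in any mapping test: a capitalised or misspelled role value coming from the IdP is visible immediately, rather than surfacing later as a member who unexpectedly has the default role.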


Okta

Set up

  1. Set up SSO and SCIM first.
  2. In the Okta admin portal, go to Directory > Profile Editor and select User (Default).
  3. Select Add Attribute and configure the values for the role, org, or team you want to add. Exact naming isn't required.
  4. Return to the Profile Editor and select your application.
  5. Select Add Attribute and enter the required values. The External Name and External Namespace must be exact. The external name values for org/team/role mapping are dockerOrg, dockerTeam, and dockerRole respectively, as listed in the previous table. The external namespace is the same for all of them: urn:ietf:params:scim:schemas:extension:docker:2.0:User.
  6. After creating the attributes, go to the top and select Mappings > Okta User to YOUR APP.
  7. Go to the newly created attributes and map the variable names selected above to the external names, then select Save Mappings. If you're using JIT provisioning, continue to the following step.
  8. Go to Applications > YOUR APP > General > SAML Settings > Edit > Step 2 and configure the mapping from the user attribute to the Docker variables.

Assign roles by user

  1. Go to Directory > People > YOUR USER > Profile, then select Edit on Attributes.
  2. Update the attributes to the desired values.

Assign roles by group

  1. Go to Directory > People > YOUR GROUP > Applications > YOUR APPLICATION, then select the Edit icon.
  2. Update the attributes to the desired values.

Users added to the group inherit these attributes upon provisioning, unless they already have attributes set at the user level.

Azure AD

Set up

  1. Set up SSO and SCIM first.
  2. In the Azure AD admin portal, go to Enterprise Apps > YOUR APP > Provisioning > Mappings > Provision Azure Active Directory Users.
  3. To set up the new mapping, check Show advanced options, then select Edit attribute options.
  4. Create new entries with the desired mapping for role, org, or group (for example, urn:ietf:params:scim:schemas:extension:docker:2.0:User:dockerRole) as a string type.
  5. Go back to Attribute Mapping for users and select Add new mapping.

Expression mapping

This implementation works best for roles, but can't be used along with organization and team mapping using the same method. With this approach, you can assign attributes at a group level, which members can inherit. This is the recommended approach for role mapping.

  1. In the Edit Attribute view, select the Expression mapping type.

  2. If you can create app roles named directly after the Docker roles (for example, owner or editor), enter SingleAppRoleAssignment([appRoleAssignments]) in the Expression field.

    Alternatively, if you're restricted to app roles you have already defined (for example, My Corp Administrators), you need to set up a switch for these roles. For example:

    Switch(SingleAppRoleAssignment([appRoleAssignments]), "member", "My Corp Administrator", "owner", "My Corp Editor", "editor")
  3. Set the following fields:

    • Target attribute: urn:ietf:params:scim:schemas:extension:docker:2.0:User:dockerRole
    • Match objects using this attribute: No
    • Apply this mapping: Always
  4. Save your configuration.
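The Switch expression above is easy to get subtly wrong: the default value is its second argument, and every output must be one of the three Docker role names exactly as written. The following added example (not Microsoft's or Docker's code) emulates how Entra evaluates Switch(source, default, key1, value1, ...) and audits a mapping table so that a value such as "Owner" instead of "owner" is caught before provisioning runs. The app-role display names are constructed sample values; the switch table is the one shown in the step above.

```python
"""Emulate Entra's Switch() attribute-mapping expression and check that every
branch yields a Docker role the SCIM extension accepts.  Added illustration
for this page; not Microsoft's or Docker's code.  The app-role names are
constructed sample values."""

from typing import List, Optional

DOCKER_ROLES = {"member", "editor", "owner"}


def switch(value: Optional[str], default: str, *pairs: str) -> str:
    """Switch(source, default, key1, value1, key2, value2, ...) as Entra evaluates it:
    the first key equal to source selects its value; no match returns default."""
    if len(pairs) % 2:
        raise ValueError("Switch() needs key/value pairs after the default value")
    table = dict(zip(pairs[0::2], pairs[1::2]))
    return table.get(value, default)


# The expression from the step above, written as arguments to switch():
# default "member", then (app role display name -> Docker role) pairs.
ROLE_SWITCH = ("member", "My Corp Administrator", "owner", "My Corp Editor", "editor")


def docker_role_for(app_role: Optional[str]) -> str:
    """dockerRole that the expression mapping pushes for a user's single app role
    (None models a user with no app role assignment)."""
    return switch(app_role, *ROLE_SWITCH)


def audit_switch(default: str, *pairs: str) -> List[str]:
    """Return the mapping outputs that are not valid Docker role names.

    Role names are matched case-sensitively, so "Owner" is reported while
    "owner" passes; the default value is audited too, since every user who
    matches no key receives it."""
    outputs = [default, *pairs[1::2]]
    return [v for v in outputs if v not in DOCKER_ROLES]


if __name__ == "__main__":
    print(docker_role_for("My Corp Administrator"))   # owner
    print(docker_role_for("Contractors"))              # member (falls to the default)
    print(audit_switch(*ROLE_SWITCH))                  # [] -> table is clean
    print(audit_switch("member", "Admins", "Owner"))   # ['Owner'] -> would not match a Docker role
```

Run audit_switch over the exact argument list you paste into the Expression field whenever the table changes; a non-empty result means some users would be provisioned with a role value Docker does not define.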

Direct mapping

Direct mapping is an alternative to expression mapping. This implementation works for all three mapping types at the same time. In order to assign users, you'll need to use the Microsoft Graph API.

  1. In the Edit Attribute view, select the Direct mapping type.

  2. Set the following fields:

    • Source attribute: choose one of the allowed extension attributes in Entra (for example, extensionAttribute1)
    • Target attribute: urn:ietf:params:scim:schemas:extension:docker:2.0:User:dockerRole
    • Match objects using this attribute: No
    • Apply this mapping: Always

    If you're setting more than one attribute, for example role and organization, you need to choose a different extension attribute for each one.

  3. Save your configuration.

Assign users

If you used expression mapping in the previous step, go to App registrations > YOUR APP > App Roles and create an app role for each Docker role. If possible, create it with a display name that is directly equivalent to the role in Docker, for example, owner instead of Owner. If set up this way, you can use expression mapping to SingleAppRoleAssignment([appRoleAssignments]). Otherwise, a custom switch has to be used. See Expression mapping.

To add a user:

  1. Go to YOUR APP > Users and groups. Select Add user/group.
  2. Select the user you want to add, then Select their desired role.

To add a group:

  1. Go to YOUR APP > Users and groups. Select Add user/group.
  2. Select the group you want to add, then Select the desired role for the users in that group.

If you used direct mapping in the previous step, go to Microsoft Graph Explorer and sign in to your tenant. You need to be a tenant admin to use this feature. Use the Microsoft Graph API to set the extension attribute on the user to the value that corresponds to the mapped Docker attribute. See the Microsoft Graph API documentation on adding or updating data in extension attributes.


See the documentation for your IdP for additional details.

Disable SCIM

If SCIM is disabled, any user provisioned through SCIM will remain in the organization. Future changes for your users will not sync from your IdP. User de-provisioning is only possible when manually removing the user from the organization.


  1. Sign in to Docker Hub.
  2. Navigate to the SSO settings page for your organization or company.
    • Organization: Select Organizations, your organization, Settings, and then Security.
    • Company: Select Organizations, your company, and then Settings.
  3. In the SSO connections table, select the Actions icon.
  4. Select Disable SCIM.

Early Access

The Docker Admin Console is an early access product.

It's available to all company owners and organization owners. You can still manage organizations in Docker Hub, but the Admin Console includes company-level management and enhanced features for organization management.

  1. Sign in to the Admin Console.
  2. Select your organization or company in the left navigation drop-down menu, and then select SSO and SCIM.
  3. In the SSO connections table, select the Actions icon.
  4. Select Disable SCIM.

More resources

The following videos demonstrate how to configure SCIM for your IdP.