Home Explore Blog Models CI



docker
3rd chunk of `content/manuals/security/faqs/single-sign-on/users-faqs.md`
152c7f95b5af208af8ec50c233265efa9b5486a6f0b119dd0000000100000e2f
Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization.

[SCIM](../../../security/for-admins/provisioning/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM.

Additionally, you can use the [Docker Hub API](/reference/api/hub/latest/) to complete this process.

### How does disabling Just-in-Time provisioning impact user sign-in?

The option to disable JIT is available when you use the Admin Console and enable SCIM. If a user attempts to sign in to Docker using an email address that is a verified domain for your SSO connection, they need to be a member of the organization to access it, or have a pending invitation to the organization. Users who don't meet these criteria will encounter an `Access denied` error, and will need an administrator to invite them to the organization.

See [SSO authentication with JIT provisioning disabled](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled).

To auto-provision users without JIT provisioning, you can use [SCIM](/security/for-admins/provisioning/scim/).

### What's the best way to provision the Docker subscription without SSO?

Company or organization owners can invite users through Docker Hub or Admin Console, by email address (for any user) or by Docker ID (assuming the user has an existing Docker account).

### Can someone join an organization without an invitation? Is it possible to add specific users to an organization with existing email accounts?

Not without SSO. Joining requires an invite from an organization owner. When SSO is enforced, then the domains verified through SSO will let users automatically join the organization the next time they sign in as a user that has a domain email assigned.

### When we send an invitation to the user, will the existing account be consolidated and retained?

Yes, the existing user account will join the organization with all assets retained.

### How can I view, update, and remove multiple email addresses for my users?

We only support one email per user on the Docker platform.

### How can I remove invitees to the organization who haven't signed in?

You can go to the **Members** page for your organization in Docker Hub or Admin Console, view pending invites, and remove invitees as needed.

### Is the flow for service account authentication different from a UI user account?

No, we don't differentiate the two in product.

### Is user information visible in Docker Hub?

All Docker accounts have a public profile associated with their namespace. If you don't want user information (for example, full name) to be visible, you can remove those attributes from your SSO and SCIM mappings. Alternatively, you can use a different identifier to replace a user's full name.

### What happens to existing licensed users when SCIM is enabled?

Enabling SCIM does not immediately remove or modify existing licensed users in your Docker organization. They retain their current access and roles, but after enabling SCIM, you will manage them in your identity provider (IdP). If SCIM is later disabled, previously SCIM-managed users remain in Docker but are no longer automatically updated or removed based on your IdP.
Title: Docker SSO Provisioning, Invitations, User Management, and SCIM Impact
Summary
This section discusses various aspects of user provisioning and management within Docker, focusing on SSO, Just-in-Time (JIT) provisioning, SCIM, and invitations. It covers the impact of disabling JIT on user sign-in, the process of inviting users without SSO, and the behavior of existing accounts when invitations are sent. It also addresses questions about managing user email addresses, removing invitees, service account authentication, user information visibility, and the effects of enabling SCIM on existing licensed users.