Home Explore Blog Models CI



docker
5th chunk of `content/manuals/security/for-admins/single-sign-on/connect.md`
2126041b8cd4a401b031a62b32796f31720ca7a11d6a60290000000100000bac
2. Sign in to the Admin Console using your **domain email address**.
3. The browser will redirect to your identity provider's sign in page to authenticate. If you have [multiple IdPs](#optional-configure-multiple-idps), choose the sign sign-in option **Continue with SSO**.
4. Authenticate through your domain email instead of using your Docker ID.

You can also test your SSO connection through the command-line interface (CLI). If you want to test through the CLI, your users must have a personal access token (PAT).

## Optional: Configure multiple IdPs

Docker supports multiple IdP configurations. With multiple IdPs configured, one domain can be associated with multiple SSO identity providers. To configure multiple IdPs, repeat steps 1-4 in this guide for each IdP. Ensure each IdP configuration uses the same domain.

When a user signs in to a Docker organization that has multiple IdPs, on the sign-in page, they must choose the option **Continue with SSO**. This prompts them to choose their identity provider and authenticate through their domain email.

## Optional: Enforce SSO

> [!IMPORTANT]
>
> If SSO isn't enforced, users can choose to sign in with either their Docker username and password or SSO.

Enforcing SSO requires users to use SSO when signing into Docker. This centralizes authentication and enforces policies set by the IdP.

1. Sign in to the [Admin Console](https://admin.docker.com/).
2. Select your organization or company from the **Choose profile** page. Note that when an organization is part of a company, you must select the company and configure the domain for the organization at the company level.
3. Under Security and access, select **SSO and SCIM**.
4. In the SSO connections table, select the **Action** icon and then **Enable enforcement**. When SSO is enforced, your users are unable to modify their email address and password, convert a user account to an organization, or set up 2FA through Docker Hub. If you want to use 2FA, you must enable 2FA through your IdP.
5. Continue with the on-screen instructions and verify you've completed all tasks.
6. Select **Turn on enforcement** to complete.

Your users must now sign in to Docker with SSO.

> [!NOTE]
>
> When SSO is enforced, [users can't use passwords to access the Docker CLI](/security/security-announcements/#deprecation-of-password-logins-on-cli-when-sso-enforced). Users must use a [personal access token](/manuals/security/for-admins/access-tokens.md) (PAT) for authentication to access the Docker CLI.

## More resources

The following videos demonstrate how to enforce SSO.

- [Video: Enforce SSO with Okta SAML](https://youtu.be/c56YECO4YP4?feature=shared&t=1072)
- [Video: Enforce SSO with Azure AD (OIDC)](https://youtu.be/bGquA8qR9jU?feature=shared&t=1087)


## What's next

- [Provision users](/manuals/security/for-admins/provisioning/_index.md)
- [Enforce sign-in](../enforce-sign-in/_index.md)
- [Create access tokens](/manuals/security/for-admins/access-tokens.md)
Title: Testing SSO, Configuring Multiple IdPs, Enforcing SSO, and Additional Resources
Summary
This section details how to test the SSO connection through the Admin Console or CLI using a personal access token (PAT). It explains the process of configuring multiple IdPs for a Docker organization and how to enforce SSO, requiring users to authenticate via SSO and centralizing authentication policies. Enforcing SSO disables password-based access to the CLI, mandating the use of personal access tokens (PATs). The section also provides links to video tutorials on enforcing SSO with Okta SAML and Azure AD (OIDC), and suggests next steps like user provisioning and creating access tokens.