2nd chunk of `content/manuals/security/for-admins/provisioning/_index.md`
| System for Cross-domain Identity Management (SCIM) | Continuously syncs user data between your IdP and Docker, ensuring user attributes remain updated without requiring manual updates | Disabled by default | Best for larger organizations or environments with frequent changes in user information or roles |
| Group mapping | Maps user groups from your IdP to specific roles and permissions within Docker, enabling fine-tuned access control based on group membership | Disabled by default | Best for organizations that require strict access control and for managing users based on their roles and permissions |

## Default provisioning setup

By default, Docker enables JIT provisioning when you configure an SSO connection. With JIT enabled, user accounts are automatically created the first time a user signs in using your SSO flow.

JIT provisioning may not provide the level of control or security some organizations need. In such cases, SCIM or group mapping can be configured to give administrators more control over user access and attributes.

## SSO attributes

When a user signs in through SSO, Docker obtains several attributes from your IdP to manage the user's identity and permissions. These attributes include:
- **Email address**: The unique identifier for the user
- **Full name**: The user's complete name
- **Groups**: Optional. Used for group-based access control
- **Docker Org**: Optional. Specifies the organization the user belongs to
- **Docker Team**: Optional. Defines the team the user belongs to within the organization
- **Docker Role**: Optional. Determines the user's permission within Docker
- **Docker session minutes**: Optional. Sets the duration of a user’s session before they must re-authenticate with their identity provider (IdP). The value must be a positive integer greater than 0.
  If this attribute is not provided, by default:
    - Docker Desktop signs you out after 90 days, or 30 days of inactivity.
    - Docker Hub and Docker Home sign you out after 24 hours.

If your organization uses SAML for SSO, Docker retrieves these attributes from the SAML assertion message. Keep in mind that different IdPs may use different names for these attributes. The following reference table outlines possible SAML attributes used by Docker:

| SSO Attribute | SAML Assertion Message Attributes |
| :--- | :--- |
| Email address | `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"`, `email` |
| Full name | `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"`, `name`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"`, `"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"` |
| Groups (optional) | `"http://schemas.xmlsoap.org/claims/Group"`, `"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"`, `Groups`, `groups` |
| Docker Org (optional) | `dockerOrg` |
| Docker Team (optional) | `dockerTeam` |
| Docker Role (optional) | `dockerRole` |
| Docker session minutes (optional) | `dockerSessionMinutes`, must be a positive integer > 0 |
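
A pre-flight check for the attribute mapping in the table above, as an added example that is not part of Docker's documentation or code: it reads the `AttributeStatement` of a SAML assertion, maps each attribute name using the reference table, and flags names that are not in the table and `dockerSessionMinutes` values that are not positive integers. The function name `check_assertion`, the sample assertion, and treating a missing email attribute as a problem are assumptions of this example, and it performs no signature validation.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Attribute names copied from the reference table above (names are compared exactly).
ACCEPTED = {
    "email": {CLAIMS + "nameidentifier", CLAIMS + "upn", CLAIMS + "emailaddress", "email"},
    "full_name": {CLAIMS + "name", "name", CLAIMS + "givenname", CLAIMS + "surname"},
    "groups": {"http://schemas.xmlsoap.org/claims/Group",
               "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups", "Groups", "groups"},
    "docker_org": {"dockerOrg"},
    "docker_team": {"dockerTeam"},
    "docker_role": {"dockerRole"},
    "session_minutes": {"dockerSessionMinutes"},
}

def check_assertion(xml_text):
    """Return (mapped, problems) for the AttributeStatement of one assertion."""
    root = ET.fromstring(xml_text)
    mapped, problems = {}, []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        field = next((f for f, names in ACCEPTED.items() if name in names), None)
        if field is None:
            problems.append(f"attribute name not in the reference table: {name}")
        else:
            mapped.setdefault(field, []).extend(values)
    if not any(mapped.get("email", [])):  # assumption: email is the required identifier
        problems.append("no email attribute in the AttributeStatement")
    for raw in mapped.get("session_minutes", []):
        if not (raw.isascii() and raw.isdigit() and int(raw) > 0):
            problems.append(f"dockerSessionMinutes must be a positive integer > 0, got {raw!r}")
    return mapped, problems

# Constructed sample: a wrongly cased role attribute and a zero session length.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>dev@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="DockerRole"><saml:AttributeValue>example-role</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="dockerSessionMinutes"><saml:AttributeValue>0</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```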

## What's next?

Review the provisioning method guides for steps on configuring provisioning methods:
- [JIT](/manuals/security/for-admins/provisioning/just-in-time.md)
- [SCIM](/manuals/security/for-admins/provisioning/scim.md)
- [Group mapping](/manuals/security/for-admins/provisioning/group-mapping.md)

Title: SSO Attributes and Provisioning Methods
Summary
This section details the attributes Docker obtains from your Identity Provider (IdP) during SSO login, including email address, full name, groups, Docker Org, Docker Team, Docker Role, and Docker session minutes. It also outlines possible SAML attributes used by Docker and explains that Docker enables JIT provisioning by default, but SCIM or group mapping can be configured for more control. The document concludes by providing links to guides for configuring JIT, SCIM, and Group mapping.