2nd chunk of `content/manuals/security/troubleshoot/troubleshoot-sso.md`
2. Check the groups assigned to the affected user.
3. Ensure each group follows the required format: `<organization>:<team>`
4. Update any incorrectly formatted groups to match this pattern.
5. Save changes and retry signing in with SSO.
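The following is an added example, not code from Docker's documentation or product: a small checker for the group values an IdP sends, applying the `<organization>:<team>` rule from the steps above so that malformed entries can be spotted before retrying the SSO sign-in. It assumes (this is not stated on the page) that a well-formed group contains exactly one colon, a non-empty organization and team on either side of it, and no whitespace; the sample group list is constructed.

```python
import re

# Assumed shape of a valid group (not specified by the docs): exactly one
# colon separating a non-empty organization from a non-empty team, no spaces.
GROUP_RE = re.compile(r"^([^\s:]+):([^\s:]+)$")


def parse_group(group: str):
    """Return (organization, team) for a well-formed group, otherwise None."""
    m = GROUP_RE.match(group)
    return (m.group(1), m.group(2)) if m else None


def check_groups(groups, organization: str):
    """Classify the group claims sent for one user.

    Returns a dict with the teams that map into `organization`, the groups
    that name a different organization, and the malformed ones that would
    be ignored or rejected during group mapping.
    """
    result = {"mapped": [], "other_org": [], "malformed": []}
    for g in groups:
        parsed = parse_group(g)
        if parsed is None:
            result["malformed"].append(g)
        elif parsed[0] == organization:
            result["mapped"].append(parsed[1])
        else:
            result["other_org"].append(g)
    return result


# Constructed sample: group attribute values as an IdP might send them.
SAMPLE_GROUPS = ["acme:developers", "acme:qa", "developers", "acme : ops", "other:dev"]

if __name__ == "__main__":
    report = check_groups(SAMPLE_GROUPS, "acme")
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
```

Run it with the affected user's group list pasted into `SAMPLE_GROUPS` and your organization name in place of `acme`; anything under `malformed` is what step 4 asks you to correct in the IdP.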

## User is not assigned to the organization

### Error message

When this issue occurs, the following error message is common:
```text
User '$username' is not assigned to this SSO organization. Contact your administrator. TraceID: XXXXXXXXXXXXX
```

### Possible causes

- User is not assigned to the organization: If Just-in-Time (JIT) provisioning is disabled, the user may not be assigned to your organization.
- User is not invited to the organization: If JIT is disabled and you do not want to enable it, the user must be manually invited.
- SCIM provisioning is misconfigured: If you use SCIM for user provisioning, it may not be correctly syncing users from your IdP.

### Solutions

**Enable JIT provisioning**

JIT is enabled by default when you enable SSO. If you have JIT disabled and need
to re-enable it:

1. Sign in to the [Admin Console](https://app.docker.com/admin) and select your organization.
2. Select **SSO and SCIM**.
3. In the SSO connections table, select the **Action** menu and then **Enable JIT provisioning**.
4. Select **Enable** to confirm.

**Manually invite users**

When JIT is disabled, users are not automatically added to your organization when they authenticate through SSO.
To manually invite users, see [Invite members](/manuals/admin/organization/members.md#invite-members).

**Configure SCIM provisioning**

If you have SCIM enabled, troubleshoot your SCIM connection using the following steps:

1. Sign in to the [Admin Console](https://app.docker.com/admin) and select your organization.
2. Select **SSO and SCIM**.
3. In the SSO connections table, select the **Action** menu and then **View error logs**. For more details on specific errors, select **View error details** next to an error message. Note any errors you see on this page.
4. Navigate back to the **SSO and SCIM** page of the Admin Console and verify your SCIM configuration:
    - Ensure that the SCIM Base URL and API Token in your IdP match those provided in the Docker Admin Console.
    - Verify that SCIM is enabled in both Docker and your IdP.
5. Ensure that the attributes being synced from your IdP match Docker's [supported attributes](/manuals/security/for-admins/provisioning/scim.md#supported-attributes) for SCIM.
6. Test user provisioning by trying to provision a test user through your IdP and verify if they appear in Docker.
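As an added example (not part of Docker's documentation, and not Docker's SCIM client), the script below supports step 6: it builds a standard SCIM 2.0 (RFC 7644) user lookup by `userName` and interprets the `ListResponse` to report whether the test user was provisioned and is active. It assumes the SCIM endpoint answers `GET /Users?filter=...` the way RFC 7644 describes; the base URL and token are placeholders to be replaced with the values shown on the **SSO and SCIM** page, and the two response bodies are constructed samples.

```python
import json
import urllib.request
from urllib.parse import quote

# Placeholders: take the real SCIM Base URL and API token from the Admin
# Console's SSO and SCIM page. These are not Docker's real values.
SCIM_BASE_URL = "https://scim.example.invalid/v2"
SCIM_TOKEN = "<api-token-from-admin-console>"

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def user_lookup_request(base_url: str, token: str, email: str):
    """Build the SCIM 2.0 request that looks up one user by userName.

    Assumption: the endpoint supports RFC 7644 filtering on /Users.
    """
    flt = f'userName eq "{email}"'
    url = f"{base_url.rstrip('/')}/Users?filter={quote(flt, safe='')}"
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/scim+json",
    }
    return url, headers


def provisioning_status(list_response_text: str) -> str:
    """Interpret a SCIM ListResponse body for a single-user filter."""
    body = json.loads(list_response_text)
    if LIST_RESPONSE_SCHEMA not in body.get("schemas", []):
        return "unexpected-response"
    if body.get("totalResults", 0) == 0:
        return "not-provisioned"  # the IdP never pushed this user
    user = body["Resources"][0]
    # SCIM "active" defaults to true when the attribute is absent.
    return "active" if user.get("active", True) else "deactivated"


def check_user(email: str) -> str:
    """Perform the lookup over HTTPS and return the provisioning status."""
    url, headers = user_lookup_request(SCIM_BASE_URL, SCIM_TOKEN, email)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return provisioning_status(resp.read().decode("utf-8"))


# Constructed sample responses (not captured from Docker).
SAMPLE_FOUND = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 1,
    "Resources": [{"id": "u-1", "userName": "test.user@example.invalid", "active": True}],
})
SAMPLE_NOT_FOUND = json.dumps({"schemas": [LIST_RESPONSE_SCHEMA], "totalResults": 0, "Resources": []})

if __name__ == "__main__":
    # Offline demonstration on the constructed samples; replace with
    # check_user("test.user@example.invalid") once the placeholders are filled in.
    print("found sample:", provisioning_status(SAMPLE_FOUND))
    print("missing sample:", provisioning_status(SAMPLE_NOT_FOUND))
```

A `not-provisioned` result after the IdP reports a successful push points at the SCIM configuration (base URL, token or attribute mapping) rather than at the user; an `unexpected-response` result usually means the request reached something other than the SCIM endpoint, for example a sign-in page returned because the token was rejected.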

## IdP-initiated sign in is not enabled for connection

### Error message

When this issue occurs, the following error message is common:
```text
IdP-Initiated sign in is not enabled for connection '$ssoConnection'.
```

### Possible causes

Docker does not support an IdP-initiated SAML flow. This error occurs when a user attempts to authenticate from your IdP, such as using the Docker SSO app tile on the sign in page.

### Solutions

**Authenticate from Docker apps**

The user must initiate authentication from a Docker application (Hub, Desktop, etc.). The user enters their email address in the Docker app and is redirected to the SSO IdP configured for their domain.

**Hide the Docker SSO app**

You can hide the Docker SSO app from users in your IdP. This prevents users from attempting to start authentication from the IdP dashboard. You must hide and configure this in your IdP.
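To make the distinction behind this error concrete, here is an added example (not Docker's code and not from this page) that classifies a SAML 2.0 `Response` as SP-initiated or IdP-initiated. In an SP-initiated flow the response answers an `AuthnRequest` the service provider issued, so it carries an `InResponseTo` attribute referencing that request's ID; an IdP-initiated response is unsolicited and has no such attribute, which is the property a service provider that does not support IdP-initiated flows uses to reject it. The two XML documents are constructed samples with invalid hostnames.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def classify_saml_response(xml_text: str) -> str:
    """Return 'sp-initiated' or 'idp-initiated' for a samlp:Response document."""
    # xml.etree is fine for this diagnostic; for untrusted input at scale
    # use defusedxml, which disables entity expansion.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a SAML Response element: {root.tag}")
    # Only a response to an AuthnRequest the SP sent carries InResponseTo.
    return "sp-initiated" if root.get("InResponseTo") else "idp-initiated"


def classify_post_binding(form_value: str) -> str:
    """Classify the base64 SAMLResponse value of an HTTP-POST binding."""
    return classify_saml_response(base64.b64decode(form_value).decode("utf-8"))


def describe(xml_text: str) -> dict:
    """Summarise the fields an admin looks at when diagnosing this error."""
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "flow": classify_saml_response(xml_text),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
    }


# Constructed samples: the SP-initiated response references the AuthnRequest
# ID "_authnreq1"; the IdP-initiated one has no InResponseTo at all.
SP_INITIATED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.invalid/acs" InResponseTo="_authnreq1">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

IDP_INITIATED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.invalid/acs">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    for sample in (SP_INITIATED_RESPONSE, IDP_INITIATED_RESPONSE):
        print(describe(sample))
```

When a user reports this error, the `SAMLResponse` value from the failing POST (visible in the browser's developer tools) can be fed to `classify_post_binding`; `idp-initiated` confirms the user started from the IdP tile rather than from a Docker app, which is exactly the case the solutions above address.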
