4th chunk of `content/manuals/security/troubleshoot/troubleshoot-sso.md`
```text
Not enough seats in organization '$orgName'. Add more seats or contact your administrator.
```

### Possible causes

This error occurs when the organization has no available seats for a user who is being provisioned through Just-in-Time (JIT) provisioning or SCIM.

### Solutions

**Add more seats to the organization**

Purchase additional Docker Business subscription seats. For details, see [Manage subscription seats](/manuals/subscription/manage-seats.md).

**Remove users or pending invitations**

Review your organization members and pending invitations. Remove inactive users or pending invitations to free up seats. For more details, see [Manage organization members](/manuals/admin/organization/members.md).

## Domain is not verified for SSO connection

### Error message

When this issue occurs, the following error message is common:
```text
Domain '$emailDomain' is not verified for your SSO connection. Contact your company administrator. TraceID: XXXXXXXXXXXXXX
```

### Possible causes

This error occurs if the IdP authenticated a user through SSO and the User Principal Name (UPN)
returned to Docker doesn't match any of the verified domains associated with the
SSO connection configured in Docker.

### Solutions

**Verify UPN attribute mapping**

Ensure that the IdP SSO connection is returning the correct UPN value in the assertion attributes.

**Add and verify all domains**

Add and verify all domains and subdomains used as UPN by your IdP and associate them with your Docker SSO connection. For details, see [Configure single sign-on](/manuals/security/for-admins/single-sign-on/configure.md).

## Unable to find session

### Error message

When this issue occurs, the following error message is common:
```text
We couldn't find your session. You may have pressed the back button, refreshed the page, opened too many sign-in dialogs, or there is some issue with cookies. Try signing in again. If the issue persists, contact your administrator.
```

### Possible causes

The following causes may create this issue:
- The user pressed the back or refresh button during authentication.
- The authentication flow lost track of the initial request, preventing completion.

### Solutions

**Do not disrupt the authentication flow**

Do not press the back or refresh button during sign-in.

**Restart authentication**

Close the browser tab and restart the authentication flow from the Docker application (Desktop, Hub, etc.).

## Name ID is not an email address

### Error message

When this issue occurs, the following error message is common:
```text
The name ID sent by the identity provider is not an email address. Contact your company administrator.
```

### Possible causes

The following causes may create this issue:
- The IdP sends a Name ID (UPN) that does not comply with the email format required by Docker.
- Docker SSO requires the Name ID to be the primary email address of the user.

### Solutions

In your IdP, ensure the Name ID attribute format is correct:
1. Verify that the Name ID attribute format in your IdP is set to `EmailAddress`.
2. Adjust your IdP settings to return the correct Name ID format.
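
A pre-flight check for the "Domain is not verified" and "Name ID is not an email address" errors above, as an added example that is not part of the Docker documentation: it inspects the NameID of a decoded SAML assertion before you change IdP settings. The function names, the exact-match domain rule, and the sample assertion are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Deliberately simple shape check: one "@", no whitespace, dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def check_name_id(assertion_xml, verified_domains):
    """Return a list of findings for the assertion's NameID; empty means OK."""
    if "<!DOCTYPE" in assertion_xml:
        # SAML messages never need a DTD; refuse rather than parse entities.
        raise ValueError("DTDs are not expected in SAML assertions")
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        return ["assertion has no NameID"]
    findings = []
    if name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID Format is not emailAddress: %s" % name_id.get("Format"))
    match = EMAIL_RE.match(name_id.text.strip())
    if match is None:
        findings.append("NameID value is not an email address")
        return findings
    # Assumption: a subdomain counts only if it is verified in its own right.
    domain = match.group(1).lower()
    if domain not in {d.lower() for d in verified_domains}:
        findings.append("domain '%s' is not in the verified domain list" % domain)
    return findings


def sample_assertion(name_id, fmt=EMAIL_FORMAT):
    # Constructed sample assertion, trimmed to the Subject element.
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Subject><saml:NameID Format="%s">%s</saml:NameID></saml:Subject>'
        "</saml:Assertion>" % (fmt, name_id)
    )


VERIFIED = ["example.com"]  # constructed: domains verified on the SSO connection

if __name__ == "__main__":
    for sample in ("alice@example.com", "bob@eu.example.com", "carol"):
        print(sample, "->", check_name_id(sample_assertion(sample), VERIFIED) or "OK")
```

The second sample shows why subdomains used as UPN have to be added and verified separately: `eu.example.com` is reported even though `example.com` is in the list.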

Title: Troubleshooting SSO Errors: Domain Verification, Session Issues, and Name ID Format
Summary
This section details troubleshooting steps for three common Docker SSO errors. First, it addresses the "Domain '$emailDomain' is not verified" error, caused by a mismatch between the UPN returned by the IdP and the verified domains in Docker. Solutions involve verifying UPN attribute mapping and adding/verifying all relevant domains. Second, it covers the "Unable to find session" error, often caused by disrupting the authentication flow. The solution is to restart the authentication from the Docker application. Finally, it discusses the "Name ID is not an email address" error, which occurs when the IdP sends a Name ID that doesn't comply with Docker's email format requirement, requiring adjustments to the IdP settings to ensure the Name ID attribute format is set to `EmailAddress`.