1st chunk of `content/manuals/security/for-admins/provisioning/_index.md`
---
description: Learn about provisioning users for your SSO configuration.
keywords: provision users, provisioning, JIT, SCIM, group mapping, sso, docker hub, hub, docker admin, admin, security
title: Provision users
linkTitle: Provision
weight: 20
---

{{< summary-bar feature_name="SSO" >}}

Once you've configured your SSO connection, the next step is to provision users. This process ensures that users can access your organization.
This guide provides an overview of user provisioning and supported provisioning methods.

## What is provisioning?

Provisioning helps manage users by automating tasks like creating, updating, and deactivating users based
on data from your identity provider (IdP). There are three methods for user provisioning, each suited to
different organizational needs:

| Provisioning method | Description | Default setting in Docker | Recommended for |
| :--- | :--- | :------------- | :--- |
| Just-in-Time (JIT) | Automatically creates and provisions user accounts when they first sign in via SSO | Enabled by default | Best for organizations that need minimal setup, have smaller teams, or operate low-security environments |
| System for Cross-domain Identity Management (SCIM) | Continuously syncs user data between your IdP and Docker, ensuring user attributes remain updated without requiring manual updates | Disabled by default | Best for larger organizations or environments with frequent changes in user information or roles |
| Group mapping | Maps user groups from your IdP to specific roles and permissions within Docker, enabling fine-tuned access control based on group membership | Disabled by default | Best for organizations that require strict access control and for managing users based on their roles and permissions |

## Default provisioning setup

By default, Docker enables JIT provisioning when you configure an SSO connection. With JIT enabled, user accounts are automatically created the first time a user signs in using your SSO flow.

JIT provisioning may not provide the level of control or security some organizations need. In such cases, SCIM or group mapping can be configured to give administrators more control over user access and attributes.

## SSO attributes

When a user signs in through SSO, Docker obtains several attributes from your IdP to manage the user's identity and permissions. These attributes include:

Title: Provision Users for SSO
Summary
This document provides an overview of user provisioning methods for SSO, including Just-in-Time (JIT), System for Cross-domain Identity Management (SCIM), and Group Mapping. It explains how these methods automate user management tasks like creating, updating, and deactivating users based on data from your identity provider (IdP). JIT is enabled by default and is suitable for smaller teams, while SCIM and group mapping offer more control for larger organizations with frequent user changes or strict access control requirements.