3rd chunk of `content/manuals/security/troubleshoot/troubleshoot-sso.md`
6. Test user provisioning: provision a test user through your IdP and verify that they appear in Docker.

## IdP-initiated sign in is not enabled for connection

### Error message

When this issue occurs, the following error message is common:

```text
IdP-Initiated sign in is not enabled for connection '$ssoConnection'.
```

### Possible causes

Docker does not support an IdP-initiated SAML flow. This error occurs when a user attempts to authenticate from your IdP, such as using the Docker SSO app tile on the sign in page.

### Solutions

**Authenticate from Docker apps**

The user must initiate authentication from a Docker application (Hub, Desktop, etc.). After the user enters their email address in a Docker app, they are redirected to the SSO IdP configured for their domain.

**Hide the Docker SSO app**

You can hide the Docker SSO app from users in your IdP. This prevents users from attempting to start authentication from the IdP dashboard. You must hide and configure this in your IdP.
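
The following is an added example, not Docker's code: a sketch of how a SAML service provider can tell the two flows apart. A response to an SP-initiated sign-in carries an `InResponseTo` attribute naming the request the SP issued, while an IdP-initiated (unsolicited) response has none. The function name, exception, and sample messages are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class UnsolicitedResponse(Exception):
    """Raised for a response that answers no request this SP issued."""

def check_solicited(response_xml: str, pending_request_ids: set) -> str:
    """Return the matched AuthnRequest ID, consuming it so it cannot be reused.

    Hypothetical helper. Signature, issuer, audience and time-window checks
    are out of scope here and are still required before trusting assertions.
    """
    # For untrusted input, use a hardened XML parser (for example defusedxml).
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        # IdP-initiated flow: the IdP sent a response nobody asked for.
        raise UnsolicitedResponse("IdP-initiated sign-in is not enabled")
    if in_response_to not in pending_request_ids:
        # Unknown or already-consumed request ID: reject it the same way.
        raise UnsolicitedResponse(f"no pending request {in_response_to!r}")
    pending_request_ids.remove(in_response_to)
    return in_response_to

# Constructed sample messages (not captured traffic).
SP_INITIATED = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req-123"/>'
)
IDP_INITIATED = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z"/>'
)

if __name__ == "__main__":
    pending = {"_req-123"}  # IDs of AuthnRequests this SP has sent
    print(check_solicited(SP_INITIATED, pending))
    for msg in (IDP_INITIATED, SP_INITIATED):  # app-tile click, then a replay
        try:
            check_solicited(msg, pending)
        except UnsolicitedResponse as exc:
            print("rejected:", exc)
```

Consuming the request ID on first use means a replayed copy of a previously accepted response is rejected in the same way as an unsolicited one.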

## Not enough seats in organization

### Error message

When this issue occurs, the following error message is common:

```text
Not enough seats in organization '$orgName'. Add more seats or contact your administrator.
```

### Possible causes

This error occurs when the organization has no available seats for a user who is being provisioned through Just-in-Time (JIT) provisioning or SCIM.

### Solutions

**Add more seats to the organization**

Purchase additional Docker Business subscription seats. For details, see [Manage subscription seats](/manuals/subscription/manage-seats.md).

**Remove users or pending invitations**

Review your organization members and pending invitations. Remove inactive users or pending invitations to free up seats. For more details, see [Manage organization members](/manuals/admin/organization/members.md).

## Domain is not verified for SSO connection

### Error message

When this issue occurs, the following error message is common:

```text
Domain '$emailDomain' is not verified for your SSO connection. Contact your company administrator. TraceID: XXXXXXXXXXXXXX
```

### Possible causes

Title: Troubleshooting IdP-Initiated Sign-In, Seat Limits, and Domain Verification Issues
Summary
This section covers three distinct SSO-related issues in Docker. First, it addresses the error "IdP-Initiated sign in is not enabled for connection '$ssoConnection'," explaining that Docker doesn't support IdP-initiated SAML flow and instructing users to authenticate from Docker apps instead or to hide the Docker SSO app in their IdP. Second, it discusses the "Not enough seats in organization '$orgName'" error, which occurs when an organization has no available seats for new users. Solutions involve purchasing more seats or removing inactive users/pending invitations. Finally, it begins to address the error "Domain '$emailDomain' is not verified for your SSO connection," indicating a domain verification problem.