Clarify how CLI auth works with SSO (#20327)
* refresh faqs

* style guide fix

* update acronym ref
stephaurelio authored Jul 2, 2024
1 parent 1ea23dc commit e8a420f
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions content/security/faqs/single-sign-on/enforcement-faqs.md
Expand Up @@ -22,7 +22,9 @@ Yes. You must verify a domain before using it with an SSO connection.

### Does Docker SSO support authenticating through the command line?

Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../../../security/for-developers/access-tokens.md).
When SSO is enforced, you can't use passwords to access the Docker CLI, but you can still access the Docker CLI using a personal access token (PAT) for authentication.

Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](/security/for-developers/access-tokens/). Users who already used a PAT to sign in before SSO enforcement will still be able to use that PAT to authenticate.

### How does SSO affect our automation systems and CI/CD pipelines?
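Review bot: In the second added paragraph, "Each user must create a PAT to access the CLI" conflicts with the sentence that closes the same paragraph, which says a PAT used before SSO enforcement keeps working. Consider scoping the requirement, for example "Each user who doesn't already have a PAT must create one to access the CLI." The rewrite also drops the leading "Yes." from the answer, so the heading's yes/no question is no longer answered directly. Restoring it ("Yes, with a personal access token (PAT). When SSO is enforced, you can't use passwords...") would keep the entry consistent with the "Yes." answers visible in the context lines of both hunk headers. Because the new text confirms that pre-enforcement tokens stay valid, it may also be worth pointing admins to the same "Manage access tokens" page for reviewing or revoking tokens they no longer want in use.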

Expand All @@ -46,11 +48,11 @@ Yes, you can create a test organization. Companies can set up a new 5 seat Busin

### Once we enable SSO for Docker Desktop, what's the impact to the flow for Build systems that use service accounts?

If you enable SSO, there is no impact. Both username/password or personal access token sign-in are supported.
If you enable SSO, there is no impact. Both username/password or personal access token (PAT) sign-in are supported.
However, if you enforce SSO:

- Service Account domain email addresses must not be aliased and must be enabled in their IdP
- Username/password and personal access token will still work (but only if they exist, which they won't for new accounts)
- Username/password authentication won’t work, so you should update the build system to use a PAT instead of a password
- Those who know the IdP credentials can sign in as that Service Account through SSO on Hub and create or change the personal access token for that service account.

### Is the sign in required tracking at runtime or install time?
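Review bot: The new bullet "Username/password authentication won’t work, so you should update the build system to use a PAT instead of a password" tells the reader to switch to a PAT but doesn't say how a service account gets one. The only hint is the next, unchanged bullet about signing in through SSO on Hub with the IdP credentials. Consider linking to the access tokens page here as the earlier CLI answer does, or moving the Hub sign-in bullet ahead of this one so the steps read in order. Two smaller points: the bullet uses a curly apostrophe ("won’t") where the other text in this diff uses straight ones ("can't", "what's"), and the touched sentence "Both username/password or personal access token (PAT) sign-in are supported" should read "Both ... and ...". The last bullet also still spells out "personal access token" twice after this change introduces the PAT acronym for the section.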