iam: sso session limit (#22312)

sarahsanders-docker · web-flow · commit e20141cba174 · 2025-04-01T11:58:53.000-07:00
## Description - IAM is adding an SSO attribute `dockerSessionMinutes` to support IdP default session timeout - This PR adds the attribute, and fixes FAQs that says Docker does not support IdP default timeout ## Related issues or tickets - [IAM-1046](https://docker.atlassian.net/browse/IAM-1046) ## Reviews - [ ] Technical review - [ ] Editorial review - [ ] Product review [IAM-1046]: https://docker.atlassian.net/browse/IAM-1046?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
diff --git a/content/manuals/security/faqs/general.md b/content/manuals/security/faqs/general.md
@@ -31,13 +31,12 @@ You can configure this through SSO using your IdP. Check with your IdP if they s
 
 ### How are sessions managed and do they expire?
 
-Docker uses tokens to manage sessions after a user signs in:
+By default, Docker uses tokens to manage sessions after a user signs in:
 
 - Docker Desktop signs you out after 90 days, or 30 days of inactivity.
 - Docker Hub and Docker Home sign you out after 24 hours.
 
-Custom settings per organization for sessions aren't supported. Currently,
-Docker does not support your IdP's default session timeout for SSO users.
+Docker also supports your IdP's default session timeout. You can configure this by setting a Docker session minutes SAML attribute. For more information, see [SSO attributes](/manuals/security/for-admins/provisioning/_index.md#sso-attributes).
 
 ### How does Docker attribute downloads to us and what data is used to classify or verify the user is part of our organization?
 
diff --git a/content/manuals/security/faqs/single-sign-on/faqs.md b/content/manuals/security/faqs/single-sign-on/faqs.md
@@ -65,10 +65,5 @@ No. There are no specific firewall rules required for configuring SSO, as long a
 
 ### Does Docker use my IdP's default session timeout?
 
-No. Currently, Docker does not support your IdP's default session timeout for
-SSO users.
-
-Docker's default user session timeouts are as follows:
-
-- Docker Desktop signs you out after 90 days, or 30 days of inactivity.
-- Docker Hub and Docker Home sign you out after 24 hours.
+Yes, Docker supports your IdP's default session timeout using a custom SAML attribute.
+Instead of relying on the standard `SessionNotOnOrAfter` element from the SAML spec, Docker uses a custom `dockerSessionMinutes` attribute to control session duration. See [SSO attributes](/manuals/security/for-admins/provisioning/_index.md#sso-attributes) for more information.
diff --git a/content/manuals/security/for-admins/provisioning/_index.md b/content/manuals/security/for-admins/provisioning/_index.md
@@ -38,6 +38,10 @@ When a user signs in through SSO, Docker obtains several attributes from your Id
 - **Docker Org**: Optional. Specifies the organization the user belongs to
 - **Docker Team**: Optional. Defines the team the user belongs to within the organization
 - **Docker Role**: Optional. Determines the user's permission within Docker
+- **Docker session minutes**: Optional. Sets the duration of a user’s session before they must re-authenticate with their identity provider (IdP). The value must be a positive integer greater than 0.
+If this is attribute is not provided, by default:
+    - Docker Desktop signs you out after 90 days, or 30 days of inactivity.
+    - Docker Hub and Docker Home sign you out after 24 hours.
 
 If your organization uses SAML for SSO, Docker retrieves these attributes from the SAML assertion message. Keep in mind that different IdPs may use different names for these attributes. The following reference table outlines possible SAML attributes used by Docker:
 
@@ -49,6 +53,7 @@ If your organization uses SAML for SSO, Docker retrieves these attributes from t
 | Docker Org (optional)	| `dockerOrg` |
 | Docker Team (optional) |	`dockerTeam` |
 | Docker Role (optional) |	`dockerRole` |
+| Docker session minutes (optional) | `dockerSessionMinutes`, must be a positive integer > 0 |
 
 ## What's next?
 
diff --git a/content/manuals/security/for-admins/single-sign-on/connect.md b/content/manuals/security/for-admins/single-sign-on/connect.md
@@ -78,9 +78,10 @@ The user interface for your IdP may differ slightly from the following steps. Re
     - Name ID format: `EmailAddress`
     - Application username: `Email`
     - Update application on: `Create and update`
-11. Select **Next**.
-12. Select the **This is an internal app that we have created** checkbox.
-13. Select **Finish**.
+11. Optional. Add SAML attributes. See [SSO attributes](/manuals/security/for-admins/provisioning/_index.md#sso-attributes) for a table of SSO attributes.
+12. Select **Next**.
+13. Select the **This is an internal app that we have created** checkbox.
+14. Select **Finish**.
 
 {{< /tab >}}
 {{< tab name="Entra ID SAML 2.0" >}}
@@ -94,8 +95,9 @@ The user interface for your IdP may differ slightly from the following steps. Re
 7. Enter the following values from Docker into their corresponding Azure fields:
     - Docker Entity ID: **Identifier**
     - Docker ACS URL: **Reply URL**
-8. Save configuration.
-9. From the **SAML Signing Certificate** section, download your **Certificate (Base64)**.
+8. Optional. Add SAML attributes. See [SSO attributes](/manuals/security/for-admins/provisioning/_index.md#sso-attributes) for a table of SSO attributes.
+9. Save configuration.
+10. From the **SAML Signing Certificate** section, download your **Certificate (Base64)**.
 
 {{< /tab >}}
 {{< tab name="Azure Connect (OIDC)" >}}
