Update provisioning references (#19735)

stephaurelio · web-flow · commit f1777ac06e5b · 2024-04-10T08:25:46.000-07:00
* update jit callouts and add step

* separate management steps and update callouts

* update conditional steps

* add diagram and add cross-links

* remove old diagram

* update diagram

* add details about multi-org sso

* implement feedback

* move beta feature banner and link to section

* update tab order

* update diagram and provide clarity around sso error

* remove image and update faq
diff --git a/content/faq/security/single-sign-on/idp-faqs.md b/content/faq/security/single-sign-on/idp-faqs.md
@@ -42,9 +42,14 @@ You can add a bot account to your IDP and create an access token for it to repla
 
 Yes, bot accounts need a seat, similar to a regular end user, having a non-aliased domain email enabled in the IdP and using a seat in Hub.
 
-### Does Docker plan to release SAML Just-In-Time (JIT) provisioning?
+### Does SAML SSO use Just-in-Time provisioning?
 
-The SSO implementation is already Just-In-Time. Administrators don't have to create user's accounts on Hub, they can just enable it on the IdP and have the users sign in through their domain email on Hub.
+> **Beta feature**
+>
+> Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon.
+{ .experimental }
+
+The SSO implementation uses Just-in-Time (JIT) provisioning by default. You can optionally disable JIT if you prefer not to auto-provision users, or if you opt for auto-provisioning using SCIM.
 
 ### Will there be IdP-initiated logins?
 
diff --git a/content/faq/security/single-sign-on/users-faqs.md b/content/faq/security/single-sign-on/users-faqs.md
@@ -57,10 +57,30 @@ When SSO is enabled and enforced, your users just have to sign in using the emai
 
 ### Is Docker SSO fully synced with the IdP?
 
-Docker SSO provides Just-In-Time (JIT) provisioning by default. This provisioning only happens when a user signs in. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization. [SCIM](../../../security/for-admins/scim.md) is available to provide full synchronization with users and groups.
+> **Beta feature**
+>
+> Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon.
+{ .experimental }
+
+Docker SSO provides Just-in-Time (JIT) provisioning by default, with an option to disable JIT. Users are provisioned when a user authenticates with SSO. If a user leaves the organization, administrators must sign in to Docker Hub and manually [remove the user](../../../admin/organization/members.md#remove-a-member-or-invitee) from the organization.
+
+[SCIM](../../../security/for-admins/scim/) is available to provide full synchronization with users and groups. When you auto-provision users with SCIM, the recommended configuration is to disable JIT so that all auto-provisioning is handled by SCIM.
 
 Additionally, you can use the [Docker Hub API](/docker-hub/api/latest/) to complete this process.
 
+### How does disabling Just-in-Time provisioning impact user sign-in?
+
+> **Beta feature**
+>
+> Optional Just-in-Time (JIT) provisioning configuration is only available in Private Beta when you use the Admin Console. Otherwise, JIT is enabled by default. This feature will be available for all users soon.
+{ .experimental }
+
+If a user attempts to sign in to Docker using an email address that is a verified domain for your SSO connection, they need to be a member of the organization to access it, or have a pending invitation to the organization. Users who don't meet these criteria will encounter an `Access denied` error, and will need an administrator to invite them to the organization.
+
+See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
+
+To auto-provision users without JIT provisioning, you can use [SCIM](/security/for-admins/scim/).
+
 ### What's the best way to provision the Docker subscription without SSO?
 
 Company or organization owners can invite users through Docker Hub UI, by email address (for any user) or by Docker ID (assuming the user has created a user account on Hub already).
diff --git a/content/security/for-admins/group-mapping.md b/content/security/for-admins/group-mapping.md
@@ -21,6 +21,8 @@ IdPs share with Docker the main attributes of every authorized user through SSO,
 
 Docker uses the email address of the user to identify them on the platform. Every Docker account must have a unique email address at all times.
 
+### SSO authentication with JIT provisioning enabled
+
 After every successful SSO sign-in authentication, the JIT provisioner performs the following actions:
 
 1. Checks if there's an existing Docker account with the email address of the user that just authenticated.
@@ -29,13 +31,40 @@ After every successful SSO sign-in authentication, the JIT provisioner performs
 
    b) If an account exists for this email address, it uses this account and updates the full name of the user’s profile if needed.
 
-2. Checks if the IdP shared group mappings while authenticating the user.
+2. Checks for any pending invitations to the SSO organization to auto-accept the invitation. If the invitation is specific to a group, the user is added to the invited group along with group mappings in the following step.
+
+3. Checks if the IdP shared group mappings while authenticating the user.
 
    a) If the IdP provided group mappings for the user, the user gets added to the organizations and teams indicated by the group mappings.
 
    b) If the IdP didn't provide group mappings, it checks if the user is already a member of the organization, or if the SSO connection is for multiple organizations (only at company level) and if the user is a member of any of those organizations. If the user isn't a member, it adds the user to the default team and organization configured in the SSO connection.
 
-![JIT provisioning](../images/group-mapping.png)
+![JIT provisioning enabled](../images/jit-enabled-flow.svg)
+
+### SSO authentication with JIT provisioning disabled
+
+> **Beta feature**
+>
+> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users.
+{ .experimental }
+
+When you opt to disable JIT provisioning in your SSO connection, the following actions occur:
+
+1. Checks if there's an existing Docker account with the email address of the user that just authenticated.
+
+   a) If no account is found with the same email address, it creates a new Docker account using basic user attributes (email, name, and surname). Authentication with SSO generates a new username for this new account by using the email, name, and random numbers to make sure that all account usernames are unique in the platform.
+
+   b) If an account exists for this email address, it uses this account and updates the full name of the user’s profile if needed.
+
+2. Checks if there are any pending invitations to the SSO organization (or, SSO organizations if the SSO connection is managed at the company level) in order to auto-accept the invitation.
+
+   a) If the user isn't already a member of the organization, or doesn't have a pending invitation to join, sign in fails and the user encounters an `Access denied` error. This blocks the user from joining the organization. They need to contact an administrator to invite them to join.
+
+   b) If the user is a member of the organization, or has a pending invitation to join, then sign in is successful.
+
+If you disable JIT provisioning when you create or edit your SSO connection, you can still use group mapping as long as you have also [enabled SCIM](/security/for-admins/scim/#enable-scim-in-docker). When JIT provisioning is disabled and SCIM isn't enabled, users won't be auto-provisioned to groups. For instructions on disabling JIT provisioning, see [Manage how users are provisioned](/security/for-admins/single-sign-on/manage/#manage-how-users-are-provisioned).
+
+![JIT provisioning disabled](../images/jit-disabled-flow.svg)
 
 ## Use group mapping
 
diff --git a/content/security/for-admins/scim.md b/content/security/for-admins/scim.md
@@ -39,9 +39,14 @@ For additional details about supported attributes and SCIM, see [Docker Hub API
 
 > **Important**
 >
->SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see [SSO attributes](../for-admins/single-sign-on/configure/configure-idp.md#sso-attributes).
+> SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](scim.md#set-up-scim), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For more information, see [SSO attributes](../for-admins/single-sign-on/configure/configure-idp.md#sso-attributes).
 {.important}
 
+> **Beta feature**
+>
+> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
+{ .experimental }
+
 ## Enable SCIM in Docker
 
 You must make sure you have [configured SSO](single-sign-on/configure/_index.md) before you enable SCIM. Enforcing SSO isn't required.
diff --git a/content/security/for-admins/single-sign-on/configure/_index.md b/content/security/for-admins/single-sign-on/configure/_index.md
@@ -25,34 +25,34 @@ This page walks through steps 1 and 2 using Docker Hub or the Admin Console.
 ## Step one: Add and verify your domain
 
 {{< tabs >}}
-{{< tab name="Docker Hub" >}}
-
-{{% admin-domains product="hub" %}}
-
-{{< /tab >}}
 {{< tab name="Admin Console" >}}
 
 {{< include "admin-early-access.md" >}}
 
 {{% admin-domains product="admin" %}}
 
+{{< /tab >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-domains product="hub" %}}
+
 {{< /tab >}}
 {{< /tabs >}}
 
 ## Step two: Create an SSO connection in Docker
 
 {{< tabs >}}
-{{< tab name="Docker Hub" >}}
-
-{{% admin-sso-config product="hub" %}}
-
-{{< /tab >}}
 {{< tab name="Admin Console" >}}
 
 {{< include "admin-early-access.md" >}}
 
 {{% admin-sso-config product="admin" %}}
 
+{{< /tab >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-sso-config product="hub" %}}
+
 {{< /tab >}}
 {{< /tabs >}}
 
diff --git a/content/security/for-admins/single-sign-on/configure/configure-idp.md b/content/security/for-admins/single-sign-on/configure/configure-idp.md
@@ -41,6 +41,11 @@ If you use SAML for your SSO connection, Docker obtains these attributes from th
 >SSO uses Just-in-Time (JIT) provisioning by default. If you [enable SCIM](../../scim.md), JIT values still overwrite the attribute values set by SCIM provisioning whenever users log in. To avoid conflicts, make sure your JIT values match your SCIM values. For example, to make sure that the full name of a user displays in your organization, you would set a `name` attribute in your SAML attributes and ensure the value includes their first name and last name. The exact method for setting these values (for example, constructing it with `user.firstName + " " + user.lastName`) varies depending on your IdP.
 {.important}
 
+> **Beta feature**
+>
+> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you can avoid conflicts between SCIM and JIT by disabling JIT provisioning in your SSO connection. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
+{ .experimental }
+
 You can also configure attributes to override default values, such as default team or organization. See [role mapping](../../scim.md#set-up-role-mapping).
 
 | SSO attribute | SAML assertion message attributes |
diff --git a/content/security/for-admins/single-sign-on/connect/_index.md b/content/security/for-admins/single-sign-on/connect/_index.md
@@ -26,15 +26,20 @@ Make sure you have completed the following before you begin:
 
 ## Step four: Complete your SSO connection
 
+> **Beta feature**
+>
+> Optional Just-in-Time (JIT) provisioning is available in Private Beta when you use the Admin Console. If you're participating in this program, you have the option to turn off this default provisioning and disable JIT. This configuration is recommended if you're using SCIM to auto-provision users. See [SSO authentication with JIT provisioning disabled](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled).
+{ .experimental }
+
 {{< tabs >}}
-{{< tab name="Docker Hub" >}}
+{{< tab name="Admin Console" >}}
 
-{{% admin-sso-connect product="hub" %}}
+{{% admin-sso-connect product="admin" %}}
 
 {{< /tab >}}
-{{< tab name="Admin Console" >}}
+{{< tab name="Docker Hub" >}}
 
-{{% admin-sso-connect product="admin" %}}
+{{% admin-sso-connect product="hub" %}}
 
 {{< /tab >}}
 {{< /tabs >}}
diff --git a/content/security/for-admins/single-sign-on/manage/_index.md b/content/security/for-admins/single-sign-on/manage/_index.md
@@ -14,33 +14,67 @@ aliases:
 > You must have a [company](/admin/company/) to manage more than one organization.
 
 {{< tabs >}}
+{{< tab name="Admin Console" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-sso-management-orgs product="admin" %}}
+
+{{< /tab >}}
 {{< tab name="Docker Hub" >}}
 
 {{% admin-sso-management-orgs product="hub" %}}
 
 {{< /tab >}}
+{{< /tabs >}}
+
+## Manage domains
+
+{{< tabs >}}
 {{< tab name="Admin Console" >}}
 
 {{< include "admin-early-access.md" >}}
 
-{{% admin-sso-management-orgs product="admin" %}}
+{{% admin-sso-management product="admin" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-sso-management product="hub" %}}
 
 {{< /tab >}}
 {{< /tabs >}}
 
-## Manage domains
+## Manage SSO connections
 
 {{< tabs >}}
+{{< tab name="Admin Console" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-sso-management-connections product="admin" %}}
+
+{{< /tab >}}
 {{< tab name="Docker Hub" >}}
 
-{{% admin-sso-management product="hub" %}}
+{{% admin-sso-management-connections product="hub" %}}
 
 {{< /tab >}}
+{{< /tabs >}}
+
+## Manage users
+
+{{< tabs >}}
 {{< tab name="Admin Console" >}}
 
 {{< include "admin-early-access.md" >}}
 
-{{% admin-sso-management product="admin" %}}
+{{% admin-sso-management-users product="admin" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-sso-management-users product="hub" %}}
 
 {{< /tab >}}
 {{< /tabs >}}
diff --git a/content/security/images/group-mapping.png b/content/security/images/group-mapping.png
diff --git a/content/security/images/jit-disabled-flow.svg b/content/security/images/jit-disabled-flow.svg
diff --git a/content/security/images/jit-enabled-flow.svg b/content/security/images/jit-enabled-flow.svg
diff --git a/layouts/shortcodes/admin-sso-connect.md b/layouts/shortcodes/admin-sso-connect.md
@@ -2,15 +2,19 @@
 {{ $sso_navigation := `Navigate to the SSO settings page for your organization or company.
    - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**.
    - Company: Select **Organizations**, your company, and then **Settings**.` }}
+{{ $provisioning_step := "4. Review your summary and select **Create Connection**." }}
 
 {{ if eq (.Get "product") "admin" }}
   {{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
   {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM.**" }}
+  {{ $provisioning_step = `
+3. **Beta feature** - Choose how you want to provision users by enabling Just-in-Time (JIT) provisioning (default), or disabling JIT provisioning.
+4. Review your summary and select **Create Connection**.` }}
 {{ end }}
 
 1. In {{ $product_link }}, select the verified domains you want to apply the connection to.
 2. To provision your users, select the organization(s) and/or team(s).
-3. Review your summary and select **Create Connection**.
+{{ $provisioning_step }}
 
 ## Test your SSO configuration
 
@@ -21,7 +25,7 @@ After you’ve completed the SSO configuration process in Docker, you can test t
 
 >**Important**
 >
-> SSO has Just-In-Time (JIT) Provisioning enabled by default. This means your users are auto-provisioned to your organization on Docker Hub.
+> SSO has Just-in-Time (JIT) provisioning enabled by default, unless you have [disabled it](/security/for-admins/group-mapping/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization on Docker Hub.
 >
 > You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
 >
diff --git a/layouts/shortcodes/admin-sso-management-connections.md b/layouts/shortcodes/admin-sso-management-connections.md
@@ -0,0 +1,29 @@
+{{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
+{{ $sso_navigation := `Navigate to the SSO settings page for your organization or company.
+   - Organization: Select **Organizations**, your organization, **Settings**, and then **Security**.
+   - Company: Select **Organizations**, your company, and then **Settings**.` }}
+
+{{ if eq (.Get "product") "admin" }}
+  {{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
+  {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO & SCIM**." }}
+{{ end }}
+
+### Edit a connection
+
+1. Sign in to {{ $product_link }}.
+2. {{ $sso_navigation }}
+3. In the SSO connections table, select the **Action** icon.
+4. Select **Edit connection** to edit your connection.
+5. Follow the on-screen instructions to edit the connection.
+
+### Delete a connection
+
+1. Sign in to {{ $product_link }}.
+2. {{ $sso_navigation }}
+3. In the SSO connections table, select the **Action** icon.
+4. Select **Delete connection**.
+5. Follow the on-screen instructions to delete a connection.
+
+### Deleting SSO
+
+When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.
diff --git a/layouts/shortcodes/admin-sso-management-users.md b/layouts/shortcodes/admin-sso-management-users.md
diff --git a/layouts/shortcodes/admin-sso-management.md b/layouts/shortcodes/admin-sso-management.md
