docker · sarahsanders-docker · Nov 4, 2024 · Oct 29, 2024 · Oct 29, 2024 · Oct 30, 2024
@@ -54,24 +54,39 @@
 
 ## Manage users
 
-{{< tabs >}}
-{{< tab name="Admin Console" >}}
+> [!IMPORTANT]
+>
+> SSO has Just-In-Time (JIT) Provisioning enabled by default unless you have [disabled it](/security/for-admins/provisioning/just-in-time/#sso-authentication-with-jit-provisioning-disabled). This means your users are auto-provisioned to your organization.
+>
+> You can change this on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
+>
+> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm)
+> - [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
+>
+> Alternatively, see the [Provisioning overview](/manuals/security/for-admins/provisioning/_index.md) guide.
 
-{{< include "admin-early-access.md" >}}
 
-{{% admin-sso-management-users product="admin" %}}
+### Add guest users when SSO is enabled
 
-{{< /tab >}}
-{{< tab name="Docker Hub" >}}
+To add a guest that isn't verified through your IdP:
 
-{{% admin-sso-management-users product="hub" %}}
+1. Sign in to the [Admin Console](https://app.docker.com/admin).
+2. Select **Organizations**, your organization, and then **Members**.
+3. Select **Invite**.
+4. Follow the on-screen instructions to invite the user.
 
-{{< /tab >}}
-{{< /tabs >}}
+### Remove users from the SSO company
+
+To remove a user:
+
+1. Sign in to [Admin Console](https://app.docker.com/admin).
+2. Select **Organizations**, your organization, and then **Members**.
+3. Select the action icon next to a user’s name, and then select **Remove member**, if you're an organization, or **Remove user**, if you're a company.
+4. Follow the on-screen instructions to remove the user.
 
 ## Manage provisioning
 
-Users are provisioned with Just-in-Time (JIT) provisioning by default. If you enable SCIM, you can disable JIT. For more information, see the [Provisioning overview](/manuals/security/for-admins/provisioning/_index.md) [Just-in-Time](/manuals/security/for-admins/provisioning/just-in-time.md) guides.
+Users are provisioned with Just-in-Time (JIT) provisioning by default. If you enable SCIM, you can disable JIT. For more information, see the [Provisioning overview](/manuals/security/for-admins/provisioning/_index.md) guide.
 
 ## What's next?
 

diff --git a/layouts/shortcodes/admin-sso-management-connections.md b/layouts/shortcodes/admin-sso-management-connections.md
@@ -2,7 +2,7 @@
 {{ $sso_navigation := `Navigate to the SSO settings page for your organization. Select **Organizations**, your organization, **Settings**, and then **Security**.` }}
 
 {{ if eq (.Get "product") "admin" }}
-  {{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
+  {{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }}
   {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO and SCIM**. Note that when an organization is part of a company, you must select the company and configure SSO for that organization at the company level. Each organization can have its own SSO configuration and domain, but it must be configured at the company level." }}
 {{ end }}
 
@@ -11,7 +11,7 @@
 1. Sign in to {{ $product_link }}.
 2. {{ $sso_navigation }}
 3. In the SSO connections table, select the **Action** icon.
-4. Select **Edit connection** to edit your connection.
+4. Select **Edit connection**.
 5. Follow the on-screen instructions to edit the connection.
 
 ### Delete a connection
@@ -24,4 +24,4 @@
 
 ### Deleting SSO
 
-When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. Users must authenticate with their Docker ID and password or create a password reset if they don't have one.
+When you disable SSO, you can delete the connection to remove the configuration settings and the added domains. Once you delete this connection, it can't be undone. If an SSO connection is deleted, Docker users must authenticate with their Docker ID and password.
diff --git a/layouts/shortcodes/admin-sso-management-orgs.md b/layouts/shortcodes/admin-sso-management-orgs.md
@@ -1,7 +1,7 @@
 {{ $product_link := "[Docker Hub](https://hub.docker.com)" }}
 {{ $sso_navigation := "Select **Organizations**, your company, and then **Settings**." }}
 {{ if eq (.Get "product") "admin" }}
-  {{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
+  {{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }}
   {{ $sso_navigation = "Select your company in the left navigation drop-down menu, and then select **SSO and SCIM**." }}
 {{ end }}
 
@@ -13,7 +13,7 @@
 4. Select **Next** to navigate to the section where connected organizations are listed.
 5. In the **Organizations** drop-down, select the organization to add to the connection.
 6. Select **Next** to confirm or change the default organization and team provisioning.
-7. Review the **Connection Summary** and select **Save**.
+7. Review the **Connection Summary** and select **Update connection**.
 
 ### Remove an organization
 
@@ -23,4 +23,4 @@
 4. Select **Next** to navigate to the section where connected organizations are listed.
 5. In the **Organizations** drop-down, select **Remove** to remove the connection.
 6. Select **Next** to confirm or change the default organization and team provisioning.
-7. Review the **Connection Summary** and select **Save**.
+7. Review the **Connection Summary** and select **Update connection**.
diff --git a/layouts/shortcodes/admin-sso-management-users.md b/layouts/shortcodes/admin-sso-management-users.md
diff --git a/layouts/shortcodes/admin-sso-management.md b/layouts/shortcodes/admin-sso-management.md
@@ -2,7 +2,7 @@
 {{ $sso_navigation := `Navigate to the SSO settings page for your organization. Select **Organizations**, your organization, **Settings**, and then **Security**.` }}
 
 {{ if eq (.Get "product") "admin" }}
-  {{ $product_link = "the [Admin Console](https://admin.docker.com)" }}
+  {{ $product_link = "the [Admin Console](https://app.docker.com/admin)" }}
   {{ $sso_navigation = "Select your organization or company in the left navigation drop-down menu, and then select **SSO and SCIM**." }}
 {{ end }}
 
@@ -15,8 +15,8 @@
 5. In the **Domain** drop-down, select the **x** icon next to the domain that you want to remove.
 6. Select **Next** to confirm or change the connected organization(s).
 7. Select **Next** to confirm or change the default organization and team provisioning selections.
-8. Review the **Connection Summary** and select **Save**.
+8. Review the **Connection Summary** and select **Update connection**.
 
-> **Note**
+> [!Note]
 >
 > If you want to re-add the domain, a new TXT record value is assigned. You must then complete the verification steps with the new TXT record value.