SAML is commonly supported by enterprise authentication systems. SAML-based single sign-on (SSO) gives you access to MKE through a SAML 2.0-compliant identity provider.
The identity providers MKE supports are Okta and ADFS.
Your identity provider needs the following values to integrate successfully with MKE. The exact fields vary between identity providers; consult your identity provider's documentation for where these values are entered during its integration process.
Okta integration requires these values:
- Single sign-on (ACS) URL: the MKE URL with the path /enzi/v0/saml/acs. For example, https://111.111.111.111/enzi/v0/saml/acs.
- Audience URI: the MKE URL with the path /enzi/v0/saml/metadata. For example, https://111.111.111.111/enzi/v0/saml/metadata.
- Application username: the expression ${f:substringBefore(user.email, "@")} specifies the username portion of the email address.
- Attribute statement: Name: fullname, Value: user.displayName.
- Group attribute statements:
  - Name: member-of, Filter: (user defined) for associating group membership. The group name is returned with the assertion.
  - Name: is-admin, Filter: (user defined) for identifying whether the user is an admin.

ADFS integration requires the following steps:
- Provide ADFS with the MKE metadata URL: the MKE URL with the path /enzi/v0/saml/metadata. For example, https://111.111.111.111/enzi/v0/saml/metadata.
- Add a custom claim rule that issues the fullname attribute from the Common Name claim:
  c:[Type == "http://schemas.xmlsoap.org/claims/CommonName"] => issue(Type = "fullname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
To enable SAML authentication:
You can download a client bundle to access MKE. A client bundle is a group of certificates, downloadable directly from the MKE web interface, that enables command-line as well as API access to MKE. It lets you authorize a remote Docker engine to access specific user accounts managed in Docker Enterprise, absorbing all associated RBAC controls in the process. You can then execute docker swarm commands from your remote machine that take effect on the remote cluster. You can download the client bundle in the Admin Settings under My Profile.
Warning
Users who have been previously authorized using a Client Bundle will continue to be able to access MKE regardless of the newly configured SAML access controls. To ensure that access from the client bundle is synced with the identity provider, we recommend the following steps. Otherwise, a previously-authorized user could get access to MKE through their existing client bundle.