From 6c528b90daccdc5a08b3d9dba474c18bc280977e Mon Sep 17 00:00:00 2001 From: David Karlsson Date: Fri, 20 Mar 2026 10:41:01 +0000 Subject: [PATCH 1/3] Fix issue #24065: add SSO certificate expiration workarounds Assisted-By: docker-agent --- .../security/single-sign-on/FAQs/idp-faqs.md | 16 ++++++++++--- package-lock.json | 24 ------------------- 2 files changed, 13 insertions(+), 27 deletions(-) diff --git a/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md b/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md index 66e99b874e43..5d9c3827d2b0 100644 --- a/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md +++ b/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md @@ -5,9 +5,9 @@ description: Frequently asked questions about Docker SSO and identity provider c keywords: identity providers, SSO IdP, SAML, Azure AD, Entra ID, certificate management tags: [FAQ] aliases: -- /single-sign-on/idp-faqs/ -- /faq/security/single-sign-on/idp-faqs/ -- /security/faqs/single-sign-on/idp-faqs/ + - /single-sign-on/idp-faqs/ + - /faq/security/single-sign-on/idp-faqs/ + - /security/faqs/single-sign-on/idp-faqs/ --- ## Can I use multiple identity providers with Docker SSO? @@ -29,6 +29,16 @@ To turn on SSO in Docker, you need the following from your IdP: If your certificate expires, contact your identity provider to retrieve a new X.509 certificate. Then update the certificate in the [SSO configuration settings](/manuals/enterprise/security/single-sign-on/manage.md#manage-sso-connections) in the Docker Admin Console. +### Workarounds if users are locked out + +If the certificate has already expired and users cannot access Docker Hub to update the certificate: + +- **Contact Docker Support**: Docker support can help you regain access to update the certificate. +- **Use username/password authentication**: If SSO enforcement is not turned on, users can sign in with their Docker username and password to access the Admin Console. +- **Maintain a break-glass account**: As a best practice, organizations should maintain a dedicated administrator account (sometimes called a "break-glass" or "guest user" account) that is not subject to SSO. This account can be used to access the Admin Console in emergency situations like certificate expiration. + +To prevent lockouts, monitor your certificate expiration dates and renew certificates before they expire. + ## What happens if my IdP goes down when SSO is turned on? If SSO is enforced, users can't access Docker Hub when your IdP is down. Users can still access Docker Hub images from the CLI using personal access tokens. diff --git a/package-lock.json b/package-lock.json index 196d8deedb8c..77344f8d6f8c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -564,9 +564,6 @@ "cpu": [ "arm64" ], - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -583,9 +580,6 @@ "cpu": [ "arm64" ], - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -602,9 +596,6 @@ "cpu": [ "x64" ], - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -621,9 +612,6 @@ "cpu": [ "x64" ], - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -1211,9 +1199,6 @@ "cpu": [ "arm64" ], - "libc": [ - "glibc" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -1234,9 +1219,6 @@ "cpu": [ "arm64" ], - "libc": [ - "musl" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -1257,9 +1239,6 @@ "cpu": [ "x64" ], - "libc": [ - "glibc" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -1280,9 +1259,6 @@ "cpu": [ "x64" ], - "libc": [ - "musl" - ], "license": "MPL-2.0", "optional": true, "os": [ From 950b6453024dc1574641e1a42bb9adb15562df98 Mon Sep 17 00:00:00 2001 From: David Karlsson Date: Fri, 20 Mar 2026 11:21:53 +0000 Subject: [PATCH 2/3] Fix style violation: remove marketing-style list formatting Remove **Term**: Description format from workarounds list and use simple descriptive bullets instead, as per STYLE.md guidelines. Assisted-By: docker-agent --- .../enterprise/security/single-sign-on/FAQs/idp-faqs.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md b/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md index 5d9c3827d2b0..8a5fcc8b5de7 100644 --- a/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md +++ b/content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md @@ -33,9 +33,9 @@ If your certificate expires, contact your identity provider to retrieve a new X. If the certificate has already expired and users cannot access Docker Hub to update the certificate: -- **Contact Docker Support**: Docker support can help you regain access to update the certificate. -- **Use username/password authentication**: If SSO enforcement is not turned on, users can sign in with their Docker username and password to access the Admin Console. -- **Maintain a break-glass account**: As a best practice, organizations should maintain a dedicated administrator account (sometimes called a "break-glass" or "guest user" account) that is not subject to SSO. This account can be used to access the Admin Console in emergency situations like certificate expiration. +- Contact Docker Support to help you regain access to update the certificate +- Sign in with your Docker username and password to access the Admin Console (if SSO enforcement is not turned on) +- Maintain a dedicated administrator account (sometimes called a "break-glass" or "guest user" account) that is not subject to SSO for emergency access To prevent lockouts, monitor your certificate expiration dates and renew certificates before they expire. From 1bb657effcef5732ad66ebafbed1300aa6510ed4 Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Fri, 20 Mar 2026 13:24:05 +0100 Subject: [PATCH 3/3] Revert package-lock.json to main --- package-lock.json | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/package-lock.json b/package-lock.json index 77344f8d6f8c..196d8deedb8c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -564,6 +564,9 @@ "cpu": [ "arm64" ], + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -580,6 +583,9 @@ "cpu": [ "arm64" ], + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -596,6 +602,9 @@ "cpu": [ "x64" ], + "libc": [ + "glibc" + ], "license": "MIT", "optional": true, "os": [ @@ -612,6 +621,9 @@ "cpu": [ "x64" ], + "libc": [ + "musl" + ], "license": "MIT", "optional": true, "os": [ @@ -1199,6 +1211,9 @@ "cpu": [ "arm64" ], + "libc": [ + "glibc" + ], "license": "MPL-2.0", "optional": true, "os": [ @@ -1219,6 +1234,9 @@ "cpu": [ "arm64" ], + "libc": [ + "musl" + ], "license": "MPL-2.0", "optional": true, "os": [ @@ -1239,6 +1257,9 @@ "cpu": [ "x64" ], + "libc": [ + "glibc" + ], "license": "MPL-2.0", "optional": true, "os": [ @@ -1259,6 +1280,9 @@ "cpu": [ "x64" ], + "libc": [ + "musl" + ], "license": "MPL-2.0", "optional": true, "os": [