Skip to content

Fix issue #24065: add SSO certificate expiration workarounds #24446

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
dvdksn wants to merge 3 commits into from
Closed

Fix issue #24065: add SSO certificate expiration workarounds #24446

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6c528b9
Fix issue #24065: add SSO certificate expiration workarounds
dvdksn Mar 20, 2026
950b645
Fix style violation: remove marketing-style list formatting
dvdksn Mar 20, 2026
1bb657e
Revert package-lock.json to main
dvdksn Mar 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 13 additions & 3 deletions content/manuals/enterprise/security/single-sign-on/FAQs/idp-faqs.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,9 @@ description: Frequently asked questions about Docker SSO and identity provider c
keywords: identity providers, SSO IdP, SAML, Azure AD, Entra ID, certificate management
tags: [FAQ]
aliases:
- /single-sign-on/idp-faqs/
- /faq/security/single-sign-on/idp-faqs/
- /security/faqs/single-sign-on/idp-faqs/
- /single-sign-on/idp-faqs/
- /faq/security/single-sign-on/idp-faqs/
- /security/faqs/single-sign-on/idp-faqs/
---

## Can I use multiple identity providers with Docker SSO?
Expand All @@ -29,6 +29,16 @@ To turn on SSO in Docker, you need the following from your IdP:

If your certificate expires, contact your identity provider to retrieve a new X.509 certificate. Then update the certificate in the [SSO configuration settings](/manuals/enterprise/security/single-sign-on/manage.md#manage-sso-connections) in the Docker Admin Console.

### Workarounds if users are locked out
Copy link
Copy Markdown
Contributor

@docker-agent docker-agent bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inconsistent heading hierarchy

The subsection 'Workarounds if users are locked out' uses a level-3 heading (###) which is inconsistent with the FAQ page structure. All other content uses level-2 headings (##) for each FAQ question.

This makes the new section appear subordinate when it's actually a distinct set of workarounds that deserve equal visibility. Consider making this a level-2 heading like the other FAQs.


If the certificate has already expired and users cannot access Docker Hub to update the certificate:

- **Contact Docker Support**: Docker support can help you regain access to update the certificate.
- **Use username/password authentication**: If SSO enforcement is not turned on, users can sign in with their Docker username and password to access the Admin Console.
- **Maintain a break-glass account**: As a best practice, organizations should maintain a dedicated administrator account (sometimes called a "break-glass" or "guest user" account) that is not subject to SSO. This account can be used to access the Admin Console in emergency situations like certificate expiration.

To prevent lockouts, monitor your certificate expiration dates and renew certificates before they expire.

## What happens if my IdP goes down when SSO is turned on?

If SSO is enforced, users can't access Docker Hub when your IdP is down. Users can still access Docker Hub images from the CLI using personal access tokens.
Expand Down
24 changes: 0 additions & 24 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading