initial commit

Author: akristen

content/guides/admin-user-management/onboard.md

@@ -67,4 +67,4 @@ It also:
 - Ensures consistent access control policies.
 - Help you scale permissions as teams grow or change.
 
-For more information on how it works, see [Group mapping](/manuals/enterprise/security/provisioning/group-mapping.md).
+For more information on how it works, see [Group mapping](/provisioning/scim/group-mapping).

content/manuals/enterprise/security/provisioning/just-in-time.md

@@ -3,7 +3,7 @@ description: Learn how Just-in-Time provisioning works with your SSO connection.
 keywords: user provisioning, just-in-time provisioning, JIT, autoprovision, Docker Admin, admin, security
 title: Just-in-Time provisioning
 linkTitle: Just-in-Time
-weight: 10
+weight: 20
 aliases:
  - /security/for-admins/provisioning/just-in-time/
 ---
@@ -85,5 +85,5 @@ Users are provisioned with JIT by default. If you enable SCIM, you can disable J
 ## Next steps
 
 - Configure [SCIM provisioning](/manuals/enterprise/security/provisioning/scim.md) for advanced user management.
-- Set up [group mapping](/manuals/enterprise/security/provisioning/group-mapping.md) to automatically assign users to teams.
+- Set up [group mapping](/manuals/enterprise/security/provisioning/scim/group-mapping.md) to automatically assign users to teams.
 - Review [Troubleshoot provisioning](/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md).

content/manuals/enterprise/security/provisioning/scim/_index.md

@@ -0,0 +1,58 @@
+---
+title: SCIM overview
+linkTitle: SCIM
+description: Learn how System for Cross-domain Identity Management works and how to set it up.
+keywords: SCIM, SSO, user provisioning, de-provisioning, role mapping, assign users
+aliases:
+  - /security/for-admins/scim/
+  - /docker-hub/scim/
+  - /security/for-admins/provisioning/scim/
+---
+
+{{< summary-bar feature_name="SSO" >}}
+
+Automate user management for your Docker organization using System for
+Cross-domain Identity Management (SCIM). SCIM automatically provisions and
+de-provisions users, synchronizes team memberships, and keeps your Docker
+organization in sync with your identity provider.
+
+This page shows you how to automate user provisioning and de-provisioning for
+Docker using SCIM.
+
+## Prerequisites
+
+Before you begin, you must have:
+
+- SSO configured for your organization
+- Administrator access to Docker Home and your identity provider
+
+## How SCIM works
+
+SCIM automates user provisioning and de-provisioning for Docker through your
+identity provider. After you enable SCIM, any user assigned to your
+Docker application in your identity provider is automatically provisioned and
+added to your Docker organization. When a user is removed from the Docker
+application in your identity provider, SCIM deactivates and removes them from
+your Docker organization.
+
+In addition to provisioning and removal, SCIM also syncs profile updates like
+name changes made in your identity provider. You can use SCIM alongside Docker's
+default Just-in-Time (JIT) provisioning or on its own with JIT disabled.
+
+SCIM automates:
+
+- Creating users
+- Updating user profiles
+- Removing and deactivating users
+- Re-activating users
+- Group mapping
+
+> [!NOTE]
+>
+> SCIM only manages users provisioned through your identity provider after
+> SCIM is enabled. It cannot remove users who were manually added to your Docker
+> organization before SCIM was set up.
+>
+> To remove those users, delete them manually from your Docker organization.
+> For more information, see
+> [Manage organization members](/manuals/admin/organization/members.md).

…e/security/provisioning/group-mapping.md …urity/provisioning/scim/group-mapping.mdcontent/manuals/enterprise/security/provisioning/group-mapping.md renamed to content/manuals/enterprise/security/provisioning/scim/group-mapping.md content/manuals/enterprise/security/provisioning/group-mapping.md renamed to content/manuals/enterprise/security/provisioning/scim/group-mapping.md

@@ -7,8 +7,8 @@ aliases:
 - /admin/organization/security-settings/group-mapping/
 - /docker-hub/group-mapping/
 - /security/for-admins/group-mapping/
-- /security/for-admins/provisioning/group-mapping/
-weight: 30
+- /security/for-admins/provisioning/scim/group-mapping/
+weight: 20
 ---
 
 {{< summary-bar feature_name="SSO" >}}

content/manuals/enterprise/security/provisioning/scim/migrate-scim.md

@@ -0,0 +1,176 @@
+---
+title: Migrate JIT to SCIM
+linkTitle: Migrate
+description: Learn how to migrate from just-in-time (JIT) to SCIM.
+weight: 30
+---
+
+## Migrate existing JIT users to SCIM
+
+If you already have users provisioned through Just-in-Time (JIT) and want to
+enable full SCIM lifecycle management, you need to migrate them. Users
+originally created by JIT cannot be automatically de-provisioned through SCIM,
+even after SCIM is enabled.
+
+### Why migrate
+
+Organizations using JIT provisioning may encounter limitations with user
+lifecycle management, particularly around de-provisioning. Migrating to SCIM
+provides:
+
+- Automatic user de-provisioning when users leave your organization. This is
+  the primary benefit for large organizations that need full automation.
+- Continuous synchronization of user attributes
+- Centralized user management through your identity provider
+- Enhanced security through automated access control
+
+> [!IMPORTANT]
+>
+> Users originally created through JIT provisioning cannot be automatically
+> de-provisioned by SCIM, even after SCIM is enabled. To enable full lifecycle
+> management including automatic de-provisioning through your identity provider,
+> you must manually remove these users so SCIM can re-create them with proper
+> lifecycle management capabilities.
+
+This migration is most critical for larger organizations that require fully
+automated user de-provisioning when employees leave the company.
+
+### Prerequisites for migration
+
+Before migrating, ensure you have:
+
+- SCIM configured and tested in your organization
+- A maintenance window for the migration
+
+> [!WARNING]
+>
+> This migration temporarily disrupts user access. Plan to perform this
+> migration during a low-usage window and communicate the timeline to affected
+> users.
+
+### Prepare for migration
+
+#### Transfer ownership
+
+Before removing users, ensure that any repositories, teams, or organization
+resources they own are transferred to another administrator or service account.
+When a user is removed from the organization, any resources they own may
+become inaccessible.
+
+1. Review repositories, organization resources, and team ownership for affected
+   users.
+2. Transfer ownership to another administrator.
+
+> [!WARNING]
+>
+> If ownership is not transferred, repositories owned by removed users may
+> become inaccessible when the user is removed. Ensure all critical resources
+> are transferred before proceeding.
+
+#### Verify identity provider configuration
+
+1. Confirm all JIT-provisioned users are assigned to the Docker application in
+   your identity provider.
+2. Verify identity provider group to Docker team mappings are configured and
+   tested.
+
+Users not assigned to the Docker application in your identity provider are not
+re-created by SCIM after removal.
+
+#### Export user records
+
+Export a list of JIT-provisioned users from Docker Admin Console:
+
+1. Sign in to [Docker Home](https://app.docker.com) and select your
+   organization.
+2. Select **Admin Console**, then **Members**.
+3. Select **Export members** to download the member list as CSV for backup and
+   reference.
+
+Keep this CSV list of JIT-provisioned users as a rollback reference if needed.
+
+### Complete the migration
+
+#### Disable JIT provisioning
+
+> [!IMPORTANT]
+>
+> Before disabling JIT, ensure SCIM is fully configured and tested in your
+> organization. Do not disable JIT until you have verified SCIM is working
+> correctly.
+
+1. Sign in to [Docker Home](https://app.docker.com) and select your organization.
+2. Select **Admin Console**, then **SSO and SCIM**.
+3. In the SSO connections table, select the **Actions** menu for your connection.
+4. Select **Disable JIT provisioning**.
+5. Select **Disable** to confirm.
+
+Disabling JIT prevents new users from being automatically added through SSO
+during the migration.
+
+#### Remove JIT-origin users
+
+> [!IMPORTANT]
+>
+> Users originally created through JIT provisioning cannot be automatically
+> de-provisioned by SCIM, even after SCIM is enabled. To enable full lifecycle
+> management including automatic de-provisioning through your identity provider,
+> you must manually remove these users so SCIM can re-create them with proper
+> lifecycle management capabilities.
+
+This step is most critical for large organizations that require fully automated
+user de-provisioning when employees leave the company.
+
+1. Sign in to [Docker Home](https://app.docker.com) and select your organization.
+2. Select **Admin Console**, then **Members**.
+3. Identify and remove JIT-provisioned users in manageable batches.
+4. Monitor for any errors during removal.
+
+> [!TIP]
+>
+> To efficiently identify JIT users, compare the member list exported before
+> SCIM was enabled with the current member list. Users who existed before SCIM
+> was enabled were likely provisioned via JIT.
+
+#### Verify SCIM re-provisioning
+
+After removing JIT users, SCIM automatically re-creates user accounts:
+
+1. In your identity provider system log, confirm "create app user" events for
+   Docker.
+2. In Docker Admin Console, confirm users reappear with SCIM provisioning.
+3. Verify users are added to the correct teams via group mapping.
+
+#### Validate user access
+
+Perform post-migration validation:
+
+1. Select a subset of migrated users to test sign-in and access.
+2. Verify team membership matches identity provider group assignments.
+3. Confirm repository access is restored.
+4. Test that de-provisioning works correctly by removing a test user from your
+   identity provider.
+
+Keep audit exports and logs for compliance purposes.
+
+### Migration results
+
+After completing the migration:
+
+- All users in your organization are SCIM-provisioned
+- User de-provisioning works reliably through your identity provider
+- No new JIT users are created
+- Consistent identity lifecycle management is maintained
+
+### Troubleshoot migration issues
+
+If a user fails to reappear after removal:
+
+1. Check that the user is assigned to the Docker application in your identity
+   provider.
+2. Verify SCIM is enabled in both Docker and your identity provider.
+3. Trigger a manual SCIM sync in your identity provider.
+4. Check provisioning logs in your identity provider for errors.
+
+For more troubleshooting guidance, see
+[Troubleshoot provisioning](/manuals/enterprise/troubleshoot/troubleshoot-provisioning.md).