Detections
Analytics

DKER-EE-002180 - SAML integration must be enabled in Docker Enterprise.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Both the Universal Control Plane (UCP) and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. The eNZi backplane includes its own managed user database, and also allows for LDAP and SAML integration in UCP and DTR. To meet the requirements of this control, configure LDAP and SAML integration.

Satisfies: SRG-APP-000149, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000153, SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Enable and configure SAML integration in the UCP Admin Settings.

via UI:

In the UCP web console, navigate to 'Admin Settings' | 'Authentication & Authorization' and set 'SAML Enabled' to 'Yes' and properly configure the SAML settings.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{'username':'[ucp_username]','password':'[ucp_password]'}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H 'Authorization: Bearer $AUTHTOKEN' https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the 'ucp-config.toml' file. Set the 'samlEnabled' entry under the '[auth]' section to 'true'. Set the 'idpMetadataURL' and 'spHost' entries under the '[auth.saml]' to appropriate values per the UCP configuration options as documented at https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#authsaml-optional. Save the file.

Execute the following commands to update UCP with the new configuration:

curl -sk -H 'Authorization: Bearer $AUTHTOKEN' --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-UNIX_V2R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(3), 800-53|IA-2(4), 800-53|IA-2(5), 800-53|IA-2(12), 800-53|IA-8(1), 800-53|IA-8(2), 800-53|IA-8(4), CAT|II, CCI|CCI-000765, CCI|CCI-000766, CCI|CCI-000767, CCI|CCI-000768, CCI|CCI-000770, CCI|CCI-001953, CCI|CCI-001954, CCI|CCI-002009, CCI|CCI-002010, CCI|CCI-002011, CCI|CCI-002014, Rule-ID|SV-235821r627590_rule, STIG-ID|DKER-EE-002180, STIG-Legacy|SV-104815, STIG-Legacy|V-95677, Vuln-ID|V-235821

Plugin: Unix

Control ID: 49361cc4a9e4762a94a36bb47a94997795647c1084cbfc9a44fa8e3b3cc13d98