Information
Both the Universal Control Plane (UCP) and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. The eNZi backplane includes its own managed user database, and also allows for LDAP and SAML integration in UCP and DTR. To meet the requirements of this control, configure LDAP and SAML integration.
Satisfies: SRG-APP-000149, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000153, SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Enable and configure SAML integration in the UCP Admin Settings.
via UI:
In the UCP web console, navigate to 'Admin Settings' | 'Authentication & Authorization' and set 'SAML Enabled' to 'Yes' and properly configure the SAML settings.
via CLI:
Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.
AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml
Open the 'ucp-config.toml' file. Set the 'samlEnabled' entry under the '[auth]' section to 'true'. Set the 'idpMetadataURL' and 'spHost' entries under the '[auth.saml]' to appropriate values per the UCP configuration options as documented at https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#authsaml-optional. Save the file.
Execute the following commands to update UCP with the new configuration:
curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml
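The CLI procedure above, as an added example that is not part of the STIG or of Docker's own tooling: a POSIX shell script that makes the samlEnabled, idpMetadataURL and spHost edits on a local ucp-config.toml with awk and verifies them before the upload step. The IdP metadata URL, SP host, the UCP_URL and AUTHTOKEN variables and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not STIG or Docker code: make the Solution's [auth] and
# [auth.saml] edits on a local ucp-config.toml, then verify before upload.

# toml_set FILE SECTION KEY VALUE: set KEY in [SECTION] (appended if missing).
# Headers are matched exactly ("[auth]"); VALUE is written as given, so quote strings.
toml_set() {
  awk -v s="[$2]" -v k="$3" -v v="$4" '
    $0 == s { insec = 1; print; next }
    /^\[/ { if (insec && !done) { print k " = " v; done = 1 }; insec = 0 }
    insec && $1 == k { print k " = " v; done = 1; next }
    { print }
    END { if (!done) { if (!insec) print s; print k " = " v } }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# toml_get FILE SECTION KEY: print the value of KEY in [SECTION], unquoted.
toml_get() {
  awk -v s="[$2]" -v k="$3" '
    $0 == s { insec = 1; next }
    /^\[/ { insec = 0 }
    insec && $1 == k { sub(/^[^=]*=[ \t]*/, ""); gsub(/^"|"$/, ""); print; exit }
  ' "$1"
}

# configure_saml FILE IDP_METADATA_URL SP_HOST: the edits the Solution asks for.
configure_saml() {
  toml_set "$1" auth samlEnabled true
  toml_set "$1" auth.saml idpMetadataURL "\"$2\""
  toml_set "$1" auth.saml spHost "\"$3\""
}

# check_saml FILE: succeed only if SAML is on and both endpoints are non-empty.
check_saml() {
  [ "$(toml_get "$1" auth samlEnabled)" = true ] &&
    [ -n "$(toml_get "$1" auth.saml idpMetadataURL)" ] &&
    [ -n "$(toml_get "$1" auth.saml spHost)" ]
}

# make_sample FILE: constructed excerpt standing in for a real UCP export.
make_sample() {
  printf '%s\n' '[auth]' 'samlEnabled = false' '[auth.saml]' \
    'idpMetadataURL = ""' '[other_section]' 'key = "untouched"' > "$1"
}

# ucp_push FILE: the upload step; needs AUTHTOKEN and UCP_URL in the env.
ucp_push() {
  curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file "$1" \
    "https://$UCP_URL/api/ucp/config-toml"
}
```

Run check_saml against the freshly downloaded file first; it fails on a stock export, which is the finding this control describes.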
Item Details
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(3), 800-53|IA-2(4), 800-53|IA-2(5), 800-53|IA-2(12), 800-53|IA-8(1), 800-53|IA-8(2), 800-53|IA-8(4), CAT|II, CCI|CCI-000765, CCI|CCI-000766, CCI|CCI-000767, CCI|CCI-000768, CCI|CCI-000770, CCI|CCI-001953, CCI|CCI-001954, CCI|CCI-002009, CCI|CCI-002010, CCI|CCI-002011, CCI|CCI-002014, Rule-ID|SV-235821r960972_rule, STIG-ID|DKER-EE-002180, STIG-Legacy|SV-104815, STIG-Legacy|V-95677, Vuln-ID|V-235821
Control ID: 8f7cac4d8be3e917a036f3b6679db1557c93f113ce4b1740ce1dcdca7cb83722