SAML integration must be enabled in Docker Enterprise.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-95677	DKER-EE-002180	SV-104815r1_rule		Medium

Description
Both the Universal Control Plane (UCP) and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. The eNZi backplane includes its own managed user database, and also allows for LDAP and SAML integration in UCP and DTR. To meet the requirements of this control, configure LDAP and SAML integration. Satisfies: SRG-APP-000149, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000153, SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405

Description

Both the Universal Control Plane (UCP) and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. The eNZi backplane includes its own managed user database, and also allows for LDAP and SAML integration in UCP and DTR. To meet the requirements of this control, configure LDAP and SAML integration. Satisfies: SRG-APP-000149, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000153, SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405

STIG	Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide	2019-09-13

Details

Check Text ( C-94505r1_chk )
Verify that SAML integration is enabled and properly configured in the UCP Admin Settings. via UI: In the UCP web console, navigate to "Admin Settings" \| "Authentication & Authorization" and verify "SAML Enabled" is set to "Yes" and that it is properly configured. If SAML authentication is not enabled, this is a finding. via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator. AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login \| jq -r .auth_token) curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml Verify that the "samlEnabled" entry under the "[auth]" section is set to "true". If the "samlEnabled" entry under the "[auth]" section is not set to "true", then this is a finding.

Check Text ( C-94505r1_chk )

Verify that SAML integration is enabled and properly configured in the UCP Admin Settings.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and verify "SAML Enabled" is set to "Yes" and that it is properly configured. If SAML authentication is not enabled, this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml

Verify that the "samlEnabled" entry under the "[auth]" section is set to "true".

If the "samlEnabled" entry under the "[auth]" section is not set to "true", then this is a finding.

Fix Text (F-101343r1_fix)
Enable and configure SAML integration in the UCP Admin Settings. via UI: In the UCP web console, navigate to "Admin Settings" \| "Authentication & Authorization" and set "SAML Enabled" to "Yes" and properly configure the SAML settings. via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator. AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login \| jq -r .auth_token) curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml Open the "ucp-config.toml" file. Set the "samlEnabled" entry under the "[auth]" section to "true". Set the "idpMetadataURL" and "spHost" entries under the "[auth.saml]" to appropriate values per the UCP configuration options as documented at https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#authsaml-optional. Save the file. Execute the following commands to update UCP with the new configuration: curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml

Fix Text (F-101343r1_fix)

Enable and configure SAML integration in the UCP Admin Settings.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and set "SAML Enabled" to "Yes" and properly configure the SAML settings.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the "ucp-config.toml" file. Set the "samlEnabled" entry under the "[auth]" section to "true". Set the "idpMetadataURL" and "spHost" entries under the "[auth.saml]" to appropriate values per the UCP configuration options as documented at https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#authsaml-optional. Save the file.

Execute the following commands to update UCP with the new configuration:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml