When configuring multiple authentication methods concurrently in Artifactory—such as SAML, LDAP, Crowd, or others—it's important to ensure consistent user identification across these providers to prevent the creation of duplicate user accounts.
In this article, we will review why duplicate user accounts may be created in Artifactory when using multiple authentication providers, and how to configure them properly to ensure consistent user identity.
Why do duplicate users occur?
Artifactory creates a new user if the username returned by an authentication provider does not match any existing user in its database. This means that if two different authentication methods return different usernames for the same individual (e.g., jdoe@example.com vs. jdoe), Artifactory will treat them as two separate users, resulting in duplicate accounts.
Best Practices for Preventing Duplicates
To avoid this, all authentication providers must return the same username value for each user. For example:
- If one provider returns jdoe, the others should also return jdoe (not jdoe@example.com, john.doe, etc.)
You can typically achieve this by aligning the user identifier returned by each provider:
- In SAML, configure your Identity Provider (IdP) to return the correct username (e.g., via the NameID or a custom attribute).
- In other providers (e.g., LDAP, Crowd), ensure the username field aligns accordingly.
Enhanced Flexibility in Artifactory 7.98.x and Above
Starting with Artifactory version 7.98.x, there's an enhanced capability for SAML-based authentication:
- You can specify a custom username attribute in the SAML configuration.
- The SAML assertion must include this attribute (e.g., username=jdoe).
- Artifactory will then extract and use this attribute as the user ID, instead of the default NameID.
This allows for more flexible integration with IdPs and simplifies alignment with other authentication systems.