Note: this group sync is not persistent when configured with SAML only: https://www.jfrog.com/confluence/display/JFROG/SAML+SSO
1. In the ADFS management console, use the tree browser on the left to navigate to "Claims Provider Trusts" → "Active Directory".
2. Choose "Edit Claim Rules".
3. Select “Outbound LDAP Rule” and click Edit below. Add the following mapping for your Active Directory attributes:
“Token-Groups – Unqualified Names” → “Group”
Click OK to save.
4. In the tree browser on the left, navigate to "Relying Party Trusts" and select your Artifactory relying party definition (as configured above). We will create another Transform Rule for the group claim.
5. Add another rule by clicking “Add Rule…” again, choose “Transform an Incoming Claim” and click Next.
6. Choose a name for the transform rule. Set the “Incoming claim type” field to “Group” and the “Outgoing claim type” to an attribute of your choosing; we will use the “Group” attribute (the attribute’s name is configurable in Artifactory). Click Finish.
7. Go to your Artifactory UI, log in as your "admin" user, navigate to "SAML Integration" and set the group attribute to the chosen name. It will need to be set to “http://schemas.xmlsoap.org/claims/Group” (see screenshot above).
* Internal Artifactory group names are case sensitive, and so are the groups arriving with the SAML assertion, so make sure the group names match exactly. Also, LDAP groups imported to Artifactory exist in lowercase only.
For example, I created a group in Artifactory called ‘adfs-artifactory’ with admin permissions.
Then, in Active Directory, I created a group with the same name and added myself as a member.
Now, when I log into Artifactory via the UI with SAML, I have admin permissions.
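To check the exact-match requirement described above, the following added example (not part of the original article and not JFrog code) reads the group attribute from a SAML assertion and compares its values with a list of Artifactory group names. The sample assertion, the group list and the function names are constructed for illustration; the script is a diagnostic only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"  # attribute name set in step 7

# Constructed sample: a trimmed AttributeStatement carrying the group claim.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>adfs-artifactory</saml:AttributeValue>
      <saml:AttributeValue>Build-Engineers</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def assertion_groups(xml_text, attr_name=GROUP_ATTR):
    """Return the values of the group attribute, in document order."""
    root = ET.fromstring(xml_text)
    groups = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attr_name:
            values = attr.iterfind("saml:AttributeValue", SAML_NS)
            groups += [(v.text or "").strip() for v in values]
    return groups

def classify_groups(saml_groups, artifactory_groups):
    """Split asserted groups into exact matches, case-only mismatches, and unknown names."""
    known = set(artifactory_groups)
    by_lower = {g.lower(): g for g in artifactory_groups}
    result = {"matched": [], "case_mismatch": [], "unmatched": []}
    for g in saml_groups:
        if g in known:
            result["matched"].append(g)          # will map to an Artifactory group
        elif g.lower() in by_lower:
            # Differs only by case: Artifactory will NOT treat these as the same group.
            result["case_mismatch"].append((g, by_lower[g.lower()]))
        else:
            result["unmatched"].append(g)
    return result

if __name__ == "__main__":
    # Constructed group list; "build-engineers" mimics a lowercase LDAP import.
    local = ["adfs-artifactory", "build-engineers"]
    for kind, items in classify_groups(assertion_groups(SAMPLE_ASSERTION), local).items():
        print(f"{kind}: {items}")
```

Any entry reported under `case_mismatch` is a group the user belongs to in Active Directory that will not map to the similarly named Artifactory group until the names are made identical.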