Groups sync (Artifactory 5.3.0 and above)

ARTIFACTORY: How do I configure Artifactory SAML SSO with ADFS 2022?

Author: Loren Yeung
Article number: 000001563
Source type: Salesforce
First published: 2016-10-06T13:35:56Z
Last modified: 2021-09-13
Version: 8

Note: this group sync is not persistent when configured with SAML only; see https://www.jfrog.com/confluence/display/JFROG/SAML+SSO

1. In the ADFS management console, using the tree browser on the left, navigate to “Claims Provider Trusts” → “Active Directory”.

2. Choose “Edit Claim Rules”:

[Screenshot]

3. Select “Outbound LDAP Rule” and click Edit below. Add the following mapping for your Active Directory attributes:
“Token-Groups – Unqualified Names” → “Group”
Click OK to save.

[Screenshot]

4. In the tree browser on the left, navigate to “Relying Party Trusts” and select your Artifactory relying party definition (as configured above). We will create another Transform Rule for the group claim.

5. Add another rule by clicking on the “Add Rule…” dialog again, choose “Transform an Incoming Claim” and click Next.

[Screenshot]

6. Choose a name for the transform rule. Set the “Incoming claim type” field to “Group” and the “Outgoing claim type” field to an attribute of your choosing; here we use the “Group” attribute (the attribute name is configurable in Artifactory). Click Finish:

[Screenshot]
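The two claim rules built through the ADFS GUI in steps 1–6 can also be applied from the AD FS PowerShell module on the ADFS server. The script below is an added example written for this article, not JFrog's or Microsoft's own code: it expresses the Token-Groups mapping and the Group pass-through rule in ADFS claim rule language and appends them to the existing rule sets. It adds the Token-Groups mapping as its own rule rather than editing the existing “Outbound LDAP Rule”, which is functionally equivalent. The relying party trust name in angle brackets is an assumption you must replace with your own.

```powershell
# Added example (not from the JFrog article): the claim rules from steps 1-6,
# expressed in ADFS claim rule language and applied with the ADFS module.
# Run on the ADFS server as an ADFS administrator.

Import-Module ADFS

# The "Group" claim type shown in the GUI, and the value Artifactory expects
# as its SAML group attribute name.
$groupClaim = "http://schemas.xmlsoap.org/claims/Group"

# Rule 1 (Claims Provider Trust "Active Directory"): emit the user's
# Token-Groups (unqualified names) as Group claims. This is the rule the
# GUI generates for "Token-Groups - Unqualified Names" -> "Group".
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Token-Groups to Group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$groupClaim"), query = ";tokenGroups;{0}", param = c.Value);
"@

# Rule 2 (Relying Party Trust for Artifactory): pass the incoming Group
# claim through unchanged so it lands in the SAML assertion.
$transformRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Group to Group"
c:[Type == "$groupClaim"]
 => issue(Type = "$groupClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@

# Assumption: the display name of your Artifactory relying party trust.
$relyingParty = "<Artifactory relying party trust name>"

# The -*TransformRules parameters REPLACE the whole rule set of a trust,
# so read the current rules first and append, instead of overwriting them.
$existingCp = (Get-AdfsClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
Set-AdfsClaimsProviderTrust -TargetName "Active Directory" `
    -AcceptanceTransformRules ($existingCp + "`n" + $ldapRule)

$existingRp = (Get-AdfsRelyingPartyTrust -Name $relyingParty).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $relyingParty `
    -IssuanceTransformRules ($existingRp + "`n" + $transformRule)

# Verify: both rule sets should now mention the Group claim type.
(Get-AdfsClaimsProviderTrust -Name "Active Directory").AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $relyingParty).IssuanceTransformRules
```

Appending to the existing rule string matters: passing only the new rule to `Set-AdfsRelyingPartyTrust -IssuanceTransformRules` would silently drop the Name ID and other claims the Artifactory trust already relies on, and logins would start failing. Check the printed rule sets after running the script before testing a SAML login.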

7. Go to your Artifactory UI, log in as your “admin” user, navigate to “SAML Integration” and set the group attribute to the name chosen above. It will need to be set to “http://schemas.xmlsoap.org/claims/Group” (see screenshot above).
* Internal Artifactory groups are case sensitive, and so are the group names arriving in the SAML assertion, so make sure the names match exactly. Note also that LDAP groups imported into Artifactory exist in lowercase only.
For example, I have created a group in Artifactory called ‘adfs-artifactory’ with admin permissions:

[Screenshot]

And then in Active Directory, I created a group with the same name and I added myself as a member.

[Screenshot]

Then, when I log into Artifactory via the UI with SAML, I now have admin permissions:

[Screenshot]
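When a SAML login succeeds but the user does not receive the expected permissions, the usual cause is the case-sensitivity rule from step 7: the group name in the assertion differs from the Artifactory group only in case. The following added example, not part of the original article, shows a quick offline check: it parses a constructed SAML attribute statement (a minimal sample, not a real ADFS response), pulls out the values of the Group attribute Artifactory is configured to read, and reports for each one whether it matches an Artifactory group exactly, matches only case-insensitively, or matches nothing. The list of Artifactory groups is an assumption you would take from the Artifactory UI.

```powershell
# Added example (not from the JFrog article): compare the Group attribute
# values in a decoded SAML assertion with Artifactory's group names, using
# the same case-sensitive comparison Artifactory applies.

# The attribute name configured under Artifactory > SAML Integration.
$groupAttribute = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample: the AttributeStatement of a SAML 2.0 assertion only.
[xml]$assertion = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="$groupAttribute">
      <saml:AttributeValue>adfs-artifactory</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>Readers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@

# Assumption: group names as they exist in Artifactory (LDAP-imported
# groups are lowercase only, so "Readers" from AD will not match "readers").
$artifactoryGroups = @("adfs-artifactory", "readers", "release-managers")

# Resolve the saml: prefix so XPath can find the attribute values.
$ns = New-Object System.Xml.XmlNamespaceManager($assertion.NameTable)
$ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")

$values = $assertion.SelectNodes("//saml:Attribute[@Name='$groupAttribute']/saml:AttributeValue", $ns) |
    ForEach-Object { $_.InnerText }

foreach ($v in $values) {
    if ($artifactoryGroups -ccontains $v) {
        # -ccontains is case-sensitive: this is what Artifactory will accept.
        "MATCH      $v"
    } elseif ($artifactoryGroups -contains $v) {
        # Same name, different case: Artifactory will NOT grant this group.
        $existing = $artifactoryGroups | Where-Object { $_ -ieq $v }
        "CASE-MISS  $v (Artifactory has '$existing'; rename one side to match)"
    } else {
        "NO GROUP   $v (no Artifactory group of that name; ignored)"
    }
}
```

With the sample above the output is one MATCH (adfs-artifactory), one NO GROUP (Domain Users) and one CASE-MISS (Readers vs. readers); the last line is the case that looks correct at a glance but grants nothing. To run it against a real login, decode the base64 SAMLResponse from the browser's POST to Artifactory and paste its Assertion element in place of the constructed sample.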