ARTIFACTORY: How realm updates work when using SCIM & SAML in JFrog Artifactory

Author: Aanchal Thakur
Article number: 000006359
First published: 2025-02-27T11:01:26Z
Last modified: 2025-07-22
Version: 2

Organizations using JFrog Artifactory often provision users through SCIM (System for Cross-domain Identity Management) while utilizing SAML (Security Assertion Markup Language) for authentication. In such a hybrid setup, users may notice changes to their realm information in the Users section of Artifactory. This article explains why a user's realm may change from SCIM to SAML when both methods are configured.

Realm Change Process

1. Provisioning via SCIM:
Users are initially provisioned in Artifactory with attributes defined under the SCIM protocol. At this stage, their realm is set to SCIM.

2. Login via SAML:
When the same user logs in using SAML SSO, Artifactory sends an authentication request to the Identity Provider (IdP) such as Okta. Once the IdP verifies the user and sends back a signed response, the user’s realm is updated to SAML.

3. Expected Behavior:
This realm transition is expected behaviour within Artifactory. SCIM manages user provisioning, while SAML handles authentication. As a result, once a user logs in via SAML, Artifactory recognizes them under the SAML realm instead of SCIM.

Impact of Realm Change

One common question is whether a user will be disabled or deactivated after the realm changes from SCIM to SAML. The answer is NO - this transition does not affect the user's account status or their ability to access Artifactory.
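The following check is an added example, not JFrog code: it compares two snapshots of user records, marks a SCIM to SAML realm change as the expected transition described here, and reports whether the account status changed alongside it. The record keys (`username`, `realm`, `status`), the lower-case realm values and the sample users are assumptions constructed for illustration.

```python
# Added example: audit realm transitions between two user snapshots.
# Assumption: each record is a dict with "username", "realm" and "status"
# keys; adapt the key names to whatever your user export actually returns.

EXPECTED = {("scim", "saml")}  # the transition this article describes


def audit_realm_changes(before, after):
    """Compare two snapshots and classify every user whose realm changed."""
    old = {u["username"]: u for u in before}
    findings = []
    for user in after:
        prev = old.get(user["username"])
        if prev is None:
            continue  # newly provisioned user, nothing to compare against
        move = (prev["realm"].lower(), user["realm"].lower())
        if move[0] == move[1]:
            continue  # realm unchanged
        findings.append({
            "username": user["username"],
            "transition": f"{move[0]}->{move[1]}",
            "expected": move in EXPECTED,
            "status_changed": prev["status"] != user["status"],
        })
    return findings


# Constructed sample data: four SCIM users, the fourth logs in via SAML.
BEFORE = [
    {"username": f"user{i}", "realm": "scim", "status": "enabled"}
    for i in range(1, 5)
]
AFTER = [dict(u) for u in BEFORE]
AFTER[3]["realm"] = "saml"

if __name__ == "__main__":
    for f in audit_realm_changes(BEFORE, AFTER):
        verdict = "expected" if f["expected"] else "review"
        if f["status_changed"]:
            verdict = "review: status changed"
        print(f"{f['username']}: {f['transition']} ({verdict})")
```

Any transition other than SCIM to SAML, or one that coincides with a status change, is outside what this article describes and is labelled for review.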

Example Scenario
Below is a screenshot showing four users initially configured under SCIM (Screenshot-1). However, upon logging in via SAML, the realm for the fourth user changed from SCIM to SAML (Screenshot-2).

(Screenshot-1): [image not included]

(Screenshot-2): [image not included]

Conclusion

When JFrog Artifactory is configured to use both SCIM for user provisioning and SAML for authentication, a transition in the user realm from SCIM to SAML upon SAML login is expected.
  • SCIM is responsible for user attributes and provisioning.
  • SAML handles authentication.
  • The realm transition simply indicates that SAML authentication has taken precedence at the time of login.
  • Users remain managed and functional within Artifactory.