OAuth SSO is an authentication method in Artifactory that enables users to log in through external identity providers. By configuring OAuth SSO, authentication requests are delegated to those providers, streamlining access management. Azure Entra ID (formerly Azure Active Directory) can be integrated with Artifactory using OAuth SSO, with OpenID as the provider type. This article walks through the integration of Azure Entra ID with the JFrog Platform. Additionally, JFrog supports PKCE (Proof Key for Code Exchange) as part of the OAuth 2.0 Authorization Code flow for enhanced security.
In the Microsoft Azure Portal:
1. Navigate to Azure Active Directory → App registrations → Create a new registration. Register the redirect URI under the Single-page application platform (the PKCE section below explains why).
2. Select the appropriate Supported account types.
3. Configure the Redirect URL based on your deployment type:
- For self-hosted installations, use the scheme and host your users reach Artifactory on. Azure accepts non-https redirect URIs only for localhost, so in practice this is an https URL:
https://<server_host>/artifactory/api/oauth2/loginResponse
Example: https://mycompany.artifactory.com/artifactory/api/oauth2/loginResponse
- For cloud deployments:
https://<server_name>.jfrog.io/artifactory/api/oauth2/loginResponse
Example: https://mycompany.jfrog.io/artifactory/api/oauth2/loginResponse
4. Note: You can modify the Redirect URL later under the Authentication section of the registered App.
5. Generate a Client Secret:
- Navigate to Certificates & Secrets in the registered App.
- Create a new Client Secret and save/copy its value.
- This secret will be required later when configuring Artifactory.
In Artifactory/JFrog Platform:
1. Log in as a user with admin privileges and navigate to the Admin tab → Security → OAuth SSO → Create New Provider.
2. Select the Provider Type: OpenID.
3. Enter the Client ID (the Application ID of the registered app) and the Auth URL and Token URL listed on the registered app's Endpoints page in the Azure Portal. These are the v2.0 endpoints of your tenant, https://login.microsoftonline.com/<Tenant-ID>/oauth2/v2.0/authorize and https://login.microsoftonline.com/<Tenant-ID>/oauth2/v2.0/token. Enter the client secret created in step 5 of the previous section.
4. For the API URL, enter the following URL:
https://graph.microsoft.com/oidc/userinfo
5. Save, then enable the provider and the OAuth SSO integration.
Troubleshooting:
When attempting to log in using the newly established OAuth SSO, the following error may occur:
Error handling OAuth2 login: No email was found on the OAuth response
This error is thrown because, by default, Artifactory looks for a "preferred_username" or "email" property in the returned JSON response to use as the internal username. In some cases neither is returned; this depends on the Azure AD/OIDC settings of the tenant.
To overcome this, a system property was introduced in Artifactory 7.4.0 that lets you explicitly specify which field of the OpenID response Artifactory uses as the username identifier. Add the artifactory.oauth.user.info.identifier property to the $ARTIFACTORY_HOME/etc/artifactory/artifactory.system.properties file, with the desired field as its value, for example:
artifactory.oauth.user.info.identifier=upn
On the Azure Portal side, make sure the chosen claim is actually emitted for the registered App: open Token configuration → Add optional claim and add the claim (upn in the example above).
* A restart of Artifactory is required for the above to take effect
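To see which claims your tenant actually returns before picking a value for artifactory.oauth.user.info.identifier, it helps to decode the token and apply the selection rule this article describes. The script below is an added example and is not Artifactory's code: it models the documented behaviour (preferred_username, then email; or only the configured field when the property is set) and reproduces the error message quoted above. The sample claims and the unsigned token built from them are constructed for the example; the signature is not verified, so this is an inspection aid only.

```python
"""Diagnose "No email was found on the OAuth response": decode the OpenID
response, list which candidate username fields are present, and resolve the
username the way the article describes. Added example, not Artifactory code."""
import base64
import json
from typing import Dict, Optional

# Fields Artifactory checks by default, per the article.
DEFAULT_IDENTIFIER_FIELDS = ("preferred_username", "email")

# Constructed sample: an ID-token payload from a tenant that emits neither
# "email" nor "preferred_username", only the "upn" optional claim.
SAMPLE_CLAIMS: Dict[str, str] = {
    "sub": "AAAAAAAAAAAAAAAAAAAAAEXAMPLE",
    "name": "Jane Doe",
    "upn": "jane.doe@mycompany.com",
    "tid": "00000000-0000-0000-0000-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> Dict[str, str]:
    """Return the claims of a compact JWT WITHOUT verifying its signature.
    Inspection only: never use unverified claims for an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims: Dict[str, str]) -> str:
    """Build a constructed, unsigned JWT so the decoder can be exercised offline."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def resolve_username(claims: Dict[str, str], identifier: Optional[str] = None) -> str:
    """Pick the internal username from the OpenID claims.

    identifier is the value of artifactory.oauth.user.info.identifier; when it
    is set only that field is consulted (assumption modelled on the article).
    Raises LookupError with the message the article quotes when nothing usable
    is present."""
    if identifier:
        value = claims.get(identifier)
        if not value:
            raise LookupError(
                f"Error handling OAuth2 login: identifier field '{identifier}' "
                "was not found on the OAuth response"
            )
        return value
    for field in DEFAULT_IDENTIFIER_FIELDS:
        if claims.get(field):
            return claims[field]
    raise LookupError("Error handling OAuth2 login: No email was found on the OAuth response")


def diagnose(claims: Dict[str, str], identifier: Optional[str] = None) -> Dict[str, object]:
    """Report which candidate fields are present and what username results."""
    candidates = list(DEFAULT_IDENTIFIER_FIELDS) + ([identifier] if identifier else [])
    report: Dict[str, object] = {
        "present": [f for f in candidates if claims.get(f)],
        "missing": [f for f in candidates if not claims.get(f)],
    }
    try:
        report["username"] = resolve_username(claims, identifier)
    except LookupError as exc:
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    claims = decode_jwt_payload(token)
    print("claims returned:", sorted(claims))
    print("default lookup:", diagnose(claims))
    print("with identifier=upn:", diagnose(claims, "upn"))
```

Paste a real ID token from your tenant into decode_jwt_payload (or the JSON body returned by the userinfo endpoint straight into diagnose) to see whether the field you intend to configure is present; if it is not, the optional claim still has to be added on the Azure side.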
OAuth with Proof Key for Code Exchange (PKCE) enabled
- PKCE is an extension of the OAuth 2.0 Authorization Code flow, not of the implicit grant. In Azure, the Authorization Code flow with PKCE is what you get when the redirect URI is registered under the Single-page application (SPA) platform, so while registering the application (Azure Active Directory → App registrations → Create new registration) choose Single-page application under Redirect URI.
- Azure redeems an authorization code issued to an SPA redirect URI only when the token request carries an Origin header. For Artifactory to send it, add the following system property to artifactory.system.properties (a restart is required):
artifactory.oauth.token.request.origin.header=true
Automation:
From version 5.8, Artifactory provides a flexible way to configure an existing Artifactory instance using a simple YAML configuration file that allows importing any external identity provider settings.
Please find more information on the Artifactory YAML Configuration confluence page.
Below is an example of an OpenID configuration YAML file:
security:
  oauthSettings:
    enableIntegration: true
    persistUsers: false
    allowUserToAccessProfile: false
    oauthProvidersSettings:
      openid-oauth:                                          # Provider name in JDP
        id: <Client-ID>                                      # The Unique ID/Client ID/Application ID of the OAuth Provider
        enabled: false                                       # When set to true, the OAuth SSO provider is enabled
        apiUrl: https://graph.microsoft.com/oidc/userinfo    # The URL used for API access
        authUrl: https://login.microsoftonline.com/<Tenant-ID>/oauth2/v2.0/authorize   # The URL used for the initial authentication step
        basicUrl:
        providerType: openId
        secret: <Client-Secret>                              # The OAuth2 shared secret, given by the provider
        tokenUrl: https://login.microsoftonline.com/<Tenant-ID>/oauth2/v2.0/token      # The URL used to acquire a token from the provider
Note that the provider above is created disabled (enabled: false); set it to true when you want logins through it to work.
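The manual steps in the Azure and Artifactory sections and the YAML above describe the same provider settings, so the following script generates that YAML for a tenant and applies it through Artifactory's YAML configuration endpoint (PATCH /api/system/configuration with Content-Type: application/yaml). This is an added example, not JFrog's own tooling; the environment variable names, the provider name "azure-openid", and the use of a bearer token for the admin call are this example's choices. Unlike the fragment above it creates the provider enabled, and it refuses to emit endpoints that are not https on login.microsoftonline.com, which catches typos such as the ".co0m" that crept into the original YAML.

```python
"""Generate the Azure Entra ID OpenID provider YAML and apply it with
Artifactory's YAML configuration endpoint. Added example, not JFrog code.
Assumed environment: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID,
ARTIFACTORY_URL (e.g. https://mycompany.jfrog.io) and ARTIFACTORY_TOKEN."""
import json
import os
import re
import sys
import urllib.request
from typing import Dict
from urllib.parse import urlparse

LOGIN_HOST = "login.microsoftonline.com"
USERINFO_URL = "https://graph.microsoft.com/oidc/userinfo"
TENANT_RE = re.compile(r"[A-Za-z0-9.\-]+")   # GUID or verified domain, nothing that can alter the path


def valid_tenant_id(tenant_id: str) -> bool:
    return TENANT_RE.fullmatch(tenant_id) is not None


def azure_endpoints(tenant_id: str) -> Dict[str, str]:
    """The tenant's v2.0 authorize/token endpoints, as listed on the app
    registration's Endpoints page."""
    base = f"https://{LOGIN_HOST}/{tenant_id}/oauth2/v2.0"
    return {"authUrl": f"{base}/authorize", "tokenUrl": f"{base}/token"}


def endpoint_is_sane(url: str) -> bool:
    """Accept only https URLs on the Microsoft login host: a mistyped host
    would send the authorization code exchange to someone else's server."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == LOGIN_HOST


def _scalar(value: str) -> str:
    # A JSON string literal is a valid YAML double-quoted scalar, so a secret
    # containing ':' '#' or quotes survives the round trip unchanged.
    return json.dumps(value)


def build_oauth_yaml(client_id: str, client_secret: str, tenant_id: str,
                     provider_name: str = "azure-openid", enabled: bool = True,
                     persist_users: bool = False) -> str:
    """Render the security.oauthSettings document accepted by the YAML config endpoint."""
    if not valid_tenant_id(tenant_id):
        raise ValueError(f"tenant id {tenant_id!r} is not a GUID or domain name")
    endpoints = azure_endpoints(tenant_id)
    for url in endpoints.values():
        if not endpoint_is_sane(url):
            raise ValueError(f"refusing to configure endpoint {url}")
    yes = lambda flag: "true" if flag else "false"
    return "\n".join([
        "security:",
        "  oauthSettings:",
        "    enableIntegration: true",
        f"    persistUsers: {yes(persist_users)}",
        "    allowUserToAccessProfile: false",
        "    oauthProvidersSettings:",
        f"      {provider_name}:",
        f"        id: {_scalar(client_id)}",
        f"        enabled: {yes(enabled)}",
        f"        apiUrl: {USERINFO_URL}",
        f"        authUrl: {endpoints['authUrl']}",
        "        basicUrl:",
        "        providerType: openId",
        f"        secret: {_scalar(client_secret)}",
        f"        tokenUrl: {endpoints['tokenUrl']}",
        "",
    ])


def patch_configuration(artifactory_url: str, yaml_text: str, token: str) -> int:
    """PATCH the YAML into Artifactory; returns the HTTP status. Requires an admin token."""
    request = urllib.request.Request(
        artifactory_url.rstrip("/") + "/artifactory/api/system/configuration",
        data=yaml_text.encode(),
        method="PATCH",
        headers={"Content-Type": "application/yaml", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(request) as response:
        return response.status


if __name__ == "__main__":
    yaml_text = build_oauth_yaml(os.environ["AZURE_CLIENT_ID"],
                                 os.environ["AZURE_CLIENT_SECRET"],
                                 os.environ["AZURE_TENANT_ID"])
    if "--dry-run" in sys.argv:
        print(yaml_text)   # contains the client secret: do not paste into tickets or logs
    else:
        print(patch_configuration(os.environ["ARTIFACTORY_URL"], yaml_text,
                                  os.environ["ARTIFACTORY_TOKEN"]))
```

Run it with --dry-run first to review the generated document; the secret is read from the environment rather than written into a file that might be committed.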