As outlined in our documentation under the Breaking Change for SAML SSO, starting from Artifactory 7.98.7 the base_url must be configured in Artifactory to prevent a 500 error. The reason is that Artifactory uses the base_url as the “Identifier” in the SAML Request.

Even when the base_url is configured, an error can still occur if the “Identifier” in the SAML Request does not match the identifier of the IDP application. In this scenario, a login via SAML (even one that worked previously) may fail on the IDP side because of the Identifier mismatch.

Example of the error on the IDP's side:

To validate whether this is indeed the issue, take the SAMLRequest query parameter, as seen in the URLs of the above screenshots, and decode it to XML format. To decode it properly, copy only the SAMLRequest value and do NOT include the RelayState.
It can be done either by using an online service (e.g. Base64 Decode + Inflate) or using the below command:
echo <SAMLRequest> | base64 -d | xmllint --format -
* Requires base64 and xmllint to be installed

In the decoded SAMLRequest, we can see the Identifier, which is the base_url, and compare it to the IDP APP Identifier.

Azure example:
Keycloak example:
To fix the login, modify either the Artifactory base_url (valid only for self-hosted installations) or the IDP APP Identifier.
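
The check described above, as an added example that is not part of the original article or JFrog's own tooling: a Python script that takes only the SAMLRequest parameter from a login URL (dropping RelayState), Base64-decodes it, inflates it when it is DEFLATE-compressed, and compares the request's Identifier with the IDP APP Identifier. It assumes the Identifier is carried in the standard `<saml:Issuer>` element and that the IDP compares it as an exact string; the URL, hostnames and function names are constructed for illustration.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, unquote, urlsplit

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def extract_saml_request(value: str) -> str:
    """Return only the SAMLRequest value from a URL, a query string or a bare value."""
    if "SAMLRequest=" in value:
        query = urlsplit(value).query or value.lstrip("?")
        return parse_qs(query)["SAMLRequest"][0]  # URL-decoded; RelayState is dropped
    return unquote(value)

def decode_saml_request(value: str) -> bytes:
    raw = base64.b64decode(extract_saml_request(value))
    try:
        xml = zlib.decompress(raw, -15)  # raw DEFLATE (no zlib header)
    except zlib.error:
        xml = raw                        # Base64 only, the case `base64 -d` handles
    if b"<!DOCTYPE" in xml:              # a SAML request has no reason to carry a DTD
        raise ValueError("unexpected DOCTYPE in SAML request")
    return xml

def request_identifier(value: str) -> str:
    """Assumption: the Identifier is the text of <saml:Issuer> in the AuthnRequest."""
    issuer = ET.fromstring(decode_saml_request(value)).find(f"{{{ASSERTION_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("no Issuer in SAML request")
    return issuer.text.strip()

def identifier_matches(value: str, idp_identifier: str) -> bool:
    # Assumption: exact string comparison, so a trailing slash counts as a mismatch.
    return request_identifier(value) == idp_identifier

def constructed_redirect_url(issuer: str) -> str:
    """Constructed sample, not captured traffic: a login URL carrying an AuthnRequest."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{ASSERTION_NS}" ID="_constructed" Version="2.0">'
           f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>").encode()
    deflated = zlib.compress(xml)[2:-4]  # strip zlib header and checksum -> raw DEFLATE
    param = quote(base64.b64encode(deflated).decode(), safe="")
    return f"https://idp.example.com/sso?SAMLRequest={param}&RelayState=constructed"

if __name__ == "__main__":
    url = constructed_redirect_url("https://artifactory.example.com")
    print(request_identifier(url))
    print(identifier_matches(url, "https://artifactory.example.com/"))
```

Passing the full URL copied from the browser's address bar to `request_identifier` returns the Identifier that was sent, which can then be compared with the value configured in the IDP application.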