This error mostly occurs due to a mismatch between the IDP Identifier and the “SAML Service Provider Name” configured in the SAML settings in Artifactory.
This time, we should examine the SAMLResponse, as the error is on the Artifactory side. To locate the SAMLResponse (without an extra debug logger), open the browser dev console, navigate to the Network tab, and retry the login. Once the login fails, the SAMLResponse can be found by searching for the SAML setting name (azure-ad in this case) and copying the SAMLResponse from the Payload of the request.
Decode the SAMLResponse using the same technique shown above and compare the value of Issuer to the value of “SAML Service Provider Name”, as they should be an exact match. In this example, the “SAML Service Provider Name” is missing the slash (/) at the end, causing the SAML login to fail.
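The Issuer comparison described above, as an added Python example (not part of the original article or of Artifactory): it decodes a captured SAMLResponse, reads the top-level Issuer, and reports whether it matches the configured name exactly or differs only by a trailing slash. It goes slightly beyond the text by also accepting DEFLATE-compressed values as used by the SAML Redirect binding; the sample response, idp.example.com, and all function names are constructed for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not a real capture): a response whose Issuer ends in "/".
SAMPLE_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"<saml:Issuer>https://idp.example.com/tenant/</saml:Issuer></samlp:Response>"
)
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML).decode()


def decode_saml_message(value: str) -> bytes:
    """Decode a SAMLResponse or SAMLRequest value copied from the browser."""
    raw = base64.b64decode(urllib.parse.unquote(value.strip()))
    if raw.lstrip().startswith(b"<"):
        return raw  # POST binding: base64 of the XML itself
    return zlib.decompress(raw, -15)  # Redirect binding: raw DEFLATE inside base64


def issuer_of(xml: bytes) -> str:
    """Return the text of the message's top-level <saml:Issuer>."""
    if b"<!DOCTYPE" in xml:  # SAML messages carry no DTD; refuse entity tricks
        raise ValueError("unexpected DOCTYPE in SAML message")
    issuer = ET.fromstring(xml).find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("no top-level Issuer element")
    return issuer.text.strip()


def check_issuer(saml_value: str, configured_name: str) -> dict:
    """Compare the Issuer with the configured "SAML Service Provider Name"."""
    issuer = issuer_of(decode_saml_message(saml_value))
    if issuer == configured_name:
        hint = "exact match"
    elif issuer.rstrip("/") == configured_name.rstrip("/"):
        hint = "differs only by a trailing slash"
    else:
        hint = "different value"
    return {"issuer": issuer, "match": issuer == configured_name, "hint": hint}


if __name__ == "__main__":
    print(check_issuer(SAMPLE_RESPONSE, "https://idp.example.com/tenant"))
```

Run it locally on the captured value rather than pasting a real SAMLResponse into an online decoder, since the assertion contains user attributes and a signed login token.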
Conclusion
Troubleshooting common SAML login issues in Artifactory often involves identifying configuration mismatches between Artifactory and the Identity Provider (IDP).
Key issues include Artifactory's base_url (used as the "Identifier" in the SAML Request) not matching the IDP Application Identifier (Entity ID, Client ID), the Reply URL (AssertionConsumerServiceURL) in the SAML Request not matching the Reply URL(s) configured in the IDP application, and an HTTP 401 Unauthorized Error frequently caused by a mismatch between the IDP's Issuer (found in the SAML Response) and the "SAML Service Provider Name" set in Artifactory's SAML configuration.
Effective debugging relies heavily on capturing the SAML messages: the SAMLRequest can be found as a query parameter in the browser URL upon IDP-side failure, while the SAMLResponse is captured from the browser's developer console Network tab after the IDP redirect, often within the payload of the request corresponding to your SAML setting name.
By decoding these base64-encoded messages to XML format using online tools or commands like echo <SAMLRequest> | base64 -d | xmllint --format -, you can inspect critical elements such as the <saml:Issuer> tag (for the Identifier in the SAML Request and the Issuer in the SAML Response) and the AssertionConsumerServiceURL. Resolution requires ensuring an exact match between the values found in the decoded SAML messages and the corresponding settings in both the IDP application and Artifactory's SAML configuration.