SAML SSO Configuration

JFrog Platform Administration Documentation

  1. Log in to the system with administrator privileges.

  2. In the Administration module, go to Authentication Providers | SAML SSO.

  3. To add a new provider configuration, click Add Settings.

  4. Provide a name for the specific SAML SSO configuration in Display Name. Choose a name that will help you distinguish between multiple SAML settings. This name should be used to configure the Single Sign-On URL on the identity provider.

  5. Provide the SAML Login URL and SAML Logout URL.

    SAML Logout URL

    To log out of your SAML provider and the JFrog Platform simultaneously, you need to set your provider's logout URL correctly in the SAML Logout URL field. Setting this incorrectly will keep your users logged in with the SAML provider even after logging out from the system.

  6. Provide the service provider name (Platform name in SAML federation).

  7. If you enable Use Encrypted Assertion, an X.509 public certificate will be created by Artifactory. You will need to download the X.509 certificate that contains the public key and provide it to your identity provider (IDP).

    The public key can use either the DSA or RSA algorithms. The Platform uses this key to verify SAML response origin and integrity. Make sure to match the embedded public key in the X.509 certificate with the private key used to sign the SAML response.

    Select whether to refresh the X.509 certificate that contains the public key. If you refresh the certificate, this will affect all SAML provider configurations that are enabled for encrypted assertions. You will need to download the updated X.509 certificate that contains the public key and provide it to your identity provider (IDP).

  8. Enable or disable Allow Created Users Access to Profile Page. If enabled, users will be able to access their profile without having to provide a password.

  9. Enable or disable Auto Create Artifactory Users (Using SAML login). If enabled, new users will persist in the database.

Custom URL base

For your SAML SSO settings to work, make sure you have your Custom Base URL configured.

Signed and encrypted Assertions

Make sure your SAML IdP (Identity Provider) provides a signed login Assertion. This is mandatory for the Assertion verification by the Platform.

Signed Logout is currently not supported by the Platform.


SAML SSO Setting

Description

Enable SAML Integration

When selected, SAML integration is enabled and users may be authenticated via a SAML server.

SAML Login URL

The SAML login URL.

SAML Logout URL

The SAML logout URL.

SAML Service Provider Name

The SAML service provider name. This should be a URI that is also known as the entityID, providerID, or entity identity.

SAML v2 specification

Use Encrypted Assertion

When set, an X.509 public certificate will be created by Artifactory. Download this certificate and upload it to your IDP and choose your own encryption algorithm. This process will let you encrypt the assertion section in your SAML response.

SAML Certificate

The X.509 certificate that contains the public key.

Auto Associate Groups

When set, in addition to the groups the user is already associated with, they will also be associated with the groups returned in the SAML login response.

Note that the user’s association with the returned groups is not persistent. It is only valid for the current login session in the browser (i.e. this will not work for logins using the SAML user id and API Key).

Also, the association will not be reflected in the UI's Groups settings page. Instead, you can see it by enabling the SAML logger in your $ARTIFACTORY_HOME/var/etc/artifactory/logback.xml file as follows:

<logger name="org.artifactory.addon.sso.saml">
    <level value="debug"/>
</logger>

Group Attribute

The group attribute in the SAML login XML response. Note that the system will search for a case-sensitive match to an existing group.

Email Attribute

If Auto Create Artifactory Users is enabled or an internal user exists, the system will set the user’s email to the value in this attribute that is returned by the SAML login XML response.

Username Attribute

The username attribute used to configure the SSO URL for the identity provider.

Auto Create Artifactory Users

When set, the system will automatically create new users for those who have logged in using SAML, and assign them to the default groups.

Allow Created Users Access To Profile Page

When selected, users created after authenticating using SAML will be able to access their profile. This means they are able to generate their API Key.

If Auto Create Artifactory Users is enabled, once logged in to the system, users can set their password for future use.

Auto Redirect Login Link to SAML Login

When checked, clicking on the login link will direct the users to the configured SAML login URL.
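
A pre-flight check for two requirements stated above, the signed login Assertion and the case-sensitive Group Attribute match, written as an added example that is not JFrog code. The sample response, the attribute name `groups` and the group names are constructed, and the check only confirms that a signature element is present inside the Assertion, not that it is cryptographically valid.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response (signature contents elided; not real IdP output).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>readers</saml:AttributeValue>
        <saml:AttributeValue>Deployers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

def check_response(xml_text, group_attribute, platform_groups):
    """Return (assertion_signed, matched_groups, unmatched_groups)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An encrypted assertion arrives as saml:EncryptedAssertion and
        # cannot be inspected without the private key.
        raise ValueError("no plaintext saml:Assertion in response")
    # The page asks for a signed Assertion, so look for ds:Signature as a
    # direct child of the Assertion rather than only on the Response.
    signed = assertion.find("ds:Signature", NS) is not None
    returned = [
        (v.text or "").strip()
        for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == group_attribute
        for v in a.iterfind("saml:AttributeValue", NS)
    ]
    # Exact, case-sensitive comparison, as the Group Attribute setting describes.
    matched = [g for g in returned if g in platform_groups]
    unmatched = [g for g in returned if g not in platform_groups]
    return signed, matched, unmatched

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "groups", {"readers", "deployers"}))
```

Run it on a decoded response captured from your own IdP during a test login; any name in the unmatched list will not be associated until its case matches an existing group exactly.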