Configure HTTP SSO in JPD

JFrog Platform Administration Documentation
Content Type
Administration / Platform
ft:sourceType
Paligo

  1. From the Administration module, select Authentication Providers | HTTP SSO.

    http_sso.png

  2. Select the Artifactory is Proxied by a Secure HTTP Server check box to indicate that Artifactory is running behind a secure HTTP server that forwards trusted requests to it.

  3. Add the variable to look for trusted authentication information. The default is to look for a REMOTE_USER header or the request variable, which is set by Apache's AJP and JK connectors.

    You can choose to use any request attribute (as defined by the Servlet specification) by providing a different variable name.

    Tip

    Adding Your Own SSO Integration

    You can write a simple servlet filter to integrate with custom security systems and set a request attribute on the request to be trusted by the SSO add-on.

  4. SelectAllow Created Users Access to Profile Pagecheck box to instruct Artifactory to treat externally authenticated users as temporary users, so that Artifactory does not create them in its security database.

    In this case, permissions for such users are based on the permissions given to auto-join groups.

  5. Select the Associate LDAP Groups check box to associate the user with groups returned in the LDAP login response.

Field Name

Description

Artifactory is Proxied by a Secure HTTP Server

When selected, Artifactory trusts incoming requests and reuses the remote user originally set on the request by the SSO of the HTTP server.

This is extremely useful if you want to use existing enterprise SSO integrations, such as the powerful authentication schemes provided by Apache (mod_auth_ldap, mod_auth_ntlm, mod_auth_kerb, etc.).

When Artifactory is deployed as a webapp on Tomcat behind Apache:

  • If using mod_proxy_ajp, make sure to set tomcatAuthentication="false" on the AJP connector.

  • If using mod_jk, make sure to use the JkEnvVar REMOTE_USER directive in Apache's configuration.

Artifactory should be explicitly and exclusively bound to the reverse proxy co-located on the same machine if “Artifactory is Proxied by a secure HTTP server” is enabled.

Remote User Request Variable

The name of the HTTP request variable to use for extracting the user identity. Default is: REMOTE_USER.

Auto Create System Users

When not checked, authenticated users are not automatically created in the system. Instead, for every request from an SSO user, the user is temporarily associated with default groups (if such groups are defined) and the permissions for these groups apply.

Without auto user creation, you must manually create the user inside Artifactory to manage user permissions not attached to its default groups.

Allow Created Users Access To Profile Page

When selected, users created after authenticating using HTTP SSO, will be able to access your User profile. This means they are able to generate their API Key and set your password for future use.

Auto Associate LDAP Groups

When selected, associate the user with groups returned in the LDAP login response. Note that the user's association with the returned groups is persistent if Auto Create system user is selected.

Custom URL base

For your HTTP SSO settings to work, make sure you have your Custom URL Base configured.