Configure Identity Mappings

JFrog Platform Administration Documentation


Perform the following steps to add identity mappings for an existing OIDC integration.

Note

From Artifactory version 7.94 you can create identity mappings associated with a specific project, and a Project Admin can create identity mappings for that project.

  1. Select All Projects, or select from the Projects list the project whose identity mappings you want to view.

  2. Select the Administration module, and then select General Management | Manage Integrations.

    If you use the classic navigation, navigate to Administration Module | General | Manage Integrations. Classic navigation is available only for JFrog self-hosted customers on version 7.90 or earlier.

    The Integrations page appears.

  3. On the row of the relevant OIDC integration, click the + menu and select Add Identity Mapping. The mapping is added to that existing integration.

    The OpenID Connect Integration window appears.

  4. In the OpenID Connect Integration window, in the Identity Mappings area, select the Global or Project tab, depending on the level of the identity mapping that you want to create.

  5. In the Identity Mappings window, fill in the mapping details.


    The following describes each field (Item, Description, Requirement):

    Name (Mandatory)
      Name of the identity mapping.

    Priority (Mandatory)
      The order in which identity mappings are evaluated. A lower number means a higher priority.

    Description (Optional)
      The description of the identity mapping. Preferably identify the source repository and the identity it is mapped to.

    Claims JSON (Mandatory)
      A JSON object of claims that the incoming OIDC token must carry for this mapping to evaluate as true. For GitHub Actions tokens the commonly used claims are:

      • iss: Set to https://token.actions.githubusercontent.com to verify that the token was issued by GitHub.

      • enterprise: Optionally restrict the mapping to the GitHub Enterprise name to which the repository belongs.

      • repository: The GitHub repository name, in the form owner/repository.

      • Other claims: environment, actor, runner_environment, sub, repository_owner, repository_visibility, workflow, and so on.

      Example: {"repository":"<repository_name>", "enterprise":"<your_github_enterprise_name>"}

      The configured claims are the condition under which a token is issued; every claim listed must match the incoming token, so the fewer claims you specify, the broader the set of workflows that can obtain the token.

    Token Scope (Mandatory)
      The token scope can be:

      • Group, User, or Admin scoped token with a specific group/user

      • Group Mapping with a dynamic mapping

      • Roles when within a project scope

    Service (Mandatory)
      The JFrog services for which access is allowed. Can be all services or a specific service.

    Expiration Time (Optional)
      The lifetime of the generated token, in minutes. Limited to 24 hours, that is, 1440 minutes.

  6. Enter the Priority of the identity mapping.

    The priority must be a number, and a lower number means a higher priority. If you do not enter a value, the identity mapping is assigned the lowest priority.

    We recommend that you assign the highest priority (1) to the strictest permission gate and the lowest priority to the weakest permission, so that the most restrictive mapping is evaluated first.

    A project identity mapping takes precedence over a global identity mapping regardless of their priority numbers.

  7. Enter the Description of the identity mapping.

  8. Enter the Claims JSON that the token from the OpenID provider must satisfy for this identity mapping.

    For more information about the claims in GitHub Actions tokens, refer to the GitHub Actions Documentation. We strongly encourage you to define claims in every identity mapping. If you do not add claims, any token from the configured provider matches the mapping, so anyone who can obtain such a token and knows which service account to target can get access.

    The following is an example of Claims JSON.

    {
      "iss": "https://token.actions.githubusercontent.com",
      "repository": "octo-org/octo-repo"
    }
    
  9. When in the Global scope:

    1. Select the Token Scope.

      The following scopes are available.

      • Admin

      • User

      • Group

    2. Enter the User Name.

      The username appears in the JFrog Platform logs when the external service authenticates with this identity mapping.

  10. When in the Project scope, the token scope is defined by Project Role rather than by a user or group.

    Select the Role that identifies the permissions that will be associated with the project-scoped token.

    You can select one or more roles from the project roles that you have defined for the specific project.

  11. Select the Services for which the mapping applies.

    Select All to apply the mapping to all services.

  12. Set the Expiration Time for the token in minutes.

    The default value is 1 minute; the maximum is 1440 minutes (24 hours). Keep the lifetime as short as the workflow allows.

  13. When finished, click Save.

    The new identity mapping appears in the list of identity mappings, according to whether it is a global or project mapping.

  14. To edit or delete an identity mapping, click the ... menu at the end of the row.
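The following is an added example, not JFrog code, that models how the identity mappings configured in the steps above are evaluated against the claims of an incoming GitHub Actions token. It encodes the rules this page states: every key in Claims JSON must match the token, a lower Priority number is evaluated first, an unset Priority sorts last, a project mapping takes precedence over a global one, and Expiration Time is capped at 1440 minutes. The first-match rule, the mapping names, the token scopes and the token claim values are assumptions made for the example; only the claim names themselves are those GitHub actually issues.

```python
"""Model of OIDC identity-mapping evaluation (added example, not JFrog code).
The first-match rule, names and claim values below are assumptions."""
from dataclasses import dataclass
from typing import Optional

MAX_EXPIRY_MINUTES = 1440  # the page's 24-hour cap


@dataclass
class IdentityMapping:
    name: str
    claims: dict                     # Claims JSON; {} means "no restriction"
    token_scope: str                 # e.g. "user:ci-deployer" or "role:Developer"
    priority: Optional[int] = None   # lower number = higher priority; None = lowest
    project: Optional[str] = None    # None = global mapping
    expires_in: int = 1              # minutes; the page's default is 1


def evaluation_key(m: IdentityMapping):
    # Project mappings first, then explicit priorities ascending,
    # then mappings that were saved without a priority.
    return (m.project is None, m.priority is None, m.priority or 0)


def claims_match(required: dict, token: dict) -> bool:
    # Every claim named in Claims JSON must be present in the token with
    # exactly that value. An empty Claims JSON therefore matches any token.
    return all(token.get(k) == v for k, v in required.items())


def resolve(mappings, token) -> Optional[IdentityMapping]:
    # Assumption: the first mapping in evaluation order whose claims match wins.
    for m in sorted(mappings, key=evaluation_key):
        if claims_match(m.claims, token):
            return m
    return None


def expiry_ok(minutes: int) -> bool:
    return 1 <= minutes <= MAX_EXPIRY_MINUTES


# Constructed claims of a token minted by GitHub Actions for a "release"
# workflow on the main branch of octo-org/octo-repo (values are illustrative).
MAIN_BRANCH_TOKEN = {
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
    "repository": "octo-org/octo-repo",
    "repository_owner": "octo-org",
    "repository_visibility": "private",
    "ref": "refs/heads/main",
    "workflow": "release",
    "actor": "octocat",
    "runner_environment": "github-hosted",
}

# Same issuer, but a token minted for an unrelated repository (constructed).
OTHER_REPO_TOKEN = {**MAIN_BRANCH_TOKEN,
                    "sub": "repo:someone/fork:ref:refs/heads/main",
                    "repository": "someone/fork",
                    "repository_owner": "someone"}

GITHUB_ISS = "https://token.actions.githubusercontent.com"

MAPPINGS = [
    IdentityMapping("release-deploy",
                    {"iss": GITHUB_ISS, "repository": "octo-org/octo-repo",
                     "workflow": "release", "ref": "refs/heads/main"},
                    "user:ci-deployer", priority=1, expires_in=30),
    IdentityMapping("read-only",
                    {"iss": GITHUB_ISS, "repository_owner": "octo-org"},
                    "group:readers", priority=2, expires_in=15),
    # No Claims JSON at all: this is the hazard the page warns about.
    IdentityMapping("catch-all", {}, "user:legacy-bot"),
]

# A project mapping with a worse priority number than every global mapping.
PROJECT_MAPPING = IdentityMapping("proj-role", {"iss": GITHUB_ISS},
                                  "role:Developer", priority=5, project="octo")


def demo() -> dict:
    strict = [m for m in MAPPINGS if m.claims]
    return {
        "main_branch": resolve(MAPPINGS, MAIN_BRANCH_TOKEN).name,
        "other_repo_with_catch_all": resolve(MAPPINGS, OTHER_REPO_TOKEN).name,
        "other_repo_without_catch_all": resolve(strict, OTHER_REPO_TOKEN),
        "project_first": resolve(MAPPINGS + [PROJECT_MAPPING], MAIN_BRANCH_TOKEN).name,
    }


if __name__ == "__main__":
    print(demo())
```

The second and third results are the point: with the claim-less "catch-all" mapping present, a token from an unrelated repository still obtains a JFrog token, and only removing that mapping (or giving it claims) makes the unrelated token fall through to no match.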