Perform the following steps to add identity mappings for an existing OIDC integration.
Note
From Artifactory version 7.94 you can create identity mappings associated with a specific project. A Project Admin can now create identity mappings.
Select All Projects, or from the Projects list, select the project for which to view identity mappings.
Select the Administration module, and then select General Management | Manage Integrations.
If you use the classic navigation, navigate to Administration Module | General | Manage Integrations. Classic navigation is available for JFrog self-hosted customers with version 7.90 or earlier only.
The Integrations page appears.
On the row of the relevant OIDC integration, click the + menu and select Add Identity Mapping for an existing integration.
The OpenID Connect Integration window appears.
In the OpenID Connect Integration window, in the Identity Mappings area, select the Global or Project tab, depending on the level of the identity mapping that you want to create.
In the Identity Mappings window, fill in the mapping details.
The following table describes the fields:

Item | Description | Requirement
Name | Name of the identity mapping. | Mandatory
Priority | The order in which the identity mappings are evaluated; lower numbers are evaluated first. | Mandatory
Description | The description of the identity mapping. It should preferably identify the source repository and the mapped identity. | Optional
Claims JSON | A JSON object listing the claims that the incoming OIDC token must carry, with matching values, for this mapping to apply. For GitHub Actions tokens: "iss" set to https://token.actions.githubusercontent.com verifies that the claims were produced by GitHub; "enterprise" optionally restricts the mapping to the GitHub Enterprise that the repository belongs to; "repository" restricts it to a specific GitHub repository; other claims such as environment, actor, runner_environment, sub, repository_owner, repository_visibility and workflow can be added as further restrictions. Example: {"repository": "<repository_name>", "enterprise": "<your_github_enterprise_name>"}. The claims you list are what gate the generated token: a token is issued only when every listed claim matches. | Mandatory
Token Scope | One of: a Group, User or Admin scoped token bound to a specific group or user; Group Mapping with a dynamic mapping; or Roles, when the mapping is within a project scope. | Mandatory
Service | The JFrog services for which access is allowed: all services or a specific service. | Mandatory
Expiration Time | The number of minutes after which the token expires, at most 24 hours (1440 minutes). | Optional
Enter the Priority of the identity mapping.
The priority is a number; the lower the number, the higher the priority, so a mapping with priority 1 is evaluated first. If you do not enter a value, the identity mapping is assigned the lowest priority.
We recommend that you assign the highest priority (1) to the strongest permission gate, that is, the mapping with the most restrictive claims, and the lowest priority to the weakest permission, so that a token is matched against the tightest rule first.
Project identity mappings take precedence over global identity mappings.
Enter the Description of the identity mapping.
Enter the Claims JSON from the OpenID provider for the identity mapping.
For more information about the claims in GitHub Actions tokens, refer to the GitHub Actions documentation. We strongly encourage you to define claims in the identity mapping for security purposes: if the claims JSON is empty, any valid token from the configured provider matches the mapping, so anyone who knows which service account to target can obtain access.
The following is an example claims JSON:
{ "iss": "https://token.actions.githubusercontent.com", "repository": "octo-org/octo-repo" }
When in the Global scope:
Select the Token Scope.
The following scopes are available:
Admin
User
Group
Enter the User Name.
The username appears in the JFrog Platform logs when the external service authenticates with this identity mapping.
When in the Project scope, the token scope is a project role; the available roles are those defined by the Project Admin for the project.
Select the Role that identifies the permissions that will be associated with the project-scoped token.
You can select one or more roles. You can select from the project roles that you have defined for a specific project.
Select the Services for which the mapping applies.
Select All to apply the mapping to all services.
Set the Expiration Time for the token in minutes.
The default value is 1; the maximum is 1440 (24 hours).
When finished, click Save.
The new identity mapping appears in the list of identity mappings, according to whether it is a global or project mapping.
To edit or delete an identity mapping, click the ... menu at the end of the row.
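The following Python script is an added illustration, not JFrog code, of the behaviour this page describes: it decodes the claims of a (constructed, unsigned) GitHub Actions ID token, compares them against a list of identity mappings the way the Claims JSON field requires (every listed claim present and equal), evaluates the mappings in order (project before global, then ascending priority, unset priority last) and clamps the expiration to the 1440-minute maximum. Mapping names, groups, the token claim values and the `no-claims` mapping are all made up; the real token exchange also verifies the token signature against the issuer, which this model deliberately does not do.

```python
"""Model of OIDC identity-mapping evaluation. Added illustration only: not
JFrog code. It does not verify the token signature (the real exchange does);
it models the claim comparison, evaluation order and expiry cap only."""
import base64
import json

MAX_EXPIRY_MINUTES = 1440  # 24-hour cap stated on this page
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def decode_payload(jwt: str) -> dict:
    """Return the claims of a JWT without verifying it (inspection only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claims_match(required: dict, presented: dict) -> bool:
    """Every claim in the mapping's JSON must be present with an equal value.
    An empty claims JSON therefore matches every token from the provider."""
    return all(presented.get(name) == value for name, value in required.items())


def mapping_order(mapping: dict):
    """Sort key: project mappings before global ones, then ascending priority;
    a mapping with no priority sorts last."""
    scope_rank = 0 if mapping["scope"] == "project" else 1
    priority = mapping.get("priority")
    return (scope_rank, float("inf") if priority is None else priority)


def select_mapping(mappings: list, presented: dict):
    """Return the first mapping, in evaluation order, whose claims all match."""
    for mapping in sorted(mappings, key=mapping_order):
        if claims_match(mapping["claims"], presented):
            return mapping
    return None


def effective_expiry(requested_minutes) -> int:
    """Clamp a requested expiration to the 1440-minute maximum (default 1)."""
    if requested_minutes is None:
        return 1
    return max(1, min(int(requested_minutes), MAX_EXPIRY_MINUTES))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed identity mappings (hypothetical names, groups and user).
MAPPINGS = [
    {"name": "prod-deployer", "scope": "global", "priority": 1,
     "claims": {"iss": GITHUB_ISSUER, "repository": "octo-org/octo-repo",
                "environment": "production"},
     "token_scope": "group:release-managers"},
    {"name": "octo-org-ci", "scope": "global", "priority": 2,
     "claims": {"iss": GITHUB_ISSUER, "repository_owner": "octo-org"},
     "token_scope": "group:readers"},
    # The misconfiguration the page warns about: no claims, so any valid
    # token from the provider matches it.
    {"name": "no-claims", "scope": "global", "priority": None,
     "claims": {}, "token_scope": "user:service-account"},
]

# Constructed claims in the shape GitHub Actions issues; values are made up.
PROD_RUN = {"iss": GITHUB_ISSUER, "aud": "jfrog-github",
            "sub": "repo:octo-org/octo-repo:environment:production",
            "repository": "octo-org/octo-repo", "repository_owner": "octo-org",
            "environment": "production", "actor": "octocat",
            "workflow": "release", "runner_environment": "github-hosted"}
PR_RUN = {k: v for k, v in PROD_RUN.items() if k != "environment"}
PR_RUN["sub"] = "repo:octo-org/octo-repo:pull_request"
OTHER_ORG_RUN = {**PROD_RUN, "sub": "repo:evil-org/fork:ref:refs/heads/main",
                 "repository": "evil-org/fork", "repository_owner": "evil-org"}


def demo() -> dict:
    """Which mapping each constructed token hits, by label."""
    runs = {"prod": PROD_RUN, "pr": PR_RUN, "other_org": OTHER_ORG_RUN}
    return {label: select_mapping(MAPPINGS, decode_payload(make_unsigned_jwt(claims)))["name"]
            for label, claims in runs.items()}


if __name__ == "__main__":
    # → {'prod': 'prod-deployer', 'pr': 'octo-org-ci', 'other_org': 'no-claims'}
    print(demo())
```

The third result is the point of the warning above: the token from an unrelated repository matches nothing with claims, falls through to the claim-less mapping, and would be issued a token scoped to that mapping's user. Deleting that mapping, or giving it at least an "iss" and "repository_owner" claim, closes the gap.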