SAML Profiles and Bindings

JFrog Platform Administration Documentation

The JFrog Platform currently supports the Web Browser SSO and Single Logout Profiles.

The Web Browser SSO Profile uses HTTP redirect binding to send the AuthnRequest from the service provider to the identity provider, and HTTP POST to send the authentication response from the identity provider to the service provider.

Similar to the previous profile, the Single Logout Profile uses HTTP redirect binding to send the LogoutRequest from the service provider to the identity provider and HTTP POST to send the logout response from the identity provider to the service provider.
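The HTTP-Redirect encoding that both profiles use for the outgoing request, as an added example (not JFrog code): the message is raw-DEFLATE compressed, base64-encoded and URL-encoded into a `SAMLRequest` query parameter, and the decoder shows what the service provider actually sent. The hostnames, the sample AuthnRequest and the function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample message (not captured from a JFrog deployment).
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL='
    '"https://platform.example.com/artifactory/webapp/saml/loginResponse">'
    "<saml:Issuer>example-sp</saml:Issuer></samlp:AuthnRequest>"
)

def encode_redirect(xml_text, idp_url):
    """SP side: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    deflater = zlib.compressobj(wbits=-15)  # -15 = raw DEFLATE, no zlib header
    raw = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    return idp_url + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii")})

def decode_redirect(url, max_bytes=65536):
    """Reverse the encoding and summarise the request for inspection."""
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)
    xml_bytes = inflater.decompress(raw, max_bytes)  # cap the inflated size
    if inflater.unconsumed_tail:
        raise ValueError("inflated message exceeds size limit")
    if b"<!DOCTYPE" in xml_bytes:  # SAML messages never need a DTD
        raise ValueError("DOCTYPE not allowed in SAML message")
    root = ET.fromstring(xml_bytes)
    namespace, _, name = root.tag[1:].partition("}")
    if namespace != SAMLP or name not in ("AuthnRequest", "LogoutRequest"):
        raise ValueError("unexpected message: " + root.tag)
    return {
        "message": name,
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        # Redirect-binding signatures travel as Signature/SigAlg query
        # parameters, not inside the XML.
        "signed": "Signature" in params,
    }

if __name__ == "__main__":
    print(decode_redirect(encode_redirect(SAMPLE_AUTHN_REQUEST, "https://idp.example.com/sso")))
```

With `AuthnRequestsSigned="false"`, as in the service provider metadata on this page, no `Signature` parameter is expected and `signed` comes back `False`.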

If your IDP supports uploading service provider metadata, you can use the following metadata XML:

Artifactory SP metadata XML

<ns2:EntityDescriptor xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<SP_NAME_IN_FEDERATION>">
    <ns2:SPSSODescriptor WantAssertionsSigned="true" AuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <ns2:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</ns2:NameIDFormat>
        <ns2:AssertionConsumerService index="1" Location="<PLATFORM_URL>/artifactory/webapp/saml/loginResponse" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    </ns2:SPSSODescriptor>
</ns2:EntityDescriptor>

Before using the service provider metadata, update the following fields in the XML:

  • entityID: the Platform ID in the federation. It must match the SAML Service Provider Name on the Platform's SAML configuration page.

  • Location: the Platform home URL

After SAML Setup

Using SAML, the Platform automatically redirects the request to the IDP, which authenticates the user and, after a successful login, redirects back to the Platform.

If Anonymous User is enabled, the Platform doesn’t have to authenticate the user, so it doesn’t redirect to the IDP. If the user still wants to sign in through SAML, they can do so by clicking the SSO login link on the login page.