Note
From Artifactory version 7.83.1, the ability to create multiple configurations for SAML SSO providers is gradually being rolled out to Cloud only.
Before creating multiple SAML configurations, JFrog recommends deleting the old configuration and reconfiguring it under a setting name other than Default.
Log in to the system with administrator privileges.
In the Administration module, go to Authentication | SAML SSO.
To add a new provider configuration, click Add Settings.
Provide a name for the specific SAML SSO configuration in Display Name. Choose a name that helps you distinguish between multiple SAML settings. This name should be used to configure the Single Sign-On URL on the identity provider.
Provide the SAML Login URL and SAML Logout URL.
SAML Logout URL
To log out of your SAML provider and the JFrog Platform simultaneously, you need to set your provider's logout URL correctly in the SAML Logout URL field. Setting this incorrectly will keep your users logged in with the SAML provider even after they log out of the system.
Provide the service provider name (Platform name in SAML federation).
If you enable Using Encrypted Assertion, an X.509 public certificate will be created by Artifactory. You will need to download the X.509 certificate that contains the public key and provide it to your identity provider (IDP).
The public key can use either the DSA or RSA algorithms. The Platform uses this key to verify SAML response origin and integrity. Make sure to match the embedded public key in the X.509 certificate with the private key used to sign the SAML response.
Select whether to refresh the X.509 certificate that contains the public key. Refreshing the certificate affects all SAML provider configurations that are enabled for encrypted assertions. You will need to download the updated X.509 certificate that contains the public key and provide it to your identity provider (IDP).
Enable or disable Allow Created Users Access to Profile Page. If enabled, users will be able to access their profile without having to provide a password.
Enable or disable Auto Create Artifactory Users (Using SAML login). If enabled, new users will persist in the database.
Custom URL base
For your SAML SSO settings to work, make sure you have your Custom Base URL configured.
Signed and encrypted Assertions
Make sure your SAML IdP (Identity Provider) provides a signed login Assertion. This is mandatory for the Assertion verification by the Platform.
Signed Logout is currently not supported by the Platform.
SAML SSO Setting | Description |
---|---|
Enable SAML Integration | When selected, SAML integration is enabled and users may be authenticated via a SAML server. |
SAML Login URL | The SAML login URL. |
SAML Logout URL | The SAML logout URL. |
SAML Service Provider Name | The SAML service provider name. This should be a URI that is also known as the entityID, providerID, or entity identity. |
Use Encrypted Assertion | When set, an X.509 public certificate will be created by Artifactory. Download this certificate and upload it to your IDP and choose your own encryption algorithm. This process will let you encrypt the assertion section in your SAML response. |
SAML Certificate | The X.509 certificate that contains the public key. |
Auto Associate Groups | When set, in addition to the groups the user is already associated with, they will also be associated with the groups returned in the SAML login response. Note that the user’s association with the returned groups is not persistent. It is only valid for the current login session in the browser (i.e. this will not work for logins using the SAML user ID and API Key). Also, the association will not be reflected in the UI's Groups settings page. Instead, you can see this by enabling this SAML logger in your
|
Group Attribute | The group attribute in the SAML login XML response. Note that the system will search for a case-sensitive match to an existing group. |
Email Attribute | If Auto Create Artifactory Users is enabled or an internal user exists, the system will set the user’s email to the value in this attribute that is returned by the SAML login XML response. |
Username Attribute | The username attribute used to configure the SSO URL for the identity provider. |
Auto Create Artifactory Users | When set, the system will automatically create new users for those who have logged in using SAML, and assign them to the default groups. |
Allow Created Users Access To Profile Page | When selected, users created after authenticating using SAML will be able to access their profile. This means they are able to generate their API Key. If Auto Create Artifactory Users is enabled, once logged into the system, users can set their password for future use. |
Auto Redirect Login Link to SAML Login | When checked, clicking on the login link will direct the users to the configured SAML login URL. |
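
A pre-flight check of a captured IdP response against two requirements on this page: the login Assertion itself must be signed, and returned group names are matched case-sensitively against existing groups. This is an added example, not JFrog code; it inspects structure only and does not verify the signature, and the function names, the attribute name `groups`, the existing group names and the sample response are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def inspect_saml_response(b64_response, existing_groups, group_attribute="groups"):
    """Structural check of a captured response; does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    report = {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "assertion_signed": False, "groups": [], "unmatched_groups": [],
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # encrypted or absent: nothing further is visible
        return report
    # A signed Assertion carries its own Signature whose Reference points at its ID.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    report["assertion_signed"] = (
        ref is not None and ref.get("URI") == "#" + assertion.get("ID", ""))
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == group_attribute:
            report["groups"] += [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    # Group names are matched case-sensitively, so "Readers" != "readers".
    report["unmatched_groups"] = [g for g in report["groups"] if g not in existing_groups]
    return report

def build_sample(sign_assertion):
    """Constructed sample; digest and signature values are omitted on purpose."""
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
           '</ds:SignedInfo></ds:Signature>')
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="r1">'
        % (NS["samlp"], NS["saml"], NS["ds"])
        + ("" if sign_assertion else sig % "r1")
        + '<saml:Assertion ID="a1">' + (sig % "a1" if sign_assertion else "")
        + '<saml:AttributeStatement><saml:Attribute Name="groups">'
        '<saml:AttributeValue>Readers</saml:AttributeValue>'
        '<saml:AttributeValue>deployers</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for signed in (True, False):
        print(inspect_saml_response(build_sample(signed), {"readers", "deployers"}))
```

A response where only the outer Response element is signed reports `assertion_signed` as false, which is the case the signed-Assertion requirement above rules out.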