SAML SSO Configuration

JFrog Platform Administration Documentation

  1. Login to the system with administrator privileges.

  2. In the Administration module, go to Authentication Providers | SAML SSO.

  3. Enable the SAML integration by checking the Enable SAML Integration checkbox.

  4. Enable or disable Auto Create Artifactory Users (Using SAML login). If enabled, new users will persist in the database.

  5. Enable or disable Allow Created Users Access to Profile Page. If enabled users will be able to access their profile without having to provide a password.

  6. Provide the SAML Login URL and SAML Logout URL.

    SAML Logout URL

    To simultaneously logout from your SAML provider and the JFrog Platform, you need to correctly set your provider's logout URL SAML Logout URL field. Setting this incorrectly will keep your users logged in with the SAML provider even after logging out from the system.

  7. Provide the service provider name (Platform name in SAML federation)

  8. Provide the X.509 certificate that contains the public key. The public key can use either the DSA or RSA algorithms. The Platform uses this key to verify SAML response origin and integrity. Make sure to match the embedded public key in the X.509 certificate with the private key used to sign the SAML response.

Custom URL base

For your SAML SSO settings to work, make sure you have your Custom Base URL configured.General System Settings

Signed and encrypted Assertions

Make sure your SAML IdP (Identity Provider) provides a signed login Assertion. This is mandatory for the Assertion verification by the Platform.

Signed Logout is currently not supported by the Platform.


SAML SSO Setting


Enable SAML Integration

When selected, SAML integration is enabled and users may be authenticated via a SAML server.


The SAML login URL.


The SAML logout URL.

SAML Service Provider Name

The SAML service provider name. This should be a URI that is also known as the entityID, providerID, or entity identity.

SAML v2 specification

Use Encrypted Assertion

When set, an X.509 public certificate will be created by Artifactory. Download this certificate and upload it to your IDP and choose your own encryption algorithm. This process will let you encrypt the assertion section in your SAML response.

SAML Certificate

The X.509 certificate that contains the public key.

Auto Associate Groups

When set, in addition to the groups the user is already associated with, they will also be associated with the groups returned in the SAML login response.

Note that the user’s association with the returned groups is not persistent. It is only valid for the current login session in the browser (i.e. this will not work for logins using the SAML user id and API Key).

Also, the association will not be reflected in the UIs Groups settings page. Instead, you can see this by enabling this SAML logger in your $ARTIFACTORY_HOME/var/etc/artifactory/logback.xml file as follows:

<logger name="org.artifactory.addon.sso.saml">

<level value="debug"/>


Group Attribute

The group attribute in the SAML login XML response. Note that the system will search for a case-sensitive match to an existing group.

Email Attribute

If Auto Create Artifactory Users is enabled or an internal user exists, the system will set the user’s email to the value in this attribute that is returned by the SAML login XML response.

Auto Create Artifactory Users

When set, the system will automatically create new users for those who have logged in using SAML, and assign them to the default groups.

Allow Created Users Access To Profile Page

When selected, users created after authenticating using SAML, will be able to access their profile. This means they are able to generate their API Key.

If Auto Create Artifactory Users is enabled, once logging into the system, users can set their password for future use.

Auto Redirect Login Link to SAML Login

When checked, clicking on the login link will direct the users to the configured SAML login URL.

Verify Audience Restriction

A verification step has been set up opposite the SAML server to validate SAML SSO authentication requests. The verifyAudienceRestriction attribute for SAML SSO is set by default in the JFrog Platform for new Artifactory installations. When upgrading from a previous Artifactory release, this parameter is disabled only if SAML was already configured.