SAML SSO Configuration With Keycloak

JFrog Platform Administration Documentation


Follow the steps below to configure Artifactory with Keycloak as a SAML SSO authentication provider.

  1. In Keycloak, enter the Administration Console.

  2. Select your realm from the drop-down menu, or click Create Realm to create a new one.

  3. Go to Clients > Create client to create a new client.

  4. Change the client type to SAML and select the custom base URL of the Artifactory instance (for example “https://yourcompanyname.jfrog.io”). Then, click Save to save the changes.

  5. After creating the client, you will be directed to the client settings page. Ensure that Sign Assertions is enabled while Force POST Binding and Front Channel Logout are disabled.

  6. In Valid Redirect URIs, enter your JFrog host URL followed by a wildcard (for example “https://artifactory.jfrog.io/*” or “http://IP:PORT/*”). In Root URL and Home URL, enter this URL:

    <CUSTOM_URL>/ui/api/v1/auth/saml/loginResponse/<SAML_DISPLAY_NAME>

    Note

    Make sure to replace the placeholders in <angle brackets> with your own custom URL and SAML display name.

  7. Navigate to Clients > Keys and switch the Client Signature Required toggle to Off.

  8. Navigate to the Advanced tab, scroll down to Fine Grain SAML Endpoint Configuration, and in both Logout Service POST Binding URL and Logout Service Redirect Binding URL enter your JFrog host URL followed by “/ui/login” (for example: “https://artifactory.jfrog.io/ui/login”).

  9. Click Save to save the changes made to the client settings.

  10. Navigate to Realm Settings > Keys, and copy the RSA Generated certificate.

  11. On the JFrog Platform: Log in to the JFrog Platform, navigate to Administration > Authentication Provider, and then select SAML SSO.

  12. Select the Enable SAML Integration checkbox, and click +Add SAML SSO Configuration. There, enter the following values:

    • In SAML Login URL, enter <KEYCLOAK_URL>/realms/<REALM>/protocol/saml

    • In SAML Service Provider Name, enter <KEYCLOAK_URL>/realms/<REALM>

    • In SAML Certificate, enter the certificate you copied from Keycloak in step 10.

    Note

    Make sure to replace the placeholders in <angle brackets> with your own Keycloak URL and realm. For example: https://KeyCloackURL/realms/master/protocol/saml

  13. Click Save to create the configuration.

To configure the Keycloak integration with JFrog, you will need to configure a group mapper, an attribute that is used to associate the realm groups with Artifactory. To configure a basic group mapper:

  1. In Keycloak: Navigate to Client scopes and click role_list (make sure the scope protocol is SAML).

  2. In the Client scope details menu, go to the Mappers tab and click Add Mapper > By Configuration, and select Group list from the table.

  3. Next, enter any name for the mapper, and the group attribute name. This attribute name will be used to associate the realm groups in Artifactory.

  4. Switch the Full group path toggle to Off and click Save.

  5. In the JFrog Platform: Navigate to the SAML SSO configuration page (Administration > Authentication > SAML SSO) and edit your SAML configuration.

  6. Select the Auto Associate Groups checkbox.

  7. In Group Attribute, enter the value you entered for Group Attribute Name in Keycloak in step 3.

  8. Click Save.
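
The client and group mapper settings above can be checked against a decoded SAML assertion from a test login. The following Python sketch is an added example, not part of the JFrog or Keycloak documentation; the attribute name groups, the host keycloak.example.com, the sample assertion and the helper check_assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not captured traffic: a trimmed assertion as it looks when
# Full group path is left On. "groups" is an assumed Group attribute name and the
# signature body is elided.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_constructed">
  <saml:Issuer>https://keycloak.example.com/realms/myrealm</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>/developers</saml:AttributeValue>
      <saml:AttributeValue>/platform/release-managers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion(xml_text, group_attribute):
    """Return (groups, findings) for one decoded SAML assertion (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = []
    # Structural check only: a ds:Signature child shows the assertion was signed.
    # It does not validate the signature; the service provider does that with
    # the realm certificate.
    if root.find("ds:Signature", NS) is None:
        findings.append("assertion is unsigned; check Sign Assertions on the client")
    groups = [
        (value.text or "").strip()
        for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == group_attribute
        for value in attr.iterfind("saml:AttributeValue", NS)
    ]
    if not groups:
        findings.append(f"no values for attribute {group_attribute!r}; check the mapper")
    for group in groups:
        if group.startswith("/"):
            findings.append(f"{group!r} is a full path; switch Full group path to Off")
    return groups, findings


if __name__ == "__main__":
    groups, findings = check_assertion(SAMPLE_ASSERTION, "groups")
    print(groups)
    print("\n".join(findings) or "ok")
```

An empty findings list means the assertion is signed and carries plain group names under the attribute name entered in Group Attribute.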