Support for Nested Entra ID Groups

JFrog Platform Administration Documentation
Content Type
Administration / Platform
ft:sourceType
Paligo

The JFrog Platform supports synchronization with Entra ID "Nested Groups".

From Artifactory 7.3, an improved Entra ID "Nested Groups" search is supported, providing performance improvements when working with LDAP.

Prerequisite

This feature requires that Entra ID run on Windows Server 2012 R2 version or later. There are no additional requirements for the Entra ID Windows Server side.

To enable the feature:

  • Set the Dynamic Strategy with a group setting definition

  • Set the msds-memberOfTransitive value for the membership attribute.

Mapping Strategy: Dynamic

Group Membership Attribute: msds-memberOfTransitive

Group Name Attribute: cn

Filter: (objectClass=group)

Microsoft provides a unique OID for rule chain matching as part of the search filter syntax, as a result when executing an LDAP Query to the Entra ID using this OID, the Entra ID will return a list of all the groups according to the user's main group membership.

Mapping Strategy: Static

Group Membership Attribute: member:1.2.840.113556.1.4.1941:

Group Name Attribute: cn

Filter: (objectClass=group)

The following displays the settings.

ldap_group_settings.png