ARTIFACTORY: Integrate Artifactory with Crowd SSO

Jayanth Suresh
2023-01-22 11:07

This article explains how to configure Artifactory 7.x to use Crowd for SSO.
There are two ways to configure Crowd SSO: using the same domain for both the Artifactory and Crowd servers, or using a subdomain prefix. This article covers using the same domain for both the Artifactory and Crowd servers.

Use the same domain for both the Artifactory and Crowd servers, e.g. production.ci.jfrog.com. This will probably need a load balancer or a reverse proxy (Nginx sample configuration below) that passes requests to the respective server according to the URL context, such as production.ci.jfrog.com/artifactory and production.ci.jfrog.com/crowd. The Crowd cookie created for this setup will contain the specific domain you address. In this example, Crowd will generate the crowd.token_key=production.ci.jfrog.com cookie, which the browser will therefore share with both systems' URLs.

Configurations at Artifactory

User-added image

Configurations at Crowd

User-added image


The relevant users and groups must be configured in Crowd by the Crowd application admin, as shown below.

User-added image

Sample Configuration of nginx to use the same domain for both Artifactory and Crowd servers

server {
    listen          443 ssl;
    server_name     production.ci.jfrog.com;

    # Requests under /crowd are passed to the Crowd server
    location /crowd {
        proxy_pass https://crowd-server.com;
        # .........................
    }

    # Requests under /ui are passed to the Artifactory server
    location /ui {
        proxy_read_timeout  2400s;
        proxy_pass_header   Server;
        # Rewrite the path of cookies set by the backend to /
        proxy_cookie_path   ~*^/.* /;
        proxy_buffer_size 128k;
        proxy_buffers 40 128k;
        proxy_busy_buffers_size 128k;
        proxy_pass          https://artifactory-server.com;
        proxy_set_header    X-JFrog-Override-Base-Url $http_x_forwarded_proto://$host:$server_port;
        proxy_set_header    X-Forwarded-Port  $server_port;
        proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header    Host              $http_host;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        # .....................
    }
}

With the above configuration in place, accessing https://production.ci.jfrog.com/crowd shows the login page of the Crowd application. After logging in to Crowd, open https://production.ci.jfrog.com/ui in the next tab and Artifactory will log in automatically, because the browser shares crowd.token_key with both URLs.
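
To see why the single host name matters, the following added example (not part of the original article and not JFrog or Atlassian code) applies the RFC 6265 domain and path matching rules a browser uses to decide whether crowd.token_key is attached to a request. The cookie attributes (Path, Secure, host-only) and the /crowd/console and /ui/login paths are constructed assumptions.

```javascript
// Added example: RFC 6265 domain-match and path-match, reduced to what the
// Crowd SSO cookie needs. Cookie attributes and request paths are constructed.

// RFC 6265 section 5.1.3: the host equals the cookie domain or is a subdomain
// of it. A host-only cookie (no Domain attribute) requires an exact match.
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  if (cookie.hostOnly) return false;
  return h.endsWith("." + d);
}

// RFC 6265 section 5.1.4: the cookie path must be a prefix of the request
// path that ends on a "/" boundary ("/crowd" does not cover "/crowdfoo").
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// True when a browser would attach the cookie to a request for `url`.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(u.hostname, cookie) && pathMatches(u.pathname, cookie.path);
}

// Constructed cookies. Path "/" and Secure for the Crowd token are assumptions.
const sameDomain = { name: "crowd.token_key", domain: "production.ci.jfrog.com",
                     path: "/", hostOnly: false, secure: true };
const crowdPathOnly = { ...sameDomain, path: "/crowd" };
const hostOnlyCrowd = { ...sameDomain, domain: "crowd-server.com", hostOnly: true };

function report() {
  const proxy = "https://production.ci.jfrog.com";
  return {
    proxiedCrowd: cookieSentTo(sameDomain, proxy + "/crowd/console"),
    proxiedUi: cookieSentTo(sameDomain, proxy + "/ui/login"),
    // A cookie limited to /crowd never reaches the Artifactory UI.
    narrowPathUi: cookieSentTo(crowdPathOnly, proxy + "/ui/login"),
    // Bypassing the proxy: a cookie set by the Crowd host stays on that host.
    directBackend: cookieSentTo(hostOnlyCrowd, "https://artifactory-server.com/ui/login"),
    plainHttp: cookieSentTo(sameDomain, "http://production.ci.jfrog.com/ui/login"),
  };
}

console.log(report());
```

Only the two HTTPS requests made through production.ci.jfrog.com with a cookie path of / carry the token, which is the condition the reverse proxy setup above is meant to guarantee.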