How do I configure Artifactory SAML SSO with Azure AD?

<Step 1: Configure SAML SSO on Azure Active Directory Premium>

1. Go to portal.azure.com

2. New => Create a resource => Identity => Azure Active Directory

3. A new window will open (Add directory). Fill in the required information.

3.5 (Optional)

These settings are optional but recommended; they make the user name more recognizable.

4. Activate Azure Active Directory Premium (WHY? See this link)

5. To configure an application, sign in to the Azure management portal with your Azure Active Directory administrator account, browse to Azure Active Directory > Enterprise applications, and select New application

6. Select Non-gallery application and give it a name

7. Click on Configure Single Sign-on

8. Choose the SSO method. In this example, we choose SAML-based Sign-on

9. Configure Single Sign-on (example shown below) and click Configure. Add the Entity ID from the Configure Artifactory documentation.

a. Enter IDENTIFIER (also known as Entity ID). This is a unique ID that identifies the Service Provider. Please ensure that this value matches what is entered as SAML Service Provider Name in Artifactory's SAML SSO configuration.

b. Enter REPLY URL (also known as Assertion Consumer Service). This should be a URL of the form: <ARTIFACTORY_URL>/webapp/saml/loginResponse

10. Copy down the following information from Azure's "Configure Single Sign-On" screen (see the sample screenshot below):

  • SINGLE SIGN-ON SERVICE URL

  • SINGLE SIGN-OUT SERVICE URL

  • SAML ENTITY ID

  • Signing certificate (text of the downloaded certificate file)

11. Go back to the Single Sign-on page and enter the SAML Entity ID copied in the previous step

12. Save the Configuration

13. Assign access to each user, or allow users to request access themselves with the following steps.

     Go back to Enterprise applications – All applications => Application (your app) => Self-service

Click Self-service

a. Click "YES" on "ALLOW USERS TO REQUEST ACCESS". If Yes is selected, users will be allowed to self-assign access to this application in the access panel.

b. Select the group to which they should be assigned

14. Ensure that the user or user group has access by checking "Users and groups"

Please visit this Azure documentation page for more details.

<Step 2: Configure SAML SSO on Artifactory>

1. Login to Artifactory as an administrator

2. Go to Admin => Security => SAML SSO

3. Use the Artifactory User Guide to configure SAML SSO with the information gathered in steps 9 and 10 of <Configure SAML SSO on Azure Active Directory Premium>

  • SAML Login URL: The identity provider login URL (when you try to log in, the service provider redirects to this URL). This entry should be the same as SINGLE SIGN-ON SERVICE URL in Step 10 of <Configure SAML SSO on Azure Active Directory Premium>

  • SAML Logout URL: The identity provider logout URL (when you try to log out, the service provider redirects to this URL). This entry should be the same as SINGLE SIGN-OUT SERVICE URL in Step 10 of <Configure SAML SSO on Azure Active Directory Premium>

  • SAML Service Provider Name: The Artifactory name in the SAML federation. This entry should be the same as IDENTIFIER (Entity ID) in Step 9 of <Configure SAML SSO on Azure Active Directory Premium>

  • SAML Certificate: The certificate for SAML authentication. (NOTE! The certificate must contain the public key so that Artifactory can verify the signature on the sign-in responses it receives.) This entry should be the same as the text of the certificate downloaded in Step 10 of <Configure SAML SSO on Azure Active Directory Premium>

4. Save

5. Logout from Artifactory (you may need to close the browser)

<Step 3: Test SAML SSO>

1. Go to your Artifactory

2. Click on SSO Login

3. Enter Azure user authentication information, and you will be redirected to Artifactory.

<Sample SAML Request for SSO>

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse"
                     ID="f3a712d4-dc34-4940-9fca-f8851d04d6cb"
                     IsPassive="false"
                     IssueInstant="2016-01-13T01:20:27.385Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     ProviderName="https://supportusw.artifactoryonline.com/supportusw"
                     Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://supportusw.artifactoryonline.com/supportusw</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</saml2p:AuthnRequest>

<Sample SAML Response for SSO>

<samlp:Response ID="_1d1646fd-ad00-4283-aa69-32f0f63ef880"
                Version="2.0"
                IssueInstant="2016-01-13T01:22:31.301Z"
                Destination="https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse"
                InResponseTo="f3a712d4-dc34-4940-9fca-f8851d04d6cb"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/3fc2df3a-58b3-42e1-be53-5dc757bafc99/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <Assertion ID="_95ea96ab-39ca-4316-992a-e9e5a1ce0ef8"
             IssueInstant="2016-01-13T01:22:31.285Z"
             Version="2.0"
             xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/3fc2df3a-58b3-42e1-be53-5dc757bafc99/</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#_95ea96ab-39ca-4316-992a-e9e5a1ce0ef8">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>ywUwsvmhJ4rHUXjVKNHrU85ZF1zaiK5/kNwpicvIbhY=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>fEuZ6p36MvDnmbJFFjrHJsoulE6pjQv6Tm6NggL3JK/pPxxP+fKap0T9YUWWed8hRYx22PPWqNbQcFMAWWO/W3/qefJdgurn+5FwzJhLMoILXuDriBOP/TewkgLBjNa37Ikc/8M6WZCq4ea7AfEbjiYURhY3cQg9P1lW2Npn6BK4tnLrAQhJfOj4K08nXU9p7E8jtgfJ1G3hKH2nKmEqJjFyogYifpM/MUpTaJK40cya9uezYTDr8CzhPHhV8cerVLXgIbDDLiKH2ja4kgBvQWlFPn7MJjppI1CZozNF2Dt5Cfk9iB9QQ0prWEyn8rstbg3nN14COQ69Puei6ZsLxw==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">joshuadhan_outlook.com#EXT#@nonb2cjoshua.onmicrosoft.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="f3a712d4-dc34-4940-9fca-f8851d04d6cb"
                                 NotOnOrAfter="2016-01-13T01:27:31.285Z"
                                 Recipient="https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2016-01-13T01:17:31.191Z" NotOnOrAfter="2016-01-13T02:17:31.191Z">
      <AudienceRestriction>
        <Audience>https://supportusw.artifactoryonline.com/supportusw</Audience>
      </AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>3fc2df3a-58b3-42e1-be53-5dc757bafc99</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>eb74b7d6-d1ec-4bb6-9ee8-1d48ac5ad6b5</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <AttributeValue>Joshua Han</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>live.com</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>Joshua</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>Han</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>youremail@company.com</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>youremail@company.com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2016-01-13T01:22:30.000Z" SessionIndex="_95ea96ab-39ca-4316-992a-e9e5a1ce0ef8">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
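The request and response above show why the values in Azure step 9/10 and Artifactory Step 2 have to line up: Artifactory's Issuer must equal Azure's IDENTIFIER, the AssertionConsumerServiceURL must equal the REPLY URL, the response Issuer must equal the SAML ENTITY ID, and the Audience must equal the SAML Service Provider Name. The following Python is an added example (not JFrog's or Microsoft's code) that parses a constructed, abbreviated copy of this exchange with the attribute statement, digest, signature value and certificate removed, and reports every field that disagrees with the settings pasted into Artifactory. It checks only the structural fields and the validity window; signature verification is what Artifactory does with the configured SAML Certificate and is not reimplemented here.

```python
"""Cross-check an Azure AD SAML exchange against the Artifactory SAML SSO settings."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the page's AuthnRequest with the optional attributes dropped.
AUTHN_REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  ID="f3a712d4-dc34-4940-9fca-f8851d04d6cb" IssueInstant="2016-01-13T01:20:27.385Z"
  AssertionConsumerServiceURL="https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse"
  ProviderName="https://supportusw.artifactoryonline.com/supportusw">
  <saml2:Issuer>https://supportusw.artifactoryonline.com/supportusw</saml2:Issuer>
</saml2p:AuthnRequest>"""

# Constructed sample: the page's Response with the attribute statement, digest,
# signature value and certificate removed (an empty ds:Signature stands in).
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  ID="_1d1646fd-ad00-4283-aa69-32f0f63ef880" IssueInstant="2016-01-13T01:22:31.301Z"
  Destination="https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse"
  InResponseTo="f3a712d4-dc34-4940-9fca-f8851d04d6cb">
  <Issuer>https://sts.windows.net/3fc2df3a-58b3-42e1-be53-5dc757bafc99/</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="_95ea96ab-39ca-4316-992a-e9e5a1ce0ef8" Version="2.0" IssueInstant="2016-01-13T01:22:31.285Z">
    <Issuer>https://sts.windows.net/3fc2df3a-58b3-42e1-be53-5dc757bafc99/</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">youremail@company.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="f3a712d4-dc34-4940-9fca-f8851d04d6cb"
          NotOnOrAfter="2016-01-13T01:27:31.285Z"
          Recipient="https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2016-01-13T01:17:31.191Z" NotOnOrAfter="2016-01-13T02:17:31.191Z">
      <AudienceRestriction><Audience>https://supportusw.artifactoryonline.com/supportusw</Audience></AudienceRestriction>
    </Conditions>
  </Assertion>
</samlp:Response>"""

# What Step 2 of the page says to enter in Artifactory, taken from the sample exchange.
ARTIFACTORY_SETTINGS = {
    "sp_name": "https://supportusw.artifactoryonline.com/supportusw",  # SAML Service Provider Name
    "acs_url": "https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse",  # Reply URL
    "idp_entity_id": "https://sts.windows.net/3fc2df3a-58b3-42e1-be53-5dc757bafc99/",  # Azure SAML ENTITY ID
}

def parse_ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z and an optional fraction."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def azure_values_from_request(request_xml):
    """The IDENTIFIER and REPLY URL for Azure step 9, read from what Artifactory actually sends."""
    req = ET.fromstring(request_xml)
    return {"IDENTIFIER": req.find("saml:Issuer", NS).text.strip(),
            "REPLY URL": req.get("AssertionConsumerServiceURL"),
            "request_id": req.get("ID")}

def check_response(response_xml, request_xml, artifactory, now):
    """List every way the response disagrees with the Artifactory settings (empty list = consistent)."""
    now = parse_ts(now) if isinstance(now, str) else now
    req = azure_values_from_request(request_xml)
    resp = ET.fromstring(response_xml)
    findings = []
    status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != "urn:oasis:names:tc:SAML:2.0:status:Success":
        findings.append(f"Status is {status}")
    if resp.get("Destination") != artifactory["acs_url"]:
        findings.append("Destination != Reply URL / ACS")
    if resp.get("InResponseTo") != req["request_id"]:
        findings.append("Response InResponseTo != AuthnRequest ID (unsolicited response)")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element"]
    for issuer in (resp.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text.strip() != artifactory["idp_entity_id"]:
            findings.append("Issuer != Azure SAML ENTITY ID")
    # Presence only: Artifactory verifies the signature with the pasted SAML Certificate.
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion is unsigned; Artifactory cannot verify it with the SAML Certificate")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != artifactory["acs_url"]:
        findings.append("SubjectConfirmationData Recipient != Reply URL / ACS")
    if scd is not None and scd.get("InResponseTo") != req["request_id"]:
        findings.append("SubjectConfirmationData InResponseTo != AuthnRequest ID")
    if scd is not None and now >= parse_ts(scd.get("NotOnOrAfter")):
        findings.append("bearer confirmation expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        findings.append("now is outside Conditions NotBefore/NotOnOrAfter")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text.strip() != artifactory["sp_name"]:
        findings.append("Audience != SAML Service Provider Name")
    return findings
```

Running `check_response(RESPONSE, AUTHN_REQUEST, ARTIFACTORY_SETTINGS, "2016-01-13T01:22:40Z")` returns an empty list; changing `sp_name` to anything else reports only the Audience mismatch, and a `now` past 02:17:31Z reports both the bearer confirmation and the Conditions window as expired. To check a real login, paste the request and response captured by Artifactory's SAML debug logging in place of the two constructed strings.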