Using SAML as Identity Provider in Automated Flows

Valeriy Petrov
2019-06-13 11:19

Description:

Artifactory supports several authentication protocols, including LDAP and SAML, so that you can use your organizational directory service or identity provider (IdP). This lets you manage users and groups in your directory service and leaves only permission management to Artifactory. If your Artifactory server is configured to work with SAML, for example, a user who logs in to the Artifactory UI through a web browser is redirected to the SAML provider to enter a username and password. Besides handling the authentication itself, the SAML provider also sends Artifactory the list of groups associated with the user. This allows Artifactory to grant all of the user's permissions, whether they are user-based or group-based. The groups fetched from SAML are kept for the entire login session.

For Automation: 

All of the above relies on an active user who is redirected to the SAML login page and provides a password. But what happens when no user is actively involved in the authentication? For example, what if we need to grant Artifactory access to "non-user" entities such as a CI/CD server job, scripted clients, or JFrog clients like the JFrog CLI? In such cases it is often better to use access tokens instead of a user with Basic auth, either because we want a transient user, or because we do not want to embed SAML credentials in our automation scripts and clients.

The problem:

Unlike LDAP, SAML offers no group import. Instead, during the login session Artifactory creates a mapping between the user and its groups (internal Artifactory groups as well as groups defined in your SAML provider). When authentication is done with an access token or API key, there is no way to redirect to SAML. Since we cannot get an authentication response from SAML without passing credentials, we cannot obtain a response containing the user's groups and map them to the user's groups in Artifactory, as we can with an LDAP service.

Possible Solutions: 

  1. One possible solution is to use admin credentials to create a token with a member-of-groups scope. When generating an access token for a SAML user (or a transient user that does not exist in Artifactory), you can explicitly specify internal group names, for example "scope=member-of-groups:group a,group b". Such a token is granted access according to the permissions of the listed groups, "group a" and "group b" in the example.


Example API call to create such a token:


$ curl -uadmin:password -XPOST "http://localhost:8081/artifactory/api/security/token" -d "username=ci-job" -d 'scope=member-of-groups:"group a","group b"'
{
  "scope" : "member-of-groups:\"group a\",\"group b\" api:*",
  "access_token" : "eyJ2ZXIiOiIyIi...",
  "expires_in" : 3600,
  "token_type" : "Bearer"
}
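As an added example (not part of the original article and not JFrog's own tooling) of automating the first solution: the script below builds the member-of-groups scope with the quoting that group names containing spaces need, requests the token with admin Basic auth and a short expiry, and rejects a token whose returned scope lists groups other than the ones requested. The base URL default and the ARTIFACTORY_URL environment variable are assumptions; the username and group names are those of the curl example above.

```python
import base64
import json
import os
import re
import urllib.parse
import urllib.request

# Assumed: the URL default and env-var name are ours, not from the article.
ARTIFACTORY_URL = os.environ.get("ARTIFACTORY_URL", "http://localhost:8081/artifactory")
# Constructed sample of the JSON the token endpoint returns (token truncated).
SAMPLE_RESPONSE = {"scope": 'member-of-groups:"group a","group b" api:*',
                   "access_token": "eyJ2ZXIiOiIyIi...", "expires_in": 3600,
                   "token_type": "Bearer"}

def member_of_groups_scope(groups):
    """Build the scope value; group names containing spaces must be double-quoted."""
    parts = []
    for name in groups:
        if '"' in name or "," in name:
            raise ValueError(f"unsupported character in group name: {name!r}")
        parts.append(f'"{name}"' if " " in name else name)
    return "member-of-groups:" + ",".join(parts)

def token_request_body(username, groups, expires_in=3600):
    """Form body for POST /api/security/token; keep the expiry short for CI jobs."""
    return urllib.parse.urlencode({"username": username,
                                   "scope": member_of_groups_scope(groups),
                                   "expires_in": str(expires_in)})

def groups_from_scope(scope):
    """Recover the group names from the scope string the server echoes back."""
    item = r'(?:"[^"]*"|[^,\s"]+)'
    found = re.search(rf"member-of-groups:({item}(?:,{item})*)", scope)
    return [g.strip('"') for g in re.findall(r'"[^"]*"|[^,]+', found.group(1))] if found else []

def check_token_response(resp, requested_groups):
    """Accept the token only if it carries exactly the groups we asked for."""
    granted = set(groups_from_scope(resp["scope"]))
    if granted != set(requested_groups):
        raise RuntimeError(f"scope mismatch: wanted {sorted(requested_groups)}, got {sorted(granted)}")
    return resp["access_token"]

def create_token(username, groups, admin_user, admin_password, expires_in=3600):
    """Live call with admin Basic auth (needs a reachable server; not run offline)."""
    req = urllib.request.Request(f"{ARTIFACTORY_URL}/api/security/token", method="POST",
                                 data=token_request_body(username, groups, expires_in).encode())
    cred = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as r:
        return check_token_response(json.load(r), groups)
```

Read the admin credentials from a secret store or environment variables rather than hard-coding them; the returned token is what the CI job sends as a Bearer header.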


  2. Another possible solution is to assign and manage permissions at the user level in Artifactory. A user who is assigned the desired permissions directly does not require retrieving the permissions of the group(s) he is a member of.