ARTIFACTORY: How To Configure Artifactory SAML SSO with Azure AD

Nitay Marciano
2023-01-22 11:06

Here’s what you will need to do in order to integrate your JFrog platform with Azure Active Directory using SAML SSO.

On Azure:

1. In the Azure portal, on the JFrog Artifactory application integration page, find the Manage section and select Single sign-on and then select SAML.
User-added image

2. On the "Set up Single Sign-On with SAML" page, click the Edit icon for Basic SAML Configuration to edit the settings:

User-added image

In theIdentifiertext box, enter your JFrog Platform URL:

$JFROG-URL/ui/login

For JFrog Cloud users that would be:

https://.jfrog.io/ui/login

In theReply URLtext box, enter the SAML URL for your JFrog Platform service:

$JFROG-URL/artifactory/webapp/saml/loginResponse

For JFrog Cloud users that would be:

https://.jfrog.io/artifactory/webapp/saml/loginResponse
In theSign-on URLtext box, enter the login URL for your JFrog Platform:
$JFROG-URL/ui/login
For JFrog Cloud users that would be:
https://.jfrog.io/ui/login
3. If needed, click the Edit icon to open the User Attributes & Claims dialog to add custom mappings to your SAML token attributes configuration. This will be needed on JFrog side, as can be seen later in this document.
User-added image

4. In the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, locate the Certificate (Base64) and Download it to your computer. You will need to insert the certificate on the JFrog Platform later.

User-added image

5. In the Set up JFrog Artifactory section, copy the appropriate URLs based on your requirement.

User-added image

On JFrog Platform:

With Azure Active Directory configured, we can now set up theSAML SSOon the JFrog Platform to work with it. In the Administration module, go to Security | SAML SSO, enable SAML integration, and enter the needed information as in the screenshot and the steps below:
User-added image
  • Enter theSAML LoginandLogout URLs that were provided to you in the Setup JFrog Artifactory section.
  • SAML Service Provider Name, enter what you have as the Identifier on the Azure side (which should be the base URL of your JFrog Platform service):
https://.jfrog.io/ui/login
  • Enter the Base64 certificate previously downloaded from the SAML Signing Certificate section.
  • Enter the user attributes for group and email (accessible from Azure side, step 3):
    • The Group Attribute in the SAML login XML response.
    • The Email Attribute is for when “Auto Create Artifactory Users” is enabled or an internal user exists, Artifactory will set the user's email to the value in this attribute that is returned by the SAML login XML response, as can be seen in the following image:

User-added image

  • Select other options as shown and click Save.

Notes Regarding the configuration:

  • Kindly note that the “SAML Logout URL” is responsible for what will happen once you log out as a SAML user. Therefore, in the above example, the user will be logged out of other Azure applications as well. Should you want to only log out of your JFrog Platform, replace the logout URL with: $JFROG-URL/ui/login/ (hence the difference in the two screenshots).
  • 自动创建Artifactory用户——当组,authenticated users are automatically created in Artifactory. When not set, for every request from an SSO user, the user is temporarily associated with default groups (if such groups are defined), and the permissions for these groups apply. Without automatic user creation, you must manually create the user inside Artifactory to manage user permissions not attached to their default groups.
  • Allow Created Users Access To Profile Page – Auto created users will have access to their profile page and will be able to perform actions such as generating an API key

Should you want more information, you can review Microsoft'stutorial, or the followingblog poston our website: