ARTIFACTORY: How do I configure Artifactory SAML SSO with ADFS 2022?
Please use our Wiki – SAML SSO Integration to configure your Artifactory to use ADFS Single Sign-On (SSO). In addition, you may refer to the sample walk-through below, which we created to configure ADFS Management 10.0 with Artifactory.
Artifactory 5.3.0 and above supports syncing Artifactory groups with the groups carried in the SAML assertion forwarded by ADFS. A common use case is to reuse your LDAP groups and their Artifactory permissions; the prerequisite is that the LDAP groups have already been imported into Artifactory.
Please note: LDAP groups are imported into Artifactory with lowercase names only, while the group names in a SAML assertion keep whatever case Active Directory uses, and Artifactory compares the two case-sensitively. As a workaround, give the Active Directory groups lowercase names so that the groups from the SAML assertion and the Artifactory (internal or imported) groups match and the sync works.
SAMPLE WALK-THROUGH
1. Open the ADFS Management Console.
2. In the tree browser on the left, navigate to "Relying Party Trusts".
3. Click "Add Relying Party Trust" (under the "Actions" pane on the right side of the console).
4. In the "Add Relying Party Trust Wizard" dialog, select "Claims aware", then click "Start".
5. Select "Enter data about the relying party manually" and click "Next".
6. Choose any "Display name" and click "Next".
7. You can skip the certificate page and click "Next".
8. Check "Enable support for the SAML 2.0 WebSSO protocol" and in the URL textbox fill in: "https://{PLATFORM_URL}/artifactory/webapp/saml/loginResponse", then click "Next".
   (Example of {PLATFORM_URL}: https://yourcompany.jfrog.io/yourcompany or https://yourcompany.local:8443/artifactory)
9. In the "Relying party trust identifier" textbox fill in: "https://{PLATFORM_URL}", click "Add", then click "Next".
10. Choose "Permit everyone" and click "Next".
11. Click "Next".
12. Click "Close".
13. In the "Edit Claim Issuance Policy" dialog, click "Add Rule…".
14. In the "Claim rule template" dropdown, choose "Send LDAP Attributes as Claims" and click "Next".
15. Fill in any "Claim rule name" and in the "Attribute store" dropdown choose "Active Directory".
16. In the "Mapping of LDAP attributes…" section, under "LDAP Attribute" choose "SAM-Account-Name" or "E-Mail-Addresses"; under "Outgoing Claim Type" choose "Name ID" and click "Finish".
17. Add another rule, this time choosing "Transform an Incoming Claim", and click "Next".
18. Fill in a name, set "Incoming claim type" to "E-Mail Address" and "Outgoing claim type" to "Name ID", then click "Finish".
   Note: you can set "Incoming claim type" to "Windows account name" instead if you want the Artifactory user name to be the Windows account name rather than the email address.
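The ADFS side of the walk-through, as an added PowerShell example that is not part of the original article: it is the scripted equivalent of steps 1 through 18, run in an elevated PowerShell session on the ADFS server (Windows Server 2016 or later, which provides the ADFS module and the built-in "Permit everyone" access control policy). The trust name "Artifactory", the placeholder URLs in the first lines and the output file name are assumptions. Steps 13 to 18 are collapsed into one "Send LDAP Attributes as Claims" rule that reads mail and sAMAccountName plus one "Transform an Incoming Claim" rule that turns E-Mail Address into Name ID. The last part exports the ADFS Token-Signing certificate as PEM, which is the certificate the "SAML Certificate" field on the Artifactory side expects.

```powershell
# Added example (not from the JFrog article): scripted equivalent of the ADFS
# relying party trust walk-through above. Run in an elevated PowerShell session
# on the ADFS server. The values below are assumptions; replace them.
Import-Module ADFS

$platformUrl = 'https://yourcompany.local:8443/artifactory'   # {PLATFORM_URL}
$acsUrl      = "$platformUrl/webapp/saml/loginResponse"        # step 8: SAML 2.0 WebSSO URL
$identifier  = $platformUrl                                    # step 9: relying party trust identifier
$trustName   = 'Artifactory'                                   # step 6: display name (assumption)

# Step 8: Artifactory receives the SAML response by HTTP-POST at the loginResponse URL.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl

# Steps 13-18 in ADFS claim rule language. Rule 1 ("Send LDAP Attributes as
# Claims") reads mail and sAMAccountName for the authenticated user; rule 2
# ("Transform an Incoming Claim") turns E-Mail Address into Name ID, which is
# the value Artifactory uses as the user name. To log in as DOMAIN\user
# instead (the note under step 18), make rule 2 match the windowsaccountname
# claim type instead of emailaddress.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD attributes for Artifactory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,sAMAccountName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Steps 2-12: create the trust. "Permit everyone" is the built-in access
# control policy chosen in step 10; it only decides who may obtain a token.
# Authorization inside Artifactory still comes from Artifactory groups.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $transformRules

# Verify what was created.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, AccessControlPolicyName, @{n='ACS'; e={ $_.SamlEndpoints.Location }}

# Export the primary Token-Signing certificate as PEM. This is the X.509
# certificate pasted into Artifactory's "SAML Certificate" field: Artifactory
# verifies the assertion signature with it, so re-run this part after a
# token-signing certificate rollover and paste the new certificate again.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`n-----END CERTIFICATE-----"
Set-Content -Path '.\adfs-token-signing.pem' -Value $pem    # output file name is an assumption
```

The wizard route and the script produce the same trust; the script is easier to review and to re-apply on a second ADFS farm. Only the public Token-Signing certificate is exported (no private key), which is all Artifactory needs to verify signatures.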
Artifactory Side and Certificate allocation:
In your Artifactory UI, log in as your "admin" user, navigate in the "Admin" tab to the "SAML Integration" section and perform the following steps:
1. Check the "Enable SAML Integration" checkbox.
2. In the "SAML Login URL" textbox fill in: "https://{ADFS_SERVER_URL}/adfs/ls/IdpInitiatedSignOn.aspx"
3. In the "SAML Logout URL" textbox fill in: "https://{ADFS_SERVER_URL}/adfs/ls?logout"
4. In the "SAML Service Provider Name" textbox fill in: "https://{PLATFORM_URL}" (this must match the relying party trust identifier entered in step 9 above).
5. In the "SAML Certificate" textbox, paste the X.509 certificate of your ADFS server in PEM (Base64) form. This is the ADFS Token-Signing certificate; Artifactory uses it to verify the signature on the assertions ADFS sends. If ADFS rolls over its token-signing certificate (automatic certificate rollover is enabled by default), the new certificate must be pasted here again or SSO logins will start failing.
6. Click "Save" (the group attribute can be set on Artifactory 5.3.0 and above; see the Groups sync section below).
7. Navigate to the "General" section (left tree browser), in the "Custom URL Base" textbox fill in: "https://{PLATFORM_URL}" and click "Save".
8. Log out of the Artifactory UI and then try to log in using "SSO Login".
Groups sync (Artifactory 5.3.0 and above)
Note: this group sync is not persistent when configured with SAML only: the group membership taken from the assertion applies to the SSO session and is not stored as a permanent membership in Artifactory (see the JFrog wiki page SAML SSO: //www.si-fil.com/confluence/display/JFROG/SAML+SSO).
1. In the ADFS Management Console, using the tree browser on the left, navigate to "Claims Provider Trusts" → "Active Directory".
2. Choose "Edit Claim Rules…".
3. Select "Outbound LDAP Rule" and click "Edit Rule…". Add the following mapping for your Active Directory attributes:
   "Token-Groups – Unqualified Names" → "Group"
   Click "OK" to save.
4. In the tree browser on the left, navigate to "Relying Party Trusts" and select your Artifactory relying party trust (as configured above). We will create another transform rule for the group claim.
5. Add another rule by clicking "Add Rule…" again, choose "Transform an Incoming Claim" and click "Next".
6. Choose a name for the transform rule. Set "Incoming claim type" to "Group" and "Outgoing claim type" to an attribute of your choosing; we will use the "Group" attribute (the attribute name is configurable in Artifactory). Click "Finish".
7. Go to your Artifactory UI, log in as your "admin" user, navigate to "SAML Integration" and set the group attribute to the claim type you chose. ADFS sends claim types as full URIs, so for the "Group" claim it must be set to "http://schemas.xmlsoap.org/claims/Group", not just "Group".
* Internal Artifactory groups are case-sensitive, and so are the group names arriving in the SAML assertion, so make sure the names match exactly. Also, LDAP groups imported into Artifactory exist in lowercase only.
For example, I have created a group in Artifactory called 'adfs-artifactory' with admin permissions.
Then, in Active Directory, I created a group with the same name and added myself as a member.
Now, when I log into Artifactory via the UI with SAML, I have admin permissions.
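The group sync steps above, as an added PowerShell example that is not part of the original article, run on the ADFS server. Instead of editing the Active Directory claims provider trust and then transforming the claim on the relying party (steps 1 to 6), it issues the Group claim directly from the Artifactory relying party trust; the assertion Artifactory receives carries the same "http://schemas.xmlsoap.org/claims/Group" claim. It then checks the case-sensitivity caveat by comparing each Artifactory group name against the Active Directory group of the same name. The trust name "Artifactory" and the group name "adfs-artifactory" are assumptions taken from the walk-through; the Active Directory module is assumed to be installed on the host.

```powershell
# Added example (not from the JFrog article): scripted equivalent of the group
# sync steps above, run on the ADFS server. Issues the Group claim straight
# from the Artifactory relying party trust rather than via the AD claims
# provider trust. Trust name and group names are assumptions.
Import-Module ADFS
Import-Module ActiveDirectory

$trustName  = 'Artifactory'
$groupClaim = 'http://schemas.xmlsoap.org/claims/Group'   # value for Artifactory's group attribute (step 7)

# tokenGroups is the LDAP attribute behind "Token-Groups - Unqualified Names":
# the bare group name with no domain prefix, which is what Artifactory
# compares, case-sensitively, against its own group names.
$groupRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AD groups for Artifactory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$groupClaim"), query = ";tokenGroups;{0}", param = c.Value);
"@

# Append the rule to whatever issuance rules the trust already has.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n`n" + $groupRule)

# Check the caveat from the text: Artifactory group names and the names in the
# assertion must match exactly, including case, and imported LDAP groups are
# lowercase. AD resolves names case-insensitively, so the -Filter lookup finds
# a group that differs only by case; -cne is PowerShell's case-sensitive
# not-equal and exposes the mismatch before anyone tries to log in.
$artifactoryGroups = @('adfs-artifactory')    # groups defined in Artifactory (assumption)
foreach ($g in $artifactoryGroups) {
    $adGroup = Get-ADGroup -Filter "Name -eq '$g'"
    if (-not $adGroup) {
        Write-Warning "No Active Directory group named '$g'; nobody will receive this Artifactory group via SAML."
    } elseif ($adGroup.Name -cne $g) {
        Write-Warning "AD group '$($adGroup.Name)' arrives in the assertion with that casing and will not match Artifactory group '$g'; rename one of them."
    } else {
        Write-Output "OK: AD group '$g' matches the Artifactory group exactly."
    }
}

# Show the rules now in force on the trust.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

The case check is worth keeping as a routine task: a group renamed in Active Directory with different capitalisation silently stops mapping in Artifactory, because the SAML login still succeeds and only the group membership is lost.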
