Managing Users with SCIM

Overview

JFrog provides Enterprise and Enterprise+ customers with the ability to manage user access to the Platform through the System for Cross-domain Identity Management (SCIM 2.0) protocol, which is designed to make managing user identities easier.

The SCIM protocol complements SSO (such as SAML), which allows to receive updates regarding users’ statuses. The JFrog Platform implements the parts of SCIM 2.0 required for creating, deleting, enabling, and disabling users. We have used Okta and Azure Active Directory (AD) to verify this capability.

Requirements

To implement the JFrog SCIM protocol, you will need the following:

JFrog Platform 7.17.0 (and above)
Enterprise or Enterprise+ license installed
Authentication tool (e.g., Okta, Azure AD) with provisioning mode enabled

User Names

User names are the unique identifiers for users in Access. User names are case insensitive.

Implemented Endpoints

The JFrog Platform implements the subset of SCIM 2.0 endpoints that are required to support the following scenarios.

Create user
Disable user/ Re-enable user
Get users

For more information, see Artifactory REST APIs.

JFrog Subscription Levels

CLOUD (SaaS)

_{ENTERPRISE ENTERPRISE+}

SELF-HOSTED

_{ENTERPRISE X ENTERPRISE+}

Page Contents

Getting Started

Generate an Admin Access Token

To implement SCIM with any authentication tool, you will need to generate an admin access token in the JFrog Platform, and then use that token in the authentication tool setup.

In the JFrog Platform, create an admin token by navigating to Admin | Identity and Access | Access Tokens.
Click +Generate Admin Token.
This displays the Generate Admin Token dialog.
In the Select Service field, select Artifactory.
In the Set token expiry field, select Never Expires.
Click Generate
Copy the generated token.
Security Note
The token can be revoked at any time via the same page. As with any other security token, it is recommended to revoke the token and recreate it occasionally for security reasons. The authentication tool configuration should be adjusted accordingly.
Go to the authentication tool you will be using with SCIM and follow the steps for that tool.

Supported Scenarios

The JFrog SCIM implementation currently supports the following scenarios.

Disabling and Re-Enabling Users Using SCIM

Using SCIM, you can disable and re-enable users in the JFrog Platform.

Go to the identity provider tool (Okta, Azure Active Directory, etc.), and select the relevant provisioning. If the SCIM option does not appear, refer to the relevant documentation for additional information (Okta, Azure).
In the Provisioning section, set the following details according to the tool. The steps below are examples of the tools you can use.

Okta

Go to the Provisioning tab.
Set the options Update User Attributes and the Deactivate Users to the To App settings.
Go to the Integration page.
Set the SCIM connector base URL to: https://<Artifactory_URL>/access/api/v1/scim/v2
In the Unique identifier field for users, enter userName.
In the Supported provisioning actions field, select the option Push Profile Updates.
From the Authentication Mode dropdown, select HTTP Header and then paste the admin token you created in the JFrog Platform (see Generate an Admin Access Token).

For more information, refer to the Okta tutorial how to configure the SCIM application.

Azure AD

Navigate to Provisioning | Getting started | Automatic.
Enter the Tenant URL: https://<Artifactory_URL>/access/api/v1/scim/v2
In the Secret Token field, enter the admin access token from your JFrog Platform.
Click Test Connection and wait for the message that confirms that the credentials are authorized to enable provisioning.
Click Save.
Turn on Provisioning Status, and click Save again.

For more information, refer to the Azure AD tutorial on how to configure the SCIM application.

The application's assignments will now be synchronized with the Access database per each disable/re-enable of a user.

Content

Space Tools