Overview

SAML (Security Assertion Markup Language) is an XML standard that allows you to exchange user authentication and authorization information between web domains.

The JFrog Platform offers a SAML-based Single Sign-On service allowing federated JFrog partners (identity providers) full control over the authorization process. 

Using SAML, the JFrog Platform acts as a service provider that receives users' authentication information from external identity providers. In this case, the JFrog Platform is no longer responsible for authenticating the user, although it still has to redirect the login request to the identity provider and verify the integrity of the identity provider's response.

Security Best Practice

When enabling SAML SSO, it is recommended to disable internal users.

WebUI Changes implemented in Artifactory 7.38.x and above

Security is now called Authentication Providers. All the relevant text and images on this page have been updated to reflect this change.

JFrog Cloud New Interface (Beta)

On the taskbar, click the Platform Configurations icon and select User Authentication > SAML SSO. To learn more, click here.

JFrog Subscription Levels

Cloud (SaaS): Enterprise, Enterprise+
Self-Hosted: Pro, Pro X, Enterprise X, Enterprise+
SAML SSO Configuration


To use SAML-based SSO: 

  1. Log in to the system with administrator privileges.

  2. In the Administration module, go to Authentication Providers | SAML SSO.

    JFrog Cloud New Interface (Beta)

    On the taskbar, click the Platform Configurations icon and select User Authentication > SAML SSO. To learn more, click here.

  3. Enable the SAML integration by checking the Enable SAML Integration checkbox. 

  4. Enable or disable Auto Create Artifactory Users (Using SAML login). If enabled, new users will persist in the database. 

  5. Enable or disable Allow Created Users Access to Profile Page. If enabled, users will be able to access their profile without having to provide a password.

  6. Provide the SAML Login URL and SAML Logout URL.

    SAML Logout URL

    To simultaneously log out from your SAML provider and the JFrog Platform, you need to set your provider's logout URL correctly in the SAML Logout URL field. Setting this incorrectly will keep your users logged in with the SAML provider even after logging out from the system.

  7. Provide the service provider name (the Platform's name in the SAML federation).

  8. Provide the X.509 certificate that contains the public key. The public key can use either the DSA or RSA algorithms. The Platform uses this key to verify SAML response origin and integrity. Make sure to match the embedded public key in the X.509 certificate with the private key used to sign the SAML response.

Custom URL base

For your SAML SSO settings to work, make sure you have your Custom Base URL configured.

Signed and encrypted Assertions

Make sure your SAML IdP (Identity Provider) provides a signed login Assertion. This is mandatory for the Assertion verification by the Platform.
Signed Logout is currently not supported by the Platform.

Enable SAML Integration
When selected, SAML integration is enabled and users may be authenticated via a SAML server.

SAML Login URL
The SAML login URL.

SAML Logout URL
The SAML logout URL.

SAML Service Provider Name
The SAML service provider name. This should be a URI that is also known as the entityID, providerID, or entity identity in the SAML v2 specification.

Use Encrypted Assertion
When set, an X.509 public certificate will be created by Artifactory. Download this certificate, upload it to your IdP and choose your own encryption algorithm. This process lets you encrypt the assertion section in your SAML response.

SAML Certificate
The X.509 certificate that contains the public key.

Auto Associate Groups
When set, in addition to the groups the user is already associated with, they will also be associated with the groups returned in the SAML login response.
Note that the user's association with the returned groups is not persistent. It is only valid for the current login session in the browser (i.e. this will not work for logins using the SAML user id and API Key).
Also, the association will not be reflected in the UI's Groups settings page. Instead, you can see it by enabling this SAML logger in your $ARTIFACTORY_HOME/var/etc/artifactory/logback.xml file as follows:

<logger name="org.artifactory.addon.sso.saml">
    <level value="debug"/>
</logger>

Group Attribute
The group attribute in the SAML login XML response. Note that the system will search for a case-sensitive match to an existing group.

Email Attribute
If Auto Create Artifactory Users is enabled or an internal user exists, the system will set the user's email to the value of this attribute as returned in the SAML login XML response.

Auto Create Artifactory Users
When set, the system will automatically create new users for those who have logged in using SAML, and assign them to the default groups.

Allow Created Users Access to Profile Page
When selected, users created after authenticating using SAML will be able to access their profile. This means they are able to generate their API Key.
If Auto Create Artifactory Users is enabled, once logged into the system, users can set their password for future use.

Auto Redirect Login Link to SAML Login
When checked, clicking on the login link will direct the users to the configured SAML login URL.

Verify Audience Restriction
A verification step against the SAML server validates SAML SSO authentication requests. The verifyAudienceRestriction attribute for SAML SSO is set by default in the JFrog Platform for new Artifactory installations. When upgrading from a previous Artifactory release, this parameter is disabled only if SAML was already configured.
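To make the effect of the Verify Audience Restriction, Group Attribute and Email Attribute settings concrete, here is an added illustration (not JFrog's code) of the checks a service provider applies to an already signature-verified login response. The response below is a constructed sample; the attribute names `memberOf` and `mail` and the SP name are assumptions standing in for whatever you configured.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, not a real IdP response. The Signature element is omitted because
# these checks run only after the platform has verified the signature with the X.509 cert.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-06-01T12:00:00Z" NotOnOrAfter="2023-06-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://yourcompany.jfrog.io/yourcompany</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>readers</saml:AttributeValue>
        <saml:AttributeValue>Deployers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_instant(value):
    """Parse a SAML UTC timestamp such as 2023-06-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def process_login_response(xml_text, sp_name, group_attr, email_attr, existing_groups,
                           now, verify_audience=True):
    """Validity window, audience restriction, then email/group attribute extraction."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not (parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if verify_audience:
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_name not in audiences:
            raise ValueError(f"audience {audiences} does not name this service provider")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "username": assertion.find("saml:Subject/saml:NameID", NS).text,
        "email": attrs.get(email_attr, [None])[0],
        # Case-sensitive match: "Deployers" does not map to an existing group "deployers".
        "session_groups": [g for g in attrs.get(group_attr, []) if g in existing_groups],
    }
```

Note that the returned groups apply to the browser session only, which is what the Auto Associate Groups description above means by "not persistent".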

SAML SSO Configuration with Okta


This procedure describes how to configure Artifactory SAML SSO with Okta.

To use SAML SSO with Okta:

  1. Log in to Okta with administrator privileges.
  2. In the Administration module, select Add Application | Create New App | SAML 2.0.

  3. Enter the App name: <desired_app_name>, and click Next.
  4. In the SAML Settings enter the following:
    • Single Sign-On URL for Artifactory 6.X versions:

      https://${ARTIFACTORY_URL}/webapp/saml/loginResponse

      Example: https://yourcompany.jfrog.io/yourcompany/webapp/saml/loginResponse
    • Single Sign-On URL for Artifactory 7.X versions:

      https://${ARTIFACTORY_URL}/ui/api/v1/auth/saml/loginResponse

      Example: https://yourcompany.jfrog.io/ui/api/v1/auth/saml/loginResponse
    • Audience URI (SP Entity ID):

      https://${ARTIFACTORY_URL}

      Example: https://yourcompany.jfrog.io/yourcompany

    • Name ID Format: Unspecified
    • Application username: Okta username

      You can log into Artifactory with Okta by using the local part of a user's email address as the username (i.e. "admin" from "admin@company.com"). To do so, choose Custom instead of Okta username and add String.substringBefore(user.email, "@") into the Custom Rule.

  5. Click Next and then click Finish.
    The SAML 2.0 frame is displayed under the Settings frame.
  6. Click View Setup Instructions.
  7. Copy the data from the text boxes and paste them in Artifactory's SAML SSO settings.

To use SAML SSO with Artifactory: 

  1.  Log into Artifactory with administrator privileges.
  2.  From Administration | Authentication Providers | SAML Integration, fill in the Artifactory fields with the corresponding Okta values:

    Okta value                               Artifactory field
    Identity Provider Single Sign-On URL     SAML Login URL
    https://<Account_Name>.okta.com          SAML Logout URL
    Identity Provider Issuer                 SAML Service Provider Name
    X.509 Certificate                        SAML Certificate
  3. Click Save.
  4. Logout from Artifactory and go to the Login page.
  5. Click SSO Login.

Okta users need to be assigned permissions for Artifactory. For more information see Group Sync (for Artifactory versions 5.3.0 and above).



SAML-Based SSO Login Process

  1. The user attempts to reach a hosted JFrog Platform home page.

  2. The Platform generates a SAML authentication request.

  3. The SAML request is encoded and embedded into the identity provider URL.

  4. The Platform sends a redirect to the user's browser. The redirect URL includes the encoded SAML authentication request that should be submitted to the identity provider.

  5. The identity provider decodes the SAML message and authenticates the user. The authentication process can proceed by asking for valid login credentials or by checking for valid session cookies.

  6. The identity provider generates a SAML response that contains the authenticated user's username. In accordance with the SAML 2.0 specification, this response is digitally signed with the identity provider's private DSA/RSA key.

  7. The identity provider encodes the SAML response and returns that information to the user's browser. The identity provider redirects back to the Platform with the signed response. 

  8. The Platform’s ACS verifies the SAML response using the partner's public key. If the response is successfully verified, the ACS redirects the user to the destination URL. 

  9. The user has been redirected to the destination URL and is logged in to the Platform. 



SAML-Based SSO Logout Process

  1. The user attempts to reach a hosted JFrog Platform logout link. 
  2. The Platform logs the client out and generates a SAML logout request. 
  3. The Platform redirects to the identity provider with the encoded SAML logout request.
  4. The identity provider decodes the SAML message and logs the user out.
  5. The user is redirected to the configured URL in the identity provider. 


Profiles and Bindings

The JFrog Platform currently supports the Web Browser SSO and Single Logout Profiles. 

The Web Browser SSO Profile uses HTTP redirect binding to send the AuthnRequest from the service provider to the identity provider, and HTTP POST to send the authentication response from the identity provider to the service provider. 

Similar to the previous profile, the Single Logout Profile uses HTTP redirect binding to send the LogoutRequest from the service provider to the identity provider and HTTP POST to send the logout response from the identity provider to the service provider. 
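Steps 2 to 5 of the login process above and the HTTP redirect binding described in this section can be shown end to end. The following is an added example, not JFrog's implementation: the SP and IdP URLs are constructed placeholders, and the AuthnRequest is left unsigned because the metadata XML on this page declares AuthnRequestsSigned="false".

```python
import base64
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

# Constructed values (not from the page): a hypothetical service provider and IdP.
SP_ENTITY_ID = "https://yourcompany.jfrog.io/yourcompany"        # SAML Service Provider Name
ACS_URL = "https://yourcompany.jfrog.io/ui/api/v1/auth/saml/loginResponse"
IDP_LOGIN_URL = "https://idp.example.invalid/sso/saml"              # SAML Login URL field

def build_authn_request(request_id="_example-request-id"):
    """Step 2: the SP builds the AuthnRequest naming itself and its ACS URL."""
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )

def deflate_b64(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def inflate_b64(param):
    """Inverse of deflate_b64, as the IdP performs it."""
    return zlib.decompress(base64.b64decode(param), -15).decode()

def build_redirect_url(authn_request_xml, relay_state="/ui/"):
    """Steps 3 and 4: embed the encoded request in the URL the browser is redirected to."""
    query = urlencode({"SAMLRequest": deflate_b64(authn_request_xml), "RelayState": relay_state})
    sep = "&" if urlparse(IDP_LOGIN_URL).query else "?"
    return f"{IDP_LOGIN_URL}{sep}{query}"

def decode_redirect_url(url):
    """Step 5 on the IdP side: recover the request and read where the response must be POSTed."""
    params = parse_qs(urlparse(url).query)
    root = ET.fromstring(inflate_b64(params["SAMLRequest"][0]))
    ns = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
    return {"issuer": root.find("saml:Issuer", ns).text,
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "relay_state": params["RelayState"][0]}

if __name__ == "__main__":
    print(decode_redirect_url(build_redirect_url(build_authn_request())))
```

An IdP compares the recovered acs_url and issuer against the registered service provider (the Single Sign-On URL and Audience URI entered in Okta above) before it will POST a signed response there.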

If your IDP supports uploading service provider metadata, you can use the following metadata XML:

Artifactory SP metadata XML

<ns2:EntityDescriptor xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<SP_NAME_IN_FEDERATION>">
    <ns2:SPSSODescriptor WantAssertionsSigned="true" AuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <ns2:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</ns2:NameIDFormat>
        <ns2:AssertionConsumerService index="1" Location="<PLATFORM_URL>/artifactory/webapp/saml/loginResponse" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    </ns2:SPSSODescriptor>
</ns2:EntityDescriptor>

To use the service provider metadata:

Do not forget to update the following fields in the service provider metadata XML:

  • entityID: the Platform ID in the federation. Must match SAML Service Provider Name in the Platform's SAML configuration page.
  • Location: the Platform home URL.

After SAML Setup

Using SAML, the Platform automatically redirects the request to the IdP, which authenticates the user and, after a successful login, redirects back to the Platform.

If Anonymous User is enabled, the Platform doesn’t have to authenticate the user therefore it doesn’t redirect to the IDP. If the user still wants to sign in through SAML, they can do so by clicking the SSO login link in the login page.

Login Failure

In case of IDP failover or bad configuration, the JFrog Platform allows you to bypass SAML login by using the JFrog Platform login page:

http://<SERVER_HOSTNAME>:8082/ui/login

This URL can be used by internal users who need to log in directly to the JFrog Platform.


Using API Key with SAML Users

While SAML provides access to the JFrog Platform UI, SAML users can also generate an API Key that can be used instead of a password for basic authentication or in a dedicated REST API header. This is very useful when working with different clients (e.g. Docker, npm, Maven) or with the REST API.

In order to allow SAML users access to an API key you will need to make sure that the Auto Create Artifactory Users and Allow Created Users Access To Profile Page check boxes are checked. This means that SAML users are also saved in the Platform database and can access their User Profile in order to generate, retrieve and revoke their API key.


Copyright © 2023 JFrog Ltd.