SAML (Security Assertion Markup Language) is an XML standard that allows you to exchange user authentication and authorization information between web domains.
JFrog’s Artifactory offers a SAML-based Single Sign-On service that gives federated Artifactory partners (identity providers) full control over the authentication process.
Using SAML, Artifactory acts as the service provider and receives user authentication information from an external identity provider.
In this case Artifactory no longer authenticates the user itself, although it still has to redirect the login request to the identity provider and verify the integrity of the identity provider’s response before trusting it.
SSO is not supported by command line tools
Note that SSO is not supported by command line tools such as npm, because the browser redirects of the Web Browser SSO Profile cannot be performed by a non-interactive client. If you need to authenticate from the command line, consider using LDAP or Active Directory instead.
Artifactory’s SAML configuration
To use SAML-based SSO in Artifactory:
- Log in to Artifactory as an administrator
- Click the Admin tab
- Click “SAML Integration” in the “Security” menu
- Enable the SAML integration by checking the SAML Integration checkbox
- Enable or disable “Auto create Artifactory users” (using SAML login), which persists users that authenticate through SAML but do not yet exist in the Artifactory database
- Provide the identity provider HTTP login redirect URL
- Provide the identity provider HTTP logout redirect URL
NOTE! To log out from the IDP and Artifactory simultaneously, the IDP’s logout URL must be provided in the “SAML Logout” field. Setting any other URL there logs the user out of Artifactory but not of the identity provider, so the IDP session stays valid and the next login request is satisfied from it without a credential prompt.
- Provide the service provider name (Artifactory’s name in the SAML federation)
- Provide the X.509 certificate that contains the identity provider’s public key. The key can use either the DSA or the RSA algorithm. Artifactory uses it to verify the origin and integrity of every SAML response, so the public key embedded in the certificate must match the private key the identity provider uses to sign its SAML responses; otherwise signature verification, and therefore login, fails.
Understanding Artifactory's SAML-based SSO Login Process
- The user attempts to reach the home page of a hosted Artifactory instance.
- Artifactory generates a SAML authentication request (AuthnRequest).
- The SAML request is encoded and embedded into the identity provider URL.
- Artifactory sends a redirect to the user's browser. The redirect URL includes the encoded SAML authentication request, which the browser submits to the identity provider.
- The identity provider decodes the SAML message and authenticates the user, either by asking for valid login credentials or by checking for valid session cookies.
- The identity provider generates a SAML response that contains the authenticated user's username. In accordance with the SAML 2.0 specification, this response is digitally signed with the identity provider’s private DSA/RSA key.
- The identity provider encodes the SAML response and returns it to the user's browser, which submits the signed response back to Artifactory.
- Artifactory’s Assertion Consumer Service (ACS) verifies the signature on the SAML response using the partner's public key (the X.509 certificate configured above). If verification succeeds, the ACS redirects the user to the destination URL; if it fails, the login is rejected.
- The user arrives at the destination URL and is logged in to Artifactory.
Artifactory’s SAML-based SSO login process.
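The login flow above, as an added example that is not Artifactory's own code: the service-provider side in Python, standard library only. It builds the AuthnRequest, applies the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding) that the redirect step and the Profiles section describe, decodes it the way the IDP would, and then runs the checks an ACS must make on the posted Response before trusting the username. The entity IDs, URLs, sample Response and clock value are constructed assumptions. One deliberate omission: the XML signature is only checked for presence, because verifying it needs an XML-DSig library; a real ACS verifies it against the configured X.509 certificate before any other check.

```python
# Added example (not Artifactory code): SP side of the SAML Web Browser SSO flow.
import base64
import datetime
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC, "Z"-suffixed

# Assumed (hypothetical) deployment values.
SP_ENTITY_ID = "artifactory"
ACS_URL = "https://artifactory.example.com/artifactory/webapp/saml/loginResponse"
IDP_ENTITY_ID = "https://idp.example.com/saml"
IDP_LOGIN_URL = "https://idp.example.com/saml/sso"
DEMO_NOW = datetime.datetime(2024, 1, 1, 0, 1, 0)  # assumed clock, inside the sample window


def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest; its ID must come back in the Response's InResponseTo."""
    return ('<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="{rid}" '
            'Version="2.0" IssueInstant="{ts}" Destination="{idp}" '
            'AssertionConsumerServiceURL="{acs}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            '<saml:Issuer>{sp}</saml:Issuer></samlp:AuthnRequest>'
            ).format(rid=request_id, ts=issue_instant, idp=IDP_LOGIN_URL,
                     acs=ACS_URL, sp=SP_ENTITY_ID, **NS)


def redirect_url(authn_request_xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                                    "RelayState": relay_state})
    return IDP_LOGIN_URL + "?" + query


def decode_redirect(url):
    """IDP side: reverse the binding and return the request ID it must echo back."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    return ET.fromstring(raw).get("ID")


def check_response(response_xml, expected_request_id, now):
    """ACS side: return the NameID, or raise ValueError naming the first failed check.
    Signature verification against the configured X.509 certificate needs an XML-DSig
    library (e.g. python-xmlsec) and is not emulated here; a real ACS does it first."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion")
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        raise ValueError("unsigned response")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our AuthnRequest (replay?)")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IDP reported a non-success status")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unexpected IDP")
    cond = assertion.find("saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion is not addressed to this service provider")
    not_before = datetime.datetime.strptime(cond.get("NotBefore"), TS)
    not_after = datetime.datetime.strptime(cond.get("NotOnOrAfter"), TS)
    if not (not_before <= now < not_after):
        raise ValueError("assertion outside its validity window")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def rejection_reason(response_xml, expected_request_id, now):
    """None if the Response is accepted, otherwise the reason string (handy for audit logs)."""
    try:
        check_response(response_xml, expected_request_id, now)
        return None
    except ValueError as err:
        return str(err)


# Constructed sample Response (not captured from a real IDP); the empty
# ds:Signature stands in for the real signature this example cannot produce.
SAMPLE_RESPONSE = '''<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:30Z"
    InResponseTo="_req1" Destination="{acs}">
  <saml:Issuer>{idp}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{ok}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:30Z">
    <saml:Issuer>{idp}</saml:Issuer>
    <ds:Signature/>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>'''.format(acs=ACS_URL, idp=IDP_ENTITY_ID, ok=SUCCESS, sp=SP_ENTITY_ID, **NS)

if __name__ == "__main__":
    url = redirect_url(build_authn_request("_req1", "2024-01-01T00:00:00Z"))
    print("IDP decoded request ID:", decode_redirect(url))
    print("ACS accepted user:", check_response(SAMPLE_RESPONSE, "_req1", DEMO_NOW))
```

The InResponseTo, Destination and Audience checks are what stop a Response captured for another service provider, or an old one replayed later, from being accepted even when its signature is genuine; the validity window is why the Artifactory host's clock must be in sync with the IDP's.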
Understanding the Artifactory's SAML-based SSO Logout Process
- The user clicks the logout link of a hosted Artifactory instance.
- Artifactory logs out the client and generates a SAML logout request (LogoutRequest).
- Artifactory redirects the browser to the identity provider with the encoded SAML logout request.
- The identity provider decodes the SAML message and logs out the user.
- The user is redirected to the URL configured in the identity provider.
Artifactory’s SAML-based SSO logout process.
Artifactory Profiles and Bindings
Artifactory currently supports the Web Browser SSO and Single Logout profiles.
The Web Browser SSO Profile uses the HTTP-Redirect binding to send the AuthnRequest from the service provider to the identity provider and the HTTP-POST binding to send the authentication Response from the identity provider to the service provider.
Similarly, the Single Logout Profile uses the HTTP-Redirect binding to send the LogoutRequest from the service provider to the identity provider and the HTTP-POST binding to send the LogoutResponse from the identity provider to the service provider.
If your IDP supports uploading service provider metadata, you can use the following metadata XML:
NOTE! Before uploading the service provider metadata, update the following fields in the XML:
- entityID - Artifactory’s ID in the federation
- Location - Artifactory's home URL (the host to which the identity provider sends its responses)
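What such service provider metadata looks like, as an added illustration rather than the page's own XML: the two endpoints carry the HTTP-POST binding because, per the Profiles section, the identity provider delivers both the authentication Response and the LogoutResponse by POST (the Redirect binding for the requests Artifactory sends is declared in the IDP's metadata, not here). The host name and the loginResponse/logoutResponse paths are assumptions; replace the entityID and both Location values with your own, as the note above says.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; hypothetical host and endpoint paths -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="artifactory">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Receives the LogoutResponse from the IDP (Single Logout Profile, HTTP-POST) -->
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://artifactory.example.com/artifactory/webapp/saml/logoutResponse"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <!-- Receives the signed authentication Response from the IDP (Web Browser SSO Profile, HTTP-POST) -->
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://artifactory.example.com/artifactory/webapp/saml/loginResponse"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

The Location values are what the identity provider will compare against the Destination of the Responses it signs, so they must match the externally visible Artifactory URL exactly (scheme, host and path), not an internal address behind a reverse proxy.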
After SAML Setup
With SAML enabled, Artifactory automatically redirects login requests to the IDP, which authenticates the user and, after a successful login, redirects back to Artifactory. If the "Anonymous User" is enabled, Artifactory does not need to authenticate the user and therefore does not redirect to the IDP; a user who still wants to sign in through SAML can click the "SSO login" link on the login page.
In case of IDP failover or misconfiguration, Artifactory allows you to bypass the SAML login by going directly to Artifactory's own login page: http://<ARTIFACTORY_URL>/webapp/login.html. Because this page keeps local (non-SAML) accounts usable alongside SAML, the local administrator credentials remain a valid way in and should be protected accordingly.