Page tree
Skip to end of metadata
Go to start of metadata


The Single Sign-on (SSO) Add-on allows you to reuse exiting HTTP-based SSO infrastructures with Artifactory, such the SSO modules offered by Apache HTTPd.

You can have Artifactory's authentication work with commonly available SSO solutions, such as native NTLM or Kerberos. SSO works by letting Artifactory know what trusted information it should look for in the HTTP request, assuming this request has already been authenticated by the SSO infrastructure, which sits in front of Artifactory.

Page Contents


The Single Sign-On (SSO) Add-on is available in the Admin tab under Security | HTTP SSO

To enable SSO you must alert Artifactory that it is running behind a secure HTTP server that forwards trusted requests to it. 

Then you must tell Artifactory where the request is in order to look for trusted authentication information.

The default is to look for a REMOTE_USER header or the request variable, which is set by Apache's AJP and JK connectors.

You can choose to use any request attribute (as defined by the Servlet specification) by providing a different variable name.

Adding Your Own SSO Integration

You can write a simple servlet filter to integrate with custom security systems and set a request attribute on the request to be trusted by the SSO add-on.

Finally, you can instruct Artifactory to treat externally authenticated users as temporary users, so that Artifactory does not create them in its security database.

In this case, permissions for such users are based on the permissions given to auto-join groups.



Field NameDescription
Artifactory is Proxied by a Secure HTTP ServerWhen this checkbox is marked, Artifactory trusts incoming requests and reuses the remote user originally set on the request by the SSO of the HTTP server.

This is extremely useful if you want to use exiting enterprise SSO integrations, such as the powerful authentication schemes provided by Apache (mod_auth_ldap, mod_auth_ntlm, mod_auth_kerb, etc.).

When Artifactory is deployed as a webapp on Tomcat behind Apache:
  • If using mod_proxy_ajp, make sure to set tomcatAuthentication="false" on the AJP connector.
  • If using mod_jk, make sure to use the "JkEnvVar REMOTE_USER" directive in Apache's config.
Remote User Request VariableThe name of the HTTP request variable to use for extracting the user identity. Default is: REMOTE_USER.
Auto Create Artifactory Users

When automatic user creation is unchecked, authenticated users are not automatically created inside Artifactory. Instead, for every request from a SSO user, the user is temporarily associated with default groups (if such groups are defined) and the permissions for these groups apply.

Without auto user creation, you must manually create the user inside Artifactory to manage user permissions not attached to its default groups.

Configuring Apache for SSO

For details on how to configure your webserver in order to run Artifactory with SSO, please refer to Setting Up a Reverse SSL Proxy for SSO.

Integrating Apache and Tomcat

When Artifactory is deployed as a webapp on Tomcat behind Apache:

  • If using mod_proxy_ajp - Make sure to set tomcatAuthentication="false" on the AJP connector.
  • If using mod_jk - Make sure to use the JkEnvVar REMOTE_USER directive in Apache's configuration.
  • If using mod_proxy (requires mod_proxy_http, mod_headers and mod_rewrite - There are two known working methods that forward the header:
RequestHeader set REMOTE_USER %{REMOTE_USER}e


RewriteEngine On
    RewriteCond %{REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
  • No labels