Artifactory Binary Repository
RTFACT-27049

SAML SSO users not mapped to groups


    Details

    • Type: Bug
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: 7.37.14
    • Fix Version/s: None
    • Component/s: SAML SSO
    • Labels:

      Description

      We are trying to map users to groups upon logging in through SAML SSO. It looks like the users are mapped to the groups (the user can see Repositories only a user that is part of a certain group can see), but we cannot pull images as the user has "no such permission":


      After logging into podman we do a podman pull:


      podman pull REPOSITORY.HOSTNAME/FOLDER/IMAGE:latest --tls-verify=false


      These images are being pulled from remote repositories.

      We get the following error:


      [.r.ArtifactoryResponseBase:144] [http-nio-8081-exec-1] - Sending HTTP error code 403: Download request for repo:path 'REDACTED-remote-cache:REDACTED-FOLDER/REDACTED-IMAGE/latest/list.manifest.json' is forbidden for user: 'company-rw-user'.


      We are using Keycloak, where we have the users mapped to their respective groups. In Artifactory, we set up groups so that the groups have the same names in both Keycloak and Artifactory.

      Example:

      Keycloak user:

      • company-rw-user

      Keycloak group:

      • company-rw

      Artifactory group:

      • company-rw

      The group (company-rw) has the following permissions: Read, Annotate, Deploy/Cache.

      We added the following to our logback.xml:


      <logger name="org.artifactory.addon.sso.saml">
          <level value="debug"/>
      </logger>

      We could then verify that the groups are correctly tied to our user:

      [http-nio-8081-exec-2] - Decoded login response: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://REDACTED-HOSTNAME/ui/api/v1/auth/saml/loginResponse" ID="REDACTEDID" IssueInstant="REFACTED"<saml:Issuer>https://REFACTED/auth/realms/mycompanyrealm</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><dsig:Reference URI="redacted"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www....
      [DEBUG] [21bbe5dd58318c63] [o.a.a.s.s.SamlHandlerImpl:153 ] [http-nio-8081-exec-2] - handleLoginResponse with id: null
      [DEBUG] [21bbe5dd58318c63] [o.a.a.s.s.SamlHandlerImpl:177 ] [http-nio-8081-exec-2] - resolved number of SAML groups: '1'
      [DEBUG] [21bbe5dd58318c63] [o.a.a.s.s.SamlHandlerImpl:183 ] [http-nio-8081-exec-2] - resolved SAML email: 'company-rw-user@mycompany.net'
      [DEBUG] [21bbe5dd58318c63] [o.a.a.s.s.SamlHandlerImpl:187 ] [http-nio-8081-exec-2] - resolved SAML user: 'company-rw-user'
      [WARN ] [21bbe5dd58318c63] [.o.SingleSignOnServiceImpl:118] [http-nio-8081-exec-2] - Couldn't verify token. Reason parse
      [DEBUG] [10f9b881512a3b0a] [o.a.a.s.s.SamlHandlerImpl:525 ] [http-nio-8081-exec-8] - XML login request '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://HOSTNAME/artifactory/webapp/saml/loginResponse" ID="redacted" IsPassive="false" IssueInstant="redacted" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="artifactory-test" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">artifactory-test</saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/></saml2p:AuthnRequest>' with ID redcated
      [DEBUG] [183531039a7d1112] [o.a.a.s.s.SamlHandlerImpl:233 ] [ttp-nio-8081-exec-10] - Sending SAML logout request

      Even though it looks like the SAML group was resolved, we still cannot pull images. However, when we manually add the user to the respective group (company-rw-user to company-rw) through the UI, it works and we can pull images just fine. So something seems off with the way users are tied to SAML groups.


      Reproduction steps:
      1) Set up Keycloak as illustrated in the attached screenshots
      2) Setup SAML settings as illustrated in the attached screenshots
      3) Setup HTTP Docker subdomains as illustrated in the attached screenshots
      4) Create a group and a user in Keycloak (make the user a member of the group)
      5) Create a group in Artifactory with permissions "r","n","w"
      6) Add a repository that the group will have permissions: "r","n","w"
      7) Login to podman: `podman login REPOSITORY.HOSTNAME/FOLDER/IMAGE:latest --tls-verify=false`
      8) Pull image: `podman pull REPOSITORY.HOSTNAME/FOLDER/IMAGE:latest --tls-verify=false`

      What are we doing wrong here? It seems like the SAML flow is working; users are clearly mapped to our groups as per the resolved SAML login response shown above. It's a pretty big showstopper if we have to manually assign users to their groups at every user login, thus the high priority bump.
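As an added triage example (not part of this report or of Artifactory), the script below correlates the SAML debug lines above with the 403 download denial: it flags users whose login resolved one or more SAML groups but who were still denied a download, which is exactly the symptom described. The log line shapes and the 16-hex-digit trace id after the level are assumed from the excerpts, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the excerpts in the report (not real logs).
SAMPLE_LOG = """\
[DEBUG] [21bbe5dd58318c63] [o.a.a.s.s.SamlHandlerImpl:177 ] [http-nio-8081-exec-2] - resolved number of SAML groups: '1'
[DEBUG] [21bbe5dd58318c63] [o.a.a.s.s.SamlHandlerImpl:183 ] [http-nio-8081-exec-2] - resolved SAML email: 'company-rw-user@mycompany.net'
[DEBUG] [21bbe5dd58318c63] [o.a.a.s.s.SamlHandlerImpl:187 ] [http-nio-8081-exec-2] - resolved SAML user: 'company-rw-user'
[WARN ] [21bbe5dd58318c63] [.o.SingleSignOnServiceImpl:118] [http-nio-8081-exec-2] - Couldn't verify token. Reason parse
[.r.ArtifactoryResponseBase:144] [http-nio-8081-exec-1] - Sending HTTP error code 403: Download request for repo:path 'example-remote-cache:folder/image/latest/list.manifest.json' is forbidden for user: 'company-rw-user'.
[.r.ArtifactoryResponseBase:144] [http-nio-8081-exec-3] - Sending HTTP error code 403: Download request for repo:path 'example-remote-cache:folder/image/latest/list.manifest.json' is forbidden for user: 'local-user'.
"""

# Trace id: the 16-hex-digit token printed after the log level (assumed from the excerpt).
TID = r"\[(?P<tid>[0-9a-f]{16})\]"
GROUPS_RE = re.compile(TID + r".*resolved number of SAML groups: '(?P<n>\d+)'")
USER_RE = re.compile(TID + r".*resolved SAML user: '(?P<user>[^']+)'")
WARN_RE = re.compile(TID + r".*Couldn't verify token")
DENY_RE = re.compile(r"HTTP error code 403: Download request for repo:path "
                     r"'(?P<path>[^']+)' is forbidden for user: '(?P<user>[^']+)'")


def parse_saml_logins(lines):
    """Group the per-login SAML debug lines by trace id; keep only logins with a user."""
    logins = defaultdict(dict)
    for line in lines:
        if m := GROUPS_RE.search(line):
            logins[m["tid"]]["groups"] = int(m["n"])
        elif m := USER_RE.search(line):
            logins[m["tid"]]["user"] = m["user"]
        elif m := WARN_RE.search(line):
            logins[m["tid"]]["token_warning"] = True
    return {tid: v for tid, v in logins.items() if "user" in v}


def find_group_mapping_gaps(lines):
    """Return 403 download denials for users whose SAML login resolved >= 1 group."""
    by_user = {v["user"]: v for v in parse_saml_logins(lines).values()}
    gaps = []
    for line in lines:
        if not (m := DENY_RE.search(line)):
            continue
        # A denied user with no SAML login in the window (local-user above) is not a mapping gap.
        login = by_user.get(m["user"])
        if login and login.get("groups", 0) > 0:
            gaps.append({"user": m["user"], "path": m["path"],
                         "groups": login["groups"],
                         "token_warning": login.get("token_warning", False)})
    return gaps
```

Run it over a window of artifactory-service.log around a failed pull; a hit whose login also carries the "Couldn't verify token" warning is the case worth attaching to the ticket.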

      People

      Assignee: Unassigned
      Reporter: chunkymonky Hansen