How do I configure Artifactory SAML SSO with ADFS?

Please use our Wiki - SAML SSO Integration to configure Artifactory to use ADFS Single Sign-On (SSO). In addition, you may refer to the Sample Walk-Through below, which we created for ADFS 3.0. Note that some dialogs and option names differ if you are using ADFS 2.0.

Artifactory 5.3.0 and above support syncing Artifactory groups with the groups carried in the SAML assertion forwarded by ADFS. A common use case is syncing your LDAP groups, and the permissions attached to them in Artifactory, this way; the prerequisite is that the LDAP groups have already been imported into Artifactory.

Please note: LDAP groups are imported into Artifactory in lowercase only, whereas group names in the SAML assertion keep whatever case they have in Active Directory, and Artifactory matches them exactly. As a workaround, make sure the group names are lowercase on both sides so that the SAML groups and the Artifactory (internal or imported) groups match and the sync works.

 

SAMPLE WALK-THROUGH

1.     Open the ADFS Management Console.

2.     In the tree browser on the left, navigate to "Trust Relationships" → "Relying Party Trusts".

3.     Click on "Add Relying Party Trust" (Under the "Actions" window on the right side of the console).

4.     In the "Add Relying Party Trust Wizard" dialog, click "Start".

5.     Select "Enter data about the relying party manually" and click "Next".

6.     Choose any "Display name" and click "Next".

7.     Choose "ADFS profile" and click "Next".

8.     Click "Next".

9.     Choose "Enable support for the SAML 2.0 WebSSO protocol" and in the URL textbox fill in: "https://{ARTIFACTORY_URL}/webapp/saml/loginResponse" and click "Next".

(Example of {ARTIFACTORY_URL}: https://yourcompany.jfrog.io/yourcompany or https://yourcompany.local:8443/artifactory )

10.   In the "Relying party trust identifier" textbox fill in: "https://{ARTIFACTORY_URL}" and click "Add", click "Next".

11.   Choose "I do not want to configure multi-factor authentication settings..." and click "Next".

12.   Choose "Permit all users to access this relying party" and click "Next".

13.   Click "Next".

14.   Choose "Open the Edit Claim Rules dialog..." and click "Close".

15.   In the "Edit Claim Rules for <Display name>" dialog, click "Add Rule...".

16.   In the "Claim rule template" dropdown, choose "Send LDAP Attributes as Claims" and click "Next".

17.   Fill in any "Claim rule name" and in the "Attribute store" dropdown choose "Active Directory".

18.   In the "Mapping of LDAP attributes..." section, under "LDAP Attribute" choose "SAM-Account-Name" or "E-Mail-Addresses"; under "Outgoing Claim Type" choose "Name ID" and click "Finish".

19.   Click "OK".

20.   Create a transform rule for the user claim: click "Add Rule..." again, this time choose "Transform an Incoming Claim" and click "Next".

21.   Fill in any name, set "Incoming claim type" to "E-Mail Address" and "Outgoing claim type" to "Name ID", then click "Finish". This rule only acts on an "E-Mail Address" claim that is actually issued; if step 18 already maps the LDAP attribute straight to "Name ID", the transform has nothing to consume and either rule on its own is enough to produce the Name ID.

  • You can set "Incoming claim type" to "Windows account name" instead if you want your Artifactory user names to be the Windows account names rather than the email addresses.
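The ADFS-side steps of this walk-through, scripted with the ADFS PowerShell module, as an added example (this is not JFrog's or Microsoft's code; it assumes ADFS 3.0 or later and an elevated PowerShell session on the ADFS server). The Artifactory host name, trust name and output path are placeholders; the claim type URIs are the ones ADFS uses for the claims chosen in the wizard. The last part exports the ADFS token-signing certificate as Base64 X.509, which is the certificate the "SAML Certificate" field on the Artifactory side expects.

```powershell
# Added example, not from the JFrog article: relying party trust for Artifactory
# built with the ADFS module. Placeholder values are assumptions; replace them.
Import-Module ADFS

$ArtifactoryUrl = 'https://artifactory.example.com/artifactory'   # assumed {ARTIFACTORY_URL}
$TrustName      = 'Artifactory'                                   # display name (step 6)
$Identifier     = $ArtifactoryUrl                                 # relying party trust identifier (step 10)
$AcsUrl         = "$ArtifactoryUrl/webapp/saml/loginResponse"     # SAML 2.0 WebSSO URL (step 9)

# Claim type URIs ADFS uses for the claims picked in the wizard.
$EmailClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$NameIdClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$WinAcctClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Step 18: "Send LDAP Attributes as Claims", here mail -> E-Mail Address.
# (Use query ";sAMAccountName;{0}" and $WinAcctClaim as the type to key users on the
# Windows account name instead.)
# Steps 20-21: "Transform an Incoming Claim", E-Mail Address -> Name ID.
$IssuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail to E-Mail Address"
c:[Type == "$WinAcctClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$EmailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID"
c:[Type == "$EmailClaim"]
 => issue(Type = "$NameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Step 12: "Permit all users to access this relying party".
$AuthorizationRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Steps 5-10: create the trust with its SAML assertion consumer endpoint.
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0
Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier $Identifier -SamlEndpoint $Acs `
    -IssuanceTransformRules $IssuanceRules -IssuanceAuthorizationRules $AuthorizationRules

# Artifactory verifies the assertion signature, so it must trust the ADFS *token-signing*
# certificate (not the service-communications or token-decrypting one). During a key
# rollover there can be two; the primary one is the one currently signing.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
@('-----BEGIN CERTIFICATE-----', [Convert]::ToBase64String($der, 'InsertLineBreaks'), '-----END CERTIFICATE-----') |
    Set-Content -Path .\adfs-token-signing.pem -Encoding ascii   # paste into "SAML Certificate"
```

The here-strings are the same claim rule language the wizard writes; you can compare them with "View Rule Language..." in the Edit Claim Rules dialog after the trust is created.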

Artifactory Side and Certificate allocation:

In your Artifactory UI, login as your "admin" user and navigate in the "Admin" tab to the "SAML Integration" section and perform the following steps:

1.     Check the "Enable SAML Integration" checkbox.

2.     In the "SAML Login URL" textbox fill in: "https://{ADFS_SERVER_URL}/adfs/ls/IdpInitiatedSignOn.aspx"

3.     In the "SAML Logout URL" textbox fill in: "https://{ADFS_SERVER_URL}/adfs/ls?logout"

4.     In the "SAML Service Provider Name" textbox fill in: "https://{ARTIFACTORY_URL}"

5.     In the "SAML Certificate" textbox, paste the ADFS token-signing certificate as Base64-encoded X.509. On the ADFS server this is the "Token-signing" entry under "Service" → "Certificates"; the service-communications and token-decrypting certificates will not verify the assertion signature.

6.     Click "Save".

7.     Navigate to the "General" section under "Configuration" (left tree browser) and in the "Custom URL Base" textbox fill in: "https://{ARTIFACTORY_URL}" and click "Save". Artifactory builds the URLs it sends to ADFS from this base, so it must match the relying party identifier and login response URL configured in ADFS above.

8.     Logout Artifactory UI and then try to log in using "SSO Login".

Groups sync (Artifactory 5.3.0 and above)

1. On the ADFS management console, using the tree browser on the left, navigate to "Claims Provider Trusts" → "Active Directory".

2. Choose "Edit Claim Rules...".

3. Select the "Outbound LDAP Rule" and click "Edit Rule...". Add the following mapping for your Active Directory attributes:

"Token-Groups - Unqualified Names" → "Group"

Click "OK" to save.

4. In the tree browser on the left, navigate to "Trust Relationships" → "Relying Party Trusts" and select your Artifactory relying party trust (as configured above). We will create a transform rule for the group claim.

5. Click "Edit Claim Rules...", then "Add Rule...". This time choose "Transform an Incoming Claim" and click "Next".

6. Fill in any name, set the "Incoming claim type" field to "Group" and set "Outgoing claim type" to an attribute name of your choosing; we will use "memberOf" (the attribute name is configurable in Artifactory). Click "Finish".

7. Go to your Artifactory UI, log in as your "admin" user, navigate in the "Admin" tab to the "SAML Integration" section, and set the group attribute field to exactly the name you chose for the outgoing claim ("memberOf" in this walk-through), then click "Save".

*  Internal Artifactory groups are case sensitive, and so are the group names arriving in the SAML assertion, so make sure the names match exactly. Also, LDAP groups imported into Artifactory exist in lowercase only.
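The group sync steps above scripted the same way, as an added example (not JFrog's or Microsoft's code), followed by a pre-flight check for the case-sensitivity note: it compares one user's AD group names with the groups Artifactory reports from its GET /api/security/groups endpoint and warns about names that match only case-insensitively, which is exactly the mismatch that stops the sync. The trust name, URL and attribute name are placeholders; the ADFS and ActiveDirectory PowerShell modules are assumed to be installed on the ADFS server, and the Artifactory admin credential is prompted for.

```powershell
# Added example, not from the JFrog article: scripts the group-sync steps and then
# checks for the case mismatch the note warns about. Placeholder values are assumptions.
Import-Module ADFS
Import-Module ActiveDirectory

$TrustName      = 'Artifactory'                                  # relying party created earlier (assumed)
$ArtifactoryUrl = 'https://artifactory.example.com/artifactory'  # assumed {ARTIFACTORY_URL}
$GroupAttribute = 'memberOf'                                     # must equal Artifactory's group attribute setting
$GroupClaim     = 'http://schemas.xmlsoap.org/claims/Group'
$WinAcctClaim   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Steps 1-3: on the "Active Directory" claims provider trust, emit Token-Groups - Unqualified
# Names (LDAP attribute tokenGroups) as Group claims. Appending to the existing acceptance
# rules keeps the default pass-through rules intact; Set- alone would replace them all.
$TokenGroupsRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Token-Groups unqualified names to Group"
c:[Type == "$WinAcctClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$GroupClaim"), query = ";tokenGroups;{0}", param = c.Value);
"@
$cp = Get-AdfsClaimsProviderTrust -Name 'Active Directory'
Set-AdfsClaimsProviderTrust -TargetName 'Active Directory' `
    -AcceptanceTransformRules ($cp.AcceptanceTransformRules + "`n" + $TokenGroupsRule)

# Steps 4-6: on the Artifactory relying party, transform Group -> memberOf, appended to the
# issuance rules created for the user claim.
$GroupTransformRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Group to $GroupAttribute"
c:[Type == "$GroupClaim"]
 => issue(Type = "$GroupAttribute", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $GroupTransformRule)

# Pre-flight check for the case-sensitivity note: tokenGroups yields group sAMAccountNames with
# their AD casing, Artifactory matches them exactly, and imported LDAP groups are lowercase.
# Compare a test user's AD groups against the group names Artifactory knows about.
function Test-ArtifactoryGroupCase {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][pscredential]$ArtifactoryAdmin
    )
    $adGroups = (Get-ADPrincipalGroupMembership -Identity $SamAccountName).SamAccountName
    # Artifactory answers the admin-only endpoint with a Basic challenge, which -Credential satisfies.
    $rtGroups = (Invoke-RestMethod -Uri "$ArtifactoryUrl/api/security/groups" -Credential $ArtifactoryAdmin).name
    foreach ($g in $adGroups) {
        if ($rtGroups -ccontains $g) { continue }          # exact, case-sensitive match: this group will sync
        $ci = $rtGroups | Where-Object { $_ -ieq $g }       # same name in a different case: this one will NOT sync
        if ($ci) { Write-Warning "AD group '$g' matches Artifactory group '$ci' only case-insensitively; rename one side." }
    }
}
# Test-ArtifactoryGroupCase -SamAccountName jdoe -ArtifactoryAdmin (Get-Credential)
```

Run the check for a user in each group you expect to sync before turning group association on; a warning means the assertion will carry the group but Artifactory will silently not associate it.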