How do I configure Artifactory SAML SSO with Azure AD?

<Step 1: Configure SAML SSO on Azure Active Directory Premium>

1. Go to portal.azure.com

2. New => Security + Identity => Active Directory

3. New window will open (Add directory). Fill in the required information.

3.5 (Optional)

This step is optional but recommended, because it makes the user name more recognizable.

4. Activate Azure Active Directory Premium (at the time of writing, Premium was required to configure single sign-on for a custom application; see the Azure documentation)

5. After Premium is enabled, reload the directory's Quick Start page and click "Add an Application", or use the following steps:


To configure an application, sign into the Azure management portal using your Azure Active Directory administrator account, and browse to the Active Directory > [Directory] > Applications section, select Add, and then Add an application from the gallery. 

6. Choose Custom and give a name

7. Click on Configure Single Sign-on

8. Choose SSO method. In this example, we will choose Microsoft Azure AD Single Sign-On 

9. Configure Single Sign-on (example shown below)

a. Enter IDENTIFIER (also known as Entity ID). This is the unique ID that identifies the Service Provider, i.e. Artifactory. It must be exactly the value you enter as SAML Service Provider Name in Artifactory's SAML SSO configuration: Artifactory sends it as the Issuer of its authentication request and Azure echoes it back as the Audience of the assertion, so the two must match character for character (including any trailing slash).

b. Enter REPLY URL (also known as the Assertion Consumer Service URL). This must be <ARTIFACTORY_URL>/webapp/saml/loginResponse, using the HTTPS address by which users reach Artifactory. Azure POSTs the signed response to this URL and also stamps it into the response's Destination and Recipient fields, which the service provider is required to check against its own address.

10. Copy down the following information from the Azure’s “Configure Single Sign-On” screen (see a sample screenshot below):

  • ISSUER URL
  • SINGLE SIGN-ON SERVICE URL
  • SINGLE SIGN-OUT SERVICE URL
  • Signing certificate (the Base64 text of the downloaded certificate file)

11. Check the “Confirm that you have configured single sign-on…” box as shown in the screenshot above

12. Go to the next step to finish the setup

13. Assign access to each user individually, or allow users to assign themselves access with the following steps:

a. Click Save, then go to Configure

b. Set "ALLOW SELF-SERVICE APPLICATION ACCESS" to "YES". With Yes, any user in the directory can self-assign access to this application from the Access Panel, which means anyone in the directory can obtain an Artifactory login. For a production instance, prefer leaving this at No and assigning users or groups explicitly.

14. Ensure that the user or user group has Access by checking “Users and Groups”

* Please visit this Azure documentation page for more details.

<Step 2: Configure SAML SSO on Artifactory>

1. Login to Artifactory as an administrator

2. Go to Admin => Security => SAML SSO

3. Following the Artifactory User Guide, configure SAML SSO with the information gathered in steps 9 and 10 of <Configure SAML SSO on Azure Active Directory Premium>:

  • SAML Login URL: The identity provider login URL (on login, Artifactory redirects the browser here). This entry must be the SINGLE SIGN-ON SERVICE URL from Step 10 of <Configure SAML SSO on Azure Active Directory Premium>

  • SAML Logout URL: The identity provider logout URL (on logout, Artifactory redirects the browser here). This entry must be the SINGLE SIGN-OUT SERVICE URL from Step 10 of <Configure SAML SSO on Azure Active Directory Premium>
  • SAML Service Provider Name: Artifactory's name (entity ID) in the SAML federation. This entry must be identical to the IDENTIFIER entered in Step 9a of <Configure SAML SSO on Azure Active Directory Premium>. Artifactory sends it as the Issuer of its AuthnRequest and Azure returns it as the Audience of the assertion, so any difference, even a trailing slash, makes the audience check fail.
  • SAML Certificate: The certificate used to verify the signature on the SAML response/assertion that Azure sends (NOTE! It must contain the public key of Azure's signing certificate). Paste the text of the certificate downloaded in Step 10 of <Configure SAML SSO on Azure Active Directory Premium>. When Azure's signing certificate is rolled over, the new certificate must be pasted here, or logins will start failing.

4. Save

5. Logout from Artifactory (you may need to close the browser)


<Step 3: Test SAML SSO>

1. Go to your Artifactory

2. Click on SSO Login

3. Enter the Azure AD user's credentials. After authentication you are redirected back to Artifactory, logged in as that user.

<Sample SAML Request for SSO>  

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     AssertionConsumerServiceURL="https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse"
                     ID="f3a712d4-dc34-4940-9fca-f8851d04d6cb"
                     IsPassive="false"
                     IssueInstant="2016-01-13T01:20:27.385Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     ProviderName="https://supportusw.artifactoryonline.com/supportusw"
                     Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://supportusw.artifactoryonline.com/supportusw</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="true"
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</saml2p:AuthnRequest>

  

<Sample SAML Response for SSO>  

<samlp:Response ID="_1d1646fd-ad00-4283-aa69-32f0f63ef880"
                Version="2.0"
                IssueInstant="2016-01-13T01:22:31.301Z"
                Destination="https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse"
                InResponseTo="f3a712d4-dc34-4940-9fca-f8851d04d6cb"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/3fc2df3a-58b3-42e1-be53-5dc757bafc99/</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion ID="_95ea96ab-39ca-4316-992a-e9e5a1ce0ef8"
               IssueInstant="2016-01-13T01:22:31.285Z"
               Version="2.0"
               xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>https://sts.windows.net/3fc2df3a-58b3-42e1-be53-5dc757bafc99/</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_95ea96ab-39ca-4316-992a-e9e5a1ce0ef8">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>ywUwsvmhJ4rHUXjVKNHrU85ZF1zaiK5/kNwpicvIbhY=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>fEuZ6p36MvDnmbJFFjrHJsoulE6pjQv6Tm6NggL3JK/pPxxP+fKap0T9YUWWed8hRYx22PPWqNbQcFMAWWO/W3/qefJdgurn+5FwzJhLMoILXuDriBOP/TewkgLBjNa37Ikc/8M6WZCq4ea7AfEbjiYURhY3cQg9P1lW2Npn6BK4tnLrAQhJfOj4K08nXU9p7E8jtgfJ1G3hKH2nKmEqJjFyogYifpM/MUpTaJK40cya9uezYTDr8CzhPHhV8cerVLXgIbDDLiKH2ja4kgBvQWlFPn7MJjppI1CZozNF2Dt5Cfk9iB9QQ0prWEyn8rstbg3nN14COQ69Puei6ZsLxw==</ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIC8DCCAdigAwIBAgIQcbTsHtQC0LVHXTWBgHLp/TANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0xNjAxMTMwMDEwNTJaFw0xODAxMTMwMDEwNTJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwTsXwy+b9oluybq1qlYkHQdTlZUY2IBTLYrScoFcumi/ZQSToXhpV+iOwnAbt6ezHagcDi6xNIP8PNbYfHtY9WFZ7au3MMTqVT8v7oM6EaTK75EIgemw3v+l0HNGuvN02p6q9gCPK6rFGylAtssi55/QyRXPG4sPq6ubsnIj157cHfNRll0Z6lf9jzbz0IBALBmKEpEHvWXUFWJqhFVbfoxFfASxtw7hDdJqvgFjb/xL06tJm9SVhpd0u2o3XVk94F8LbgtTmeJxjoBFLlS2DnAvQUbTNMt58enYGmn1u0HmM3ysSbrJ5/gKjlVH6JFjUNIBszWp/Zv1+MCgii5lwQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAP6FwejXgGJ2buwH/M1kgiM7t+X08MNkAls5QEps/BsWIJS5YWUqqy0JOEsdW6gXJK2QAypUcKVlDRCVMTujgW13e7mMY/PbAZYLsInWM/G252zriZNSwsOAhhE6WAQyC+yjnI2Gpg7AMsNvIIZxs4VtieiFVRphMSURIrwb5G3dzyqzPbvmAFIsKOoJBVvEjm8p9BT1+f4/kHEWDddxRbOHHTA0SZfO5dJM8qiDAALK9dacG0xSX5Sj+FWLQA/9V+7Qlsjd5emIytXuJRftmyBz1fOgtXq5GhZ6mOJhJ117n7zjy5wZhdfq7I931ztkXvI/iplGyKfGZiw9d6xI8A</X509Certificate>
                </X509Data>
            </KeyInfo>
        </ds:Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">joshuadhan_outlook.com#EXT#@nonb2cjoshua.onmicrosoft.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="f3a712d4-dc34-4940-9fca-f8851d04d6cb"
                                         NotOnOrAfter="2016-01-13T01:27:31.285Z"
                                         Recipient="https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse" />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2016-01-13T01:17:31.191Z"
                    NotOnOrAfter="2016-01-13T02:17:31.191Z">
            <AudienceRestriction>
                <Audience>https://supportusw.artifactoryonline.com/supportusw</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
                <AttributeValue>3fc2df3a-58b3-42e1-be53-5dc757bafc99</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
                <AttributeValue>eb74b7d6-d1ec-4bb6-9ee8-1d48ac5ad6b5</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
                <AttributeValue>Joshua Han</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
                <AttributeValue>live.com</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
                <AttributeValue>Joshua</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
                <AttributeValue>Han</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
                <AttributeValue>youremail@company.com</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>youremail@company.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2016-01-13T01:22:30.000Z"
                        SessionIndex="_95ea96ab-39ca-4316-992a-e9e5a1ce0ef8">
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>
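The captured response shows exactly which fields the Step 2 settings are compared against: Destination and Recipient against the REPLY URL, Audience against the SAML Service Provider Name (the Azure IDENTIFIER), Issuer against the ISSUER URL, and the certificate in KeyInfo against the SAML Certificate. Note also that Azure signs the Assertion, not the outer Response. The following Python script is an added example, not Artifactory or JFrog code: it runs those service-provider checks offline over a constructed response modelled on the capture above (same URLs, IDs and timestamps, but a stand-in certificate and a placeholder SignatureValue, since nothing is really signed). Cryptographic XML-DSig verification is deliberately omitted because it needs an xmlsec library; everything else a SAML SP must check is present.

```python
# Added example (not Artifactory/JFrog code): the SP-side checks an Azure AD SAML
# Response has to pass against the values entered in Step 2. Cryptographic XML-DSig
# verification is left out (it needs an xmlsec library); everything else is here.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUEST_ID = "f3a712d4-dc34-4940-9fca-f8851d04d6cb"  # ID of the AuthnRequest captured above
# Constructed stand-in for Azure's signing certificate: NOT a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed stand-in for the Azure signing cert").decode()
SP_CONFIG = {  # typed into Artifactory (Step 2), copied from the Azure screens (Steps 9 and 10)
    "sp_name": "https://supportusw.artifactoryonline.com/supportusw",  # Azure IDENTIFIER
    "acs_url": "https://supportusw.artifactoryonline.com/supportusw/webapp/saml/loginResponse",  # REPLY URL
    "idp_issuer": "https://sts.windows.net/3fc2df3a-58b3-42e1-be53-5dc757bafc99/",  # ISSUER URL
    # pasted as PEM with headers and line breaks, as it comes out of the downloaded .cer file
    "idp_cert": "-----BEGIN CERTIFICATE-----\n" + FAKE_CERT_B64 + "\n-----END CERTIFICATE-----\n",
}

def sample_response(audience=SP_CONFIG["sp_name"]):
    """Constructed Response modelled on the capture above (same IDs, URLs and timestamps);
    SignatureValue is a placeholder because nothing here is really signed."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" ID="_1d1646fd-ad00-4283-aa69-32f0f63ef880"
  Version="2.0" IssueInstant="2016-01-13T01:22:31.301Z" InResponseTo="{REQUEST_ID}" Destination="{SP_CONFIG['acs_url']}">
  <Issuer xmlns="{NS['saml']}">{SP_CONFIG['idp_issuer']}</Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <Assertion xmlns="{NS['saml']}" ID="_95ea96ab-39ca-4316-992a-e9e5a1ce0ef8" Version="2.0" IssueInstant="2016-01-13T01:22:31.285Z">
    <Issuer>{SP_CONFIG['idp_issuer']}</Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo><ds:Reference URI="#_95ea96ab-39ca-4316-992a-e9e5a1ce0ef8"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">youremail@company.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="{REQUEST_ID}" NotOnOrAfter="2016-01-13T01:27:31.285Z" Recipient="{SP_CONFIG['acs_url']}"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2016-01-13T01:17:31.191Z" NotOnOrAfter="2016-01-13T02:17:31.191Z">
      <AudienceRestriction><Audience>{audience}</Audience></AudienceRestriction>
    </Conditions>
  </Assertion>
</samlp:Response>"""

def cert_fingerprint(cert_text):
    """SHA-256 over the DER; PEM headers/whitespace are stripped so PEM and bare Base64 compare equal."""
    return hashlib.sha256(base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", cert_text))).hexdigest()

def parse_ts(value):
    """SAML timestamps are UTC ('Z'), with or without fractional seconds; None if unusable."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value or "", fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def check_response(xml_text, cfg, request_id, now):
    """Return the failed checks; an empty list means the response may be accepted."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination is not the REPLY URL (ACS)")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID we issued")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("Status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion"]
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != cfg["idp_issuer"]:
        problems.append("Assertion Issuer is not the configured ISSUER URL")
    sig = a.find("ds:Signature", NS)  # Azure signs the Assertion, not the outer Response
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        problems.append("no Signature covering the Assertion's own ID")
    cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) if sig is not None else None
    if cert is None or cert_fingerprint(cert) != cert_fingerprint(cfg["idp_cert"]):
        problems.append("signing certificate differs from the configured SAML Certificate")
    cond = a.find("saml:Conditions", NS)
    nb, na = (parse_ts(cond.get(k)) if cond is not None else None for k in ("NotBefore", "NotOnOrAfter"))
    if nb is None or na is None or not nb <= now < na:
        problems.append("Conditions validity window does not cover the current time")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != cfg["sp_name"]:
        problems.append("Audience is not the SAML Service Provider Name (Azure IDENTIFIER)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    exp = parse_ts(scd.get("NotOnOrAfter")) if scd is not None else None
    if (scd is None or scd.get("Recipient") != cfg["acs_url"]
            or scd.get("InResponseTo") != request_id or exp is None or exp <= now):
        problems.append("bearer SubjectConfirmationData failed (Recipient/InResponseTo/NotOnOrAfter)")
    return problems

if __name__ == "__main__":
    print(check_response(sample_response(), SP_CONFIG, REQUEST_ID, parse_ts("2016-01-13T01:23:00Z")))
```

To use it on a real failing login, Base64-decode the SAMLResponse form field from the browser's POST to /webapp/saml/loginResponse, put the certificate you pasted into Artifactory in SP_CONFIG["idp_cert"], and pass the XML with the current time to check_response. The fingerprint comparison tells you whether the pasted certificate is the one Azure actually signs with, and the Audience check catches an IDENTIFIER that differs from the SAML Service Provider Name by as little as a trailing slash; both are easy to miss by eye in the portal.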