How do I configure Artifactory SAML SSO with OneLogin?

This document describes how to configure your Artifactory SAML integration with OneLogin.

1. In OneLogin, click on 'APPS' => Find Applications => Artifactory

2. Fill in the details:
Domain : Artifactory's root address (e.g. https://joshua.io/artifactory)

Parameters: 

  • Email => Value that SAML should pass as an email address 
  • NameID => Value that SAML should pass as a user ID
  • Groups (optional) => Value(s) that SAML should pass to Artifactory as groups that the user belongs to (e.g. AD/LDAP Group Membership List)

NOTE: If your SAML user is associated with a group on the SAML side, you may pass the group attribute to Artifactory. If the SAML group attribute matches one of Artifactory's groups, the SAML user will inherit the permissions given to that Artifactory group. Use the following steps to set up the group association.
In OneLogin, click `USERS` => Select a user => See how the user is associated to a group (typically under MemberOf)

If you are using "Artifactory (with Groups)", then it will be automatically created as Groups.

Otherwise, you may add one: under Credentials are, choose "Configured by admin" => "Add parameter" => fill in the Field name and enable "Include in SAML assertion" => select the desired "Value"
If using the custom field, you can see the value of the field for each user at the App => Users => Edit

  • Rules: Not required
  • SSO => use this information to configure Artifactory's SAML

3. Add users to the OneLogin application (Users => Applications => click on the plus to associate the user with the application)

4. In Artifactory => Admin => SAML

SAML Login URL: "SAML 2.0 Endpoint (HTTP)" from Step 2 (SSO) (e.g. https://joshua-dev.onelogin.com/trust/saml2/http-post/sso/691507)

SAML Logout URL: "SLO Endpoint (HTTP)" from Step 2 (SSO) (e.g. https://joshua-dev.onelogin.com/trust/saml2/http-redirect/slo/691507)

SAML Service Provider Name: "Issuer URL" from Step 2 (SSO) (e.g. https://app.onelogin.com/saml/metadata/691507)

SAML Certificate: From Step 2 => X.509 Certificate => View Details => Copy and paste the certificate text, from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line

(Optional) Enable "Auto Associate Groups"
Group Attribute: Should match the attribute set at Step 3 (Groups)

Email Attribute: Should match the attribute set at Step 3 (Email)
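
To confirm that the attribute names OneLogin sends match the Email Attribute and Group Attribute entered in Artifactory, the following added example (not part of the original article and not JFrog or OneLogin code) parses a decoded SAML assertion and reports any mismatch. The assertion is a constructed sample, and the attribute names `Email` and `Groups` are assumed from the parameter names in Step 2.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: decoded <Assertion> from a SAMLResponse (signature omitted).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>readers</saml:AttributeValue>
      <saml:AttributeValue>deployers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text, email_attr="Email", group_attr="Groups"):
    """Return NameID, email, groups and any mismatch with the configured names."""
    # A SAML assertion never needs a DTD; refuse it rather than parse entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD found in SAML assertion")
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    problems = []
    if not name_id:
        problems.append("no NameID in Subject")
    # This check compares attribute names exactly as they appear in the assertion.
    for label, wanted in (("email", email_attr), ("group", group_attr)):
        if wanted not in attrs:
            problems.append(f"{label} attribute {wanted!r} not sent; saw {sorted(attrs)}")
    return {
        "name_id": name_id,
        "email": (attrs.get(email_attr) or [None])[0],
        "groups": attrs.get(group_attr, []),
        "problems": problems,
    }

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))
    # A Group Attribute name that the IdP does not send yields no groups.
    print(check_assertion(SAMPLE_ASSERTION, group_attr="memberOf")["problems"])
```

An empty `problems` list means the names in the assertion line up with the two attribute fields; a non-empty list shows which attribute names the IdP actually sent.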