How do I configure Artifactory SAML SSO with PingFederate?

In order to integrate your PingFederate (IDP) with Artifactory (SP) using SAML SSO, please perform the following steps:

  1. Log into PingFederate UI.

  2. Under "SP Connections" click on "Create New".

  3. In the "Connection Type" page under "Connection Template" select "Browser SSO Profiles" and choose the "SAML 2.0" Protocol. Click Next.

  4. In the "Connection Options" page, select the "Browser SSO" checkbox and click Next.

  5. Skip the "Import Metadata" step by clicking Next.

  6. In the "General Info" page, in the "Partner's Entity ID (Connection ID)" textbox, fill in a name that describes your SP (Artifactory) instance. Note that this "Entity ID" will later be entered in Artifactory's SAML SSO settings in the "SAML Service Provider Name" textbox, and the two values must be exactly the same.

  7. In the "Connection Name" textbox, fill in a name that will best describe the Artifactory instance to the IDP admin. Click Next.

  8. In the "Browser SSO" page, click on "Configure Browser SSO".

  9. In the "SAML Profiles" page select the "SP Initiated SSO" checkbox ONLY. Click Next.

  10. You can skip the "Assertion Time" page by clicking Next, or alternatively fill in different parameters to define the time frames for the assertion validity.

  11. In the "Assertion Creation" page, click on "Configure Assertion Creation".

  12. In the "Identity Mapping" page, choose "Standard" and click Next.

  13. In the "Attribute Contract" page, under the "Subject Name Format" dropdown box, choose "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" and click Next.

  14. In the "Authentication Source Mapping" page, click on "Map New Adapter Instance".

  15. In the "Adapter Instance" page, under the "Adapter Instance" dropdown box, choose the desired adapter (we assume that you have already configured your adapter instances when initially setting up your PingFederate instance). Click Next.

  16. In the "Assertion Mapping" page, under the "Adapter Contract" section, choose "Use only the Adapter Contract values in the SAML assertion" and click Next.

  17. In the "Attribute Contract Fulfillment" page, under the "Attribute Contract" section, choose "Adapter" in the "Source" dropdown box and "username" in the "Value" dropdown box. Click Next.

  18. In the "Issuance Criteria" page, skip it by clicking Next.

  19. In the "Summary" page click Done.

  20. In the "Authentication Source Mapping" page, click Next.

  21. In the "Summary" page click Done.

  22. In the "Assertion Creation" page, click Next.

  23. In the "Protocol Settings" page, click on "Configure Protocol Settings".

  24. In the "Assertion Consumer Service URL" page, select the "default" checkbox and enter the value "0" in the "Index" textbox. In the "Binding" dropdown box choose "POST". In the "Endpoint URL" textbox fill in "https://{ARTIFACTORY_URL}/webapp/saml/loginResponse" and click the "Add" button. Click Next.
    (Example of {ARTIFACTORY_URL}: or https://yourcompany.local:8443/artifactory )

  25. In the "Allowable SAML Bindings" page, select ONLY the "POST" and "Redirect" checkboxes. Click Next.

  26. In the "Signature Policy" page, select the "Always sign the SAML assertion" checkbox. Click Next.

  27. In the "Encryption Policy" page, choose "None" and click Next.

  28. In the "Summary" page click Done.

  29. In the "Protocol Settings" page click Next.

  30. In the "Summary" page click Done.

  31. In the "Browser SSO" page click Next.

  32. In the "Credentials" page click "Configure Credentials".

  33. In the "Digital Signature Settings" page, under the "Signing Certificate" dropdown box, select the desired certificate with "RSA SHA256" (we assume that you already have one configured from when you initially configured your PingFederate instance; otherwise create a new one by clicking "Manage Certificates"). Click Next.

  34. In the "Summary" page, click Done.

  35. In the "Credentials" page, click Next.

  36. In the "Activation & Summary" page, under "Connection Status" choose "Active" and click "Save".

  37. In the main page of PingFederate, under the "SP Connections" click on "Manage All SP".

  38. In the "Manage Connections" page, under "Connection Name", find the connection name that you have configured for your Artifactory instance and click on "Export Metadata". Click Next. Click "Export" and save the "metadata.xml" file. Click Done. Click Cancel.

The next steps will describe how to configure your Artifactory instance to integrate with your IDP using SAML SSO.

  1. Log in to the Artifactory UI as the "admin" user.

  2. Navigate to the "Admin" tab and then to "Security" → "SAML Integration".

  3. Click on the "Enable SAML Integration" checkbox.

  4. In the "SAML Login URL" textbox fill in: "https://{PINGFEDERATE_URL}:{PORT}/idp/SSO.saml2".

  5. In the "SAML Logout URL" textbox fill in: "https://{PINGFEDERATE_URL}:{PORT}/idp/SSO.saml2".

  6. In the "SAML Service Provider Name" textbox, fill in the "Entity ID" that you have configured in your IDP in the SP connection.

  7. In the "SAML Certificate" textbox, fill in the x509 certificate that is provided with the "metadata.xml" file that you have exported from your PingFederate instance.

  8. Click "Save".

  9. Log out from Artifactory and click "Log In". Click on "SSO Login".