How to map a SAML SSO user to a LDAP group?

You can map LDAP groups to SAML SSO users through the use of an Artifactory User Plugin. The full process for working with this plugin is as follows:


<Setup LDAP & LDAP Group>

Set up and enable Artifactory LDAP and an LDAP Group setting using this Solution. Make a note of the LDAP Group setting's name: you can associate only one group setting with the plugin.

<Modify User Plugin>

  1. Download the synchronizeLdapGroups user plugin and place it under $ARTIFACTORY_HOME/etc/plugins (or $CLUSTER_HOME/etc/plugins if you are using High Availability).
  2. Replace "il-users" in the plugin with the name of the LDAP Group Setting you created in Artifactory.
  3. Inside "authenticate", add the following line to the plugin, for debugging purposes only (see screenshot under step 4): log.debug "user " + username + " has the following groups " + groups
  4. Add the following logger to $ARTIFACTORY_HOME/etc/logback.xml (no restart needed):

    <logger name="synchronizeLdapGroups">
        <level value="debug"/>
    </logger>

    Below is an example of associating an LDAP group setting to the plugin:

  5. After adding the user plugin, call the plugin reload REST API (POST /api/plugins/reload) or restart Artifactory.


<Verify the Sync using an EXAMPLE>

  1. To check that an SSO user receives the same groups it has in LDAP, we use an existing LDAP user named 'shayy'. You can see that this user does not yet exist in Artifactory:
  2. I've imported the LDAP groups whose permissions I want the user to receive. In this case the plugin uses the 'il-users' group setting, and I've imported 2 groups that are part of 'il-users'.
  3. Once those groups existed in Artifactory, I created a SAML SSO configuration so I can authenticate with a user and sync the LDAP groups this user has. That is, once I log in with this SAML SSO user, the plugin will grant it the groups the user has in LDAP.
  4. Run the following REST command: curl -i -u shayy http://localhost:8081/artifactory/api/system/ping
  5. After doing so, the user is created with its default permissions.
  6. If you look at artifactory.log you will see that, although the UI does not show it, the debug line we added reports that the user is part of the same groups it has on the LDAP server (see screenshot below). This is because the plugin attaches the groups per session rather than assigning them permanently to the user.
  7. If you use this user to exercise a permission it has on the LDAP server, the request succeeds, since the plugin attaches those groups' permissions to the user for the session.
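Because the plugin only attaches groups per session, the debug line in artifactory.log is the one place where the mapping can be verified. The following script, an added example and not part of the plugin or this article, parses those debug lines and compares each user's logged groups against the groups they are expected to hold in LDAP; an empty group list is the typical symptom of the "il-users" placeholder not matching the configured LDAP Group Setting name. The log prefix format and the usernames and groups in SAMPLE_LOG are constructed, and the message text assumes the debug line added in step 3 above.

```python
import re
from typing import Dict, Set

# Matches the message written by the debug line added to the plugin's
# authenticate closure. Groovy renders a collection appended to a string
# as "[a, b]", so only the message text is matched, not the log prefix.
DEBUG_LINE = re.compile(r"user (?P<user>\S+) has the following groups \[(?P<groups>[^\]]*)\]")

# Constructed sample artifactory.log content (not output from a real system).
SAMPLE_LOG = """\
2023-01-01 10:00:00,000 [http-nio-8081-exec-1] [DEBUG] (synchronizeLdapGroups) - user shayy has the following groups [il-dev, il-qa]
2023-01-01 10:00:01,000 [http-nio-8081-exec-1] [INFO ] (o.a.w.s.AccessFilter) - unrelated line
2023-01-01 10:00:02,000 [http-nio-8081-exec-2] [DEBUG] (synchronizeLdapGroups) - user bob has the following groups []
"""


def parse_group_lines(log_text: str) -> Dict[str, Set[str]]:
    """Return {username: set(groups)} from the plugin's debug lines."""
    result: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        m = DEBUG_LINE.search(line)
        if not m:
            continue
        groups = {g.strip() for g in m.group("groups").split(",") if g.strip()}
        # A user may log in several times; keep the most recent session's view.
        result[m.group("user")] = groups
    return result


def check_sync(log_text: str, expected: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Compare logged session groups with the groups each user holds in LDAP.

    Returns only users with a discrepancy, as {"missing": ..., "unexpected": ...}.
    A user absent from the log is reported with all expected groups missing.
    """
    seen = parse_group_lines(log_text)
    problems: Dict[str, Dict[str, Set[str]]] = {}
    for user, want in expected.items():
        got = seen.get(user, set())
        if got != want:
            problems[user] = {"missing": want - got, "unexpected": got - want}
    return problems


if __name__ == "__main__":
    # Expected LDAP memberships are constructed for the sample above.
    expected = {"shayy": {"il-dev", "il-qa"}, "bob": {"il-dev"}}
    for user, diff in check_sync(SAMPLE_LOG, expected).items():
        print(f"{user}: missing={sorted(diff['missing'])} unexpected={sorted(diff['unexpected'])}")
```

Run it against the real log by reading $ARTIFACTORY_HOME/logs/artifactory.log into log_text after the curl call in step 4; a user reported with every expected group missing and no debug line at all means the logger in logback.xml is not active or the plugin did not reload.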