How to map a SAML SSO user to a LDAP group?

You may map LDAP groups to SSO users through the use of Artifactory User Plugins. The full process for working with this plugin is as follows:

<Setup LDAP & LDAP Group>

Setup and enable Artifactory LDAP and LDAP Group using this Solution (requires Jfrog Support Portal login).

<Modify User Plugin>

  1. Download the 'SynchronizeLDAPGroups' user plugin and place it under $ARTIFACTORY_HOME/etc/plugins (or $CLUSTER_HOME/etc/plugins if you are using High Availability).
  2. Replace "il-users" with the name of your LDAP group that has been imported into Artifactory.
  3. Inside the "myRealm" block, add the following line to the plugin for debugging purposes only: log.debug "user " + username + " have the following groups " + groups
  4. Add the following logger to $ARTIFACTORY_HOME/etc/logback.xml (no restart needed):

     <logger name="synchronizeLdapGroups">
         <level value="debug"/>
     </logger>

  5. After adding the user plugin, call the plugin reload REST API or restart Artifactory.

 

 

<Verify the Sync using an EXAMPLE>

  1. To check that an SSO user gets the same groups he/she has in LDAP, take an existing LDAP user named 'shayy'. You can see that this user doesn't exist in Artifactory yet:
  2. I've imported the LDAP group whose permissions I want the user to receive; in this case, as in the plugin, we used 'il-users'. I've imported 2 groups that are part of 'il-users'.
  3. Once I had those groups in Artifactory, I created a SAML SSO configuration so I could authenticate with a user and sync the LDAP groups this user has. Once I log in with this SAML SSO user, the plugin will give it the groups the user has in LDAP.
  4. Run the following REST command: curl -i -u shayy http://localhost:8081/artifactory/api/system/ping
  5. After doing so, the user is created with its default permissions.
  6. If you look at artifactory.log you will see that, although the UI doesn't show it, the debug line we added reports that the user is part of the groups he has on his LDAP server. See ArtifactoryLogAfterSSO.png. This is because the plugin attaches the groups per session rather than as constant groups per user.
  7. If you use this user with a permission he has on the LDAP server, it will succeed, because the plugin attaches those groups' permissions to this user.
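Because the groups are attached per session and never show in the UI, the only reliable check is the debug line in artifactory.log. The script below is an added example, not JFrog's code or part of the plugin: it parses that debug line (format from step 3 of the plugin modification, with a Groovy list printed as [a, b]) from constructed sample log lines, and, only when ARTIFACTORY_URL is set, reloads the plugins (POST /api/plugins/reload, assumed to be called as an admin user), triggers the ping login as 'shayy' and checks the real log.

```shell
#!/usr/bin/env bash
# Added example (not JFrog's code): verify that the user plugin attached the
# expected LDAP groups to the SSO user after the ping login.
# Assumes the plugin's debug line looks like:
#   user shayy have the following groups [il-users, il-dev]

# Print the groups (comma-separated, no spaces) from the user's last debug line.
ldap_groups_from_log() {
    local logfile="$1" user="$2"
    grep -E "user ${user} (have|has) the following groups \[" "$logfile" \
        | tail -n 1 \
        | sed -E 's/.*the following groups \[([^]]*)\].*/\1/' \
        | tr -d ' '
}

# Exit status 0 when the user's last logged group list contains the group.
user_has_group() {
    local logfile="$1" user="$2" group="$3"
    ldap_groups_from_log "$logfile" "$user" | tr ',' '\n' | grep -qx "$group"
}

# Constructed sample lines standing in for $ARTIFACTORY_HOME/logs/artifactory.log.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2019-01-01 10:00:00,000 [http-nio-8081-exec-3] [DEBUG] (synchronizeLdapGroups:42) - user shayy have the following groups [il-users, il-dev]
2019-01-01 10:00:01,000 [http-nio-8081-exec-3] [INFO ] (o.a.s.UserGroupServiceImpl:77) - Created user shayy
EOF

ldap_groups_from_log "$SAMPLE_LOG" shayy            # prints il-users,il-dev
user_has_group "$SAMPLE_LOG" shayy il-users && echo "shayy is in il-users"

# Against a live instance: reload plugins, log in once as the SSO user so the
# realm hook runs, then inspect the real log (ARTIFACTORY_URL is an assumption).
if [ -n "${ARTIFACTORY_URL:-}" ]; then
    curl -s -X POST -u admin "${ARTIFACTORY_URL}/api/plugins/reload"
    curl -s -u shayy "${ARTIFACTORY_URL}/api/system/ping"
    user_has_group "$ARTIFACTORY_HOME/logs/artifactory.log" shayy il-users \
        && echo "plugin attached il-users to shayy"
fi
```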