
We are using ADFS to allow users to log into Artifactory and basically it works fine. Problem is, that the group memberships aren't recognized. Can anyone tell me what the problem is?

Using Artifactory Pro 5.4.4 ADFS 3.0

XML used to transfer the information to Artifactory (I included the mail attribute as well which works fine)

<Attribute Name="memberOf">
  <AttributeValue>CN=some_group_the_user_is_in,OU=...</AttributeValue>
  <AttributeValue>CN=my_artifactory_group,OU=..</AttributeValue>
  <AttributeValue>CN=some_other_group,OU=...</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
  <AttributeValue>x@y.com</AttributeValue>
</Attribute>

I do not have direct access to the ADFS and I really have no experience with it. The responsible person says he cannot filter the groups to show just the one important in Artifactory, so there is a list of groups and one or two might be used in Artifactory and he also cannot change the attribute name.

SAML Settings in Artifactory are: Group Attribute: "memberOf" Email Attribute: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

Otherwise, SAML works fine. The users are "just" missing their groups - which in the end makes the whole thing quite useless, because each new user has to be assigned by hand, which obviously isn't really practical with almost 200 users.

Can anyone help?

  • This might be related to the following Artifactory issue - https://www.jfrog.com/jira/browse/RTFACT-14262 – Dror Bereznitsky Sep 27 '17 at 11:14
  • As far as I've understood that issue, this only happens if the case doesn't match. I renamed the Active Directory group to be all lowercase, so it should actually match up, even with that case sensitivity problem. Or did I read it wrong? – user7997330 Sep 28 '17 at 11:49
  • You are correct. If this is not the case, then it might be a configuration issue. Can you add a debug logger for org.artifactory.addon.sso.saml and share the relevant debug information? – Dror Bereznitsky Oct 02 '17 at 11:27
  • I'm sorry - I tried to find some information about it, but I am failing at it. I don't really know how to add that logger - and I know that there is some kind of saml plugin available (or was) that you could use, but I'm not using that. I am using only Artifactory configuration. Could you help me out how to better log what's going on? – user7997330 Oct 05 '17 at 10:43
  • See the answer and the comments below. It seems that in addition to using SAML groups in general you have a specific enhancement request. On your specific group name length limitation you might want to open a feature request with JFrog. What do you think @DrorBereznitsky? – Gabriel Kohen Oct 18 '18 at 12:40

2 Answers

Ran into the same thing and it took me a while to troubleshoot it. First of all, you have the SAML settings set up correctly. What you need to do is to create the group in Artifactory with the exact ID as the one specified in your SAML. In your case you will have to create:

  1. CN=some_group_the_user_is_in,OU=...
  2. CN=my_artifactory_group,OU=..
  3. CN=some_other_group,OU=...

I assume these are not the real names of your groups but I copied them verbatim from your question.

Then you'd need to give your groups the proper permissions to be able to browse the proper repositories. Word of caution: the SAML group association allows the users to browse Artifactory according to their permissions. It does not allow them to use that association to access Artifactory using a generated token, as you would if you want to run a build from a developer machine rather than use the Artifactory password. The latter missing feature was promised to be delivered in Q4 2018 by their support. Here is the JIRA issue related to the missing feature.

Gabriel Kohen
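As an added illustration (not code from the question, the answer, or JFrog), the matching rule the answer describes: a group only links when the name configured in Artifactory equals the whole asserted attribute value, so a bare CN or a case-different DN does not match. The AttributeStatement is constructed to mirror the question's fragment; the saml namespace prefix, the invented OU/DC parts of the DNs and the status labels are my assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement shaped like the one in the question; the DNs are invented.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>CN=some_group_the_user_is_in,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=my_artifactory_group,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=some_other_group,OU=Groups,DC=example,DC=com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>x@y.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def attribute_values(statement_xml, attribute_name):
    """Collect every AttributeValue of the Attribute whose Name equals attribute_name."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.findall("saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            values += [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return values

def classify_group(configured_name, assertion_values):
    """Status of one Artifactory group name against the asserted values (labels assumed):
    exact (links the user), case_only (the RTFACT-14262 symptom),
    cn_only (bare CN configured but the full DN is asserted), none."""
    if configured_name in assertion_values:
        return "exact"
    if configured_name.lower() in {v.lower() for v in assertion_values}:
        return "case_only"
    # First RDN of each DN, e.g. "CN=my_artifactory_group,OU=..." -> "my_artifactory_group"
    cns = {v.split(",", 1)[0][3:] for v in assertion_values if v[:3].upper() == "CN="}
    if configured_name in cns:
        return "cn_only"
    return "none"

def audit_groups(statement_xml, group_attribute, configured_groups):
    """Map each configured Artifactory group name to its match status."""
    values = attribute_values(statement_xml, group_attribute)
    return {name: classify_group(name, values) for name in configured_groups}

if __name__ == "__main__":
    print(audit_groups(SAMPLE_STATEMENT, "memberOf",
                       ["my_artifactory_group", "CN=my_artifactory_group,OU=Groups,DC=example,DC=com"]))
```

Run it against a real assertion captured from a debug logger and the group names from the Artifactory admin UI; anything other than "exact" explains why a user arrives without that group.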

I also ran into this by setting this up on an Artifactory instance.

As already mentioned, the SAML SSO synchronizes the groups of a user only in the UI and only in the background. This means a user is not added to the group he is assigned to in the identity provider.

JFrog now provides an SCIM feature which is only available in the Enterprise edition (as of 2021-06-16) of their JFrog Platform. This feature works like SAML SSO but also synchronizes the groups of a user, so it can also be used via the API, which means at build time on a developer machine.

mazorius