
We are having problems with the authentication via SAML. All users who have an Active Directory user can log into Artifactory - which is not what I want. I configured Artifactory to use two specific AD groups to allow users in, but we can't seem to get ADFS to filter those same groups.

As far as I've understood, Artifactory doesn't do anything with SAML authentication besides checking if ADFS says the user is allowed or not allowed - is that correct?

Does anyone have experience with that kind of problem or an idea on how to solve this?

We are using Artifactory 5.2.0 at the moment.

  • Please have a look at this recently answered question: https://stackoverflow.com/questions/46439887/artifactory-saml-sso-group-matching-not-working/52634260#52634260 – Gabriel Kohen Oct 03 '18 at 19:23

1 Answer


Never used Artifactory but assuming it's just a SAML SP ...

What is the format of the AD groups? What claim type? You may need a claims rule to transform the attribute to the required format.

ADFS can pass groups as Roles using "Token Groups - Unqualified Names".

Or you can set an access rule in ADFS so that access is denied if the user is not a member of a group.

rbrayb
  • Artifactory doesn't check group membership after ADFS says it's okay for the user to log on - as far as I've understood. So what I'd need is for the ADFS to filter the users. I just don't know how and our external partner who should do that doesn't know how either (I also don't have access to the ADFS so what I'd be looking for is some hints or even instructions to send to him if that would be possible) – user7997330 May 26 '17 at 04:03
  • https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs – rbrayb May 27 '17 at 05:05
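One way to set the group-based access rule the answer describes, as an added example that is not part of the original answer or comments. The relying party trust name `Artifactory` and the two group names are assumed placeholders; the script replaces the trust's issuance authorization rules, so the default "permit all users" rule no longer applies.

```powershell
# Added example (not from the original thread). Run in an elevated session
# on the primary AD FS server.
# Assumed placeholders: relying party trust name and the two AD group names.
$rpName        = 'Artifactory'
$allowedGroups = 'EXAMPLE\artifactory-users', 'EXAMPLE\artifactory-admins'

# Build one permit rule per group. AD FS authorization rules match on the
# group SID claim, so each group name is translated to its SID first.
$rules = foreach ($group in $allowedGroups) {
    $account = New-Object System.Security.Principal.NTAccount($group)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
@"
@RuleName = "Permit members of $group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@
}

# Replace the whole authorization rule set. With no "permit all" rule left,
# a user who is in neither group gets no permit claim and AD FS refuses to
# issue a token for this relying party.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules ($rules -join "`r`n")

# Review what is now configured on the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

On AD FS versions where the trust is governed by an access control policy (the approach in the Microsoft page linked above), the equivalent restriction is made through that policy rather than through these rules.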