I will try to elaborate on the process.
After a login request, the user and its groups are available to Artifactory in the assertion response that the SAML Identity Provider sends back to Artifactory. The data should be available in the assertion XML response, as long as the Identity Provider is configured to include it. For example, the Identity Provider can exclude the group information and include only user data (i.e. username, mail).
In order to ensure that Artifactory can assign the user to a SAML group, you will need to do the following:
- Configure the ADFS to include the user group attributes in the login response. You have mentioned that this is handled by another team, but you can see how this can be done in the link that you have attached in your post.
- Create the relevant groups in Artifactory, or import them into Artifactory from another authentication provider (such as the Artifactory LDAP integration group screen). It is mandatory that the relevant groups exist in Artifactory.
- Open the Artifactory Web-UI SAML configuration screen and mark the Auto Associate groups checkbox.
- Edit the Group Attribute text field and enter the SAML attribute name of the group declaration. The group attribute name that is required is the one that is returned in the SAML assertion response.
In the assertion it should look like this:
```xml
<saml:AttributeStatement>
  <saml:Attribute Name="memberof">
    <saml:AttributeValue>group1</saml:AttributeValue>
    <saml:AttributeValue>group2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```
In your case, you can either get the group association attribute name from the other team that manages your ADFS, as you have mentioned, or just view the assertion in any kind of SAML tracer browser plugin (as long as the ADFS was configured to send the group attributes).
Once you have the above configured, when a SAML user logs in to Artifactory, the user will automatically be associated with the groups that are returned by the SAML assertion response (as long as each group exists in Artifactory).
Note: the SAML group association is not persisted and is valid for the current login session only. Therefore, if you edit the user/group screen in the UI, you will not see the user/group association. However, if you grant a permission for a specific resource to the group that you expect the user to be assigned to, you can see that the user who logged in is capable of using the granted permission.
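To check a captured assertion against the two conditions described above (the configured Group Attribute name must match an attribute in the assertion, and each asserted group must already exist in Artifactory), here is an added example that is not part of the original answer and not Artifactory's code. The function names, the sample assertion and the group list are constructed, and exact, case-sensitive name matching is an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from a real IdP).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberof">
      <saml:AttributeValue>group1</saml:AttributeValue>
      <saml:AttributeValue>group2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def attribute_names(assertion_xml):
    """List every attribute name the IdP sent, to find the group attribute."""
    root = ET.fromstring(assertion_xml)
    return [a.get("Name") for a in root.iterfind(".//saml:Attribute", SAML_NS)]

def preview_group_association(assertion_xml, group_attribute, artifactory_groups):
    """Troubleshooting aid for your own captured assertion; no signature check.

    Assumption: names are compared exactly (case-sensitive).
    """
    root = ET.fromstring(assertion_xml)
    asserted = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != group_attribute:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                asserted.append(value.text.strip())
    existing = set(artifactory_groups)
    return {
        "attribute_found": bool(asserted),  # False: wrong name or IdP omits groups
        "associated": [g for g in asserted if g in existing],
        "ignored": [g for g in asserted if g not in existing],  # create these first
    }

if __name__ == "__main__":
    print(attribute_names(SAMPLE_ASSERTION))
    print(preview_group_association(SAMPLE_ASSERTION, "memberof", ["group1", "readers"]))
```

An `attribute_found` value of `False` points at the ADFS claim configuration or the Group Attribute field, while entries under `ignored` point at groups that still need to be created or imported in Artifactory.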