Artifactory: SAML SSO group matching not working
We are using ADFS to allow users to log into Artifactory and basically it works fine. Problem is, that the group memberships aren't recognized. Can anyone tell me what the problem is?
Using Artifactory Pro 5.4.4 ADFS 3.0
XML used to transfer the information to Artifactory (I included the mail attribute as well which works fine)
<Attribute Name="memberOf">
<AttributeValue>CN=some_group_the_user_is_in,OU=...</AttributeValue>
<AttributeValue>CN=my_artifactory_group,OU=..</AttributeValue>
<AttributeValue>CN=some_other_group,OU=...</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>x@y.com</AttributeValue>
</Attribute>
I do not have direct access to the ADFS and I really have no experience with it. The responsible person says he cannot filter the groups to show just the one important in Artifactory, so there is a list of groups and one or two might be used in Artifactory and he also cannot change the attribute name.
SAML Settings in Artifactory are: Group Attribute: "memberOf" Email Attribute: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
Else SAML works fine. The users are "just" missing their groups - which in the end makes the whole thing quite useless because each new user has to be assigned by hand which obviously isn't really practical with almost 200 users
Can anyone help?
Ran into the same thing and it took me a while to troubleshoot it. First of all, you have the SAML settings set up correctly. What you need to do is to create the group in artifactory with the exact ID as the one specified in your SAML. In your case you will have to create:
CN=some_group_the_user_is_in,OU=...CN=my_artifactory_group,OU=..CN=some_other_group,OU=...
I assume these are not the real names of your groups but I copied them verbatim from your question.
Then you'd need to give your groups the proper permissions to be able to browse the proper repositories. Word of caution, the SAML group association allows the users to browse Artifactory according to their permission. It does not allow them to use that association to access artifactory using a generated token as you would if you want to run a build from a developer machine rather than user the Artifactory password. The latter missing feature was promised to be delivered in Q4 2018 by their support. Here is the JIRA issue related to the missing feature.
- Math.Sin() gives incorrect value
- How to run my python script when the sunOS is start booting
- Express-session: not resetting cookie expiration on each request
- Getting a stack overflow exception when normalizing a vector
- Edit default summary function in R gives error for multiple variables
- What was a For loop? Why isn't it needed in R?
- How to use download button in shiny and save results in various formats (csv, texte, pdf, spss...)?
- Why are there two assignment operators, `<-` and `->` in R?
- lm()$assign: what is it?
- How to get the value of list(...) in R and S functions
- Design matrix for MLM from library(lme4) with fixed and random effects
- how to generate elements not included in my sample
- Create a matrix with gradually changing values without a for loop
- Emacs ESS and S-plus ( S+ ) 8.1 compatability
- How to lag date-index in a time-series in R?
- Nonlinear regression in R / S
- Calling R from S-Plus?