Artifactory: SAML SSO group matching not working


Problem description

We are using ADFS to allow users to log into Artifactory and basically it works fine. The problem is that the group memberships aren't recognized. Can anyone tell me what the problem is?

Using:
Artifactory Pro 5.4.4
ADFS 3.0

XML used to transfer the information to Artifactory (I included the mail attribute as well, which works fine):

<Attribute Name="memberOf">
  <AttributeValue>CN=some_group_the_user_is_in,OU=...</AttributeValue>
  <AttributeValue>CN=my_artifactory_group,OU=..</AttributeValue>
  <AttributeValue>CN=some_other_group,OU=...</AttributeValue>
</Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
  <AttributeValue>x@y.com</AttributeValue>
</Attribute>

I do not have direct access to the ADFS and I really have no experience with it. The responsible person says he cannot filter the groups to show just the one important in Artifactory, so there is a list of groups and one or two might be used in Artifactory and he also cannot change the attribute name.

SAML Settings in Artifactory are:
Group Attribute: "memberOf"
Email Attribute: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

Else SAML works fine. The users are "just" missing their groups, which in the end makes the whole thing quite useless because each new user has to be assigned by hand, which obviously isn't really practical with almost 200 users.

Can anyone help?

Solution

Ran into the same thing and it took me a while to troubleshoot it. First of all, you have the SAML settings set up correctly. What you need to do is to create the group in Artifactory with the exact ID as the one specified in your SAML. In your case you will have to create:

  1. CN=some_group_the_user_is_in,OU=...
  2. CN=my_artifactory_group,OU=..
  3. CN=some_other_group,OU=...

I assume these are not the real names of your groups but I copied them verbatim from your question.

Then you'd need to give your groups the proper permissions to be able to browse the proper repositories. Word of caution: the SAML group association allows the users to browse Artifactory according to their permission. It does not allow them to use that association to access Artifactory using a generated token, as you would if you want to run a build from a developer machine rather than use the Artifactory password. The latter missing feature was promised to be delivered in Q4 2018 by their support. Here is the JIRA issue related to the missing feature.
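To see ahead of time which asserted groups would line up with groups defined in Artifactory, the following added example (not part of the original question or answer, and not Artifactory's own code) extracts the `memberOf` values from an attribute statement and compares them with a list of group names. It assumes the exact string equality the answer describes; the `OU=example` values, the SAML 2.0 namespace prefix and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the attribute statement in the question.
# The OU values are placeholders; the page elides the real ones.
SAMPLE_ASSERTION = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>CN=some_group_the_user_is_in,OU=example</saml:AttributeValue>
    <saml:AttributeValue>CN=my_artifactory_group,OU=example</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>x@y.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def attribute_values(xml_text, attribute_name):
    """Return every AttributeValue of the named SAML attribute, trimmed."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        if attr.get("Name") == attribute_name:
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                values.append((value.text or "").strip())
    return values


def match_groups(xml_text, group_attribute, defined_groups):
    """Split asserted groups into (matched, unmatched) by exact string equality.

    Assumption taken from the answer: a group is only associated when its
    name equals the full attribute value, not just the CN component.
    """
    defined = set(defined_groups)
    asserted = attribute_values(xml_text, group_attribute)
    matched = [g for g in asserted if g in defined]
    unmatched = [g for g in asserted if g not in defined]
    return matched, unmatched


if __name__ == "__main__":
    # A group named with only the CN does not equal the asserted DN string.
    print(match_groups(SAMPLE_ASSERTION, "memberOf", ["my_artifactory_group"]))
    # A group named with the full DN does.
    print(match_groups(SAMPLE_ASSERTION, "memberOf",
                       ["CN=my_artifactory_group,OU=example"]))
```

Any group left in the unmatched list contributes no permissions to the user after login, which is the symptom described in the question.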
