Configuring HTTP SSO in JPD
- From the Administration module, select Authentication Providers | HTTP SSO.
- Select the Artifactory is Proxied by a Secure HTTP Server check box to indicate that Artifactory is running behind a secure HTTP server that forwards trusted requests to it.
- Add the variable to look for trusted authentication information. The default is to look for a REMOTE_USER header or the request variable, which is set by Apache's AJP and JK connectors.
You can choose to use any request attribute (as defined by the Servlet specification) by providing a different variable name.
Adding Your Own SSO Integration
You can write a simple servlet filter to integrate with custom security systems and set a request attribute on the request to be trusted by the SSO add-on.
- Select the Allow Created Users Access to Profile Page check box to instruct Artifactory to treat externally authenticated users as temporary users, so that Artifactory does not create them in its security database.
In this case, permissions for such users are based on the permissions given to auto-join groups.
- Select the Associate LDAP Groups check box to associate the user with groups returned in the LDAP login response.
Field Name | Description |
---|---|
Artifactory is Proxied by a Secure HTTP Server | When selected, Artifactory trusts incoming requests and reuses the remote user originally set on the request by the SSO of the HTTP server. This is extremely useful if you want to use existing enterprise SSO integrations, such as the powerful authentication schemes provided by Apache (mod_auth_ldap, mod_auth_ntlm, mod_auth_kerb, etc.). When Artifactory is deployed as a webapp on Tomcat behind Apache, see Integrating Apache and Tomcat. |
Remote User Request Variable | The name of the HTTP request variable to use for extracting the user identity. Default is: REMOTE_USER. |
Auto Create System Users | When not checked, authenticated users are not automatically created in the system. Instead, for every request from an SSO user, the user is temporarily associated with default groups (if such groups are defined) and the permissions for these groups apply. Without auto user creation, you must manually create the user inside Artifactory to manage user permissions not attached to its default groups. |
Allow Created Users Access To Profile Page | When selected, users created after authenticating using HTTP SSO will be able to access their user profile. This means they are able to generate their API Key and set their password for future use. |
Auto Associate LDAP Groups | When selected, the user is associated with groups returned in the LDAP login response. Note that the user's association with the returned groups is persistent if Auto Create System Users is selected. |
Custom URL base
For your HTTP SSO settings to work, make sure you have your Custom URL Base configured.
Integrating Apache and Tomcat
When Artifactory is deployed as a webapp on Tomcat behind Apache:
- If using mod_proxy_ajp, make sure to set tomcatAuthentication="false" on the AJP connector.
- If using mod_jk, make sure to use the JkEnvVar REMOTE_USER directive in Apache's configuration.
- If using mod_proxy (requires mod_proxy_http, mod_headers and mod_rewrite), there are two known working methods that forward the header:

RequestHeader set REMOTE_USER %{REMOTE_USER}e

or

RewriteEngine On
RewriteCond %{REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
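
Because Artifactory trusts whatever arrives in the configured request variable, the proxy has to replace that header on every request and demand an authenticated user. The check below is an added example, not part of the JFrog documentation: it audits an httpd.conf fragment for both properties, and the function name, finding labels and sample fragments are constructed for illustration.

```python
import shlex

AUTH_REQUIRES = {"valid-user", "user", "group"}  # Require forms naming a user
KEEPS_CLIENT_VALUE = {"add", "append", "merge", "setifempty"}

def audit_sso_forwarding(conf_text, header="REMOTE_USER"):
    """Return findings for an httpd.conf fragment; an empty list means OK."""
    findings, requires_auth, cleared, overwrites = [], False, False, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directive = parts[0].lower()
        if directive == "require" and len(parts) > 1:
            requires_auth |= parts[1].lower() in AUTH_REQUIRES
        elif directive == "requestheader" and len(parts) >= 3:
            action, name = parts[1].lower(), parts[2].lower()
            if name != header.lower():
                continue
            # The optional condition follows the value (unset takes no value).
            tail = parts[3:] if action == "unset" else parts[4:]
            conditional = any(t.lower().startswith(("env=", "expr=")) for t in tail)
            if action == "unset" and not conditional:
                cleared = True            # client-supplied value removed first
            elif action == "set" and (cleared or not conditional):
                overwrites = True         # header always replaced by the proxy
            elif action == "set":
                findings.append("conditional-set: " + line)
            elif action in KEEPS_CLIENT_VALUE:
                findings.append("keeps-client-value: " + line)
    if not requires_auth:
        findings.append("no-require: no user authentication is demanded")
    if not overwrites:
        findings.append("no-overwrite: %s is not always replaced" % header)
    return findings

# Constructed fragments built from the directives shown on this page.
AUTH = "AuthType SSPI\nSSPIAuth On\nrequire valid-user\n"
REWRITE = "RewriteEngine On\nRewriteCond %{REMOTE_USER} (.+)\nRewriteRule . - [E=RU:%1]\n"
AS_DOCUMENTED = AUTH + REWRITE + "RequestHeader set REMOTE_USER %{RU}e\n"
# Constructed variant: env=RU applies the directive only when RU exists.
CONDITIONAL = AUTH + REWRITE + "RequestHeader set REMOTE_USER %{RU}e env=RU\n"

if __name__ == "__main__":
    for name, conf in (("as documented", AS_DOCUMENTED), ("conditional", CONDITIONAL)):
        print(name, audit_sso_forwarding(conf))
```

A conditional-set or no-overwrite finding means a REMOTE_USER value supplied by the client can reach Artifactory unchanged; the backend port should in any case accept connections only from the proxy.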
Setting Up a Reverse SSL Proxy for SSO
You may set up a reverse SSL proxy on your webserver in order to run JPD supporting SSO.
To do this, you need to have the right components installed, modify your webserver configuration file, and then configure Artifactory for SSO.
When correctly set up, you should be able to log in to Artifactory with your Windows credentials and stay logged in between sessions.
Components and Versions
Kerberos/NTLM SSO with JPD has been tested to work using the following components:
- IBM WebSphere 8.5.5 running on Windows 8 using the IBM WebSphere Java JDK 7 Package.
- The mod_auth_sspi Apache module.
Modifying Your Webserver Configuration File
Once you have the right components and versions installed, you need to add the following lines to your [HTTP_SERVER_HOME]/conf/httpd.conf file:

ServerName yourhostname
DocumentRoot "C:/IBM/Installation Manager/eclipse/plugins/org.apache.ant_1.8.3.v20120321-1730"
ProxyPreserveHost on
ProxyPass /artifactory http://yourhostname:9080/artifactory
ProxyPassReverse /artifactory http://yourhostname:9080/artifactory
AuthName "Artifactory Realm"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
require valid-user
RewriteEngine On
RewriteCond %{REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e

Then you need to enable the following modules in your httpd.conf file:

LoadModule sspi_auth_module modules/mod_auth_sspi.so
LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
Using API Key with HTTP-SSO Users
While HTTP-SSO provides access to the JPD UI, it is also possible for HTTP-SSO users to generate an API Key that can be used instead of a password for basic authentication or in a dedicated REST API header. This is very useful when working with different clients, e.g. Docker, npm, maven, etc. or using Artifactory REST API.
In order to allow HTTP-SSO users access to an API key you will need to make sure that the "Auto Create Artifactory Users" and "Allow Created Users Access To Profile Page" check boxes are checked. This means that SSO users are also saved in the Artifactory database and can access their User Profile in order to generate, retrieve and revoke their API key.