Overview

There is a variety of providers you can use for SAML authentication. This page provides details on how to configure Microsoft Active Directory Federation Services (AD FS) as your SAML provider.

Configuration

To configure AD FS as your SAML provider, follow the steps below.

  1. In your Organization’s profile page, click Edit to edit the Organization’s profile and select the SAML Authentication tab.

  2. Check the Enable SAML Authentication checkbox.
    Enable SAML Authentication

  3. Add the single-sign-on login URL for your AD FS (IdP) server.
    By default, this is:
    https://<ADFS_SERVER>/adfs/ls/IdpInitiatedSignOn.aspx.
    We will use:
    https://jfrogdc.jfrog.com/adfs/ls/IdpInitiatedSignOn.aspx.
    ADFS Single-sign-on URL

  4. Open the AD FS Management Console and navigate to Trust Relationships | Relying Party Trusts in the panel on the left.
    ADFS Relying Party Trusts

  5. In the Actions window on the right side of the console, click Add Relying Party Trust and continue by clicking on Start.
    Adding a Relying Party Trust

  6. Select Enter data about the relying party manually and click Next.
    Entering relying party data manually

  7. Type in any Display name and click Next. For this walkthrough we will use "Bintray".
    Relying party display name

  8. Choose AD FS profile and click Next.
    AD FS profile

  9. Click Next under the optional step for configuring a certificate for token encryption.

  10. Choose Enable support for the SAML 2.0 WebSSO protocol, and in the URL field, fill in the SAML ACS URL provided to you on Bintray’s SAML Authentication page.
    SAML certificate field

    Enable support for SAML2

  11. In the Relying party trust identifier field, fill in your Service Provider’s URL. For our walkthrough we will use the URL created for our organization on Bintray, https://bintray/jfrogsupport. When done, click Add and then click Next.
    Relying party trust identifier

  12. Choose I do not want to configure multi-factor authentication settings…​ and click Next.
    No multi-factor authentication

  13. Choose the authorization rule you are interested in and click Next. We will choose Permit all users to access this relying party.
    Permit all users

  14. Review the settings you have configured and verify that the SAML Assertion Consumer Endpoint is set correctly (the SAML ACS URL you got from Bintray’s SAML Authentication page) and that the SAML binding type is "POST". When ready, click Next.
    review settings

  15. Check Open the Edit Claim Rules dialog…​ and click Close.
    Open edit claim rules dialog

  16. In the Edit Claim Rules for <Name> dialog, click on Add Rule…​.
    Edit claim rules

  17. In the Claim rule template field, choose Transform an Incoming Claim and click Next.
    Claim rule template

  18. Enter a name in the Claim Rule Name field. We will choose "Claims Transform". Set your Incoming claim type and Outgoing claim type. We will use "Windows Account Name" and "Name ID" respectively. You can leave the Outgoing name ID format as "Unspecified". When done, click Finish.
    Claim rule settings

  19. Click on OK to confirm and apply the claim rule we have defined.
    Accept claim rule settings

  20. Go back to Bintray. Under your Organization’s SAML Authentication Configuration tab, set the SAML Service Provider Name field to match the URI we defined in our AD FS identifier URL: https://bintray.com/jfrogsupport. (In general, this can be any unique URI).
    SAML provider name

  21. For the SAML Certificate, you need to paste in the Base-64 encoded X.509 certificate that AD FS uses to sign tokens. In your AD FS management console navigate to Certificates and double-click the Primary certificate listed under Token-signing.
    AD FS SAML certificate

  22. Go to the Details tab and click Copy to File.
    Copy the certificate

  23. Click Next and then choose Base-64 encoded X.509 (.CER). Click Next to continue.
    Set Base 64

  24. Save the certificate at a convenient location on your machine. In our walkthrough we have given it the name "bintray".
    Save the certificate

  25. Click on Save, Next and then Finish.

  26. Open the certificate file and paste its contents into the SAML Certificate field in Bintray.
    Paste the certificate

  27. Click on Update to complete setting up the integration.

  28. Sign out from your Bintray organization owner/admin user and navigate to your organization’s URL. For example, if your organization is called "jfrogsupport" then the URL would be https://bintray.com/jfrogsupport. Click on "Sign In" in the top right corner:
    Sign in to Bintray

  29. Bintray will prompt you to authenticate with SAML.
    Authenticate with SAML

  30. Click Authenticate with SAML and you will be redirected to your SAML IdP to sign in.

  31. After signing in and being successfully authenticated, you will be redirected to your Bintray organization page as a scoped user with the default member permissions.
    Bintray scoped user
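The AD FS side of the walkthrough (steps 4 through 19 and the certificate export in steps 21 through 25) can also be done from the AD FS PowerShell module instead of the management console. The script below is an added example, not part of the original page and not JFrog's or Microsoft's code. It reuses the display name and relying party identifier from the walkthrough; the ACS URL is a placeholder you must replace with the value shown on Bintray's SAML Authentication page, and the claim-type URIs and rule text are assumed to be the standard ones the "Transform an Incoming Claim" and "Permit all users" templates generate.

```powershell
# Added example (not from the page): script the AD FS relying party trust and
# export the primary token-signing certificate as Base-64 X.509 for Bintray.
# Requires the ADFS module (Windows Server 2012 R2 or later) and an AD FS admin session.
Import-Module ADFS

$displayName = 'Bintray'                              # step 7
$identifier  = 'https://bintray.com/jfrogsupport'     # steps 11 and 20: must match Bintray's SAML Service Provider Name exactly
$acsUrl      = 'https://<SAML_ACS_URL_FROM_BINTRAY>'  # PLACEHOLDER: copy from Bintray's SAML Authentication page (step 10)
$pemPath     = Join-Path $env:USERPROFILE 'Desktop\bintray.cer'  # where step 24 saves the certificate (assumed path)

# Steps 10 and 14: SAML 2.0 WebSSO, Assertion Consumer Service endpoint, POST binding.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Steps 17 and 18: "Transform an Incoming Claim" template, Windows Account Name -> Name ID,
# outgoing name ID format left as Unspecified (claim-type URIs assumed to be the standard AD FS ones).
$transformRules = @'
@RuleTemplate = "MapClaims"
@RuleName = "Claims Transform"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Step 13: "Permit all users to access this relying party". A trust created from PowerShell
# without an issuance authorization rule permits nobody, so this rule is required.
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 5 through 19 in one call. Step 9 (token encryption certificate) is skipped,
# matching the walkthrough, so no -EncryptionCertificate is supplied.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $identifier `
    -SamlEndpoint $acsEndpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# Steps 21 through 25: export the PRIMARY token-signing certificate (not the secondary one
# staged for rollover, and not the service-communications certificate) as Base-64 X.509 (.CER).
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $pemPath -Value $pem -Encoding Ascii

# Check before pasting into Bintray (step 26): confirm which certificate was exported and
# that it is still valid, since an expired or rotated signing certificate makes every assertion fail.
"Exported   : $pemPath"
"Thumbprint : $($signing.Thumbprint)"
"Valid until: $($signing.Certificate.NotAfter)"
```

Two points worth keeping in mind when running this instead of clicking through the console: the relying party identifier and Bintray's SAML Service Provider Name are compared as exact strings, so a trailing slash or a different host name breaks the trust; and AD FS rolls its token-signing certificate over automatically by default (AutoCertificateRollover), so when the primary certificate changes the new one has to be exported and pasted into Bintray again or logins will start failing signature validation.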