Access MyJFrog with Your SAML SSO
Configure SAML SSO for your MyJFrog portal so users sign in with their corporate IdP credentials and automatically receive role-based permissions.
Note
This feature is supported on the SaaS platform with an Enterprise X or Enterprise+ subscription.
This page describes how to configure Single Sign-On (SSO) with your organization's Identity Provider (IdP) for users of your subscription’s MyJFrog portal. SSO integration lets your users access MyJFrog with their existing corporate credentials, ensuring centralized security and improved user experience.
In addition, you can map departments, roles, or other attributes of your IdP user profile to JFrog roles and permissions. Users automatically receive the correct permissions in JFrog. SSO integration eliminates extra login steps and enhances security.
After this integration:
- When user accounts in your organization's domain access MyJFrog, they are automatically authenticated with their IdP credentials instead of a separate MyJFrog password.
- Users automatically receive role-based permissions in MyJFrog based on user definitions in the IdP.
- (Optional) When a user in your organization first accesses MyJFrog, a MyJFrog user is automatically created.
Scope: This procedure provisions SSO for users of your MyJFrog subscription administration portal. Your JFrog Platform may include users limited to individual JFrog Platform Deployment sites. Use other procedures to configure SSO for users of a JFrog Platform Deployment.
Process and Participants: If JFrog facilitates an integration session, plan roughly 30 minutes or less. Your organization's JFrog and SAML SSO admins must be present and online to configure the integration.
Gather Information and Plan SSO Behavior
For more efficient integration, prepare the following information and consider these implementation options before the meeting.
| Item | Example | Notes |
|---|---|---|
| SAML domain(s) | example.com | Typically, your corporate email domain. In some cases JFrog may ask you to document ownership of your subscription domain(s). |
| IdP vendor | Okta, Microsoft Entra ID (Azure AD), Google Workspace, Ping, ADFS, other | Service definition user interface may differ for each vendor. |
| Number of JFrog subscriptions | 2 | Your organization's MyJFrog portal can support several JFrog subscriptions. |
| Single or multi-domain? | "We want one SAML configuration for all our domains" | Business and security decision |
| Just-in-Time provisioning | Open: any employee in your IdP can access MyJFrog. On first access, a MyJFrog user is created with roles based on the employee's IdP group information. Closed: only existing MyJFrog users can access MyJFrog. Other employees must be invited. | |
| Strict or Permissive Rollout | Strict SSO: Users can authenticate only via SSO. Existing MyJFrog passwords may be removed as part of strict enforcement. Permissive SSO: Existing MyJFrog users may use alternate login methods. | New MyJFrog users must use SSO, and cannot create a MyJFrog password. |
| IdP-initiated Login? | Users can launch MyJFrog from their IdP application dashboard. |
Plan User Attribute Mapping
During SAML Sign-On, JFrog must receive the following unique user account values from the IdP. Define the IdP user account attributes that map to these core JFrog user attributes.
| MyJFrog user attribute | IdP attribute |
|---|---|
| FirstName | |
| SecondName |
In addition, decide how IdP group membership (or equivalent SAML attribute values) should map to core MyJFrog roles. Expand this table as necessary to assign users to Global or Project roles you defined in JFrog.
| MyJFrog role | IdP group name (or SAML attribute value) |
|---|---|
| Admin | |
| Technical Member | |
| Finance Member |
Configure the SAML Integration
In SSO interaction, JFrog acts as a Service Provider (SP) or application that requests authentication from your organization’s Identity Provider (IdP).
Configuration Overview
- Your JFrog Admin accesses MyJFrog and generates identifying URLs and required certificates based on your subscription information.
- Your organization’s IdP Admin uses these values to define MyJFrog as an application or SP.
- The IdP Admin generates identifying URLs to complete the handshake with MyJFrog.
- The MyJFrog Admin uses these identifiers to define the IdP in MyJFrog.
- The MyJFrog Admin maps IdP user groups to MyJFrog roles to automatically grant user permissions.
To set up SSO access to MyJFrog:
MyJFrog Admin:
-
In MyJFrog, go to Settings > SAML Configuration and click Configure SAML.
The Create SAML Configuration dialog box opens. -
In the Organization Domain dropdown list, select a domain associated with one of your subscriptions. MyJFrog generates values for the following configuration fields:
- ACS URL: The Assertion Consumer Service (ACS) URL, also known as the Service Provider URL, is the HTTPS endpoint exposed by MyJFrog to receive authentication responses from the IdP.
- Entity ID: Also known as the Service Provider ID, this unique value identifies the MyJFrog service provider as the Issuer in SSO requests, and the Audience URI in responses.
- Bookmark URL: (Optional) To let users access MyJFrog from their application dashboard, the IdP can place this link to MyFrog on the dashboard. Share a JFrog logo bitmap with the IdP admin if this option is implemented.
Copy and save these values, and share them with your organization’s IdP admin.
IdP Admin:
-
Define the MyJFrog service provider application, with the SAML-2.0 sign-in method and the URIs provided by the MyJFrog admin. To complete the SAML handshake, generate the following data and share it with the JFrog Admin. Typically these values are accessed from an SP onboarding page or via API.
Parameter Description Single Sign-On URL The URL exposed by the IdP to receive authentication requests from the MyJFrog SP. Entity ID / Issuer Your IdP’s unique Entity ID. This is the Audience in SAML Requests and the Issuer in SAML responses. Signing Certificate The Okta certificate used to validate the signed SAML response. Single Logout URL (Optional) If the IdP uses a separate URL for logout, copy it as well. -
Define SAML field mappings (also called attribute statements) that map basic identifying fields of the user profile in the IdP platform to corresponding user fields in MyJFrog. At minimum, you must map the base
emailattribute of the JFrog user profile to an IdP attribute. It is recommended to map other basic name fields such asfirstNameandlastName. -
Define attribute statements that map IdP profile values to JFrog user groups. Typically this is a SAML Group Attribute statement. Values of this attribute are mapped to the user's permissions in MyJFrog.
-
Share the following information with the MyJFrog Admin:
- SAML handshake parameters and signing certificate.
- Attributes used to communicate basic, unique user identifiers:
email,firstName, andlastName. - The IdP Group Attribute or other attribute statements that return role-related information to JFrog.
MyJFrog Admin:
-
In MyJFrog, return to Settings > SAML Configuration.
Click Configure SAML and select the domain you selected in Step 2. Enter the values you received from the IdP admin as follows.Field Value to Enter Display Name A unique name for this SAML configuration. Single Sign-On URL The Sign-On URL value. Identity Provider Entity ID The Issuer value. Single Logout URL (Optional) If the IdP uses a separate URL for logout, paste it here. If this value is not provided, users may stay logged in to the IdP even after they log out of MyJFrog. -
Select the Configure SAML Security & Certificates option. In the X.509 Certificate dialog box, upload or paste the signing certificate.
(Optional) To secure assertion messages from JFrog to the IdP, select the Enable Service Provider Signing certificate option and click the icon to generate and download a certificate. Share this certificate with the IdP Admin.
-
Define mapping of basic user attributes, as follows.
Field Description Email Attribute Name The IdP user attribute that populates the JFrog emailattribute.First Name Attribute Name The IdP user attribute that populates the JFrog firstNameattribute.Last Name Attribute Name The IdP user attribute that populates the JFrog lastNameattribute. -
(Optional) To implement Just-in-Time provisioning, select Auto Create Users to automatically create user accounts if they do not yet exist in JFrog.
-
Map the role and permission information the IdP provides to MyJFrog roles.
In Group Attribute Name enter the name of IdP user attribute that holds role information. This is theNamefield of a SAML group attribute statement. Use the following fields to map returned values of this group attribute to predefined user roles in JFrog.
- Attribute Value: The value matched and returned by a Group Attribute Statement in the IdP.
- System Role: The MyJFrog role to give users with this attribute value.
You can map several IdP values to a single MyJFrog user role, but there must be a mapping rule for each IdP value. This corresponds to the number of Group Attribute Statements defined in the IdP.
-
Click Save to store and use the SAML configuration. Logins by MyJFrog users with email addresses associated with the domain you specified are automatically redirected to the IdP.
-
To confirm successful configuration, browse to the MyJFrog portal. Enter a valid email address in the SAML-enabled domain and click Sign in. You are redirected to the IdP, and can access MyJFrog after authentication by the IdP.
-
If your subscription includes multiple domains, repeat this procedure. Specify another domain in Step 2. Fields that are not domain specific are retained for uniformity across all domains.
Related Topics
Updated 23 days ago
