Access MyJFrog with Your SAML SSO
This feature is supported on the Cloud (SaaS) platform with a Pro, Enterprise X, or Enterprise+ license.
This page describes how to configure Single Sign-On (SSO) with your organization's Identity Provider (IdP) for users of your subscription's MyJFrog portal. SSO integration lets your users access MyJFrog with their existing corporate credentials, ensuring centralized security and improved user experience.
In addition, you can map departments, roles, or other attributes of your IdP user profile to JFrog roles and permissions. Users automatically receive the correct permissions in JFrog. SSO Integration eliminates extra login steps and enhances security.
After this integration:
- When user accounts in your organization's domain access MyJFrog, they are automatically authenticated with their IdP credentials instead of a separate MyJFrog password.
- Users automatically receive role-based permissions in MyJFrog based on user definitions in the IdP.
- (Optional) When a user in your organization first accesses MyJFrog, a MyJFrog user is automatically created.
Scope: This procedure provisions SSO for users of your MyJFrog subscription administration portal. Your JFrog deployment may include users limited to individual JPD sites. Use other procedures to configure SSO for users of a JPD.
Process and Participants: If JFrog facilitates an integration session, plan roughly 30 minutes or less. Your organization's JFrog and SAML SSO admins must be present and online to configure the integration.
Gather Information and Plan SSO Behavior
For more efficient integration, prepare the following information and consider these implementation options before the meeting.
| Item | Example | Notes |
|---|---|---|
| SAML domain(s) | | Typically, your corporate email domain. |
| IdP vendor | Okta, Microsoft Entra ID (Azure AD), Google Workspace, Ping, ADFS, other | Service definition user interface may differ for each vendor. |
| Number of JFrog subscriptions | 2 | Your organization's MyJFrog portal can support several JFrog subscriptions. |
| Single or multi-domain? | "We want one SAML configuration for all our domains" | Business and security decision |
| Just-in-Time provisioning | Open - any employee in your IdP can access MyJFrog. On first access, a MyJFrog user is created with roles based on the employee's IdP group information. Closed - only existing MyJFrog users can access MyJFrog. Other employees must be invited. | |
| Strict or Permissive Rollout | Strict SSO: Users can authenticate only via SSO. Existing MyJFrog passwords may be removed as part of strict enforcement. Permissive SSO: Existing MyJFrog users may use alternate login methods. | New MyJFrog users must use SSO, and cannot create a MyJFrog password. |
| IdP-initiated Login? | Users can launch MyJFrog from their IdP application dashboard. | |
In addition, decide how IdP group membership (or equivalent SAML attribute values) should map to core MyJFrog roles.
| MyJFrog role | IdP group name (or SAML attribute value) |
|---|---|
| Admin | |
| Technical Member | |
| Finance Member | |
Configure the Integration
In SSO interaction, JFrog acts as a Service Provider (SP) or Application that requests authentication from your organization's Identity Provider (IdP).
- Your JFrog Admin accesses MyJFrog and generates identifying URLs and required certificates based on your subscription information.
- Your organization's IdP Admin uses these values to define MyJFrog as an application/SP.
- The IdP Admin generates identifying URLs to complete the handshake with MyJFrog.
- The MyJFrog Admin uses these identifiers to define the IdP in MyJFrog.
- The MyJFrog Admin maps IdP user groups to MyJFrog roles to automatically grant user permissions.
To set up SSO access to MyJFrog:
MyJFrog Admin:
- In MyJFrog, go to Settings > SAML Configuration and click Configure SAML.
- In the Create SAML Configuration dialog, select a domain associated with one of your subscriptions. MyJFrog generates values for the following configuration fields:
  - SP ID: Also known as the Service Provider Entity ID. This unique value identifies the MyJFrog service provider as the Issuer in SSO requests, and the Audience URI in responses.
  - SP URL: Also known as the SSO URL or the Assertion Consumer Service (ACS) URL, this is the HTTPS endpoint exposed by MyJFrog to receive authentication responses from the IdP.
  - (Optional) Bookmark URL: This URL allows users to launch MyJFrog from their IdP application dashboard. Include a logo to identify the MyJFrog app in authentication interactions.
- Close the Create SAML Configuration dialog. Copy and save these values, and share them with your organization's IdP admin.
IdP Admin:
- To complete SSO setup on your IdP platform:
  - Define the MyJFrog service provider app, with the SAML-2.0 sign-in method and the URIs provided by the MyJFrog admin.
  - Define SAML field mappings (also called attribute statements) that map basic identifying fields of the user profile in the IdP platform to corresponding user fields in MyJFrog. At minimum, you must map the base email attribute of the JFrog user profile to an IdP attribute. It is recommended to map other basic name fields.
  - Define additional attribute statements that map IdP profile values to JFrog user groups. These mappings automatically provision the user's permissions in MyJFrog.
- To complete the SAML handshake, generate the following data and share it with the JFrog Admin. Typically these values are accessed from an SP onboarding page or via API:
  - Sign-On URL - The URL exposed by your IdP to receive authentication requests from the MyJFrog SP.
  - Issuer - Your IdP's unique Entity ID. This is the Audience in SAML Requests and the Issuer in SAML responses.
  - Signing Certificate - The Okta certificate used to validate the signed SAML response.
- (Optional) Create a Bookmark app with the URL and logo graphic you received from the MyJFrog Admin.
MyJFrog Admin:
- In MyJFrog, return to Settings > SAML Configuration.
- Click Configure SAML and select the domain you selected in Step 2. Enter the values you received from the IdP admin as follows:
  - In Add Single Sign-On URL paste the sign-on URL.
  - In Add Identity Provider Entity ID paste the Issuer.
  - In Add X.509 Certificate paste the signing certificate.
- Enter the JFrog attributes used in the SAML handshake, as follows:
  - Email Attribute Name is email.
  - First Name Attribute Name is firstName.
  - Last Name Attribute Name is lastName.
- (Optional) To implement Just-in-Time provisioning, select Auto Create Users to automatically create user accounts if they do not yet exist in JFrog.
- Map the role/permission information the IdP provides to MyJFrog roles.
  In SAML Group Attribute enter the name of the user attribute the IdP populates with role information. This is the Name field of a group attribute statement.
  Use the following fields to map returned values of the SAML Group Attribute to predefined user roles in JFrog.
  - SAML Attribute Value - The value matched and returned by a Group Attribute Statement in the IdP.
  - System Role - The MyJFrog role to give users with this SAML group attribute value.

  You can map several IdP values to a single MyJFrog user role, but there must be a mapping rule for each IdP value. This corresponds to the number of Group Attribute Statements defined in the IdP.
- Click Save to store the SAML configuration. Logins by MyJFrog users with email addresses associated with the domain you specified are automatically redirected to the IdP.
- To confirm successful configuration, browse to https://my.jfrog.com. Enter a valid email address in the SAML-enabled domain and click Sign in. You are redirected to the IdP, and can access MyJFrog after authentication by the IdP.
- If your subscription includes multiple domains, repeat this procedure. Specify another domain in Step 1. Fields that are not domain specific are retained for uniformity across all domains.
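
The following pre-rollout check is an added example, not JFrog code: it reads the attribute statement an IdP would send and reports which planned role rules match and which group values have no rule, so gaps in the mapping are found before Strict SSO is enforced. The group attribute name `groups`, the group values, the `example.com` domain, the domain check and the function names are assumptions; it inspects attribute content only and does not validate the SAML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of an IdP attribute statement (not captured traffic).
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>dana@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Dana</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Lee</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>jfrog-admins</saml:AttributeValue>
    <saml:AttributeValue>platform-eng</saml:AttributeValue>
    <saml:AttributeValue>all-staff</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

GROUP_ATTRIBUTE = "groups"  # assumed value entered in the SAML Group Attribute field
# One rule per IdP value (SAML Attribute Value -> System Role); values may share a role.
ROLE_RULES = {
    "jfrog-admins": "Admin",
    "platform-eng": "Technical Member",
    "sre": "Technical Member",
    "billing": "Finance Member",
}

def read_attributes(statement_xml):
    """Return {attribute name: [values]} from an AttributeStatement."""
    root = ET.fromstring(statement_xml.strip())
    return {
        attr.get("Name"): [v.text.strip()
                           for v in attr.findall("saml:AttributeValue", NS) if v.text]
        for attr in root.findall("saml:Attribute", NS)
    }

def resolve(statement_xml, saml_domain):
    """Report matched roles and group values that have no mapping rule."""
    attrs = read_attributes(statement_xml)
    email = (attrs.get("email") or [""])[0].lower()
    # Assumed check: the mandatory email attribute must fall in the SAML domain.
    if not email.endswith("@" + saml_domain.lower()):
        raise ValueError("email attribute missing or outside the SAML domain")
    values = attrs.get(GROUP_ATTRIBUTE, [])
    roles = sorted({ROLE_RULES[v] for v in values if v in ROLE_RULES})
    unmapped = [v for v in values if v not in ROLE_RULES]
    return {"email": email, "roles": roles, "unmapped": unmapped}
```

A user whose result has an empty `roles` list matches no rule; how MyJFrog treats that case, or a user matching several roles, is not stated on this page, so confirm it during the integration session.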