Security Configurations in Artifactory YAML

Security configuration settings including authentication, access control, and encryption in the Artifactory YAML configuration file.

General (anonymous access)
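# Security configuration (LDAP, SAML, Password Policy, ...)
security:
  # When set, anonymous access is enabled for the set of permissions assigned
  # to the default "anonymous" user.
  # NOTE(review): with the sample value true, unauthenticated clients get
  # whatever the anonymous user is permitted. Use false unless anonymous
  # access is intended, and review the anonymous user's permissions if it is.
  anonAccessEnabled: true
  # Deprecated from Artifactory version 6.6.
  # Gives more control over anonymous access: it lets you prevent anonymous
  # users from accessing the Build module, where all information related to
  # builds is found, even when anonymous access is enabled.
  anonAccessToBuildInfosDisabled: false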
userLockPolicy
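# Security configuration (LDAP, SAML, Password Policy, ...)
security:
  # User lock policy configuration
  userLockPolicy:
    # When set, the lock policy is enabled.
    # NOTE(review): with the sample value false, loginAttempts below has no
    # effect, so failed logins are not limited by this policy.
    enabled: false
    # Lock the user after the maximum number of failed login attempts is
    # exceeded.
    loginAttempts: 5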
passwordSettings
# Security configuration (LDAP, SAML, Password Policy, ...)
security:
  # Password settings
  passwordSettings:
    # Determines the password requirements for users identified to
    # Artifactory from a remote client such as Maven. The options are:
    #   SUPPORTED (default): users can authenticate using secure encrypted
    #     passwords or clear-text passwords.
    #   REQUIRED: users must authenticate using secure encrypted passwords;
    #     clear-text authentication fails.
    #   UNSUPPORTED: only clear-text passwords can be used for
    #     authentication.
    # NOTE(review): the value below lists the three options as alternatives;
    # presumably exactly one of them is meant to be configured - confirm.
    # REQUIRED is the only option described here that rejects clear-text
    # passwords.
    encryptionPolicy: REQUIRED | SUPPORTED | UNSUPPORTED
    # Password expiration policy
    expirationPolicy:
      # When set, the password expiration policy is enabled.
      enabled: false
      # The time interval after which users are obliged to change their
      # password.
      # NOTE(review): the unit is not stated on this page (presumably days) -
      # confirm.
      passwordMaxAge: 60
      # When set, users receive an email notification a few days before their
      # password expires.
      notifyByEmail: true
ldapSettings
# Security configuration (LDAP, SAML, Password Policy, ...)
security:
  # LDAP server(s) settings
  ldapSettings:
    # The unique ID of the LDAP setting
    ldap1:
      # An attribute that can be used to map a user's email to a user created
      # automatically by Artifactory.
      emailAttribute: email1
      # When set to true (recommended), Artifactory protects against LDAP
      # poisoning by filtering out users exposed to the vulnerability.
      ldapPoisoningProtection: true
      # Location of the LDAP server, in the format
      # ldap://myserver:myport/dc=sampledomain,dc=com. The URL should include
      # the base DN used to search for and/or authenticate users.
      # NOTE(review): a plain ldap:// URL does not by itself encrypt the
      # connection, so the manager password and user credentials can cross
      # the network in clear text; prefer ldaps:// where the directory
      # offers it.
      ldapUrl: ldap://myserver:myport/dc=sampledomain,dc=com
      search:
        # The full DN of a user with permissions that allow querying the LDAP
        # server. When working with LDAP Groups, the user should have
        # permissions for any extra group attributes such as memberOf.
        managerDn: manager1
        # The password of the user binding to the LDAP server when using
        # "search" authentication.
        # NOTE(review): managerpass1 is a placeholder. A real bind password
        # written here is readable by anyone who can read this file, so
        # restrict access to the file and keep it out of version control.
        managerPassword: managerpass1
        # The context name in which to search, relative to the base DN in the
        # LDAP URL. Multiple search bases may be specified, separated by a
        # pipe ( | ). This parameter is optional.
        searchBase: searchbase1
        # A filter expression used to search for the user DN that is used in
        # LDAP authentication. For example, (uid={0}) searches for a username
        # match on the uid attribute. If the search succeeds, authentication
        # using LDAP is performed from the DN found.
        searchFilter: searchfilter1
        # When set, enables deep search through the sub-tree of the LDAP URL
        # + search base.
        searchSubTree: true
      # A DN pattern used to log users directly in to the LDAP database. The
      # pattern is used to create a DN string for "direct" user
      # authentication and is relative to the base DN in the LDAP URL.
      # For example: uid={0},ou=People
      userDnPattern: userppatt1
      # When set, users created after logging in using LDAP are able to
      # access their profile page in Artifactory.
      allowUserToAccessProfile: false
      # When set, Artifactory automatically creates new users for those who
      # have logged in using LDAP and assigns them to the default groups.
      # NOTE(review): with true, every account that can log in through this
      # LDAP setting receives the default groups' permissions; keep those
      # groups minimal.
      autoCreateUser: true
      # When set, these settings are enabled.
      enabled: true
      # When set, enables paging support.
      pagingSupportEnabled: true
ldapGroupSettings
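# Security configuration (LDAP, SAML, Password Policy, ...)
security:
  # LDAP group(s) settings
  ldapGroupSettings:
    # The unique ID of the LDAP group setting
    name1:
      # An attribute on the group entry denoting the group description.
      # Used when importing groups.
      descriptionAttribute: desc1
      # The LDAP setting (from the ldapSettings section) you want to use for
      # group retrieval.
      # NOTE(review): presumably this is the ID of an ldapSettings entry
      # (such as ldap1) rather than a boolean - confirm.
      enabledLdap: enabled1
      # The LDAP filter used to search for group entries. Used when importing
      # groups.
      filter: filter1
      # A search base for group entry DNs, relative to the DN on the LDAP
      # server's URL (and not relative to the LDAP setting's "searchBase").
      # Used when importing groups.
      groupBaseDn: groupbase1
      # A multi-value attribute on the group entry containing user DNs or IDs
      # of the group members (e.g., uniqueMember, member).
      groupMemberAttribute: uniqueMember
      # Attribute on the group entry denoting the group name. Used when
      # importing groups.
      groupNameAttribute: groupName
      # Group synchronization strategy.
      # NOTE(review): the value below lists the three options as
      # alternatives; presumably exactly one is meant to be configured -
      # confirm.
      strategy: STATIC | DYNAMIC | HIERARCHY
      # NOTE(review): not described on this page; by analogy with
      # searchSubTree in ldapSettings it presumably controls sub-tree search
      # below groupBaseDn - confirm.
      subTree: false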
crowdSettings
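# Security configuration (LDAP, SAML, Password Policy, ...)
security:
  # Crowd / JIRA users management configuration
  crowdSettings:
    # NOTE(review): not described on this page; how it differs from
    # enableIntegration below is unclear - confirm before relying on it.
    enable: false
    # The application name configured for Artifactory in Crowd / JIRA.
    applicationName: myApp
    # The application password configured for Artifactory in Crowd / JIRA.
    # NOTE(review): "password" is a placeholder. A real application password
    # written here is readable by anyone who can read this file, so restrict
    # access to the file and keep it out of version control.
    password: password
    # The full URL of the server to use.
    # NOTE(review): the sample uses http://. Over plain HTTP whatever is sent
    # to this server, presumably including the application password, is not
    # encrypted; use an https:// URL for a real deployment.
    serverUrl: http://someurl.com
    # The time window, in minutes, in which the session does not need to be
    # revalidated.
    sessionValidationInterval: 5
    # Set to enable security integration with Atlassian Crowd or JIRA.
    enableIntegration: false
    # When set to true, authenticated users are not automatically created
    # inside Artifactory. Instead, for every request from a Crowd / JIRA
    # user, the user is temporarily associated with default groups (if such
    # groups are defined), and the permissions for these groups apply.
    noAutoUserCreation: false
    # If set and a default proxy definition exists, it is used to pass
    # through to the Crowd / JIRA server.
    useDefaultProxy: false
    # NOTE(review): the four keys below are not described on this page.
    allowUserToAccessProfile: false
    customCookieTokenKey: ""
    directAuthentication: false
    overrideAllGroupsUponLogin: false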
samlSettings
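# Security configuration (LDAP, SAML, Password Policy, ...)
security:
  # SAML SSO settings
  samlSettings:
    # When set, SAML integration is enabled and users may be authenticated
    # via a SAML server.
    enableIntegration: false
    # The X.509 certificate that contains the public key. The certificate
    # must contain the public key to allow Artifactory to verify sign-in
    # requests.
    certificate: certificate
    # If noAutoUserCreation is set to false or an internal user exists,
    # Artifactory sets the user's email to the value of this attribute as
    # returned in the SAML login XML response.
    # Left unset (null) in this sample.
    emailAttribute: null
    # The group attribute in the SAML login XML response.
    # Left unset (null) in this sample.
    groupAttribute: null
    # The identity provider login URL (when you try to log in, the service
    # provider redirects to this URL).
    # NOTE(review): the sample login and logout URLs use http://; a real
    # identity provider endpoint should be an https:// URL so the SAML
    # exchange is not exposed or altered in transit.
    loginUrl: http://someurl.com/login
    # The identity provider logout URL (when you try to log out, the service
    # provider redirects to this URL).
    logoutUrl: http://someurl.com/logout
    # The attribute that will be used as the username parameter in SAML SSO.
    # Left unset (null) in this sample.
    nameIdAttribute: null
    # When set, for every request from a SAML user, the user is temporarily
    # associated with default groups (if such groups are defined), and the
    # permissions for these groups apply. Without automatic user creation,
    # you must manually create the user inside Artifactory to manage user
    # permissions not attached to their default groups. When not set,
    # authenticated users are automatically created in Artifactory.
    noAutoUserCreation: true
    # The Artifactory name in the SAML federation.
    serviceProviderName: serviceProvider
    # When set, auto-created users have access to their profile page and can
    # perform actions such as generating an API key.
    allowUserToAccessProfile: false
    # When set, clicking on the login link directs users to the configured
    # SAML login URL.
    autoRedirect: false
    # When set, in addition to the groups the user is already associated
    # with, the user is also associated with the groups returned in the SAML
    # login response. This association is not persistent; it is only valid
    # for the current login session.
    syncGroups: false
    # When set, an additional verification step is performed against the
    # SAML server to validate SAML SSO authentication requests.
    # From Artifactory 7.7 this is set by default and cannot be disabled.
    # It is set by default in the JFrog Platform for new Artifactory
    # installations. When upgrading from a previous Artifactory release, it
    # is disabled only if SAML was already configured.
    verifyAudienceRestriction: true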
oauthSettings
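# Security configuration (LDAP, SAML, Password Policy, ...)
security:
  # OAuth SSO settings
  oauthSettings:
    # If set to true, authentication with an OAuth provider is enabled and
    # Artifactory displays all OAuth providers configured. If not set,
    # authentication is by Artifactory user/password.
    enableIntegration: false
    # When set, Artifactory creates an Artifactory user account for any new
    # user logging in to Artifactory for the first time.
    persistUsers: false
    # NOTE(review): not described on this page.
    allowUserToAccessProfile: false
    oauthProvidersSettings:
      github-oauth:
        # The unique ID of the OAuth provider setting.
        id: id
        # When set, the OAuth SSO provider setting is enabled.
        enabled: false
        # The URL used for API access, if needed to get user data
        # (e.g. https://api.github.com/user).
        apiUrl: https://api.github.com/user
        # The URL used for the initial authentication step
        # (e.g. https://github.com/login/oauth/authorize).
        authUrl: https://github.com/login/oauth/authorize
        # The URL used to acquire a token via basic auth
        # (e.g. https://github.com/).
        basicUrl: https://github.com/
        # NOTE(review): not described on this page.
        providerType: github
        # The OAuth2 shared secret, given by the provider.
        # NOTE(review): "secret" is a placeholder. A real shared secret
        # written here is readable by anyone who can read this file, so
        # restrict access to the file and keep it out of version control.
        secret: secret
        # The URL used to acquire a token from the provider.
        # NOTE(review): unlike the other URLs in this sample, this
        # placeholder uses http://. A real token endpoint should be an
        # https:// URL so that the shared secret and the issued tokens are
        # not sent in clear text.
        tokenUrl: http://someurl.com/token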
httpSsoSettings
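# Security configuration (LDAP, SAML, Password Policy, ...)
security:
  # HTTP SSO configuration
  httpSsoSettings:
    # When set, Artifactory trusts incoming requests and reuses the remote
    # user originally set on the request by the SSO of the HTTP server.
    # NOTE(review): once enabled, the request variable named below is taken
    # as the user's identity. Artifactory should then be reachable only
    # through the HTTP server that sets it, and that server should overwrite
    # any value supplied by the client.
    httpSsoProxied: false
    # The name of the HTTP request variable to use for extracting the user
    # identity. Default is: REMOTE_USER
    remoteUserRequestVariable: remoter
    # When set, users created after authenticating using HTTP SSO are able
    # to access their profile. This means they can generate their API key
    # and set their password for future use.
    allowUserToAccessProfile: false
    # When set to true, authenticated users are not automatically created
    # inside Artifactory. Instead, for every request from such a user, the
    # user is temporarily associated with default groups (if such groups are
    # defined), and the permissions for these groups apply.
    noAutoUserCreation: false
    # NOTE(review): not described on this page.
    syncLdapGroups: false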