Overview

The Single Sign-on (SSO) add-on lets you reuse exiting HTTP-based SSO infrastructures with Artifactory, such the SSO modules offerd by Apache HTTPd.
You can have Artifactory's authentication work with commonly available SSO solutions, such as native NTLM, Kerberos etc.
SSO works by letting Artifactory know what trusted information it should look for in the HTTP request, assuming this request has already been authenticated by the SSO infrastructure, which sits in front of Artifactory.

Usage

The Single Sign-on (SSO) add-on is available under Admin:Security:HTTP SSO.

To enable SSO you need to let Artifactory know that it is running behind a secure HTTP server that forwards trusted requests to it.

Next, you need to tell Artifactory where is the request to look for trusted authentication information.
The default is to look for the REMOTE_USER request variable, which is set by Apache's AJP and JK connectors.

You can choose to use any request attribute (as defined by the Servlet specification) by providing a different variable name.

Adding Your Own SSO Integration You can write a simple servlet filter to integrate with custom security systems and set a request attribute on the request to be trusted by the SSO add-on.

Finally, you can instruct Artifactory to treat externally authenticated users as temporary users, so that Artifactory dosen't create them in its security database. In this case, permissions for such users will be base on the permissions given to auto-join groups.

Integrating Apache and Tomcat

When Artifactory is deployed as a webapp on Tomcat behind Apache:
If using mod_proxy_ajp - Make sure to set tomcatAuthentication="false" on the AJP connector.
If using mod_jk - Make sure to use the JkEnvVar REMOTE_USER directive in Apache's configuration.