jfrog · redmoses · Jun 1, 2022 · Jun 1, 2022
diff --git a/config/samlConfig/README.md b/config/samlConfig/README.md
@@ -11,23 +11,37 @@ getSaml
 returned JSON string has the following fields:
 
 - `enableIntegration`: Whether SAML is enabled
+- `verifyAudienceRestriction`: A verification step has been set up opposite the SAML server to validate SAML SSO authentication requests
 - `loginUrl`: The SAML login URL
 - `logoutUrl`: The SAML logout URL
+- `certificate`: The SAML certificate as a base64 string
 - `serviceProviderName`: The SAML service provider name
 - `noAutoUserCreation`: Whether to automatically create users on SAML login
-- `certificate`: The SAML certificate as a base64 string
+- `allowUserToAccessProfile`: When selected, users created after authenticating using SAML, will be able to access their profile
+- `useEncryptedAssertion`: When set, an X.509 public certificate will be created by Artifactory. Download this certificate and upload it to your IDP and choose your own encryption algorithm. This process will let you encrypt the assertion section in your SAML response
+- `autoRedirect`: When set, clicking on the login link will direct the users to the configured SAML login URL
+- `syncGroups`: When set, in addition to the groups the user is already associated with, they will also be associated with the groups returned in the SAML login response
+- `groupAttribute`: The group attribute in the SAML login XML response
+- `emailAttribute`: If Auto Create Artifactory Users is enabled or an internal user exists, the system will set the user’s email to the value in this attribute that is returned by the SAML login XML response.
 
 For example:
 
 ```
 $ curl -u admin:password 'http://localhost:8081/artifactory/api/plugins/execute/getSaml'
 {
     "enableIntegration": true,
+    "verifyAudienceRestriction": true,
     "loginUrl": "http://mylogin",
     "logoutUrl": "http://mylogout",
+    "certificate": "my-certificate",    
     "serviceProviderName": "my-service-provider",
     "noAutoUserCreation": true,
-    "certificate": "my-certificate"
+    "allowUserToAccessProfile": false,
+    "useEncryptedAssertion": false,
+    "autoRedirect": false,
+    "syncGroups": true,
+    "groupAttribute": "groups",
+    "emailAttribute": "email"
 }
 ```
 

diff --git a/config/samlConfig/SamlConfigTest.groovy b/config/samlConfig/SamlConfigTest.groovy
@@ -19,7 +19,9 @@ class SamlConfigTest extends Specification {
             loginUrl: 'http://mylogin', logoutUrl: 'http://mylogout',
             serviceProviderName: 'my-service-provider',
             noAutoUserCreation: false,
-            certificate: 'my-certificate']
+            certificate: 'my-certificate',
+            groupAttribute: 'groups',
+            emailAttribute: 'email']
         conn = new URL("$baseurl/setSaml").openConnection()
         conn.doOutput = true
         conn.requestMethod = 'POST'
@@ -44,7 +46,9 @@ class SamlConfigTest extends Specification {
             loginUrl: 'http://mynewlogin', logoutUrl: 'http://mynewlogout',
             serviceProviderName: 'my-new-service-provider',
             noAutoUserCreation: true,
-            certificate: 'my-new-certificate']
+            certificate: 'my-new-certificate',
+            groupAttribute: 'groups',
+            emailAttribute: 'email']
         conn = new URL("$baseurl/setSaml").openConnection()
         conn.doOutput = true
         conn.requestMethod = 'POST'

diff --git a/config/samlConfig/samlConfig.groovy b/config/samlConfig/samlConfig.groovy
@@ -22,33 +22,62 @@ import org.artifactory.resource.ResourceStreamHandle
 def propList = ['enableIntegration': [
         Boolean.class, 'boolean',
         { c, v -> c.enableIntegration = v ?: false }
+    ], 'verifyAudienceRestriction': [
+        Boolean.class, 'boolean',
+        { c, v -> c.verifyAudienceRestriction = v ?: false }
     ], 'loginUrl': [
         CharSequence.class, 'string',
         { c, v -> c.loginUrl = v ?: null }
     ], 'logoutUrl': [
         CharSequence.class, 'string',
         { c, v -> c.logoutUrl = v ?: null }
+    ], 'certificate': [
+        CharSequence.class, 'string',
+        { c, v -> c.certificate = v ?: null }
     ], 'serviceProviderName': [
         CharSequence.class, 'string',
         { c, v -> c.serviceProviderName = v ?: null }
     ], 'noAutoUserCreation': [
         Boolean.class, 'boolean',
         { c, v -> c.noAutoUserCreation = v ?: false }
-    ], 'certificate': [
+    ], 'allowUserToAccessProfile': [
+        Boolean.class, 'boolean',
+        { c, v -> c.allowUserToAccessProfile = v ?: false }
+    ], 'useEncryptedAssertion': [
+        Boolean.class, 'boolean',
+        { c, v -> c.useEncryptedAssertion = v ?: false }
+    ], 'autoRedirect': [
+        Boolean.class, 'boolean',
+        { c, v -> c.autoRedirect = v ?: false }
+    ], 'syncGroups': [
+        Boolean.class, 'boolean',
+        { c, v -> c.syncGroups = v ?: false }
+    ], 'groupAttribute': [
+        CharSequence.class, 'string',
+        { c, v -> c.groupAttribute = v ?: null }
+    ], 'emailAttribute': [
         CharSequence.class, 'string',
-        { c, v -> c.certificate = v ?: null }]]
+        { c, v -> c.emailAttribute = v ?: null }
+    ]]
 
 executions {
     getSaml(version: '1.0', httpMethod: 'GET') { params ->
         def cfg = ctx.centralConfig.descriptor.security.samlSettings
         if (cfg == null) cfg = new SamlSettings()
         def json = [
             enableIntegration: cfg.isEnableIntegration() ?: false,
+            verifyAudienceRestriction: cfg.verifyAudienceRestriction ?: false,
             loginUrl: cfg.loginUrl ?: null,
             logoutUrl: cfg.logoutUrl ?: null,
+            certificate: cfg.certificate ?: null,
             serviceProviderName: cfg.serviceProviderName ?: null,
             noAutoUserCreation: cfg.noAutoUserCreation ?: false,
-            certificate: cfg.certificate ?: null]
+            allowUserToAccessProfile: cfg.allowUserToAccessProfile ?: false,
+            useEncryptedAssertion: cfg.useEncryptedAssertion ?: false,
+            autoRedirect: cfg.autoRedirect ?: false,
+            syncGroups: cfg.syncGroups ?: false,
+            groupAttribute: cfg.groupAttribute ?: null,
+            emailAttribute: cfg.emailAttribute ?: null]
         message = new JsonBuilder(json).toPrettyString()
         status = 200
     }