Overview

The Helix Authentication Service (HAS) is designed to enable certain Perforce products to integrate with your organization's Identity Provider (IdP).

HAS supports:

The officially supported example Identity Provider configurations include Auth0, Azure Active Directory, Okta (identity management), OneLogin, and Google Workspace for SAML. In addition, our initial testing with Shibboleth for SAML and Ping Identity has produced positive results. We expect that HAS can also work with Cisco Duo Security and probably any standard IdP.

Two guides for a complete solution

First Guide: This Guide focuses on configuring HAS with your IdP.

Second Guide: You will then use a different Guide to make your Perforce product work with HAS and your IdP, such as the

Important security consideration

Warning

The IdP authentication precedes and is separate from the Helix Core "ticket" and the ALM License Server login response. Therefore, when the user logs out of Helix Core, the user is not necessarily logged out from the IdP's perspective.

Logging out of a Helix Core or Helix ALM client does not invoke a logout with the IdP. Depending on the IdP, subsequently starting a Helix Core or Helix ALM client might result in the user being logged in again without being prompted to provide credentials.

Supported client applications and minimal versions

For Helix Core, see "Requirements" > "Perforce clients" under https://github.com/perforce/helix-authentication-extension/blob/master/README.md#perforce-clients

For Helix ALM or Surround SCM, see "Supported Clients" under Integrating with identity providers in the Helix ALM License Server Admin Guide.

For Hansoft, see Integrating with identity providers for single sign-on in the Hansoft System Administrator Guide.

Authentication flow

The process for authenticating a user depends on the Perforce product.

For Helix Core

See the "Overview" of the Administrator's Guide for Helix Authentication Extension under https://github.com/perforce.

For Helix ALM

See the "single sign-on flow" under Integrating the Helix ALM License Server with identity providers in the Helix ALM License Server Admin Guide.

For Hansoft

See the "single sign-on flow" under Integrating with identity providers for single sign-on in the Hansoft System Administrator Guide.

Load balancing

If you are using load balancing in front of HAS, configure your load balancer to:

  • preserve session cookies so the login sequence can succeed
  • use session affinity (sticky sessions) so that all requests from the client go to the same HAS instance