Overview
The Helix Authentication Service (HAS) is designed to enable certain Perforce products to integrate with your organization's Identity Provider (IdP).
HAS supports:
- Two protocols: Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
- HAS can work with one IdP per protocol. For example, you might want to use OpenID Connect with Azure Active Directory, and SAML with Google Workspace.
- Security-Enhanced Linux (SELinux) enabled in enforcing mode
The officially supported Example Identity Provider configurations include AuthO, Azur Active Directory, Okta (identity management), OneLogin, and Google Workspace for SAML. In addition, we have positive results with our initial testing with Shibboleth for SAML and Ping Identity. We expect that HAS can also work with Cisco Duo Security and probably any standard IdP.
Two guides for complete solution
First Guide | Second Guide | |
---|---|---|
This Guide focuses on configuring HAS with your IdP. |
You will then use a different Guide to make your Perforce product work with HAS and your IdP, such as the
|
Important security consideration
The IdP authentication precedes and is separate from the Helix Core "ticket" and the ALM License Server login reponse. Therefore, when the user logs out of Helix Core, the user is not necessarily logged out from the IdP's perspective.
Logging out of a Helix Core or Helix ALM client does not invoke a logout with the IdP. Depending on the IdP, subsequently starting a Helix Core or Helix ALM client might result with the user being logged in again without the user being prompted to provide credentials.
Supported client applications and minimal versions
For Helix Core, see "Requirements" > "Perforce clients" under https://github.com/perforce/helix-authentication-extension/blob/master/README.md#perforce-clients
For Helix ALM or Surround SCM, see "Supported Clients" under Integrating with identity providers in the Helix ALM License Server Admin Guide.
For Hansoft, see Integrating with identity providers for single sign-on in the Hansoft System Administrator Guide.
Authentication flow
The process for authenticating a user depends on the Perforce product.
For Helix Core
See the "Overview" of the Administrator's Guide for Helix Authentication Extension under https://github.com/perforce.
For Helix ALM
See the "single sign-on flow" under Integrating the Helix ALM License Server with identity providers in the Helix ALM License Server Admin Guide.
For Hansoft
See the See the "single sign-on flow" under Integrating with identity providers for single sign-on in the Hansoft System Administrator Guide.
Load balancing
If you are using load balancing in front of HAS, configure your load balancer to:
- preserve session cookies so the login sequence can succeed
- use session affinity (sticky sessions) so that all requests from the client go to the same HAS instance