Overview

The Helix Authentication Service (HAS) is designed to enable certain Perforce products to integrate with your organization's Identity Provider (IdP).

HAS supports:

Two protocols: Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
- HAS can work with one IdP per protocol. For example, you might want to use OpenID Connect with Azure Active Directory, and SAML with Google Workspace.
Security-Enhanced Linux (SELinux) enabled in enforcing mode

The officially supported Example Identity Provider configurations include AuthO, Azur Active Directory, Okta (identity management), OneLogin, and Google Workspace for SAML. In addition, we have positive results with our initial testing with Shibboleth for SAML and Ping Identity. We expect that HAS can also work with Cisco Duo Security and probably any standard IdP.

Two guides for complete solution

First Guide		Second Guide
This Guide focuses on configuring HAS with your IdP.		You will then use a different Guide to make your Perforce product work with HAS and your IdP, such as the Administrator's Guide for Helix Authentication Extension in https://github.com/perforce/helix-authentication-extension/tree/master/docs Helix ALM License Server Admin Guide Hansoft System Administrator Guide

First Guide

Second Guide

This Guide focuses on configuring HAS with your IdP.

You will then use a different Guide to make your Perforce product work with HAS and your IdP, such as the

Administrator's Guide for Helix Authentication Extension in https://github.com/perforce/helix-authentication-extension/tree/master/docs
Helix ALM License Server Admin Guide
Hansoft System Administrator Guide

Important security consideration

Warning

The IdP authentication precedes and is separate from the Helix Core "ticket" and the ALM License Server login reponse. Therefore, when the user logs out of Helix Core, the user is not necessarily logged out from the IdP's perspective.

Logging out of a Helix Core or Helix ALM client does not invoke a logout with the IdP. Depending on the IdP, subsequently starting a Helix Core or Helix ALM client might result with the user being logged in again without the user being prompted to provide credentials.

Supported client applications and minimal versions

For Helix Core, see "Requirements" > "Perforce clients" under https://github.com/perforce/helix-authentication-extension/blob/master/README.md#perforce-clients

For Helix ALM or Surround SCM, see "Supported Clients" under Integrating with identity providers in the Helix ALM License Server Admin Guide.

For Hansoft, see Integrating with identity providers for single sign-on in the Hansoft System Administrator Guide.

Authentication flow

The process for authenticating a user depends on the Perforce product.

For Helix Core

See the "Overview" of the Administrator's Guide for Helix Authentication Extension under https://github.com/perforce.

For Helix ALM

See the "single sign-on flow" under Integrating the Helix ALM License Server with identity providers in the Helix ALM License Server Admin Guide.

For Hansoft

See the See the "single sign-on flow" under Integrating with identity providers for single sign-on in the Hansoft System Administrator Guide.

Load balancing

If you are using load balancing in front of HAS, configure your load balancer to:

preserve session cookies so the login sequence can succeed
use session affinity (sticky sessions) so that all requests from the client go to the same HAS instance