Example Identity Provider configurations

This section:

  • provides details for several hosted identity providers, but is not an exhaustive list of supported identity providers
  • refers to variables that are described in OpenID Connect settings variables and SAML settings variables
    • for every occurrence of the SVC_BASE_URI variable in the instructions below, substitute the actual protocol, host, and port for the authentication service (for example, https://localhost:3000 for development environments). This address must match the URL that the identity provider is configured to recognize as the "SSO" or "callback" URL for the application.

Auth0

OpenID Connect

  1. From the admin dashboard, click the CREATE APPLICATION button.
  2. Enter a meaningful name for the application.
  3. Select the Regular Web Application button, then click Create.
  4. Open the Settings tab,
    1. Copy the Client ID and Client Secret values to the OIDC_CLIENT_ID and OIDC_CLIENT_SECRET settings in the service configuration
    2. For Allowed Callback URLs, add {SVC_BASE_URI}/oidc/callback
    3. For Allowed Logout URLs, add {SVC_BASE_URI}
    4. Scroll to the bottom of the Settings screen and click the Advanced Settings link.
    5. Find the Endpoints tab and select it.
  5. In a new browser tab,
    1. Open the OpenID Configuration value to get the raw configuration values.
    2. Find issuer and copy the value to OIDC_ISSUER_URI in the service config.

    3. Close the browser tab.
  6. At the bottom of the page, click the SAVE CHANGES button.

SAML 2.0

  1. From the admin dashboard, click the CREATE APPLICATION button.
  2. Enter a meaningful name for the application.
  3. Select the Regular Web Application button, then click Create.
  4. On the application Settings screen, add {SVC_BASE_URI}/saml/sso to the Allowed Callback URLs field.
  5. For Allowed Logout URLs add {SVC_BASE_URI}/saml/slo
  6. At the bottom of the page, click the SAVE CHANGES button.
  7. Click the Addons tab near the top of the application page.
  8. Click the SAML2 WEB APP button to enable SAML 2.0.
  9. Enter {SVC_BASE_URI}/saml/sso for the Application Callback URL
  10. Ensure the Settings block looks something like the following:
  11. {
    "signatureAlgorithm": "rsa-sha256",
    "digestAlgorithm": "sha256",
    "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    ],
    "logout": {
    "callback": "{SVC_BASE_URI}/saml/slo"
    }
    }
  12. Click the ENABLE button at the bottom of the page.
  13. On the Usage tab of the addon screen, copy the Identity Provider Login URL to the SAML_IDP_SSO_URL setting in the service configuration.
  14. To get the single logout URL, download the metadata and look for the SingleLogoutService element, copying the Location attribute value to SAML_IDP_SLO_URL in the config.

Azure Active Directory

OpenID Connect

  1. Visit the Microsoft Azure portal.
  2. Register a new application under Azure Active Directory.
  3. You can use a single app registration for both OIDC and SAML.
  4. For the redirect URI, enter {SVC_BASE_URI}/oidc/callback
  5. Copy the Application (client) ID to the OIDC_CLIENT_ID variable.
  6. Open the OpenID Connect metadata document URL in the browser.
    Click the Endpoints button from the app overview page.
  7. Copy the issuer URI and enter it as the OIDC_ISSUER_URI variable.
    If the issuer URI contains {tenantid}, replace it with the Directory (tenant) ID from the application overview page.
  8. Under Certificates & Secrets, click New client secret, copy the secret value to the OIDC_CLIENT_SECRET environment variable.
  9. Add a user account (such as guest) such that it has a defined email field.
    Note that "personal" accounts do not have the email field defined.
  10. Make sure the user email address matches the user in Active Directory.

SAML 2.0

  1. Visit the Microsoft Azure portal.
  2. Register a new application under Azure Active Directory.
  3. You can use a single app registration for both OIDC and SAML.
  4. Enter the auth service URL as the redirect URL.
  5. Copy the Application (client) ID to the SAML_SP_ENTITY_ID environment variable
  6. Open the API endpoints page.
    Click the Endpoints button from the app overview page
  7. Copy the SAML-P sign-on endpoint value to the SAML_IDP_SSO_URL environment variable.
  8. Copy the SAML-P sign-out endpoint value to the SAML_IDP_SLO_URL environment variable.
  9. Set the SAML_NAMEID_FORMAT environment variable to the value urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  10. Make sure the user email address matches the user in Active Directory.
  11. Configure the extension to use nameID as the name-identifier value.

SAML via Azure's Active Directory Gallery

These steps involve a template that might make configuration easier.

  1. Visit the Microsoft Azure portal.
  2. Select Azure Active Directory.
  3. Under Enterprise applications, click New Application.
  4. In the Add an application page, enter Perforce and select the Perforce Helix Core - Helix Authentication Service.
  5. Click the Add button.
  6. Wait for the application to be added.
  7. In Assign users and groups, add a user or a group.
  8. In the Single sign-on page, click SAML.
  9. In the Basic SAML Configuration section, configure the required fields:
    • For the Entity ID, enter the value from the SAML_SP_ENTITY_ID setting in the HAS service configuration.
    •  For the Reply URL, enter {SVC_BASE_URI}/saml/sso
    •  For the Sign on URL, enter {SVC_BASE_URI}
  10. Click the Save button.
  11. Click Single sign-on and navigate to SAML Signing Certificate area.
  12. Copy the value in the field for App Federation Metadata Url to the SAML_IDP_METADATA_URL variable.
  13. Make sure the user email address matches the user in Active Directory.
  14. Configure the extension to use nameID as the name-identifier value.

Okta

OpenID Connect

  1. On the Okta admin dashboard, click the Create a New application button, which is available in the "classic ui".
  2. Select Web as the Platform and OpenID Connect as the Sign on method.
  3. Provide a meaningful name on the next screen.
  4. For the Login redirect URIs, enter {SVC_BASE_URI}/oidc/callback
  5. For the Logout redirect URIs, enter {SVC_BASE_URI}
  6. On the next screen, find the Client ID and Client secret values and copy to the OIDC_CLIENT_ID and OIDC_CLIENT_SECRET service settings.
  7. From the Sign On tab, copy the Issuer value to OIDC_ISSUER_URI

If you are already logged into Okta, do one of the following:

  • assign that user to the application you just created
  • log out so you can log in again using the credentials for a user that is assigned to the application.

Otherwise you will immediately go to the login failed page, and the only indication of the cause is in the Okta system logs.

SAML 2.0

  1. On the Okta admin dashboard, click the Create a New application button, which is available in the "classic ui".
  2. Select Web as the Platform and SAML 2.0 as the Sign on method.
  3. Provide a meaningful name on the next screen.
  4. Click Save to go to the next screen.
  5. For the Single sign on URL, enter {SVC_BASE_URI}/saml/sso
  6. For the Audience URI, enter https://has.example.com
  7. Click the Show Advanced Settings link and check the Enable Single Logout checkbox.
  8. For the Single Logout URL, enter {SVC_BASE_URI}/saml/slo
  9. For the SP Issuer, enter https://has.example.com
  10. For Signature Certificate, select and upload the certs/server.crt file.
  11. Click the Next button to save the changes.
  12. There might be an additional screen to click through.
  13. From the Sign On tab, click the View Setup Instructions button and copy the values for IdP SSO and SLO URLs to the SAML_IDP_SSO_URL and SAML_IDP_SLO_URL settings in the environment.
  14. Configure the extension to use nameID as the name-identifier value.
  15. Configure the extension to use user as the user-identifier value.

If you are already logged into Okta, do one of the following:

  • assign that user to the application you just created
  • log out so you can log in again using the credentials for a user that is assigned to the application.

Otherwise you will immediately go to the login failed page, and the only indication of the cause is in the Okta system logs.

OneLogin

OpenID Connect

  1. From the admin dashboard, create a new app: search for "OIDC" and select OpenId Connect (OIDC) from the list.
  2. On the Configuration screen, enter {SVC_BASE_URI}/oidc/login for Login Url
  3. On the same screen, enter {SVC_BASE_URI}/oidc/callback for Redirect URI's
  4. Click the Save button.
  5. From the SSO tab, copy the Client ID value to the OIDC_CLIENT_ID environment variable.
  6. From the SSO tab, copy the Client Secret value to OIDC_CLIENT_SECRET (you might need to "show" the secret to enable the copy button).
  7. From the SSO tab, find the OpenID Provider Configuration Information link and open in a new tab.
  8. Find the issuer and copy the URL value to the OIDC_ISSUER_URI environment variable.
  9. Ensure the Application Type is set to Web.
  10. Ensure the Token Endpoint is set to Basic.

SAML 2.0

  1. From the admin dashboard, create a new app: search for "SAML" and select SAML Test Connector (Advanced) from the list.
  2. On the Configuration screen, enter https://has.example.com for Audience
  3. On the same screen, enter for Recipient
  4. For ACS (Consumer) URL Validator, enter .* to match any value
  5. For ACS (Consumer) URL, enter
  6. For Single Logout URL, enter
  7. For Login URL, enter
  8. For SAML initiator select Service Provider
  9. Click the Save button.
  10. From the SSO tab, copy the SAML 2.0 Endpoint value to the environment variable.
  11. From the SSO tab, copy the SLO Endpoint value to SAML_IDP_SLO_URL
  12. Configure the extension to use nameID as the name-identifier value.

Google G Suite IdP

Note that OpenID Connect is not supported.

SAML 2.0

  1. Visit the Google Admin console.
  2. Click the Apps icon.
  3. Click the SAML apps button.
  4. Click the Add a service/App to your domain link.
  5. Click the SETUP MY OWN CUSTOM APP link at the bottom of the dialog.
  6. On the Google IdP Information screen, copy the _SSO URL_ and _Entity ID_ values to the SAML_IDP_SSO_URL and SAML_IDP_ENTITY_ID environment variables.
  7. Click the NEXT button.
  8. For the ACS URL enter {SVC_BASE_URI}/saml/sso
  9. For the Entity ID enter https://has.example.com
  10. Click the NEXT button, and then FINISH, and then OK to complete the initial setup.
  11. On the Settings page for the new application, click the EDIT SERVICE button.
  12. Change the Service status to ON to enable users to authenticate with this application.

Next

See one of the following: