Overview of Helix Authentication Service

The Helix Authentication Service (HAS) is designed to enable certain Perforce products to integrate with your organization's Identity Provider (IdP).

HAS supports:

The officially supported Example Identity Provider configurations include AuthO, Azur Active Directory, Okta (identity management), OneLogin, Google G Suite IdP for SAML. In addition, we have positive results with our initial testing with Shibboleth for SAML and Ping Identity. We expect HAS can also work with Cisco Duo Security and probably any standard IdP.

Important security consideration


The IdP authentication precedes and is separate from the Helix Core "ticket" and the ALM License Server login reponse. Therefore, when the user logs out of Helix Core, the user is not necessarily logged out from the IdP's perspective.

Logging out of a Helix Core or Helix ALM client does not invoke a logout with the IdP. Depending on the IdP, subsequently starting a Helix Core or Helix ALM client might result with the user being logged in again without the user being prompted to provide credentials.

Helix Core, Helix ALM, and Hansoft

After you perform the tasks of Installing Helix Authentication Service, Configuring Helix Authentication Service, and Starting Helix Authentication Service, see one of the following:

Supported client applications and minimal versions

The client version must be equal to or greater than the version specified:

Helix Core Client Helix ALM or
Surround SCM


Hansoft Server 11.0

Sequence for Helix Core


Helix Core clients get a p4 ticket to log in from a Helix Core Server Extension on the Helix Core server. To learn about the necessary work with a Helix Core Server Extension, see Next steps for Helix Core.

Sequence for Helix ALM


For Helix ALM clients, the user gets a login response from the Helix ALM License Server. See Next steps for Helix ALM.

Sequence for Hansoft

See Integrating with identity providers for single sign-on in the Hansoft System Administrator Guide.

Load balancing

If you are using load balancing in front of HAS, configure your load balancer to:

  • preserve session cookies so the login sequence can succeed
  • use session affinity (sticky sessions) so that all requests from the client go to the same HAS instance