Example Identity Provider configurations
This section provides details for several hosted identity providers, but is not an exhaustive list of supported identity providers.
Auth0
OpenID Connect
- From the admin dashboard, click the CREATE APPLICATION button.
- Enter a meaningful name for the application.
- Select the Regular Web Application button, then click Create.
- In a new browser tab, open the OpenID Configuration value to get the raw configuration values.
- Find issuer and copy the value to OIDC_ISSUER_URI in the service config.
- Close the browser tab.
- At the bottom of the page, click the SAVE CHANGES button.
SAML 2.0
- From the admin dashboard, click the CREATE APPLICATION button.
- Enter a meaningful name for the application.
- Select the Regular Web Application button, then click Create.
- On the application Settings screen, add SVC_BASE_URI/saml/sso to the Allowed Callback URLs field.
- For Allowed Logout URLs, add SVC_BASE_URI/saml/slo
- At the bottom of the page, click the SAVE CHANGES button.
- Click the Addons tab near the top of the application page.
- Click the SAML2 WEB APP button to enable SAML 2.0.
- Enter SVC_BASE_URI/saml/sso for the Application Callback URL.
- Ensure the Settings block looks something like the following (the logout callback is SVC_BASE_URI followed by a single /saml/slo):
    {
      "signatureAlgorithm": "rsa-sha256",
      "digestAlgorithm": "sha256",
      "nameIdentifierProbes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      ],
      "logout": {
        "callback": "SVC_BASE_URI/saml/slo"
      }
    }
- Click the ENABLE button at the bottom of the page.
- On the Usage tab of the addon screen, copy the Identity Provider Login URL to the SAML_IDP_SSO_URL setting in the service configuration.
- To get the single logout URL, download the metadata and look for the SingleLogoutService element, copying the Location attribute value to SAML_IDP_SLO_URL in the config.
Azure Active Directory
OpenID Connect
- Visit the Microsoft Azure portal.
- Register a new application under Azure Active Directory.
- You can use a single app registration for both OIDC and SAML.
- For the redirect URI, enter SVC_BASE_URI/oidc/callback
- Copy the Application (client) ID to the OIDC_CLIENT_ID variable.
- Open the OpenID Connect metadata document URL in the browser; it is listed behind the Endpoints button on the app overview page.
- Copy the issuer URI and enter it as the OIDC_ISSUER_URI variable. If the issuer URI contains {tenantid}, replace it with the Directory (tenant) ID from the application overview page.
- Under Certificates & Secrets, click New client secret, then copy the secret value to the OIDC_CLIENT_SECRET environment variable.
- Add a user account (such as guest) that has a defined email field. Note that "personal" accounts do not have the email field defined.
- Make sure the user email address matches the user in Active Directory.
SAML 2.0
- Visit the Microsoft Azure portal.
- Register a new application under Azure Active Directory.
- You can use a single app registration for both OIDC and SAML.
- For the redirect URL, add the suffix /saml/sso to the string that represents the auth service URL.
- Copy the Application (client) ID to the SAML_SP_ENTITY_ID environment variable.
- Open the API endpoints page by clicking the Endpoints button from the app overview page.
- Copy the SAML-P sign-on endpoint value to the SAML_IDP_SSO_URL environment variable.
- Copy the SAML-P sign-out endpoint value to the SAML_IDP_SLO_URL environment variable.
- Set the SAML_NAMEID_FORMAT environment variable to the value urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Make sure the user email address matches the user in Active Directory.
- Configure the extension to use nameID as the name-identifier value.
SAML via Azure's Active Directory Gallery
These steps involve a template that might make configuration easier.
- Visit the Microsoft Azure portal.
- Select Azure Active Directory.
- Under Enterprise applications, click New Application.
- In the Add an application page, enter Perforce and select the Perforce Helix Core - Helix Authentication Service.
- Click the Add button.
- Wait for the application to be added.
- In Assign users and groups, add a user or a group.
- In the Single sign-on page, click SAML.
- In the Basic SAML Configuration section, configure the required fields:
- For the Entity ID, enter the value from the SAML_SP_ENTITY_ID setting in the HAS service configuration.
- For the Reply URL, enter SVC_BASE_URI/saml/sso
- For the Sign on URL, enter SVC_BASE_URI
- Click the Save button.
- Click Single sign-on and navigate to SAML Signing Certificate area.
- Copy the value in the field for App Federation Metadata Url to the SAML_IDP_METADATA_URL variable.
- Make sure the user email address matches the user in Active Directory.
- Configure the extension to use nameID as the name-identifier value.
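The values the Auth0 and Azure steps above have you copy by hand (the SingleSignOnService and SingleLogoutService locations and the signing certificate from the IdP metadata, and the OIDC issuer with its {tenantid} placeholder) can be extracted and checked programmatically. The following is an added example, not code from the HAS documentation or the service itself: it parses a constructed metadata document of the shape an IdP serves, and compares a configured OIDC_ISSUER_URI with the issuer field of a discovery document. The function names, the example.test URLs and the placeholder certificate are assumptions.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample with the shape of a real IdP metadata download (not real data).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIC...constructed-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/samlp/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/samlp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _location(idp, tag):  # HTTP-Redirect binding only; IdPs may also list HTTP-POST
    return next((el.get("Location") for el in idp.findall(f"md:{tag}", NS)
                 if el.get("Binding") == HTTP_REDIRECT), None)

def saml_settings_from_metadata(xml_text):
    """Return the SAML_IDP_* values the docs have you copy by hand, plus the IdP cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an IdP (no IDPSSODescriptor)")
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    if key is None:  # a KeyDescriptor without "use" covers both signing and encryption
        key = idp.find("md:KeyDescriptor", NS)
    cert = None if key is None else key.find(".//ds:X509Certificate", NS)
    pem = None if cert is None else "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        textwrap.wrap("".join(cert.text.split()), 64)) + "\n-----END CERTIFICATE-----\n"
    return {"SAML_IDP_ENTITY_ID": root.get("entityID"),
            "SAML_IDP_SSO_URL": _location(idp, "SingleSignOnService"),
            "SAML_IDP_SLO_URL": _location(idp, "SingleLogoutService"),
            "IDP_CERT_FILE_CONTENT": pem}  # PEM to save in the file IDP_CERT_FILE names

def check_oidc_issuer(configured_issuer, discovery):
    """Problems with OIDC_ISSUER_URI measured against the provider's discovery document."""
    problems = []
    if "{tenantid}" in configured_issuer:
        problems.append("OIDC_ISSUER_URI still contains the {tenantid} placeholder")
    if discovery.get("issuer") != configured_issuer:  # OIDC Discovery requires an exact match
        problems.append(f"discovery issuer {discovery.get('issuer')!r} != OIDC_ISSUER_URI")
    return problems
```

Run saml_settings_from_metadata on the downloaded metadata (or on the body fetched from SAML_IDP_METADATA_URL) and check_oidc_issuer on the JSON from the OpenID Connect metadata document before starting the service; a trailing slash or a leftover placeholder in the issuer is the usual cause of an otherwise silent login failure.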
Okta
You might want separate groups for internal users and external contractors. If so, see
https://developer.okta.com/docs/guides/configure-signon-policy/prompt-factor-group/
OpenID Connect
- On the Okta admin dashboard, navigate to the Applications screen and click the Create App Integration button.
- Select the OIDC - OpenID Connect option, then select the Web Application option.
- Select Web as the Platform and OpenID Connect as the Sign on method.
- Provide a meaningful name on the next screen.
- For the Sign-in redirect URIs, enter SVC_BASE_URI/oidc/callback
- For the Sign-out redirect URIs, enter SVC_BASE_URI
- On the next screen, find the Client ID and Client secret values and copy to the OIDC_CLIENT_ID and OIDC_CLIENT_SECRET service settings.
- From the Sign On tab, click the Edit button in the OpenID Connect ID Token section, and change the Issuer to the static Okta URL value.
- Click Save, then copy the Issuer value to OIDC_ISSUER_URI
If you are already logged into Okta, do one of the following:
- assign that user to the application you just created
- log out so you can log in again using the credentials for a user that is assigned to the application.
Otherwise you will immediately go to the login failed page, and the only indication of the cause is in the Okta system logs.
SAML 2.0
- On the Okta admin dashboard, navigate to the Applications screen and click the Create App Integration button.
- Select the SAML 2.0 option.
- Provide a meaningful name on the next screen.
- Click Next to go to the next screen.
- For the Single sign on URL, enter SVC_BASE_URI/saml/sso
- For the Audience URI, enter https://has.example.com
- Click the Show Advanced Settings link and check the Enable Single Logout checkbox.
- For the Single Logout URL, enter SVC_BASE_URI/saml/slo
- For the SP Issuer, enter https://has.example.com
- For Signature Certificate, select and upload the certs/server.crt file.
- Download the Okta public certificate, which is named X.509 Certificate and located on the same page as the SSO and SLO URLs.
- Save the X.509 Certificate file onto the HAS system.
- Set IDP_CERT_FILE to point to the X.509 Certificate file on the HAS system.
- Click the Next button to save the changes.
- There might be an additional screen to click through.
- From the Sign On tab, click the View SAML Setup Instructions button and copy the values for IdP SSO and SLO URLs to the SAML_IDP_SSO_URL and SAML_IDP_SLO_URL settings in the environment.
- Configure the extension to use nameID as the name-identifier value.
- Configure the extension to use user as the user-identifier value.
If you are already logged into Okta, do one of the following:
- assign that user to the application you just created
- log out so you can log in again using the credentials for a user that is assigned to the application.
Otherwise you will immediately go to the login failed page, and the only indication of the cause is in the Okta system logs.
OneLogin
OpenID Connect
- From the admin dashboard, create a new app: search for "OIDC" and select OpenId Connect (OIDC) from the list.
- On the Configuration screen, enter SVC_BASE_URI/oidc/login for Login Url
- On the same screen, enter SVC_BASE_URI/oidc/callback for Redirect URI's
- Click the Save button.
- From the SSO tab, copy the Client ID value to the OIDC_CLIENT_ID environment variable.
- From the SSO tab, copy the Client Secret value to OIDC_CLIENT_SECRET (you might need to "show" the secret to enable the copy button).
- From the SSO tab, find the OpenID Provider Configuration Information link and open in a new tab.
- Find the issuer and copy the URL value to the OIDC_ISSUER_URI environment variable.
- Ensure the Application Type is set to Web.
- Ensure the Token Endpoint is set to Basic.
SAML 2.0
- From the admin dashboard, create a new app: search for "SAML" and select SAML Test Connector (Advanced) from the list.
- On the Configuration screen, enter https://has.example.com for Audience
- On the same screen, enter https://has.example.com/saml/sso for Recipient.
- For ACS (Consumer) URL Validator, enter .* to match any value.
- For ACS (Consumer) URL, enter https://has.example.com/saml/sso
- For Single Logout URL, enter https://has.example.com/saml/slo
- For Login URL, enter https://has.example.com
- For SAML initiator select Service Provider
- Click the Save button.
- From the SSO tab, copy the SAML 2.0 Endpoint value to the environment variable.
- From the SSO tab, copy the SLO Endpoint value to SAML_IDP_SLO_URL
- Configure the extension to use nameID as the name-identifier value.
Google Workspace
OpenID Connect
Perforce has no documentation on this topic. A third party has posted https://github.com/google/perforce-utils/tree/master/google_sso, which might not be up to date.
SAML 2.0
- Visit the Google Admin console.
- Click the Apps icon.
- Click the SAML apps button.
- Click the Add a service/App to your domain link.
- Click the SETUP MY OWN CUSTOM APP link at the bottom of the dialog.
- On the Google IdP Information screen, copy the SSO URL and Entity ID values to the SAML_IDP_SSO_URL and SAML_IDP_ENTITY_ID environment variables.
- Click the NEXT button.
- For the ACS URL enter SVC_BASE_URI/saml/sso
- For the Entity ID enter https://has.example.com
- Click the NEXT button, and then FINISH, and then OK to complete the initial setup.
- On the Settings page for the new application, click the EDIT SERVICE button.
- Change the Service status to ON to enable users to authenticate with this application.