Release Notes for Helix Authentication Extension Version 2023.1 Introduction The Helix Authentication Extension is a Helix Core extension that integrates th the Helix Authentication Service to facilitate the integration of identity providers supporting either the OpenID Connect or SAML 2.0 authentication protocols. Perforce numbers releases YYYY.R/CCCCC, for example 2002.2/30547. YYYY is the year; R is the release of that year; CCCCC is the bug fix change level. Each bug fix in these release notes is marked by its change number. Any build includes (1) all bug fixes for all previous releases and (2) all bug fixes for the current release up to the bug fix change level. Important Notes Logging out of a Helix Core or Helix ALM client does not invoke a logout with the identity provider (IdP). Depending on the IdP, subsequently starting a Helix Core or Helix ALM client might result with the user being logged in again without the user being prompted to provide credentials. Supported Platforms Linux (x86_64) RHEL 7, 8 CentOS 7, 8.0 Ubuntu 18.04, 20.04, 22.04 The above platforms are tested and subject to regression testing on a frequent basis. Errors or bugs discovered in these platforms are prioritized for correction. Any platform not listed above is not actively tested by Perforce. Requirements Helix Core Server 2019.1 or higher Documentation The Helix Authentication Extension Administrator's Guide is publicly available on perforce.com. The guide details the steps for installation, upgrade, and configuration of the server extension. Known Limitations Perforce cannot guarantee and has not exhaustively tested the compatibility of 3rd Party Plugins with the Helix Authentication Service. It is up to each 3rd party plugin owner to make his/her plugin compatible. Users authenticating with the Helix Server will likely need to use one of the supported clients to authenticate. Once a valid P4 ticket has been acquired, then clients other than those listed above should function normally. In particular, the clients need to handle the `invokeURL` feature added in the 2019.1 P4API. This includes the P4API-derived clients (P4Python, P4Ruby, etc) which at this time do not yet support this feature. P4Eclipse When using P4Eclipse, you must authenticate using one of the clients listed above under the **Requirements** section. Then, when setting up the initial P4 connection in P4Eclipse, you are prompted for a user and password. Only put in the username and leave the password field blank. The client will then use the existing connection. P4SL When using P4SL, you must authenticate using one of the clients listed above under the **Requirements** section. Then, when setting up the initial P4 connection in P4SL, you are prompted for a user and password. Only put in the username and leave the password field blank. The client will then use the existing connection. IntelliJ (3rd Party Plugin) When logging in to Perforce using IntelliJ, it will prompt for a password but also open the browser to the identity provider. Once you have authenticated with the IdP and acquired a P4 ticket, IntelliJ will still be waiting for a password. Submit that login request and let it fail, after which IntelliJ will operate normally. Changes in every release: Bugs Fixed, New Functionality ---------------------------------------------------------------------- New functionality in 2023.1 (2023.1/2422401) (2023/03/24) HAS-332 Add configurable Service-Down-URL to which the extension will direct the user in the event that the authentication service is failing. ---------------------------------------------------------------------- Bugs fixed in 2022.2 (2023.1/2422401) (2023/03/24) HAS-333 (Change #2295793) Configure script will build extension before removing existing extension, avoiding issue with older p4 client failing to build the extension. ---------------------------------------------------------------------- Bugs fixed in 2022.1 (2023.1/2422401) (2023/03/24) HAS-173 (Change #2204616, 2206760, 2206866, 2207007) A cryptographically signed build of the extension will be provided via GitHub, avoiding the need to allow unsigned extensions. HAS-267 (Change #2221386) If the extension setting Service-URL is missing from the global configuration, the extension will fail in a manner that still permits database-password accounts to authenticate. ---------------------------------------------------------------------- New functionality in 2021.2 (2021.2/2186511) (2021/09/23) HAS-48 (Change #2143954) Allow changing the TLS certificate file paths. ---------------------------------------------------------------------- Bugs fixed in 2021.1 (2021.1/2130312) (2021/05/27) HAS-188 (Change #2084514) Configure script now reads extension configuration correctly. HAS-189 (Change #2084411) Extension correctly distinquishes P4V from P4VS during login. ---------------------------------------------------------------------- Other changes in 2021.1 (2021.1/2130312) (2021/05/27) HAS-139 (Change #2090744) Extension automatically treats non-standard users as not using SSO mechanism for authentication (i.e. operators and service users). ---------------------------------------------------------------------- Bugs fixed in 2020.2 (2020.2/2065870) (2021/01/28) HAS-78 (Change #2049963, 2050005) Add options "sso-users" and "sso-groups" to define Perforce users and groups that must use the SSO authentication mechanism. ---------------------------------------------------------------------- Bugs fixed in 2020.1 (2020.1/2016391) (2020/09/24) HAS-43 URL not sent to user logging in to edge server. Caused by P4-19549 in Helix Core Server, fixed in 2019.1.11, 2019.2.8, 2020.1.1, and 2020.2 releases. ---------------------------------------------------------------------- New functionality in 2019.1.1.000002 HAS-83 (Change #1983564) Bypass SSL usage for plain HTTP service URL. HAS-123 (Change #1995552) Linux-based configuration script for login extension. ---------------------------------------------------------------------- Bugs fixed in 2019.1.1.000002 HAS-105 (Change #1999883) Error 408 during login when the auth-protocol setting is empty. ---------------------------------------------------------------------- New functionality in 2019.1.1.000001 HAS-37 (Change #1911767) Treat users whose AuthMethod is LDAP as non-SSO users. ---------------------------------------------------------------------- Bugs fixed in 2019.1.1.000001 HAS-47 (Change #1952506) User identifiers should be compared in a case-insensitive fashion. ---------------------------------------------------------------------- 2019.1 Initial release