Single Sign-On (SSO) with SAML

Updated 4 months ago by Michael Cretzman

Harness supports Single Sign-On (SSO) with SAML, integrating with your SAML SSO provider to enable you to log your users into Harness as part of your SSO infrastructure.

Currently, Harness uses SAML for authentication only. It does not incorporate the authorization roles associated with SAML SSO Providers.

Before You Begin

  • You need a SAML Identity Provider.
  • You need the SAML metadata file from your SAML Identity Provider.

Intended Audience

  • DevOps

To set up SAML SSO

The following procedure adds a SAML SSO provider to your Harness account, and enables it as the default authentication method.

To set up a SAML SSO provider, do the following:

  1. Add SAML support to your app. Depending on how your application is developed, there are many ways to add SAML support. Several companies provide SAML-based SSO, such as Okta and OneLogin.
  2. Add your Harness user(s) to the SSO account in your app.
    The only user property that must match between a Harness user and its corresponding SSO Provider user account is the email address.
  3. In Harness, click Continuous Security, and then click Access Management.
  4. Expand Single Sign-on (SSO) Provider Setup.
  5. Click Add SSO Provider. The Single Sign-on (SSO) Provider dialog appears.
  6. Copy the Single Sign On URL from the dialog, https://app.harness.io/api/users/saml-login. You must provide this URL to your SAML Identity Provider. This is where the Identity Provider will post the SAML response after authentication.
  7. In your app, in its Single Sign-On URL (or similar name), enter the Harness Single Sign On URL you copied. For example, in Okta you enter the Harness SSO URL when you are creating an app (Classic UI view only).
  8. Download the SAML metadata file from your Identity Provider. (This is a mandatory XML file.) For example, in an Okta application, the SAML metadata file section is in its Sign On tab (only available in Classic UI view).
    In this example, you can click Identity Provider metadata. The metadata is displayed in your browser. Save the page with a .xml extension.
  9. Back in Harness, in the Single Sign-on (SSO) Provider dialog, in SAML Meta-data File, click Choose File and add the SAML metadata file you downloaded.
  10. In Display Name, enter a name for your SAML SSO provider, and click SUBMIT. The new SSO provider is displayed.
  11. To enable the SSO provider, click the checkbox under Enabled. SAML SSO is now enabled.
    If you become locked out of Harness because of an SSO issue, you must contact Harness to have the SSO Provider disabled.
  12. Log out of Harness and log back in. You will be redirected to your SSO Provider's login page.
  13. Log into your SSO Provider using an email address for a Harness user. The password does not have to be the same.
    You are automatically returned to app.harness.io, and logged into the dashboard using your SSO credentials.

Set Up SSO with Google G Suite

Harness supports SAML integration with Google G Suite to enable your employees to use their Google account credentials to sign into the Harness platform.

For information about G Suite and SAML, see Service provider SSO set up from Google.

To set up SAML with Google, you must be a G Suite administrator. To integrate G Suite SAML with Harness, your Harness account must be a member of the Account Administrator group. For more information, see Users and Permissions.

First, we will set up Harness as an SSO SAML app with Google G Suite, and then we will configure Harness to use Google G Suite for SSO.

If you become locked out of Harness because of an SSO issue, you must contact Harness to have the SSO Provider disabled.

Add Harness as G Suite SSO App

To set up SAML with Google G Suite, do the following:

  1. Log into your G Suite Admin console.
  2. From the Admin console Home page, go to SAML apps.

  3. Click the plus sign next to Enable SSO for a SAML Application.

  4. In Step 1, at the bottom, click SETUP MY OWN CUSTOM APP.


  5. In Step 2, the Google IdP Information appears, including the SSO URL and Entity ID URLs.


    1. In Option 2, click DOWNLOAD to download the IDP metadata to your computer. The IDP metadata file will be used to set up G Suite SSO in Harness.
    2. Click NEXT.
  6. In Step 3, in Application Name, enter Harness.



    1. Next, get the Harness logo so that your employees can easily identify Harness in their G Suite apps. In another browser tab, download the Harness logo from https://harness.io/images/harness_logo.png.
    2. Back in Step 3, in Upload logo, click CHOOSE FILE, and upload the Harness logo.
    3. Click NEXT.
  7. In Step 4, provide the Harness provider details.
    1. In ACS URL, enter https://app.harness.io/api/users/saml-login. As you will see later, this URL is taken from the Harness SSO dialog.
    2. In Entity ID, enter Harness.
    3. In Start URL, enter the same URL you entered for ACS URL, https://app.harness.io/api/users/saml-login.
    4. Leave Signed Response unchecked, and click NEXT.
  8. In Step 5, click FINISH.
  9. In the Harness service provider page, click the pencil icon to turn on the new Harness SSO app.

  10. In the Status setting, click Settings for all organizational units.

  11. In the Service Status settings, click ON for everyone, and then click SAVE.

Next, add G Suite as a Harness SSO provider for your Harness account.

Add G Suite as a Harness SSO Provider

To add the Harness SSO G Suite App you created as a Harness SSO Provider, do the following:

  1. Log into Harness with an account that is in the Harness Account Administrator group.
  2. In Harness, click Continuous Security, and then click Access Management.
  3. Expand Single Sign-on (SSO) Provider Setup.
  4. Click Add SSO Provider. The Single Sign-on (SSO) Provider dialog appears.

  5. Click Choose File, and upload the IDP metadata file you downloaded from Google.
  6. In Display Name, enter a name to identify this SSO account, such as Google, and click SUBMIT.
  7. Back in the Single Sign-on (SSO) Provider Setup list, enable the new SSO provider.

  8. You are finished. To test the provider, log out of Harness.
  9. Open a G Suite app, such as Mail, and locate the Harness app you added by clicking the Google Apps icon.

  10. Click the Harness app icon and you will be redirected to app.harness.io, and logged in.

Notes

Here are two popular SSO providers:

