This article outlines the steps required to get SSO authentication working with Harness using AD FS as the identity provider (IdP).
**NOTE:** User accounts must currently be created in Harness before attempting login via ADFS, unless SCIM is enabled via another provider.
- First, log in to the Harness UI and go to Access Management -> Authentication Settings -> Add SSO Provider -> SAML. This opens the following dialog, which shows the ACS URL:
- Next, in AD FS Management, add a new ‘Relying Party Trust’ for Harness. Under the ‘Endpoints’ tab, add the ACS URL captured above, for example:
- Ensure the endpoint type is SAML Assertion Consumer and the binding is POST. Save the endpoint configuration as shown above, then go to the ‘Identifiers’ tab and add the following entityID (app.harness.io). Note that this is the default entityID; you can change it in your Harness authentication settings.
- The last ADFS configuration items are the claim rules for the Harness relying party trust. After clicking ‘Edit Claim Rules’ for Harness, first add a rule using the ‘Send LDAP Attributes as Claims’ template for User Principal Name as NameID:
Then, using the ‘Transform an Incoming Claim’ template, add the following rule to transform the UPN into a NameID in email format:
- Finally, export the IdP metadata from ADFS. It can be accessed in a couple of different ways, but I am going to use the easiest one, which is the following URL (substitute yourdomain.com with the hostname of your ADFS server):
https://yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
Save this XML file and upload it into Harness. After that, you can perform a login test by enabling the newly created SSO provider in Harness and clicking ‘Test’ (note: user accounts must currently be created before attempting login via ADFS, unless SCIM is enabled via another provider).
You should now have working SSO authentication. If not, please verify all steps and then contact support. Thanks!
</replace_placeholder_never_emitted>
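The same relying party trust, endpoint and claim rules built with the AD FS PowerShell module instead of the management console, followed by the metadata download from the last step. This is an added example and not part of the original article or of Harness; it assumes the ADFS module on the federation server, the ACS URL is a placeholder you replace with the value from the Harness dialog, and the rule text is what the two claim-rule templates named above generate.

```powershell
# Added example: scripted equivalent of the console steps in this article.
# Assumes the ADFS PowerShell module is available on the federation server.
Import-Module ADFS

# Placeholder: paste the ACS URL shown in the Harness 'Add SSO Provider' dialog.
$acsUrl   = "https://PLACEHOLDER-ACS-URL-FROM-HARNESS-DIALOG"
$entityId = "app.harness.io"   # default entityID; change it if you changed it in Harness

# Endpoint: SAML Assertion Consumer with POST binding (the 'Endpoints' tab settings).
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# Claim rules in AD FS claim-rule language. Rule 1 is what the 'Send LDAP Attributes as
# Claims' template generates (userPrincipalName -> UPN claim); rule 2 is what 'Transform an
# Incoming Claim' generates (UPN -> Name ID in e-mail format), which Harness matches on.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to NameID (email)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: the console's default 'Permit all users' rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name "Harness" `
    -Identifier $entityId `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check before enabling the provider in Harness: the trust must carry exactly the
# intended identifier and a single POST assertion-consumer endpoint.
Get-AdfsRelyingPartyTrust -Name "Harness" | Select-Object Name, Identifier, SamlEndpoints

# Metadata export from the last step (replace yourdomain.com with your ADFS host name).
Invoke-WebRequest -Uri "https://yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml" `
    -OutFile ".\FederationMetadata.xml"
```

Run it from an elevated PowerShell session on the AD FS server; the resulting FederationMetadata.xml is the file you upload to Harness.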