In this guide, we install and configure the Helix authentication service, which enables a user to access multiple applications or services with a single set of login credentials (aka SSO or Single Sign-On).
- Copy the `docker-compose.yaml` file to your server:

```yaml
version: '3'
services:
  helix-auth-svc:
    image: perforce/helix-auth-svc:latest
    container_name: helix-auth-svc
    restart: unless-stopped
    environment:
      - SVC_BASE_URI=<YOUR_SVC_BASE_URI> # e.g. https://<YOUR_SRV_IP>:3000/
      - PROTOCOL=https
      - DEBUG=no
      - NODE_ENV=production
      - OIDC_ISSUER_URI=<YOUR_ISSUER>
      - OIDC_CLIENT_ID=<YOUR_CLIENT_ID>
      - OIDC_CLIENT_SECRET=<YOUR_CLIENT_SECRET>
    ports:
      - "3000:3000"
    #networks:
    #  - nginx-proxy
#networks:
#  nginx-proxy:
#    external: true
```
- (Optional) If you installed Nginx Proxy Manager, add a new proxy host for the service.
- In the `docker-compose.yaml` file, change `SVC_BASE_URI` to your service URL (e.g. https://<YOUR_SRV_IP>:3000/ or the reverse-proxy subdomain). You can also add extra Helix Authentication settings depending on your needs.
Now we need to link Helix Authentication to an Identity Provider. We use Auth0 because it offers a free tier, without a credit card, limited to 7500 active users.
- Create an account on Auth0; it will unify authentication for Helix and other services. Complete all the steps required for your location.
- In Auth0, create a **Regular Web Application** without specifying the technology. This allows Helix Authentication to use Auth0 for authentication.
- Now go to Applications > <YOUR_NEWLY_APPLICATION_CREATED> > Settings and keep aside the **Client ID** and **Client Secret**; they will be needed for the Helix Authentication variables.
- In **Allowed Callback URLs**, add <YOUR_SVC_BASE_URI>/oidc/callback.
- In **Allowed Logout URLs**, add <YOUR_SVC_BASE_URI>.
- Scroll down, open the **Advanced Settings** section and click on **Endpoints**.
- Copy the **OpenID Configuration** URL and open it in your browser. Keep aside the `issuer` value.
- In the `docker-compose.yaml` file, update the following variables (same `KEY=value` list form as the rest of the `environment` block):

```yaml
      - OIDC_ISSUER_URI=<YOUR_ISSUER>
      - OIDC_CLIENT_ID=<YOUR_CLIENT_ID>
      - OIDC_CLIENT_SECRET=<YOUR_CLIENT_SECRET>
```

- Launch the service:

```shell
sudo docker-compose up -d
```
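Before starting the container it is worth checking that the three OIDC values and `SVC_BASE_URI` are consistent with what Auth0 actually advertises: the `issuer` in the discovery document must match `OIDC_ISSUER_URI` byte for byte (including the trailing slash), and the callback URL pasted into Auth0 must not end up with a doubled slash when `SVC_BASE_URI` already ends in `/`. The following script is an added example, not code from Helix Authentication Service or Auth0; the discovery document and the environment lines are constructed samples in the shape of a standard OpenID Provider Metadata response and of the compose `environment` list, and the hostnames, client ID and secret are placeholders.

```python
"""Consistency check for the Auth0 <-> Helix Authentication Service OIDC wiring.
Added example; the discovery document and environment lines are constructed."""
import json
from urllib.parse import urlparse

# Constructed sample of what <issuer>/.well-known/openid-configuration returns.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-tenant.eu.auth0.com/",
    "authorization_endpoint": "https://example-tenant.eu.auth0.com/authorize",
    "token_endpoint": "https://example-tenant.eu.auth0.com/oauth/token",
    "jwks_uri": "https://example-tenant.eu.auth0.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
})

# Constructed sample of the compose environment block (placeholder values).
SAMPLE_ENV = [
    "SVC_BASE_URI=https://helix-auth.example.internal:3000/",
    "PROTOCOL=https",
    "OIDC_ISSUER_URI=https://example-tenant.eu.auth0.com/",
    "OIDC_CLIENT_ID=placeholder-client-id",
    "OIDC_CLIENT_SECRET=placeholder-client-secret",
]

REQUIRED = ("SVC_BASE_URI", "PROTOCOL", "OIDC_ISSUER_URI",
            "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET")


def parse_env(lines):
    """Turn 'KEY=value' lines into a dict, ignoring lines without '='."""
    env = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip()
    return env


def auth0_urls(svc_base_uri):
    """Return (callback URL, logout URL) to paste into Auth0, with no doubled slash."""
    base = svc_base_uri.rstrip("/")
    return base + "/oidc/callback", base


def check_config(env, discovery_json):
    """Return a list of problems; an empty list means the wiring is consistent."""
    problems = []
    disc = json.loads(discovery_json)
    for key in REQUIRED:
        if not env.get(key) or env[key].startswith("<"):
            problems.append(f"{key} is missing or still a placeholder")
    if problems:
        return problems
    base = urlparse(env["SVC_BASE_URI"])
    if base.scheme != env["PROTOCOL"]:
        problems.append("PROTOCOL does not match the scheme of SVC_BASE_URI")
    if base.scheme != "https":
        problems.append("SVC_BASE_URI is not https; the authorization code would travel in clear")
    # OIDC clients compare the configured issuer with the token's 'iss' claim
    # exactly, so a missing or extra trailing slash breaks every login.
    if env["OIDC_ISSUER_URI"] != disc.get("issuer"):
        problems.append("OIDC_ISSUER_URI differs from the discovery document's issuer")
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not disc.get(endpoint, "").startswith("https://"):
            problems.append(f"discovery document lacks an https {endpoint}")
    if "code" not in disc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    return problems


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    print("Auth0 callback/logout URLs:", auth0_urls(env["SVC_BASE_URI"]))
    print("Problems:", check_config(env, SAMPLE_DISCOVERY) or "none")
```

To use it against a real deployment, replace `SAMPLE_ENV` with the `environment` lines of your compose file and `SAMPLE_DISCOVERY` with the body of the OpenID Configuration URL you copied from Auth0.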
Now we will link it with the Helix Core server.
- In Portainer, open a console in the Helix Core container.
- Clone the Helix Authentication extension:

```shell
git clone https://github.com/perforce/helix-authentication-extension.git /srv/helix-authentication-extension
```
- Launch the configuration script:

```shell
bash /srv/helix-authentication-extension/bin/configure-login-hook.sh
```
- In the configuration steps, override some of the default values:

| Parameter | Value | Details |
|---|---|---|
| Helix Server P4PORT | <YOUR_HELIX_CORE_PORT> | NA |
| Helix super-user | <YOUR_SUPER_USER> | Superuser name of Helix Core |
| Service base URL | <YOUR_SVC_BASE_URI> | Helix Authentication Service URL |
| Preferred auth protocol | NA | NA |
| Debug logging enabled | yes | |
| List of SSO users | NA | Leave blank to apply the rule to a group. It is cleaner and easier to maintain. |
| List of SSO groups | <YOUR_PERFORCE_GROUP_NAME> | User group name, which must not contain your superuser (other services would no longer be able to connect using that name). |
| List of non-SSO users | <YOUR_SUPER_USER> | At least one superuser that does not authenticate using SSO, so you always keep control. |
| List of non-SSO groups | NA | Avoid a generic name that is easily targeted. |
| Name identifier property | email | Trigger variable used as the unique user identifier, one of: `fullname`, `email`, or `user`. |
| Perforce user property | email | Field within the identity provider user profile containing the unique user identifier. |

- Say yes to the next question; the configuration script will automatically configure the Helix Core variables needed by the Helix Authentication Service.
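The two rules the table relies on (the SSO group must not contain the superuser, and at least one superuser must stay outside SSO so you cannot lock yourself out) are easy to get wrong when groups are edited later. The script below is an added example, not part of the Helix Authentication extension, that checks those rules against group membership before you apply the answers. It uses a simplified policy model, an assumption of this example rather than the extension's documented precedence: a user is SSO when listed in the SSO lists, directly or via a group, and not listed in the non-SSO lists. Group members and user names are constructed samples.

```python
"""Pre-flight check of the SSO / non-SSO answers given to configure-login-hook.sh.
Added example with a simplified policy model (an assumption, see lead-in);
all names and memberships below are constructed."""

# Constructed sample: Helix groups reduced to their Users lists
# (as you would read them from `p4 group -o <group>`).
GROUP_MEMBERS = {
    "developers": ["alice", "bob"],
    "admins": ["p4admin"],
}
SUPERUSERS = ["p4admin"]

# Constructed sample of the answers from the table above.
ANSWERS = {
    "sso_users": [],
    "sso_groups": ["developers"],
    "non_sso_users": ["p4admin"],
    "non_sso_groups": [],
}


def groups_of(user, members=GROUP_MEMBERS):
    """Set of group names the user belongs to."""
    return {g for g, users in members.items() if user in users}


def uses_sso(user, answers=ANSWERS, members=GROUP_MEMBERS):
    """Simplified model (assumption): an explicit non-SSO listing wins,
    otherwise the user is SSO if listed directly or through an SSO group."""
    gs = groups_of(user, members)
    if user in answers["non_sso_users"] or gs & set(answers["non_sso_groups"]):
        return False
    return user in answers["sso_users"] or bool(gs & set(answers["sso_groups"]))


def validate(answers=ANSWERS, members=GROUP_MEMBERS, superusers=SUPERUSERS):
    """Return the problems that would lock you out or put a superuser on SSO."""
    problems = []
    for group in answers["sso_groups"] + answers["non_sso_groups"]:
        if group not in members:
            problems.append(f"group {group!r} does not exist in Helix Core")
    for su in superusers:
        if groups_of(su, members) & set(answers["sso_groups"]):
            problems.append(f"superuser {su!r} is a member of an SSO group")
    if not any(not uses_sso(su, answers, members) for su in superusers):
        problems.append("no superuser is excluded from SSO; you could lose control of the server")
    return problems


if __name__ == "__main__":
    for user in ("alice", "bob", "p4admin"):
        print(user, "-> SSO" if uses_sso(user) else "-> password login")
    print("Problems:", validate() or "none")
```

Run it again whenever the SSO group's membership changes; the most common regression is someone adding the superuser to the developers group for convenience.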
- Now you can test the extension by typing:

```shell
p4 extension --run loginhook-a1 test-all
```

It will run several tests; a complete description is available here.
- If you enabled logging in the extension configuration, you can locate the logs by typing:

```shell
p4 extension --list --type=extensions
```

The path assigned to the `data-dir` field corresponds to the log path (e.g. `P4ROOT/server.extensions.dir/117E9283-732B-45A6-9993-AE64C354F1C5/1-data/log.json`). For the Helix Authentication container, the logs are visible in the Portainer log section.
- Log in to the P4V client with your superuser account and create a new user in the <YOUR_PERFORCE_GROUP_NAME> group. Create the same user in Auth0 (same email address and password).
- When that user logs in, a web browser page opens. After completing the form, the user is connected!