@woodie
Last active March 19, 2023 18:25
We installed Perforce Helix Authentication Service (HAS) and the Helix Authentication Extension (HAE) following this guide. Everything runs on the same box as p4d, Swarm and Jenkins. We created and populated two groups in p4admin, background and corp-sso, to control which users are prompted to authenticate against our IdP and which keep using their Helix passwords.

Install NodeJS

curl -sL https://deb.nodesource.com/setup_14.x | sudo -E bash 
sudo apt-get install nodejs

Install Authentication Service

We installed the HAS service with apt-get.

sudo apt-get install helix-auth-svc

Configure Apache vhost

HAS does not currently work behind a reverse proxy, so Apache does not front the service at all. The vhost exists only to serve a static welcome page on port 80 so that certbot can obtain and renew the certificate for the hostname; HAS itself terminates TLS on its own port.

Create a vhost apache config at /etc/apache2/sites-available/has-site.conf

<VirtualHost *:80>
    ServerName has.domain.com
    DocumentRoot /var/www/html
    DirectoryIndex welcome.html 
    ErrorLog "/var/log/apache2/has.error_log"
    CustomLog "/var/log/apache2/has.access_log" common
</VirtualHost>

Don't forget to enable the site (this creates the sites-enabled symlink) and reload Apache. Both steps need root.

sudo a2ensite has-site
sudo systemctl reload apache2

Install server certificate

certbot is already installed; run it against the vhost so it can complete the HTTP challenge and install the certificate.

sudo certbot --apache -d has.domain.com

Consent screen

We configured the OAuth consent screen and created OAuth client credentials in a GCP project. Note the Client ID and Client secret, and add these Authorized redirect URIs (the callback path must match the SVC_BASE_URI configured in the service below exactly, including the port and trailing slash):

https://has.domain.com:3000/
https://has.domain.com:3000/oidc/callback

Configure Authentication Service

This NodeJS service runs as root (which is a bit sketch), but that is what lets it read the real certificate and private key maintained by certbot directly from /etc/letsencrypt/live. The least-privilege alternative is a certbot deploy hook that copies the renewed fullchain.pem and privkey.pem to a location readable only by a dedicated service account; we did not do that here.

sudo /opt/perforce/helix-auth-svc/bin/configure-auth-service.sh 

cat /opt/perforce/helix-auth-svc/.env
> A_CERT_FILE='certs/ca.crt'
> SP_CERT_FILE='/etc/letsencrypt/live/has.domain.com/fullchain.pem'
> SP_KEY_FILE='/etc/letsencrypt/live/has.domain.com/privkey.pem'
> LOGGING=/opt/perforce/helix-auth-svc/logging.config.js
> DEFAULT_PROTOCOL=oidc
> SVC_BASE_URI=https://has.domain.com:3000/
> OIDC_ISSUER_URI=https://accounts.google.com
> OIDC_CLIENT_ID=123456789012-abcdefghijklmnopqrstuvwxyz123456.apps.googleusercontent.com
> OIDC_CLIENT_SECRET_FILE=client-secret.txt

If the service won't start, restart it and watch syslog for the startup errors (a wrong path in .env or an unreadable key file shows up there).

sudo systemctl restart helix-auth
tail -f /var/log/syslog
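Before restarting the service it is worth checking the .env file offline, since most startup failures we hit were a missing key, a SVC_BASE_URI that did not match the IdP redirect URIs, or a readable client secret. The following shell functions are an added example, not part of the HAS distribution: they assume the variable names shown in the .env above (SP_CERT_FILE, SP_KEY_FILE, SVC_BASE_URI, OIDC_*), treat a relative OIDC_CLIENT_SECRET_FILE as relative to the .env directory, and print the two redirect URIs that must be registered at the IdP. The hostname has.example.com used in comments is a placeholder.

```shell
#!/bin/sh
# Offline sanity check for a Helix Authentication Service .env file.
# Added example, not part of HAS itself. Assumes the variable names used
# in the .env shown earlier; run as: has_check_env /opt/perforce/helix-auth-svc/.env

# has_env_get FILE KEY -> prints the value of KEY (surrounding quotes stripped),
# empty if the key is absent.
has_env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed "s/^'//; s/'\$//; s/^\"//; s/\"\$//"
}

# has_check_env FILE -> returns 0 if the file passes every check, 1 otherwise,
# printing one line per problem found.
has_check_env() {
    envfile=$1
    rc=0
    # Every key the service needs for the OIDC flow must be present.
    for key in SP_CERT_FILE SP_KEY_FILE DEFAULT_PROTOCOL SVC_BASE_URI \
               OIDC_ISSUER_URI OIDC_CLIENT_ID OIDC_CLIENT_SECRET_FILE; do
        if [ -z "$(has_env_get "$envfile" "$key")" ]; then
            echo "missing: $key"; rc=1
        fi
    done
    # The base URI is what the redirect URIs are derived from, so it must be
    # https and end with a slash, e.g. https://has.example.com:3000/
    base=$(has_env_get "$envfile" SVC_BASE_URI)
    case "$base" in
        https://*/) ;;
        *) echo "SVC_BASE_URI must be https and end with '/': $base"; rc=1 ;;
    esac
    # The client secret lives in a separate file; it must exist and be
    # readable by its owner only.
    secret=$(has_env_get "$envfile" OIDC_CLIENT_SECRET_FILE)
    case "$secret" in
        /*) secret_path=$secret ;;
        *)  secret_path=$(dirname "$envfile")/$secret ;;
    esac
    if [ -f "$secret_path" ]; then
        # GNU stat first, BSD/macOS stat as fallback.
        mode=$(stat -c %a "$secret_path" 2>/dev/null || stat -f %Lp "$secret_path")
        case "$mode" in
            *00) ;;   # 600, 400 or 700: group and world have no access
            *) echo "client secret $secret_path is mode $mode; should be 600"; rc=1 ;;
        esac
    else
        echo "client secret file not found: $secret_path"; rc=1
    fi
    return $rc
}

# has_redirect_uris FILE -> prints the two redirect URIs to register at the IdP:
# the base URI itself and <base>oidc/callback.
has_redirect_uris() {
    base=$(has_env_get "$1" SVC_BASE_URI)
    printf '%s\n%soidc/callback\n' "$base" "$base"
}
```

Run has_check_env against the real .env before every restart; compare the output of has_redirect_uris with the Authorized redirect URIs in the GCP credentials page, since a mismatch there fails at the IdP with no useful error from HAS.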

Download the extension

Download and extract HAE using the following commands:

wget https://github.com/perforce/helix-authentication-extension/archive/2020.2.zip
sudo apt-get install -y unzip
unzip 2020.2.zip

Install the extension

To install the extension:

cd helix-authentication-extension-2020.2/
p4 extension --package loginhook
p4 configure set server.extensions.allow.unsigned=1
p4 extension --install loginhook.p4-extension -y

Note that server.extensions.allow.unsigned=1 is a server-wide configurable: it permits any unsigned extension to be installed on this p4d, not just loginhook, so only an admin who can already run p4 configure should be doing this, and the setting is worth revisiting once the extension is in place.

Configure the extension

To configure the extension, p4 opens the global spec in your editor; indent each value with a tab, as described here:

p4 extension --configure Auth::loginhook

> ExtP4USER:      admin
> Auth-Protocol:  oidc
> Service-URL:    https://has.domain.com:3000/

To configure the instance, use tabs in the same way, as described here:

p4 extension --configure Auth::loginhook --name Auth::loginhook-all

> enable-logging:  true
> name-identifier: email
> non-sso-groups:  background
> non-sso-users:
> sso-groups:      corp-sso
> sso-users:
> user-identifier: email

Finally, restart Helix Core:

sudo -u perforce p4dctl restart -a

Uninstall the extension

If things go badly, you can remove the extension.

p4 extension --list --type=extensions
p4 extension --delete Auth::loginhook --yes
sudo -u perforce p4dctl restart -a