
Authentication


Authentication in Harness controls who can access your account and how. The first layer of Harness access control includes:

  • Authentication: Checks who you are.
  • Authorization: Checks what you can do.
  • Auditing: Logs what you do.

If you are in an Administrator group, you can use Authentication Settings to restrict access to an organization's Harness account. The options you choose apply to all account users.

This page covers authentication. For information about authorization, go to RBAC in Harness.


What will you learn in this topic?

By the end of this topic, you will be able to understand:


Before you begin

  • Basic Harness navigation: Sign up or sign in to your Harness account.
  • Harness account hierarchy: Authentication settings are configured at the account level and apply to all users. Understand the account/organization/project hierarchy before proceeding.
  • Admin-level permissions: Permission to create, edit, and delete Authentication Settings. Contact your administrator to get the required permissions.
  • RBAC concepts: A general understanding of role-based access control, since authentication is one of the three aspects of Harness access control, and how RBAC works in Harness.
  • SSO familiarity: Basic knowledge of what SAML, LDAP, and OAuth are, so you can choose the right method for your organization.

Configure authentication

To configure authentication, follow the steps below:

  1. In Home, select Account Settings, and then select Authentication.

    The Authentication page opens.

  2. Select one of the following authentication methods to follow its configuration:


Enable public OAuth providers

You can use Harness logins with different single sign-on mechanisms by enabling Use Public OAuth Providers under Login via a Harness Account or Public OAuth Providers and selecting individual OAuth partners (such as Azure, Bitbucket, GitLab, GitHub, and so on).

For more information, go to Single Sign-On with OAuth.

Enforce password policies

Under Password Policies, configure the following requirements:

  • Enforce password strength: Set minimum length and character requirements.
  • Periodically expire passwords: Define how often passwords must be refreshed.
  • Enforce Two Factor Authentication: Require 2FA as part of password policy enforcement.

Enforce password strength

  1. Select Enforce password strength to open the dialog.
  2. Specify and enforce any of the following options:

    • Minimum password length: Set the minimum number of characters required.
    • Include at least one uppercase letter: Require at least one capital letter.
    • Include at least one lowercase letter: Require at least one lowercase letter.
    • Include at least one digit: Require at least one number.
    • Include at least one special character: Require one or more of the following: ! @ # $ % ^ & * ( ) - _ = + \ | [ ] { } ; : / ? . >
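As an added example (not Harness code), the following checks a candidate password against the options above, using the exact special-character set listed; the default minimum length of 8 is an assumption, since the page gives no default.

```python
from dataclasses import dataclass

# The exact special characters the Authentication page accepts for the special-character rule.
SPECIAL_CHARS = set("!@#$%^&*()-_=+\\|[]{};:/?.>")

@dataclass(frozen=True)
class PasswordPolicy:
    """Mirror of the Enforce password strength options; the default length is an assumption."""
    min_length: int = 8
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_digit: bool = True
    require_special: bool = True

def policy_violations(password, policy=PasswordPolicy()):
    """Return the requirements the password fails; an empty list means it complies."""
    failed = []
    if len(password) < policy.min_length:
        failed.append(f"minimum length {policy.min_length}")
    if policy.require_uppercase and not any(c.isupper() for c in password):
        failed.append("uppercase letter")
    if policy.require_lowercase and not any(c.islower() for c in password):
        failed.append("lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failed.append("digit")
    # Only the listed set counts: a password whose only symbol is ',' or '<' still fails.
    if policy.require_special and not any(c in SPECIAL_CHARS for c in password):
        failed.append("special character")
    return failed
```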

Enforce password expiration

Select Periodically expire passwords to set an interval at which you must refresh your Harness passwords. In the same dialog, you can also set an advance notification interval.

Enforce lockout after failed logins

Select Enforce lockout policy to open the dialog. Use the dialog to configure the lockout trigger (how many failed logins), lockout time (in days), and notifications to locked-out users and Harness user groups.

A summary appears on the main Authentication page:

Enforce two factor authentication

Select Enforce Two Factor Authentication to enforce 2FA for all users in Harness. This option governs all logins, whether through SSO providers or Harness username/password combinations. For more information, go to Two-factor authentication.


Enable multiple identity providers

Harness supports multiple identity providers (IdPs) for user authentication using SAML. You can configure a variety of SAML providers and enable or disable them for user authentication.

note

Currently, this feature is behind the feature flag PL_ENABLE_MULTIPLE_IDP_SUPPORT. Contact Harness Support to enable the feature.

To configure multiple SAML providers in Harness, follow the steps below:

  1. Select Account Settings, and then select Authentication.

  2. Add the SAML providers you need.

    a. If no SAML providers are configured for the account, select a SAML Provider from the list of providers.

    For steps to configure, go to SAML SSO with Microsoft Entra ID.

    b. Select Continue.

    c. Select Submit.

    The SAML provider is now listed in Login via SAML.

    d. If one or more SAML providers are configured, select Add SAML Provider. The SAML Provider settings appear.

  3. In the Name field, enter a name for the SAML provider. Names can only contain alphanumeric characters, _, -, ., and spaces. Optionally, add a Display Name.

  4. Select Continue.

  5. Select Select a SAML Provider to enable a SAML provider.

Before enabling SAML, disable any configured public OAuth providers. For more information, go to Single Sign-On with SAML.

Enable login via SAML

Enable one or more SAML providers and follow the steps to enable SAML login for your account.

  1. Log in to your Harness account and select Login via SAML.
  2. Choose your organization's SAML provider. When you click Single sign-on, you will be redirected to your selected provider's login page to complete authentication.

Set up vanity URL

You can access app.harness.io using your own unique subdomain URL.

The subdomain URL is in the following format, with {company} being the name of your account:

https://{company}.harness.io

Contact Harness Support to set up your account's subdomain URL. The subdomain URL cannot be changed later. Harness automatically detects your Account ID from the subdomain URL and redirects you to the account's login mechanism.


Restrict email domains

Select Only allow users with the following email domains: to allow (allowlist) only certain domains as usable in login credentials. In the dialog, enter your chosen domains into the Domains multi-select field.

Click Save. The success message Domain restrictions have been updated successfully appears at the top of the page, indicating that certain domains were added to the allowlist.

The allowlist filters logins to Harness via both SSO providers and username/password credentials. To modify your domain selections, select the Edit icon.


Allow public access to resources

You can use this feature to grant unauthenticated access to view Harness resources without requiring login. Once enabled, you can allow public access to your pipelines. For more information, go to Allow public access to executions.

note

Currently, this feature is behind the feature flag PL_ALLOW_TO_SET_PUBLIC_ACCESS. Contact Harness Support to enable the feature.

Set inactive session timeout

Harness logs you out after a period of inactivity.

To configure your account's session inactivity timeout, follow the steps below:

  1. In your Harness account, select Account Settings and select Authentication.

  2. In Session Inactivity Timeout (in minutes), enter the time in minutes to set the session inactivity timeout.

    The default session inactivity timeout value is 1440 minutes (1 day).

    You can set this to a minimum of 30 minutes and a maximum of 4320 minutes (3 days). The field automatically converts the minutes you enter to higher units of time and displays the result under the field. For example, if you enter 1440, the UI shows 1 day below the field.

  3. Click Save.

Set absolute session timeout

When you set the Absolute Session Timeout (in minutes), Harness logs you out after the configured timeout, regardless of any activity.

To configure your account's absolute session timeout, follow the steps below:

  1. In your Harness account, select Account Settings and select Authentication.

  2. In Absolute Session Timeout (in minutes), enter the time in minutes to set the absolute session timeout.

    The default absolute session timeout is 0, which means it is not set.

    You can set this to a maximum of 4320 minutes (3 days). The field automatically converts the minutes you enter to higher units of time and displays the result under the field. For example, if you enter 1440, the UI shows 1 day below the field.

  3. Click Save.

info

When both the session inactivity timeout and the absolute session timeout are set, whichever condition is met first takes precedence.


Audit logs for authentication

Harness audit trails record login attempts across all supported authentication methods. These audit events help administrators monitor authentication activity and investigate both successful and failed login attempts. Audit logs are generated for the methods described below: LDAP, SAML, two-factor authentication (2FA), and username/password.

Each audit entry shows how the login was attempted, whether it was successful or failed, and the reason for failure, if applicable. Audit logs are only created for users who exist in your Harness account and are associated with a valid email address. No audit log is generated for login attempts by users who do not exist in the account.

While successful login events are common, pay closer attention to unsuccessful attempts. You may encounter the following failure reasons in the audit trail or in the JSON output when audit streaming is enabled for your account.

LDAP authentication

Unsuccessful login attempts can occur for the following reasons:

  • Domain not whitelisted: Your email domain is not permitted for the account.
  • LDAP not configured for the account: LDAP authentication is not set up.
  • Invalid credentials: The username or password provided is incorrect.
  • Unable to fetch LDAP configuration: Harness could not retrieve LDAP settings due to an internal error.
  • LDAP not configured: LDAP authentication is not configured for this account.
  • LDAP authentication error: An unexpected error occurred during the LDAP authentication process.

Example JSON:

  {
    "module": "CORE",
    "resource": {
      "type": "USER",
      "identifier": "demouser@harness.io",
      "labels": {
        "resourceName": "Demo Test",
        "userId": "68xLsmP7RzOJ_F3M_LBBHw"
      }
    },
    "action": "UNSUCCESSFUL_LOGIN",
    "auditEventData": {
      "type": "UnsuccessfulLoginEventData",
      "loginType": "LDAP",
      "failureReason": "Invalid LDAP credentials"
    }
  }

SAML authentication

Unsuccessful login attempts can occur for the following reasons:

  • Domain not in allowlist: Your email domain is not included in the account's allowed domain list.
  • Replay attack: A previously used SAML login request was detected and blocked for security reasons.

Example JSON:

  {
    "module": "CORE",
    "resource": {
      "type": "USER",
      "identifier": "demouser@harness.io",
      "labels": {
        "resourceName": "Demo Test",
        "userId": "jWF23r4XQjyRTLVsAS_mVw"
      }
    },
    "action": "UNSUCCESSFUL_LOGIN",
    "auditEventData": {
      "type": "UnsuccessfulLoginEventData",
      "loginType": "SAML",
      "failureReason": "Domain not whitelisted"
    }
  }

Two-Factor Authentication (2FA)

Unsuccessful login attempts can occur for the following reasons:

  • Invalid two-factor configuration: Two-factor authentication is not properly set up for your account.
  • Invalid TOTP token: The one-time password provided is incorrect or has expired.
  • Two-factor authentication failed: The security code could not be verified.

Example JSON:

  {
    "module": "CORE",
    "resource": {
      "type": "USER",
      "identifier": "demouser@harness.io",
      "labels": {
        "resourceName": "Demo Test",
        "userId": "jWF23r4XQjyRTLVsAS_mVw"
      }
    },
    "action": "UNSUCCESSFUL_LOGIN",
    "auditEventData": {
      "type": "UnsuccessfulLoginEventData",
      "loginType": "TWOFA",
      "failureReason": "Invalid TOTP token"
    }
  }

Username/password authentication

Failed login attempts using username/password occur when:

  • Your credentials are incorrect.
  • Your account is temporarily locked or deactivated, or your access has been revoked.

note

The JSON response for username/password failures follows a different schema than the audit event entries above. This is an API error response.

Example JSON:

  {
    "metaData": null,
    "resource": null,
    "responseMessages": [
      {
        "code": "INVALID_CREDENTIAL",
        "level": "ERROR",
        "message": "Invalid credentials: INVALID_CREDENTIAL"
      }
    ]
  }
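As an added example (not Harness code), the following parses a constructed audit stream in the two schemas shown above, counts unsuccessful logins per user, login type and failure reason, and flags a replayed SAML login and repeated bad TOTP codes; the USERNAME_PASSWORD label, the constructed userId values and the threshold of 3 are assumptions.

```python
import json
from collections import Counter

def audit_event(user, login_type, reason):
    """Build one UnsuccessfulLoginEventData record in the shape shown on this page."""
    return json.dumps({
        "module": "CORE",
        "resource": {"type": "USER", "identifier": user,
                     "labels": {"resourceName": "Demo Test", "userId": "constructed-id"}},
        "action": "UNSUCCESSFUL_LOGIN",
        "auditEventData": {"type": "UnsuccessfulLoginEventData",
                           "loginType": login_type, "failureReason": reason},
    })
# Constructed sample stream: audit events plus one username/password API error response.
SAMPLE_LINES = [
    audit_event("demouser@harness.io", "LDAP", "Invalid LDAP credentials"),
    audit_event("demouser@harness.io", "SAML", "Replay attack"),
    audit_event("other@harness.io", "SAML", "Domain not whitelisted"),
    *[audit_event("demouser@harness.io", "TWOFA", "Invalid TOTP token")] * 3,
    json.dumps({"metaData": None, "resource": None, "responseMessages": [
        {"code": "INVALID_CREDENTIAL", "level": "ERROR",
         "message": "Invalid credentials: INVALID_CREDENTIAL"}]}),
]
def normalize(line):
    """Map either schema to (user, login_type, reason); None for unrelated records."""
    rec = json.loads(line)
    data = rec.get("auditEventData") or {}
    if rec.get("action") == "UNSUCCESSFUL_LOGIN" and data.get("type") == "UnsuccessfulLoginEventData":
        return rec["resource"]["identifier"], data["loginType"], data["failureReason"]
    # API error responses (username/password) carry no user; USERNAME_PASSWORD is a label chosen here.
    for msg in rec.get("responseMessages") or []:
        if msg.get("code") == "INVALID_CREDENTIAL":
            return None, "USERNAME_PASSWORD", msg["code"]
    return None
def triage(lines, totp_threshold=3):
    """Count failures per (user, login type, reason); alert on replays and repeated bad TOTP."""
    counts, alerts = Counter(), []
    for line in lines:
        parsed = normalize(line)
        if parsed is None:
            continue
        user, login_type, reason = parsed
        counts[(user, login_type, reason)] += 1
        if login_type == "SAML" and reason == "Replay attack":  # never plain user error
            alerts.append(f"replayed SAML login for {user}")
    for (user, login_type, reason), n in counts.items():
        if login_type == "TWOFA" and reason == "Invalid TOTP token" and n >= totp_threshold:
            alerts.append(f"{n} bad TOTP codes for {user}")
    return counts, alerts
```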

Next steps