Single Sign-On (SSO) for Harness MCP
Harness MCP supports authentication through your existing Single Sign-On (SSO) provider. To enable SSO for MCP, add an Assertion Consumer Service (ACS) URL (for SAML) or redirect URI (for OIDC) to your Identity Provider (IdP).
An ACS URL or redirect URI specifies where your IdP sends authentication responses after a user signs in. Harness MCP requires its own ACS URL or redirect URI because it authenticates through a separate endpoint from the standard Harness platform.
Adding the MCP-specific URL does not affect your existing Harness platform login. You can continue to access both Harness and Harness MCP through the same SSO provider.
What will you learn in this topic?
By the end of this topic, you will be able to:
- Retrieve the MCP-specific ACS URL or redirect URI from Harness.
- Add the MCP URL to your Identity Provider.
- Configure SSO authentication for Harness MCP.
- Verify that users can authenticate successfully.
Before you begin
Before you configure SSO for Harness MCP, ensure you have the following:
- Account Admin or Authentication Settings permissions in Harness.
- Identity Provider configured for SAML or OIDC authentication with Harness. Go to Single Sign-On (SSO) with SAML to set this up if needed.
- Administrative access to your Identity Provider.
Step 1: Configure SAML for Harness MCP
Before you update your Identity Provider, retrieve the MCP ACS URL from your Harness SAML configuration.
- Sign in to Harness.
- Go to Account Settings > Security and Governance > Authentication.
- Locate your SAML provider.
- Select ⋮ > Edit.
- Copy the value from Enter this SAML Endpoint URL as your Harness SAML Provider application's ACS URL.
Based on your Identity Provider, go to Microsoft Entra ID, Okta, or Ping Identity and add the MCP ACS URL.
Microsoft Entra ID (Azure AD)
- Sign in to the Azure portal.
- Go to Microsoft Entra ID > Manage > Enterprise Applications.
- Select your Harness application.
- Select Manage > Single sign-on.
- In Basic SAML Configuration, click Edit.
- Under Reply URL (Assertion Consumer Service URL), click Add reply URL.
- Enter the MCP ACS URL copied from Harness.
- Click Save.
Troubleshooting
If you receive the following error:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application.
Verify that the MCP ACS URL has been added and exactly matches the value displayed in Harness.
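The exact-match check above can be run offline against the reply URLs configured in your IdP. This is an added example, not Harness or Microsoft code: the function name is hypothetical, the `harness.example` URLs are constructed placeholders, and the `CONFIGURED` list stands in for the values you read from your application's settings.

```python
from urllib.parse import urlsplit

def _loose(url):
    """Key that ignores whitespace, scheme, host case and a trailing slash."""
    p = urlsplit(url.strip())
    return (p.hostname or "", p.port, p.path.rstrip("/"), p.query)

def check_reply_url(expected, configured):
    """Compare the URL copied from Harness with the IdP's configured URLs.

    Returns (exact, near_misses): exact is True when `expected` is present
    character for character; near_misses lists (url, reasons) for entries
    that look like the same endpoint but are not identical.
    """
    exp = urlsplit(expected)
    near_misses = []
    for cand in configured:
        if cand == expected or _loose(cand) != _loose(expected):
            continue  # identical, or a different endpoint altogether
        stripped = cand.strip()
        c = urlsplit(stripped)
        reasons = []
        if stripped != cand:
            reasons.append("leading or trailing whitespace")
        if c.scheme != exp.scheme:
            reasons.append(f"scheme is {c.scheme!r}, expected {exp.scheme!r}")
        if c.netloc != exp.netloc:
            reasons.append("host differs in letter case")
        if c.path != exp.path:
            reasons.append("trailing slash differs")
        near_misses.append((cand, reasons or ["not identical character for character"]))
    return expected in configured, near_misses

# Constructed sample data: placeholder URLs, not real Harness endpoints.
EXPECTED_MCP_ACS = "https://harness.example/mcp/saml/acs"
CONFIGURED = [
    "https://harness.example/platform/saml/acs",   # existing platform entry
    "https://Harness.example/mcp/saml/acs/ ",      # pasted with slash + space
]

if __name__ == "__main__":
    exact, misses = check_reply_url(EXPECTED_MCP_ACS, CONFIGURED)
    print("exact match configured:", exact)
    for url, reasons in misses:
        print(f"near miss {url!r}: {', '.join(reasons)}")
```

A near miss with no exact match means the MCP entry was added but altered on the way in; replace it with the value copied from Harness.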
Okta
Okta handles multiple ACS URLs differently from other Identity Providers. Instead of a list of Reply URLs, Okta requires you to enable Requestable SSO URLs and add each additional endpoint with an index value.
- Sign in to the Okta Admin Console.
- Go to Applications > Applications.
- Select your Harness application.
- On the General tab, select Edit in the SAML Settings section.
- Select Next.
- Leave the existing Single sign-on URL unchanged.
- Enable Allow this app to request other SSO URLs.
- Under Other Requestable SSO URLs, select Add Another.
- Select Next, then click Finish.
After configuration, your Okta application will have three URLs:
| URL | Source | Purpose |
|---|---|---|
| SAML Endpoint URL (index 0) | Copy from Harness SAML config | Harness platform login via HarnessID |
| Additional Reply URL for MCP (index 1) | Copy from Harness SAML config | Harness MCP login |
Both URLs are required. Removing the SAML Endpoint URL disables Harness platform login. Removing the MCP URL disables MCP login.
Ping Identity (PingOne)
PingOne supports multiple ACS URLs for a single SAML application and automatically selects the appropriate URL during authentication.
- Sign in to the PingOne Admin Console.
- Go to Applications > Applications.
- Select your Harness application.
- Open the Configuration tab.
- Select Edit.
- Under ACS URLs, select Add.
- Enter the MCP ACS URL copied from Harness.
- Click Save.

Keep your existing ACS URL and add the MCP ACS URL as an additional entry. Both URLs are required to support authentication for the Harness platform and Harness MCP.
Do not modify any other SAML settings, including certificates, Entity IDs, signing configuration, or NameID settings.
Step 2: Configure OIDC for Harness MCP
If your Harness account uses OpenID Connect (OIDC), add the MCP redirect URI to your Identity Provider. Start by copying the MCP redirect URI from your Harness OIDC configuration.
- Sign in to Harness.
- Go to Account Settings > Authentication.
- Locate your OIDC provider under Login via OIDC.
- Select ⋮ > Edit.
- Copy the value from Additional Reply URL for MCP (Optional).
Microsoft Entra ID (Azure AD)
- Sign in to the Azure portal.
- Go to Microsoft Entra ID > App registrations.
- Select your Harness application.
- Go to Authentication in the left navigation.
- Under Redirect URIs, click Add URI.
- Enter the MCP redirect URI and click Save.
Okta
- Sign in to the Okta Admin Console.
- Go to Applications > Applications.
- Select your Harness application.
- On the General tab, select Edit in the Login section.
- Under Sign-in redirect URIs, select Add URI.
- Enter the MCP redirect URI and click Save.
Ping Identity (PingOne)
- Sign in to the PingOne Admin Console.
- Go to Applications > Applications.
- Select your Harness application.
- Open the Configuration tab.
- Select Edit.
- Under Redirect URIs, select + Add.
- Enter the MCP redirect URI and click Save.
Keep your existing redirect URI and add the MCP redirect URI as an additional entry. Both redirect URIs are required to support authentication for the Harness platform and Harness MCP.
Frequently asked questions
Will adding the MCP URL affect my existing Harness login?
No. Adding the MCP ACS URL or redirect URI does not affect your existing SSO configuration. Users can continue to access both Harness and Harness MCP through the same Identity Provider.
Do I need to update certificates, Entity IDs, or other SSO settings?
No. You only need to add the MCP ACS URL (SAML) or redirect URI (OIDC). No other changes are required.
What happens if I do not add the MCP URL?
Users will not be able to sign in to Harness MCP through SSO. Standard Harness platform login will continue to work.
Can my Identity Provider support multiple ACS URLs or redirect URIs?
Most enterprise Identity Providers, including Microsoft Entra ID, Okta, and PingOne, support multiple ACS URLs or redirect URIs for a single application.
Do I need to make this change if I do not use Harness MCP?
No. This update is only required if you use Harness MCP with SSO authentication. If you only use the standard Harness platform login, no action is required.
Do I need to create a separate application in my Identity Provider for Harness MCP?
No. Add the MCP ACS URL or redirect URI to your existing Harness application. You do not need to create a separate application for Harness MCP.
Next steps
After you configure SSO for Harness MCP, verify that users can authenticate successfully by signing in to Harness MCP using your Identity Provider.
For more information about authentication and access control:
- Single Sign-On (SSO) with SAML: Configure SAML-based SSO with your Identity Provider.
- RBAC in Harness: Understand role-based access control and permissions.
- Manage service accounts: Configure programmatic access to Harness.