Single Sign-On (SSO) with LDAP
Harness supports Single Sign-On (SSO) with LDAP implementations, including Active Directory and OpenLDAP. Integrating Harness with your LDAP directory enables you to log your LDAP users into Harness as part of Harness' SSO infrastructure.
Once you integrate your Harness account with LDAP, you can create a Harness User Group and sync it with your LDAP directory users and groups. Then the users in your LDAP directory can log into Harness using their LDAP emails and passwords.
Important
- Make sure that the FirstGen delegate is active to configure LDAP settings.
Lightweight Directory Access Protocol (LDAP) overview
Lightweight Directory Access Protocol (LDAP) is an application protocol for working with various directory services.
Directory services, such as Active Directory, store user and account information, and security information like passwords.
The service then allows the information to be shared with other devices on the network.
This lets you use LDAP to authenticate users and to look up information held in the directory.
Harness supports Single Sign-On through Active Directory and OpenLDAP.
Harness LDAP setup overview
Here is an overview of the steps to set up SSO with LDAP in Harness.
To set up Harness SSO with LDAP, do the following:
- Add LDAP as an SSO provider in Harness. This step involves authenticating with your LDAP server and defining how Harness will query it for users and groups.
- Add a Harness User Group and link it to your LDAP directory. Harness syncs all the users in that LDAP user group automatically and manages user authorization.
- Enable the LDAP Provider you set up in Harness as the Harness SSO provider.
- To verify the LDAP SSO, log into Harness using one of the synchronized LDAP users.
Ports and permissions
The following ports and permissions are required to add LDAP as a Harness SSO provider.
Ports
The Harness LDAP connection is between the Harness Delegate and your LDAP server. The delegate uses the following ports:
| Protocol | Port |
|---|---|
| HTTPS | 443 |
| LDAP without SSL | 389 |
| Secure LDAP (LDAPS) | 636 |
By default, LDAP traffic is transmitted unsecured. For Windows Active Directory, you can make LDAP traffic confidential and secure by using SSL/TLS. You can enable LDAP over SSL by installing a certificate from a Microsoft certification authority (CA) or a non-Microsoft CA.
Permissions
Authentication with an LDAP server is called the Bind operation. The Bind operation exchanges authentication information between the LDAP client (the Harness Delegate) and your LDAP server. The security-related semantics of this operation are defined in RFC 4513.
When you configure Harness with LDAP, you will enter a Bind DN (distinguished name) for the LDAP directory user account used to authenticate.
The specific permissions needed by Harness depend on the LDAP directory service you are using.
- Windows Active Directory: By default, all Active Directory users in the Authenticated Users group have Read permissions to the entire Active Directory infrastructure. If you have restricted this, ensure that the account used to connect Harness can enumerate the Active Directory LDAP users and groups by assigning it Read MemberOf rights on User objects. Changing the default is not a trivial task and requires you to change the basic authorization settings of your Active Directory. For more information, go to Configure User Access Control and Permissions from Microsoft.
- OpenLDAP: The default access control policy is to allow read access to all clients. If you change this default, ensure that the account used to connect Harness to OpenLDAP is granted access under the Authenticated users entity. For more information, go to Access Control from OpenLDAP.
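A preflight check for the Bind DN, added here as an example and not part of the Harness documentation: run ldapsearch as the account you plan to give Harness, save the LDIF output, and pass it to check_visibility() to list the user entries that come back without memberOf and the group entries without member, which is what an under-privileged Bind DN would see. The sample LDIF is constructed, and the attribute names (memberOf, member, objectClass values) follow Active Directory conventions.

```python
import base64


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts (handles folded and base64 lines)."""
    lines, entries, current = [], [], {}
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries


def check_visibility(ldif_text):
    """Return (user DNs with no memberOf, group DNs with no member) seen in the dump."""
    users_missing, groups_missing = [], []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        dn = entry.get("dn", ["?"])[0]
        if classes & {"group", "groupofnames"} and "member" not in entry:
            groups_missing.append(dn)
        elif classes & {"user", "person", "inetorgperson"} and "memberof" not in entry:
            users_missing.append(dn)
    return users_missing, groups_missing


# Constructed sample dump: Bob's entry shows no memberOf (what a Bind DN lacking
# Read MemberOf rights would see); his mail is base64-encoded as LDIF allows.
SAMPLE_LDIF = """\
dn: CN=Ada Lovelace,OU=Users,DC=example,DC=com
objectClass: user
memberOf: CN=harness-devs,OU=Groups,DC=example,DC=com

dn: CN=Bob Builder,OU=Users,DC=example,DC=com
objectClass: user
mail:: Ym9iQGV4YW1wbGUuY29t

dn: CN=harness-devs,OU=Groups,DC=example,DC=com
objectClass: group
member: CN=Ada Lovelace,OU=Users,DC=example,DC=com
"""
```

Any DN listed under the first return value is a user Harness will not be able to place into a synced User Group with that Bind DN, so fix the account's rights before enabling the provider.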
Add LDAP SSO provider
Adding your LDAP provider to Harness initially involves establishing a connection from Harness (specifically, the Harness Delegate) to your LDAP server and querying your LDAP directory for the users and groups you want to sync with Harness for SSO.
If you experience frequent delegate time-out errors, try the following:
- In Harness, set the LDAP Response Timeout to 2 minutes.
- Set the sync interval to the default value of 1 hour if the configured value is lower.