
Introduction

You can use single sign-on (SSO) to log in to Jitterbit with SAML 2.0 or OAuth 2.0 for Harmony versions 8.24 and above.

The third-party system used to authenticate with Jitterbit is considered the Identity Provider (IdP), while each Jitterbit Harmony client is considered a Service Provider (SP). 

Jitterbit has confirmed SSO support with these Identity Providers:

  • Autodesk (OAuth 2.0)
  • Google (OAuth 2.0)
  • Okta (SAML 2.0)
  • Salesforce (SAML 2.0)

In addition, you may configure SSO with another SAML 2.0 Identity Provider by exploring the proper configuration on your own. However, note that SSO configuration with Identity Providers other than those listed above has not been tested.

The Identity Providers can be configured for SSO with these Jitterbit Harmony clients (Service Providers):

This page explains how to enable and configure SSO on your Jitterbit org, how to exempt certain users from SSO if desired, and how the login process works depending on whether you are using SSO or Harmony credentials.

Important Notes

Before using SSO with your organization, there are several key points to be aware of that are specific to Jitterbit's SSO implementation.

  • Who can enable SSO?
    Only Harmony users with Admin permissions can configure SSO for a Jitterbit organization. This organization must be their only enterprise organization. They can configure either SAML 2.0 or OAuth 2.0 for a single Identity Provider. When configuring SSO, Admins must be logged in to Harmony using an email address that matches the username of your SSO account. See Configure SSO in the Management Console for more details.
  • What if we have org members who aren't part of our SSO system?
    Admins for an SSO-enabled org can add individual members to a "Bypass SSO" list to exempt them from using SSO for that organization. Members on a Bypass SSO list will use Harmony credentials in place of SSO to log in to that org. This may be useful, for example, to add contractors, support personnel, or others outside of your internal organization. It can also be used to add members who are already a member of another SSO-enabled org. Learn more under Bypass SSO and Manage SSO Org Members.
  • How will users who are members of multiple orgs log in?
    A Harmony user can be a member of either (1) a single SSO-enabled org only, (2) multiple non-SSO-enabled orgs only, or (3) SSO-enabled orgs with "Bypass SSO" flag and multiple non-SSO-enabled orgs. Harmony will then determine how to authenticate based on the username provided upon login. See Use SSO or Harmony Credentials for more information.
    • Member of a single SSO org only: A Harmony user can be a member of only one SSO-enabled Jitterbit organization. In this case, the user will log in using SSO credentials.
    • Member of multiple non-SSO orgs only: A Harmony user can be a member of multiple non-SSO-enabled organizations. In this case, the user will log in using Harmony credentials.
    • Member of SSO org and non-SSO orgs: A Harmony user can be a member of multiple bypassed SSO-enabled organizations and multiple non-SSO-enabled organizations. In this case, the user will log in using Harmony credentials. The user will be able to switch between bypassed SSO-enabled and non-SSO-enabled orgs without any interruption.
  • Is SSO supported for all of Jitterbit?
    SSO is currently supported for the Harmony Portal (including Cloud Studio, API Manager, Citizen Integrator, Management Console) and Design Studio versions 8.24 and later. SSO is not supported for Private Agents. Currently, Harmony credentials must be provided in order to install Private Agents. See Use SSO or Harmony Credentials for details.

Configure SSO in the Management Console

These sections cover requirements for configuring SSO in the Management Console, enabling and configuring SSO, and managing org members.

Requirements

You must meet these requirements in order to enable and configure SSO for your organization:

  • Admin User: Only Jitterbit org Admins can enable SSO on a Jitterbit organization. These are users who have a role assigned Admin permissions within the Organizations page (see Managing Roles and Permissions for more information).
  • Enterprise Organization: This organization must be the only enterprise organization that the Jitterbit org Admin belongs to. The Admin cannot enable SSO if they are a member of multiple enterprise organizations, and cannot enable SSO on a personal organization (Personal organizations typically use your email address as the name of the organization).
  • Identity Provider: The Admin can configure either SAML 2.0 or OAuth 2.0 for a single Identity Provider. For example, you can use SAML 2.0 for Salesforce, SAML 2.0 for Okta, OAuth 2.0 for Google, or OAuth 2.0 for Autodesk, but cannot configure more than one of these.
  • SSO Username: When configuring SSO, Admins must be logged in to Harmony using an email address that matches the username of your SSO account. If your SSO username is not in email format or the email does not match your current Harmony email address, you will not be able to configure SSO. This is required for authentication purposes.

Edit Organization Policies

The configuration options for SSO as well as other org settings are available from the Organizations page, accessible within the organizations table on the row for your enterprise organization.

On the far right of each row of the organizations table are the available Actions for Admins:

Choose Edit Organization to update basic information about your organization (name, address, time zone):

Choose Edit Organization Policies to enable/disable or specify the following settings. Each configurable field or action is explained below.

Settings that do not apply to organizations using SSO are noted. Members who are on the Bypass SSO list will be subject to the org policies for any other non-SSO-enabled orgs of which they are a member.

  • Password Require special character(s): Require at least one special character per Harmony password for each registered user within the organization. This setting does not apply to SSO orgs.
  • User password expires in: Require the organization's registered users to change passwords every X number of days. This setting does not apply to SSO orgs.
  • Disable user accounts in: Disable any account registering no activity within X number of days. This setting applies to both Harmony and SSO orgs.
  • Password history: Require users with forgotten password to identify the last X number of used passwords. This setting does not apply to SSO orgs.
  • Two-Factor Authentication (TFA): Require two-factor authentication (TFA). All of the organization's members will be required to enter a verification code sent by Jitterbit (in addition to their username and password) when they sign in. They will be required to reverify their devices every X number of days. This setting does not apply to SSO orgs.
  • TFA on each login: Require two-factor authentication on every login as opposed to every X number of days. This setting does not apply to SSO orgs.
  • Enable remote Agent configuration: Enable remote agent configuration (via the Management Console from the Agents > Agent Groups page).
  • Member's domains: Restrict access to the following domains. Separate multiple domains using commas or semicolons.
  • Enable SSO: Enable SSO for all members of the org, except for those included under Bypass SSO. More information about SSO options is provided under Enable SSO.

    NOTE: Configuring and enabling SSO is a two-step process:

    1. Configure SSO: First, select SAML 2.0 or OAuth 2.0 to open a new screen to configure SSO. Click Save within this popout to save the configuration but not yet enable SSO. 
    2. Enable SSO: Next, make sure the appropriate configuration for SAML 2.0 or OAuth 2.0 is selected and click Save within the Edit Organization Policies screen to enable SSO using your configured settings.
  • Bypass SSO: Bypass the SSO settings for users added within the popout screen. The Bypass SSO list applies only when SSO is enabled; however, you can still manage your Bypass SSO list when SSO is disabled, for example to prepare for enabling SSO. More information about exempting users from SSO is provided under Bypass SSO.

    NOTE: When you make changes to the Bypass SSO list and click Save within this popout, the changes will be saved regardless of whether you Save or Cancel out of the Edit Organization Policies screen.
  • Enable Whitelist IP Range: Require the user to log in only from the specified IP range (note, this applies to all client systems, websites, and Studio).
  • Save/Cancel: Choose Save to save any changes to the organization policies, or Cancel to close without saving. The Save button will be disabled unless changes have been made, with the exception of the Bypass SSO list (see note above).

Enable SSO

Under Edit Organization Policies, the Enable SSO option presents a dropdown with three selections:

  • None: This option is enabled by default, meaning organizations are configured to use Harmony credentials by default.
  • SAML 2.0: Choose SAML 2.0 if you want to configure SSO using SAML 2.0. Jitterbit currently supports SAML 2.0 for Salesforce and Okta. In addition, you may configure SSO with another SAML 2.0 Identity Provider by exploring the proper configuration on your own.
  • OAuth 2.0: Choose OAuth 2.0 if you want to configure SSO using OAuth 2.0. Jitterbit currently supports OAuth 2.0 for Autodesk and Google.

To configure SSO, under the Enable SSO dropdown select either the SAML 2.0 or OAuth 2.0 option to open the Edit Organization SSO Provider Info screen. If you already have SAML 2.0 or OAuth 2.0 selected, you can also click the Edit button to the right to return to the configuration screen. More information is provided below for SAML 2.0 and OAuth 2.0 configuration. Once you have configured and tested your configuration, click Save within this popout to save the configuration but not yet enable SSO. 

After SSO is configured, to enable SSO using your configured settings, under the Enable SSO dropdown make sure the appropriate configuration for SAML 2.0 or OAuth 2.0 is selected. Then click Save within the Edit Organization Policies screen. The newly configured SSO settings will take effect upon next login.

After SSO is enabled, if you then want to disable SSO, under the Enable SSO dropdown change the selection to None. In this case, users who already have Harmony credentials will again be able to use them for this organization. Users without Harmony credentials (that is, those whose only org was the SSO org) will not be able to access the org.

SAML 2.0

The Edit Organization SSO Provider Info screen for SAML provides the following configurable fields or actions. An example is provided below, followed by an explanation of each item.

  • Identity Provider Metadata: This field should contain the XML metadata obtained directly from the Identity Provider (that is, Salesforce or Okta).

    TIP: To generate the appropriate Identity Provider XML metadata file, see Configuring SSO with Salesforce or Configuring SSO with Okta.
  • Harmony Client: Jitterbit supports SSO for two Harmony clients (Service Providers). The two clients are provided by default in the configuration and cannot be edited.

    1. WMC: This selection applies to the Harmony Portal (including Cloud Studio, API Manager, Citizen Integrator, Management Console).

      NOTE: Although the user interface refers to WMC, the former name for the Management Console, when you select WMC as the Harmony client, this configuration applies to all of the web-based products accessible via the Harmony Portal, including Cloud Studio, API Manager, Citizen Integrator, and Management Console.
    2. Studio: This selection applies to Design Studio versions 8.24 and later.

    WARNING: Both WMC and Studio must be configured for SSO when SSO is enabled. If either client is configured improperly, you will not be able to test the configuration successfully or save the SSO settings.
  • ACS URL: This field is the URL associated with the Harmony client. It is provided by default in the configuration depending on the Harmony client and cannot be edited.
  • Service Provider Metadata: This field should contain the XML metadata from the Service Provider. You will need to create the metadata manually, replacing information specific to the Identity Provider.

    TIP: To manually construct the appropriate Service Provider XML metadata file, see Configuring SSO with Salesforce or Configuring SSO with Okta.
  • Test Configuration: After you have configured all of the above fields, you must test the end-to-end connections to make sure they are working. Upon clicking this link, a new browser screen will open, displaying the native login interface for the Identity Provider. Enter/verify your credentials for the Identity Provider as normal, and accept prompts to allow access to the Jitterbit client.
    • If SSO is configured properly, you will be redirected to the Management Console with a message indicating success.
    • If SSO is not configured properly, you will be redirected to the Management Console with an error message providing more information about the specific error.

      CAUTION: Be careful about how many times you test configuration within a given timeframe. Continuous unsuccessful test attempts may lock out your Identity Provider account.
  • Save/Cancel: Save will be disabled until Test Configuration is performed successfully for all Harmony clients. Choose Save to save the configured SSO settings, or Cancel to close without saving. Once you have configured and saved a SAML 2.0 configuration, the newly configured SSO policies will take effect upon next login.

OAuth 2.0

The Edit Organization SSO Provider Info screen for OAuth provides the following configurable fields or actions. An example is provided below, followed by an explanation of each item.

  • OAuth Provider: Use the dropdown to select your OAuth Identity Provider. Currently, Jitterbit supports OAuth for Autodesk and Google.

  • Harmony Client: Jitterbit supports SSO for two Harmony clients (Service Providers). The two clients are provided by default in the configuration and cannot be edited.

    1. WMC: This selection applies to the Harmony Portal (including Cloud Studio, API Manager, Citizen Integrator, Management Console).

      NOTE: Although the user interface refers to WMC, the former name for the Management Console, when you select WMC as the Harmony client, this configuration applies to all of the web-based products accessible via the Harmony Portal, including the Cloud Studio, API Manager, Citizen Integrator, and Management Console.
    2. Studio: This selection applies to Design Studio versions 8.24 and later.
    WARNING: Both WMC and Studio must be configured for SSO when SSO is enabled. If either client is configured improperly, you will not be able to test the configuration successfully or save the SSO settings.
  • Redirect URL: This field is the URL associated with the Harmony client. It is provided by default in the configuration depending on the Harmony client and cannot be edited.
  • Client Id: This field should contain the Client Id obtained from the Identity Provider following the instructions for Google or Autodesk.

  • Client Secret: This field should contain the Client Secret obtained from the Identity Provider following the instructions for Google or Autodesk.
  • Test Configuration: After you have configured all of the above fields, you must test the end-to-end connections to make sure they are working. Upon clicking this link, a new browser screen will open, displaying the native login interface for the Identity Provider. Enter/verify your credentials for the Identity Provider as normal, and accept prompts to allow access to the Jitterbit client.
    • If SSO is configured properly, you will be redirected to the Management Console with a message indicating success.
    • If SSO is not configured properly, you will be redirected to the Management Console with an error message providing more information about the specific error.

      CAUTION: Be careful about how many times you test configuration within a given timeframe. Continuous unsuccessful test attempts may lock out your identity provider account.
  • Save/Cancel: Save will be disabled until Test Configuration is performed successfully for all Harmony clients. Choose Save to save the configured SSO settings, or Cancel to close without saving. Once you have configured and saved an OAuth 2.0 configuration, the newly configured SSO policies will take effect upon next login.

Bypass SSO

Under Edit Organization Policies, the Bypass SSO option allows you to bypass SSO settings for specific users who are members of organizations that have SSO enabled. Instead, these users will authenticate with their Harmony credentials.

TIP: The Bypass SSO list applies only when SSO is enabled; however, you can still manage your Bypass SSO list when SSO is disabled, for example to prepare for enabling SSO.

In cases where members of your org are members of other enterprise organizations as well, you are required to add users to the Bypass SSO list or remove them as a member of the organization before SSO can be enabled. If they are added to the Bypass SSO list, these users will be subject to the org policies for any other non-SSO-enabled orgs of which they are a member. For example:

  • Mary is an org Admin for Bird Feathers Inc. and has SSO for Salesforce enabled on her org. She wants to invite Garrett, a member of another org, Birds & Bugs, which doesn't have SSO enabled. Mary needs to add Garrett to the Bypass SSO list for Bird Feathers Inc. before she can add him under the Members tab, since Garrett is already a member of another enterprise organization. Garrett will receive an invitation to use his existing Harmony credentials to access Mary's org. Garrett's password policies will be controlled by Birds & Bugs only.
  • Chris is a contractor for Bird Feathers Inc. and does not have a Salesforce account. Mary wants to invite Chris to her SSO-enabled org, but wants him to use Harmony credentials. Mary needs to add Chris to the Bypass SSO list before she can add him under the Members tab. Chris will then receive an invitation to register with Harmony credentials.

After adding new users to the Bypass SSO list, you must add them as a member under the Members tab for your org if they are not already listed.

NOTE: If using SSO, a Harmony user can be a member of only one SSO-enabled org using SSO credentials, OR, a Harmony user can be a member of multiple bypassed SSO orgs and multiple non-SSO orgs using Harmony credentials. See Use SSO or Harmony Credentials for more information.

Click the popout icon to open the Bypass SSO User Info screen.

  • Email: Enter the email address of the user you would like to exempt from SSO. This may be an email associated with an existing Harmony user or new Harmony user who has not yet been invited. 

    CAUTION: Do not add users belonging to another SSO-enabled organization. You will not be able to add these to your org under the Members tab.
  • +Add User: Click this link to add the email address to the Bypass SSO list, and open an additional row where you can enter another email.
  • Action: After you have added a user, actions you can take for that user are located to the right of the email. Choose Delete to remove the row from the list.

    WARNING: Deleting a user from the Bypass SSO list will also remove the user as a member of your organization. If you want this person to have access using SSO, you will need to re-add the user as a member of your organization after removing them from the Bypass SSO list.

  • Save/Cancel: Choose Save to save the Bypass SSO list, or Cancel to close without saving. 

    TIP: If you have added users, don't forget to invite them to your org under the Members tab (see Manage SSO Org Members).
    NOTE: When you make changes to the Bypass SSO list and click Save within this popout, the changes will be saved regardless of whether you Save or Cancel out of the Edit Organization Policies screen.

Manage SSO Org Members

Only Jitterbit org Admins can add members to a Jitterbit organization. These are users who are assigned a role with Admin permissions within the Organizations page (see Managing Roles and Permissions for more information).

Members can be added or removed from the Organizations page within the Members tab at the bottom of the page. When adding members to your org, the behavior is different depending on whether a user is new or already registered with Harmony, if your organization has SSO enabled, whether a user already has an SSO-enabled org, and whether a user is on a Bypass SSO list.

Members of an organization must be assigned to one or more predefined roles. That is, when a new member is created, they must be assigned to a role; it is not possible to have a member without any roles. To remove a member from the organization, remove them from all roles. See Managing Roles and Permissions for more information about predefined roles.

  • Add New Member to Role: Click the button to add a member to your organization. In the popup, enter an email address and specify the predefined role, then click Save. The next actions will depend on whether a user is new or already registered with Harmony, if your organization has SSO enabled, whether a user already has an SSO-enabled org, and whether a user is on a Bypass SSO list.

    NOTE: For organizations that have SSO enabled, take note when adding members:

    • Email addresses must match the usernames of your SSO Identity Provider. If a member's SSO username is not in email format or does not match the email you've provided under your org's Members list, this user will not be able to log in to Harmony with SSO. This is required for authentication purposes.
    • A Harmony user can be a member of only one SSO-enabled org using SSO credentials, OR, a Harmony user can be a member of multiple bypassed SSO orgs and multiple non-SSO orgs using Harmony credentials. See Use SSO or Harmony Credentials for more information.
    • New Harmony Users: Users that are not yet registered in Harmony will receive an email with further instructions and a link to log in to Jitterbit depending on SSO settings:
      • If the org has SSO enabled, and the user being invited is not on the Bypass SSO list, the user will be able to authenticate with SSO and access the organization. 
      • If the org does not have SSO enabled or the user has already been added to the Bypass SSO list, the user will need to access the link and complete registration with Jitterbit prior to accessing the organization with Harmony credentials.

    • Existing Harmony Users: Users that are already registered in Harmony as members of another organization can be added as follows and will receive an email with further instructions depending on SSO settings:
      • If the org has SSO enabled, and the user is not on the Bypass SSO list for that org, and the user is not a member of any other enterprise organization, the user will be able to authenticate with SSO and access the organization.

      • If the org has SSO enabled, and the user is already added to the Bypass SSO list for that org, then the user will be able to access the organization using their Harmony credentials.

      • If the org does not have SSO enabled, then the user will be able to access the organization using their Harmony credentials.
    TIP: The Invitation Status of new members with Harmony credentials is set to "Pending" until Jitterbit registration is completed. Members using SSO are already activated users.
    • Add Existing Member to Role: On the member row, click the Action dropdown to add a role.
    • Remove/Deactivate Members from a Role: On the member row, click on the  to the left of the member to view the assigned roles.
      The roles are now expanded, with an additional set of actions that have become available on each role row. Here you can remove or deactivate the role.

      WARNING: You must remove the member from each role in order to remove the member from the organization.
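
The membership rules from the Bypass SSO and Manage SSO Org Members sections can be checked against your member list before you enable SSO. The following Python is an added example, not Jitterbit code: it calls no Harmony API, and the record layout, finding codes, case-insensitive comparison and sample people (reusing the Mary, Garrett and Chris scenario with constructed addresses and permissions) are assumptions.

```python
"""Pre-enable check for an SSO org, modelled on the rules stated on this page.
All records are constructed sample data; field names and finding codes are
hypothetical, and no Jitterbit API is called."""
import re
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PRIVILEGED = {"Admin", "Agent Install"}  # permissions that allow agent installs


@dataclass
class OtherOrg:
    name: str
    enterprise: bool
    uses_sso: bool  # the user logs in to that org with SSO (not bypassed there)


@dataclass
class Person:
    email: str
    member: bool  # already listed under this org's Members tab
    permissions: set = field(default_factory=set)
    other_orgs: list = field(default_factory=list)


def audit(people, bypass_list, idp_usernames):
    """Return sorted (code, email) findings for the org that will enable SSO."""
    # Assumption: addresses are compared case-insensitively.
    bypass = {e.lower() for e in bypass_list}
    # An IdP username that is not in email format can never match a member.
    idp = {u.lower() for u in idp_usernames if EMAIL_RE.match(u)}
    known = {p.email.lower(): p for p in people}
    findings = set()

    # Members who are not bypassed will authenticate at the Identity Provider.
    for email, p in known.items():
        if not p.member or email in bypass:
            continue
        if any(o.enterprise for o in p.other_orgs):
            findings.add(("BLOCKS_ENABLE", email))  # bypass or remove first
        if email not in idp:
            findings.add(("NO_IDP_MATCH", email))  # SSO login would fail

    # Bypass SSO entries keep logging in with Harmony username and password.
    for email in bypass:
        p = known.get(email)
        if p and any(o.uses_sso for o in p.other_orgs):
            findings.add(("BYPASS_CONFLICT", email))  # cannot become a member
        elif p is None or not p.member:
            findings.add(("NOT_INVITED", email))  # still to add under Members
        if p and p.member and p.permissions & PRIVILEGED:
            findings.add(("PASSWORD_PRIVILEGED", email))  # review regularly
    return sorted(findings)


def can_enable_sso(findings):
    """True when no non-bypassed member is left in another enterprise org.

    This covers only that one precondition from the page, nothing else."""
    return all(code != "BLOCKS_ENABLE" for code, _ in findings)


# Constructed sample data for the Bird Feathers Inc. scenario.
PEOPLE = [
    Person("mary@birdfeathers.example", True, {"Admin"}),
    Person("garrett@birdsandbugs.example", True, {"Agent Install"},
           [OtherOrg("Birds & Bugs", enterprise=True, uses_sso=False)]),
    Person("chris@contractor.example", False),
    Person("dana@birdfeathers.example", True, set(),
           [OtherOrg("Feather Labs", enterprise=True, uses_sso=False)]),
    Person("lee@birdfeathers.example", True),
    Person("pat@partner.example", False, set(),
           [OtherOrg("Partner Co", enterprise=True, uses_sso=True)]),
]
BYPASS = ["garrett@birdsandbugs.example", "chris@contractor.example",
          "pat@partner.example"]
# "lee.k" is not in email format, so Lee has no usable IdP username.
IDP_USERNAMES = ["mary@birdfeathers.example", "dana@birdfeathers.example",
                 "lee.k"]

if __name__ == "__main__":
    results = audit(PEOPLE, BYPASS, IDP_USERNAMES)
    for code, email in results:
        print(f"{code:20} {email}")
    print("ready to enable SSO:", can_enable_sso(results))
```

PASSWORD_PRIVILEGED entries are the accounts that will keep authenticating with a Harmony password while holding Admin or Agent Install permissions, so they are the ones to review whenever the Bypass SSO list changes.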

Use SSO or Harmony Credentials

The credentials you use to log in to the Harmony Portal and Design Studio versions 8.24 and later depend on the SSO settings for the organization(s) of which you are a member. For those installing Private Agents, you will need to use Harmony credentials.

A Harmony user can be a member of either (1) an SSO org only, (2) non-SSO-enabled orgs only, or (3) bypassed SSO-enabled orgs and non-SSO-enabled orgs. Harmony will then determine how to authenticate based on the username provided upon login.

  • Member of SSO org only: A Harmony user can be a member of only one SSO-enabled Jitterbit organization. In this case, the user will log in using SSO credentials.
  • Member of non-SSO orgs only: A Harmony user can be a member of multiple non-SSO-enabled organizations. In this case, the user will log in using Harmony credentials.
  • Member of SSO and non-SSO orgs: A Harmony user can be a member of multiple bypassed SSO organizations and multiple non-SSO organizations. In this case, the user will log in using Harmony credentials. The user will be able to switch between SSO and non-SSO orgs without any interruption.

Log in to the Harmony Portal with Harmony or SSO Credentials

When you log in to the Harmony Portal, there is a two-step login process:

  1. Enter your Harmony or SSO username, then click the Next button.

    TIP: Your username will always be in the form of an email address. This email will be associated with your Harmony username for a non-SSO org or a bypassed SSO org, or will match the username for your SSO Identity Provider.
  2. The next actions depend on whether you entered a Harmony or SSO username:

    Harmony

    • If the username is associated with a valid Harmony user, the next step will ask for your password. Enter your password, then click the Next button.

      • If the supplied credentials are associated with a valid Harmony user, you will be logged in to the Harmony Portal. This includes users in SSO-enabled orgs that are on the Bypass SSO list.

      • If the username/password combination is not valid for Harmony, you will receive a message "Invalid credentials specified" and return to step 1 to try again.

    SSO

    • If the username is associated with a valid user with SSO-enabled org, and the user is not on the Bypass SSO list, you will be redirected via browser to the native login interface for the Identity Provider. 

    • Enter your credentials for the Identity Provider as normal. If validated by the Identity Provider, you will be redirected and logged in to the Harmony Portal. 

    Invalid

    • If the username is not associated with either a Harmony user or a user with SSO-enabled org, you will receive a message "Invalid credentials specified" and return to step 1 to try again.

Log in to Design Studio with Harmony or SSO Credentials

CAUTION: Users who are members of an SSO-enabled org and are not on its Bypass SSO list must be using Design Studio version 8.24 or later. Versions prior to 8.24 do not support SSO login.

When you log in to the Design Studio application (versions 8.24 and later), there is a similar two-step login process:

  1. Enter your Harmony or SSO username, then click the Login button.

    TIP: Your username will always be in the form of an email address. This email will be associated with your Harmony username for a non-SSO org or a bypassed SSO org, or will match the username for your SSO Identity Provider.
  2. The next steps depend on whether you entered a Harmony or SSO username:

    Harmony

    • If the username is associated with a valid Harmony user, the next step will ask for your password. Enter your password, then click the Login button.

      • If the supplied credentials are associated with a valid Harmony user, you will be logged in to Design Studio. This includes users in SSO-enabled orgs that are on the Bypass SSO list.

      • If the username/password combination is not valid for Harmony, you will receive a message "Invalid credentials specified" and return to step 1 to try again.

    SSO

    • If the username is associated with a valid user with SSO-enabled org, and the user is not on the Bypass SSO list, you will be redirected via browser to the native login interface for the Identity Provider. 

    • Enter your credentials for the Identity Provider as normal. If validated by the Identity Provider, you will be redirected and logged in to Design Studio. 

    Invalid

    • If the username is not associated with either a Harmony user or a user with SSO-enabled org, you will receive a message "Invalid credentials specified" and return to step 1 to try again.

Install Private Agent with Harmony Credentials

SSO is currently supported for the Harmony Portal and Design Studio. SSO is not supported for Private Agents.

Currently, the users listed below can install Private Agents depending on whether the org has SSO enabled:

Non-SSO-Enabled Organizations

Organizations that do not have SSO enabled are subject to the standard roles and permissions for installing Private Agents as defined under Managing Roles and Permissions from the Organizations page.

That is, members who have a role assigned a permission of Admin or Agent Install will be able to use their Harmony credentials to install Private Agents.

SSO-Enabled Organizations

Organizations that have SSO enabled are subject to an exception for installing Private Agents.

Harmony credentials must be provided in order to install Private Agents. Several people may be able to provide Harmony credentials, including these users:

  • The organization Admin who originally enabled SSO for the org. In this case, the Admin can provide their Harmony credentials that were valid prior to enabling SSO. These Harmony credentials are not subject to password policies such as password expiration.
  • Users belonging to another non-SSO-enabled organization who are also on the Bypass SSO list for the SSO-enabled org and belong to a role having either Admin or Agent Install permissions in the SSO-enabled org.

If a user does not have Harmony credentials, but is a member with a role assigned a permission of Admin or Agent Install, that user will not be able to install Private Agents. The user must already have Harmony credentials established in order to perform Agent installations.

Last updated:  Apr 22, 2019