Configure Harmony SSO in the Management Console
Harmony supports single sign-on (SSO) using the common SSO standards OAuth 2.0 and SAML 2.0. This page provides the requirements for configuring SSO and describes how to configure and enable SSO for a Harmony organization, including how to exempt selected members from using SSO.
Before configuring Harmony SSO for a Harmony organization, you should be aware of these important points that are specific to Jitterbit's SSO implementation:
Who can enable SSO?
Only Harmony organization administrators (users who are assigned to a role with Admin permission) can configure SSO for that organization. The user configuring SSO must belong to one — and only one — enterprise organization.
The organization can be configured to use a single identity provider with either OAuth 2.0 or SAML 2.0. Multiple protocols and multiple identity providers are not supported.
When configuring SSO, the administrator must be logged in to the Harmony Portal using an email address that matches the username of the account that they have with the SSO identity provider. For details, see the Requirements below.
What if there are organization members who aren't part of the SSO system?
Administrators for an SSO-enabled organization can add individual members to a Bypass SSO list to exempt those members from using SSO for that organization.
Members on a Bypass SSO list will use Harmony credentials in place of SSO to log in to Harmony for that organization.
This may be useful for adding contractors, support personnel, or others outside of your internal organization. It can also be used to add members who are already a member of another SSO-enabled organization.
Learn more under Bypass SSO below.
How will users who are members of multiple organizations log in?
A Harmony user can be a member of only one of these possible configurations:
- A single SSO-enabled organization
- Multiple non-SSO-enabled organizations
- Multiple SSO-enabled — all with a Bypass SSO flag — and non-SSO-enabled organizations
Harmony then determines how to authenticate based on the username provided at login. For more information, see Register and Log In Using Harmony SSO.
- Member of a single SSO-enabled organization: A Harmony user can be a member of only one SSO-enabled Jitterbit organization. In this case, the user will log in using SSO credentials.
- Member of multiple non-SSO-enabled organizations: A Harmony user can be a member of multiple non-SSO-enabled organizations. In this case, the user will log in using Harmony credentials.
- Member of multiple SSO-enabled (with a Bypass SSO flag) and non-SSO-enabled organizations: A Harmony user can be a member of multiple bypassed-SSO-enabled organizations and multiple non-SSO-enabled organizations. In this case, the user will log in using Harmony credentials. The user will be able to switch between bypassed-SSO-enabled and non-SSO-enabled organizations without interruption.
Is SSO supported for all of Harmony?
Harmony SSO is not supported for installation of Private Agents. Harmony credentials must be provided in order to install Private Agents. See Register and Log In Using Harmony SSO for details.
To configure and enable SSO in a Harmony organization, these requirements must be met:
- Admin User: Only Harmony organization administrators (users who are assigned to a role with Admin permission) can enable SSO for that organization. For more details, see Managing Permissions, Roles, and Members in Organizations.
- Enterprise Organization: The Harmony organization must be the only enterprise organization that the organization administrator belongs to. Administrators cannot enable SSO if they are a member of multiple enterprise organizations, and they cannot enable SSO on a personal organization. (Personal organizations typically use your email address as the name of the organization).
- Identity Provider: Administrators can configure SSO to either OAuth 2.0 or SAML 2.0 for a single identity provider. Multiple protocols and multiple identity providers are not supported. For example, you can use OAuth 2.0 for Salesforce, SAML 2.0 for Salesforce, or OAuth 2.0 for Google, but you cannot configure more than one of these.
- SSO Username: When configuring SSO, an administrator must be logged in to Harmony using an email address that matches the username of their SSO account. If your SSO username is not in email format or the email address does not match your registered Harmony email address, you will not be able to configure SSO. This is required for authentication purposes.
Harmony SSO Configuration
The configuration options for Harmony SSO and other Harmony organization settings are available from the Management Console Organizations page. To open the configuration options, use the organization's Action menu dropdown to select Edit Organization Policies.
With the exception of SSO-related options, the configuration options of the Edit Organization Policies dialog are explained under Edit Organizations in the Organizations documentation. The SSO-related options are explained here.
Within the Edit Organization Policies dialog, these options are relevant for configuring and enabling Harmony SSO: Enable SSO and Bypass SSO. These options are described in detail in Enable SSO and Bypass SSO later on this page.
In the Edit Organization Policies dialog, the Enable SSO option is used to both configure and enable SSO for all members of the Harmony organization, except for those included under Bypass SSO.
Use the dropdown to choose one of three options:
- None: This option is selected by default, meaning organizations are configured to use Harmony credentials by default.
- OAuth 2.0: Choose OAuth 2.0 to configure SSO using OAuth 2.0. Jitterbit supports OAuth 2.0 for Autodesk, BMC (proprietary to BMC customers only), Google, and Salesforce.
- SAML 2.0: Choose SAML 2.0 to configure SSO using SAML 2.0. Jitterbit supports SAML 2.0 for Azure Active Directory, Okta, and Salesforce. In addition, you may be able to configure SSO with another SAML 2.0 identity provider by entering, testing, and confirming the identity provider credentials in the configuration.
Select OAuth 2.0 or SAML 2.0 to open the Edit Organization SSO Provider Info dialog. If you already have one of these options selected, you can click the Edit link to the right of the dropdown to open the configuration dialog. For configuration details, see Harmony SSO OAuth 2.0 Configuration or Harmony SSO SAML 2.0 Configuration, respectively.
Once you have configured and tested a configuration, click Save within its dialog to save the configuration. Saving the configuration does not yet enable SSO.
After SSO is configured, to enable SSO using the configured settings, make sure the appropriate configuration for OAuth 2.0 or SAML 2.0 is selected in the Enable SSO dropdown. Then click Save within the Edit Organization Policies dialog. The newly configured SSO settings will take effect the next time a user logs in.
If you want to disable SSO after SSO has been enabled, change the selection to None in the Enable SSO dropdown. In this case, users who already have Harmony credentials will again be able to use them for this organization. Users without Harmony credentials (that is, those whose only organization was the SSO organization) will not be able to access the organization.
In the Edit Organization Policies dialog, the Bypass SSO option allows you to bypass SSO settings for specific users who are members of organizations that have SSO enabled or who are not part of the SSO identity provider. It is recommended to add at least one Harmony organization administrator to the Bypass SSO list for disaster recovery purposes.
Users in an organization's Bypass SSO list authenticate with Harmony using their Harmony credentials.
The Bypass SSO list applies only when SSO is enabled; however, to prepare for enabling SSO, you can manage the Bypass SSO list independently of whether SSO is enabled or disabled.
In cases where members of an organization are also members of other enterprise organizations, you must either add the users to the Bypass SSO list or remove them as a member of the organization before SSO can be enabled. If they are added to the Bypass SSO list, these users will be subject to the organization policies for any other non-SSO-enabled organizations of which they are a member. For example:
- Mary is an organization administrator for Bird Feathers Inc. and has SSO for Salesforce enabled on that organization. She wants to invite Garrett, a member of another organization, Ocean Views, which doesn't have SSO enabled. Mary needs to add Garrett to the Bypass SSO list for Bird Feathers Inc. before she can add him under the Members tab, since Garrett is already a member of another enterprise organization. Garrett will receive an invitation to use his existing Harmony credentials to access Mary's organization. Garrett's password policies will be controlled by Ocean Views only.
- Chris is a contractor for Bird Feathers Inc. and does not have a Salesforce account. Mary wants to invite Chris to the SSO-enabled Bird Feathers Inc. organization, but wants him to use Harmony credentials. Mary needs to add Chris to the Bypass SSO list before she can add him under the Members tab. Chris will then receive an invitation to register with Harmony credentials.
After adding a user to the Bypass SSO list, you must add them as a member under the Members tab for the organization if they are not already listed.
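The Bypass SSO rules above can be checked against a member list before SSO is switched on. The following is an added example, not Jitterbit code: the input shapes (`members`, `bypass`, `other_enterprise_orgs`) are hypothetical and hand-built from the Members tab and Bypass SSO list, the addresses are constructed, and case-insensitive email matching is an assumption.

```python
# Added example. Input shapes are hypothetical; this is not a Harmony API
# or export format.

def sso_preflight(members, bypass, other_enterprise_orgs):
    """Check an organization against the rules on this page before enabling SSO.

    members: {email: role}, where role is "admin" or "user"
    bypass: set of emails on the Bypass SSO list
    other_enterprise_orgs: {email: [names of other enterprise organizations]}
    Returns (blockers, warnings, login_method).
    """
    norm = lambda e: e.strip().lower()  # assumption: emails match case-insensitively
    members = {norm(e): r for e, r in members.items()}
    bypass = {norm(e) for e in bypass}
    others = {norm(e): o for e, o in other_enterprise_orgs.items() if o}
    blockers, warnings = [], []

    # Members of other enterprise organizations must be bypassed or removed
    # before SSO can be enabled.
    for email in sorted(members):
        if email in others and email not in bypass:
            blockers.append(f"{email}: member of {', '.join(others[email])}; "
                            "add to Bypass SSO or remove from organization")

    # Recommended: at least one administrator on the list for disaster recovery.
    if not any(members.get(e) == "admin" for e in bypass):
        warnings.append("no organization administrator on the Bypass SSO list")

    # Bypass entries still have to be added under the Members tab.
    for email in sorted(bypass - set(members)):
        warnings.append(f"{email}: on Bypass SSO list but not yet a member")

    # How each member authenticates once SSO is enabled.
    login_method = {e: ("harmony" if e in bypass else "sso") for e in members}
    return blockers, warnings, login_method


# Constructed sample data modelled on the Bird Feathers Inc. scenario above.
MEMBERS = {"mary@birdfeathers.example": "admin",
           "garrett@oceanviews.example": "user",
           "lee@birdfeathers.example": "user"}
BYPASS = {"chris@contractor.example"}
OTHER_ORGS = {"garrett@oceanviews.example": ["Ocean Views"]}

if __name__ == "__main__":
    blockers, warnings, methods = sso_preflight(MEMBERS, BYPASS, OTHER_ORGS)
    for line in blockers:
        print("BLOCKER:", line)
    for line in warnings:
        print("WARNING:", line)
    print(methods)
```

With the sample data, Garrett is reported as a blocker until he is added to the Bypass SSO list, and the missing administrator entry and Chris's missing membership are reported as warnings.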
To add a user to the Bypass SSO list, click the popout icon to open the Bypass SSO User Info dialog:
Email: Enter the email address of the user to be exempted from SSO. This may be an email address associated with an existing Harmony user or a new user who has not yet been invited to Harmony.
Do not add users belonging to another SSO-enabled Harmony organization. You will not be able to add those users to your organization under the Members tab.
Add User: After entering an email address, click this link to add the email address to the Bypass SSO list, and open an additional row where you can enter another email address.
Action: After adding a user, actions you can take for that user are located to the right of their Email under Action. To remove their row from the list, click Delete.
Deleting a user from the Bypass SSO list will also remove the user as a member of the Harmony organization. If you want this person to have access using SSO, you will need to re-add the user as a member of your organization after removing them from the Bypass SSO list.
Save: Click to save the Bypass SSO list. The Bypass SSO list will be saved regardless of whether you Save or Cancel out of the Edit Organization Policies dialog.
Cancel: Click to close the Bypass SSO list without saving.