Skip to Content

Configure an identity provider for use with Jitterbit Harmony single sign-on (SSO)

Introduction

Before you can configure SSO, you must set up your identity provider. This page shows how to do this for the following protocols and identity providers:

In these sections, the redirect and callback URLs for Harmony clients are as follows:

  • OAuth 2.0

    WMC
    https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/oauth
    
    Studio
    https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/oauth/login/studio/callback
    
  • SAML 2.0

    WMC
    https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml
    
    Studio
    https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml/login/studio/callback
    

REGION is your Harmony region, one of na-east, emea-west, or apac-southeast.

Changes to redirection URLs

Previously published redirection URLs (containing jitterbit-cloud-mgmt-console) are being updated to the new URLs shown above.

While the old URLs will continue to work through redirection to the new ones, they will be deprecated at some point in the future.

Jitterbit recommends that organizations currently enabled for SSO and using configured identity providers with the old URLs should reconfigure SSO using the new URLs as soon as possible to prevent any future disruptions.

OAuth 2.0

Autodesk

To get an Autodesk OAuth 2.0 client ID and client secret, log in to the Autodesk Forge portal, then follow these steps for two Jitterbit client applications, WMC, for access to the Harmony web applications via the Harmony portal, and Studio, for access to Design Studio:

Important

You must create both apps even if you don't intend to use Design Studio.

  1. Go to My Apps and click the Create App button.

  2. Create an app in Autodesk

  3. Set the following values:

    • App Name: Enter the app name that users see when logging in to Harmony via this provider.

    • Callback URL: Enter your Harmony region's OAuth redirect or callback URL for the Jitterbit client application.

  4. Click Create App.

  5. Use the client ID and client secret in the app's section of the Configure SSO OAuth 2.0 drawer on the Management Console Organizations page.

BMC

For instructions on how to configure the BMC identity provider, contact BMC customer support.

Google

To get a Google OAuth 2.0 client ID and client secret, log in to the Google API Console, then follow these steps for two Jitterbit client applications, WMC, for access to the Harmony web applications via the Harmony portal, and Studio, for access to Design Studio:

Important

You must create both apps even if you don't intend to use Design Studio.

  1. From the Dashboard, click Create Project.

  2. On the New Project screen, enter a Project name.

    Tip

    You can create both Jitterbit client applications within the same project.

    If required, select an Organization and Location, then click Create:

    Create project

  3. Go to the project's OAuth consent screen tab, select External, then click Create:

    Consent

  4. In the OAuth consent screen, enter an App name, complete the required contact information, and make any additional changes to the default values.

  5. Click Save and Continue.

  6. Go to the project's Credentials tab.

  7. Click Create Credentials.

  8. In the dropdown, select OAuth client ID, then set the following values:

    • Application type: Select Web application.

    • Name: Enter a name for the client.

  9. Under Authorized redirect URIs, click Add URI, then set the following:

    • URIs: Enter your Harmony region's redirect URL for the Jitterbit client application.
  10. Click Create.

  11. Use the client ID and client secret in the app's section of the Configure SSO OAuth 2.0 drawer on the Management Console Organizations page.

Salesforce

To enable Salesforce as an identity provider and get an OAuth 2.0 client ID and client secret, log in to the Salesforce Classic UI as a Salesforce Admin, then follow these steps:

  1. Navigate to Setup > Administer > Security Controls > Identity Provider.

  2. In the section Identity Provider Setup, verify that you have a domain name configured and that Salesforce is enabled as an identity provider:

    • If you do not have a domain configured, click the link to Configure a Domain Name and follow the steps to set up a domain and deploy it to users. This automatically enables Salesforce as an identity provider.

    • If you have a domain configured but disabled as an identity provider, click the button Enable Identity Provider.

    Tip

    After making changes in Identity Provider Setup, you may need to refresh the page.

Do the following steps for two Jitterbit client applications, WMC, for access to the Harmony web applications via the Harmony portal, and Studio, for access to Design Studio:

Important

You must create both apps even if you don't intend to use Design Studio.

  1. In the Service Providers section, click the link to create via Connected Apps, or navigate to Setup > Build > Create > Apps and click New under the Connected Apps section.

  2. Set the following values:

    • Basic Information:

      • Connected App Name: Enter a name for the Jitterbit client application.

      • Set any other required fields.

    • API (Enable OAuth Settings):

      • Enable OAuth Settings: Enable this setting to reveal the Callback URL and Selected OAuth Scopes fields:

        For WMC:

        Salesforce OAuth

        For Studio:

        Salesforce OAuth

        Set these fields as follows:

        • Callback URL: Enter your Harmony region's redirect or callback URL for the Jitterbit client application.

        • Selected OAuth Scopes: Select these OAuth scopes by moving them to Selected OAuth Scopes:

          • Full access (full)

          • Perform requests on your behalf at any time (refresh_token, offline_access)

  3. Click Save.

  4. Under API (Enable OAuth Settings), use the Consumer Key for the client ID and the Consumer Secret for the client secret in the app's section of the Configure SSO OAuth 2.0 drawer on the Management Console Organizations page.

    Enable OAuth

SAML 2.0

Azure Active Directory

To get the SAML 2.0 identity and service provider metadata for Microsoft Azure Active Directory (now known as Microsoft Entra ID), log in to the Microsoft Azure portal with an account that includes Microsoft Azure AD Premium P2 edition, then follow these steps:

  1. Go to the Enterprise applications blade and click New application:

    Azure SAML 1

  2. On the Add an application screen under Add your own app, select Non-gallery application:

    Azure SAML 2

  3. On the Add your own application screen, enter a name for the new application, then click Add:

    Azure SAML 3

  4. On the Overview screen for the new application, under the Manage category on the left, select Single sign-on:

    Azure SAML 4

  5. On the Single sign-on screen for the new application, under Select a single sign-on method, select SAML:

    Azure SAML 5

  6. On the SAML-based Sign-on screen, edit the first step, Basic SAML Configuration:

    Azure SAML 6

  7. On the Basic SAML Configuration screen, set values for the following fields:

    Azure SAML 7

    • Identifier (Entity ID): Enter your Harmony region's SAML redirect URL for the WMC Jitterbit client application, and select the Default checkbox.

    • Reply URL (Assertion Consumer Service URL): On separate lines, enter your Harmony region's SAML redirect and callback URLs for both Jitterbit client applications, WMC, for access to the Harmony web applications via the Harmony portal, and Studio, for access to Design Studio. Select the Default checkbox for the WMC redirect URL.

      Important

      You must create both apps even if you don't intend to use Design Studio.

  8. Click Save and close.

  9. On the SAML-based Sign-on screen, edit the second step, User Attributes & Claims:

    Azure SAML 8

  10. By default, Microsoft Azure uses the user.userprincipalname as the identifier, which is onemicrosoft.com. This must be changed to user.mail.

    To open the claim for modifying, click the row with a Claim name of Unique User Identifier (Name ID):

    Azure SAML 9

  11. On the Manage claim screen, change the Source attribute field from user.userprincipalname to user.mail.

    Azure SAML 10

  12. Click Save and close.

  13. On the SAML-based Sign-on screen, in the third step, SAML Signing Certificate, download the Federation Metadata XML. Use this as the Identity Provider Metadata field in the app's section of the Configure SSO SAML 2.0 drawer on the Management Console Organizations page.

    Note

    Multiple certificate definitions (<X509Data> elements) in the metadata are supported with agents version 10.84 / 11.22 and later.

    Azure SAML 11

  14. Under the Manage category on the left, select Users and groups.

  15. For each user, click Add user and add their email address.

    Azure SAML 12

  16. After adding each user, provide an Alternate email that matches the Harmony username. These users must be members of the Harmony organization.

    Azure SAML 13

  17. To create the service provider metadata for the WMC and Studio clients, use the samples below, replacing REGION on the highlighted lines with your Harmony region's SAML redirect and callback URLs for the Jitterbit client application:

    WMC
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml">
        <md:SPSSODescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:AssertionConsumerService index="1" isDefault="true"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml"/>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>
    
    Studio
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml">
        <md:SPSSODescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:AssertionConsumerService index="1" isDefault="true"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml/login/studio/callback"/>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>
    
  18. Use these metadata in the Service Provider Metadata field in the app's section of the Configure SSO SAML 2.0 drawer on the Management Console Organizations page. to configure SSO for SAML 2.0.

Salesforce

To get the SAML 2.0 identity and service provider metadata for Salesforce, log in to the Salesforce Classic UI as a Salesforce Admin, then follow these steps:

  1. Navigate to Setup > Administer > Security Controls > Identity Provider.

  2. In the section Identity Provider Setup, verify that you have a domain name configured and that Salesforce is enabled as an identity provider:

    Identity provider setup

    • If you do not have a domain configured, click the link to Configure a Domain Name and follow the steps to set up a domain and deploy it to users. This automatically enables Salesforce as an identity provider.

    • If you have a domain configured but disabled as an identity provider, click the button Enable Identity Provider.

    Tip

    After making changes in Identity Provider Setup, you may need to refresh the page.

Do the following steps for two Jitterbit client applications, WMC, for access to the Harmony web applications via the Harmony portal, and Studio, for access to Design Studio:

Important

You must create both apps even if you don't intend to use Design Studio.

  1. In the Service Providers section, click the link to create via Connected Apps, or navigate to Setup > Build > Create > Apps and click New under the Connected Apps section.

  2. Set the following values:

    • Basic Information:

      • Connected App Name: Enter a name for the Jitterbit client application.

      • Set any other required fields.

    • Web App Settings:

      • Enable SAML: Enable this setting to reveal the Entity Id and ACS URL fields:

        For WMC:

        Salesforce SAML

        For Studio:

        Salesforce SAML

        Set these fields as follows:

        • Entity Id: This must be unique per Harmony client.

          Tip

          Inspect the downloaded XML metadata file and find the entityID element. This should match your Salesforce domain (https://yourdomain.my.salesforce.com/). To create a unique Entity Id per client, you can append /wmc or /studio to the default ID.

        • ACS URL: Enter your Harmony region's redirect or callback URL for the Jitterbit client application.

  3. Complete any other optional fields as desired, and click Save.

To assign profiles to the Connected Apps so that users have the appropriate permissions, follow these steps:

  1. For each Connected App, click the Manage button, or navigate to Setup > Administer > Manage Apps > Connected Apps.

  2. You must assign profiles for each Connected App. Do the following for each:

    1. Under the Profiles section, click Manage Profiles.

    2. On the Application Profile Assignment screen, select System Administrator. This provides access to the service provider.

      Select any additional profiles associated with users using Harmony SSO.

    3. When all desired profiles have been assigned, click Save.

  3. The Harmony clients should now be listed under Manage Connected Apps. (You may not see the apps from the identity provider page listed under service providers.)

  4. To create the service provider metadata for the WMC and Studio clients, use the samples below, replacing (on the highlighted lines) ENTITY_ID with the Salesforce Entity ID, and REGION with your Harmony region's SAML redirect and callback URL for the Jitterbit client application:

    WMC
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="ENTITY_ID">
        <md:SPSSODescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:AssertionConsumerService index="1" isDefault="true"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml"/>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>
    
    Studio
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="ENTITY_ID">
        <md:SPSSODescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:AssertionConsumerService index="1" isDefault="true"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml/login/studio/callback"/>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>
    

    Tip

    If you see the error No valid signing cert found, check that the identity provider metadata has a KeyDescriptor tag with the attribute use="signing".

Okta

To get the SAML 2.0 identity and service provider metadata for Okta, log in to your Okta organization as a user with administrative privileges, then follow these steps:

  1. On the main menu, go to Applications > Applications, then click Create App Integration.

  2. In the Create a new app integration window, select SAML 2.0 and click Next.

    create new integration

  3. On the Create SAML Integration page, several steps walk you through configuring the new app.

    1. In step 1, General Settings, enter an App name, then click Next:

      general settings

    2. In step 2, Configure SAML, provide the following information under part A, SAML Settings:

      • Single sign on URL: Enter your Harmony region's SAML 2.0 redirect URL for the WMC Jitterbit client application.

      • Audience URI (SP Entity ID): Again, enter your Harmony region's SAML 2.0 redirect URL for the WMC Jitterbit client application.

      • Name ID format: Click the dropdown and choose the EmailAddress option. Leave the remaining fields with their default values.

      SAML settings

    3. Click Show Advanced Settings.

    4. Under Other Requestable SSO URLs, click + Add Another. Enter your Harmony region's SAML 2.0 callback URL for the Studio Jitterbit client application. Leave the remaining fields with their default values.

      SAML settings

  4. When finished, you can skip part B and click Next to continue.

  5. Complete the last step, Feedback, then click Finish to finish creating the app.

To create the metadata for the Service Provider Metadata field in the app's section of the Configure SSO SAML 2.0 drawer on the Management Console Organizations page, follow these steps:

  1. Go to the Sign On tab of your newly created application.

  2. In the Actions column, select Actions > View IdP Metadata to download the metadata file:

    View IdP metadata

    This example shows how the metadata file should look:

    Example Identity Provider Metadata
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exknvfdjbL8smSRvK2p6"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAWFj+QgOMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJVUzETMBEG
    A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
    MBIGA1UECwwLU1NPUHJvdmlkZXIxFjAUBgNVBAMMDWppdHRlcmJpdGJsdWUxHDAaBgkqhkiG9w0B
    CQEWDWluZm9Ab2t0YS5jb20wHhcNMTgwMjA1MDMxNzQwWhcNMjgwMjA1MDMxODQwWjCBlTELMAkG
    A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTAL
    BgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRYwFAYDVQQDDA1qaXR0ZXJiaXRibHVl
    MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
    CgKCAQEAwRuDKQWs/uWFEulxYk1/V436/zhy/XxAL3swKUdfFlevC4XZcQtTdpspgwdt0TIgTpz1
    dZGx5ystxz1slZ5e9jk20iHAsRuzKKeL657DDFHlG8Qg7HCg8B55TKKhTUsYQLikqeWx8R7F+rHh
    dG6eEJut4/CHOMlb/G4Ynrq8tpwlqVtaqLZrL2GPfEKUJVOvqxHeqVqmB7Pduh3E9/7rgEN6yXiL
    6hISTRLIb13TGGyqpLPMRsgJnkMifQMI12OK0PQnFqRc2ES0JUnWhpv/WN4VYuvN3SgaIgE5VY86
    C0J8IB6ljXx6uJj6EeC60KTmDUPtC1Au345jzBwY9yKLoQIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
    AQAD7Ba6pwUUmxCtiqKE4E4JwMMCUrlHghL80Vru3SHWU3GdMEM9kVizVUcM57QzyIlwx8KdCXbB
    yfxo8Eh88mAYDRifLmeospLQvC5OhfF/5XKmsTa5JnF+bSB41iCZUsB88byLI1nARFZGznboQXK9
    pT3egaEHsWffiIYR+Y2lcAW66OH6FEZ0lTy628q1LsuS/UruA3so+qFgPqTc0yiZEv65MZQWd1cg
    qRlLK1bcoR4d5Qfo0nWFDBXWqX4LX4c5xe7zh4wtbiG1i9Oh8qWJp8KUmgfSkQf79mUhib9YvzBE
    RdXU7eUS0/E3G21yLa9wQtHkEY3cIDs58AEIpuR0</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://jitterbitblue.okta.com/app/jitterbitorg316974_jitterbitsamlapplication_1/exknvfdjbL8smSRvK2p6/sso/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://jitterbitblue.okta.com/app/jitterbitorg316974_jitterbitsamlapplication_1/exknvfdjbL8smSRvK2p6/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>
    

To assign users to the Jitterbit SAML application within Okta, follow these steps:

  1. Go to the Assignments tab of your newly created Jitterbit application.

  2. For each user that must log in to Harmony via Okta, click the Assign dropdown, select Assign to People, then assign them.

    Assign to users

  3. When finished, click Done.

  4. To create the service provider metadata for the WMC and Studio clients, use the samples below, replacing REGION with the SAML URL for the Harmony region on the highlighted lines:

    WMC
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml">
        <md:SPSSODescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:AssertionConsumerService index="1" isDefault="true"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml"/>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>
    
    Studio
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        entityID="https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml">
        <md:SPSSODescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
            <md:AssertionConsumerService index="1" isDefault="true"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://apps.REGION.jitterbit.com/identity/api/v1/organizations/sso/saml/login/studio/callback"/>
        </md:SPSSODescriptor>
    </md:EntityDescriptor>
    

    Tip

    If you see the error No valid signing cert found, check that the identity provider metadata has a KeyDescriptor tag with the attribute use="signing".