Harness Authentication Capabilities

An Overview of Harness Platform

Harness is an Enterprise DevOps platform that provides a comprehensive set of tools and services to help organizations deliver software faster and more securely. Harness Capabilities authentication process is designed to ensure that only authorized users have access to the platform and its resources.

Harness Authentication Overview

Harness authentication provides a secure way for users to access and interact with Harness capabilities. It offers various authentication mechanisms to use for a wide range of customer needs. This guide will walk you through Harness' authentication capabilities, explain the options available, and help you decide which method is best for your organization

Supported Authentication Mechanisms

• Login via a Harness Account or Public OAuth Providers: Harness allows users to authenticate using either a Harness account (email and password) or a range of single sign-on with public OAuth 2.0 providers like Google, GitHub, and GitLab. This method is ideal for organizations that either want a Harness-managed user account system or OAuth providers for authentication

e.g. if an user (registered with Harness) John logs into a Harness account using a OAuth 2.0 provider i.e. GitHub, then the user must also be registered with GitHub using JohnOAuth20@outlook.com.

• SAML Provider: Harness supports Single Sign-On (SSO) via Security Assertion Markup Language (SAML), which allows organizations to integrate with an identity provider (IdP) such as Okta, Azure AD, or Google Workspace. This option is best for organizations that already have a centralized IdP and want to provide a seamless, secure login experience across their applications.

e.g. if an user (registered with Harness) John logs into a Harness account using a SAML provider i.e. Okta, then the user must also be registered with an Okta account using the same email address.

• LDAP Provider: Harness also supports Lightweight Directory Access Protocol (LDAP), which allows organizations to integrate with internal directory services like Microsoft Active Directory (AD) or OpenLDAP. This method is ideal for organizations with an established LDAP infrastructure that want to manage users centrally through their directory service.

How to Set Up Authentication in Harness:

Setting Up Login via a Harness Account or OAuth Providers

• Navigate to Account Settings → Authentication.
• Select either Enable Harness Account Authentication or choose an OAuth Provider (e.g., Google, GitHub, GitLab).
• Enforce password policies: Ensure that users create and use strong passwords that meet complexity requirements, and periodically expire passwords
• Enforce lockout after failed logins: Implement a lockout mechanism that automatically blocks access after a specified number of consecutive failed login attempts.
• Enforce two factor authentication: Implement two-factor authentication (2FA) for all Harness users to add an extra layer of security.
• Follow the provider’s instructions to configure OAuth credentials, such as Client ID and Client Secret.
• Once configured, users can log in via Harness-managed credentials or their OAuth provider’s login flow.

Setting Up SAML Authentication

• Navigate to Account Settings → Authentication.
• Select Enable SAML.
• Provide the required SAML metadata from your IdP (such as Okta or Azure AD), including the SAML Metadata in XML format.
• Configure the required SAML attributes (e.g., Entity Id).
• Save the configuration and test logging in via your IdP.
• Note: To do this, you should first disable any configured public OAuth providers. And to use SAML SSO, Harness Users must use the same email addresses to register in Harness and the SAML provider as mentioned in the example above.

Set up vanity URL

• You can access app.harness.io using your own unique subdomain URL in the following format; https://\{company}.harness.io where {company}is the name of your account.
• To set up this, you have to contact Harness Support.

Restrict email domains

You can allow (whitelist) only certain domains as usable in login credentials, e.g. gmail.com

Set inactive and absolute session timeout

You can set a session timeout (in minutes) for auto logout if there has been no activity. Similarly, you have an option to set an absolute Session Timeout (in minutes) for any user’s logout, regardless of any activity.

Conclusion:

Harness offers a range of authentication options to meet the needs of organizations of all sizes, from small teams leveraging public OAuth providers to large enterprises managing users with SAML or LDAP providers. Choosing the right method depends on your existing infrastructure, security requirements, and user management needs. By following the setup guides, you can ensure that your organization’s authentication is secure, scalable, and easy to manage, that’s where Harness stands out and makes a difference.

Reference:

• https://developer.harness.io/docs/platform/authentication/authentication-overview