Overview
P4 Authentication Service is designed to enable certain Perforce products to integrate with your organization's Identity Provider (IdP).
P4 Authentication Service supports:
- Two protocols: Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
- One IdP per protocol. For example, you might want to use OpenID Connect with Azure Active Directory, and SAML with Google Workspace.
- Security-Enhanced Linux (SELinux) enabled in enforcing mode
The officially supported Example Identity Provider configurations include Auth0, Azure Active Directory, Okta (identity management), OneLogin, and Google Workspace for SAML. In addition, our initial testing with Shibboleth for SAML and Ping Identity has produced positive results. We expect that P4 Authentication Service can also work with Cisco Duo Security and probably any standard IdP.
Two guides for complete solution
First Guide | Second Guide
---|---
This Guide focuses on configuring P4 Authentication Service with your IdP. | You will then use a different Guide to make your Perforce product work with P4 Authentication Service and your IdP, such as the
Important security consideration
The IdP authentication precedes and is separate from the P4 Server "ticket" and the ALM License Server login response. Therefore, when the user logs out of Helix Core, the user is not necessarily logged out from the IdP's perspective.
Logging out of a P4 Server or Perforce ALM client does not invoke a logout with the IdP. Depending on the IdP, subsequently starting a P4 Server client or Perforce ALM client might result in the user being logged in again without being prompted to provide credentials.
Supported client applications and minimal versions
For P4 Server, see "Requirements" > "Perforce clients" under https://github.com/perforce/helix-authentication-extension/blob/main/README.md#perforce-clients
For Helix ALM or Surround SCM, see "Supported Clients" under Integrating with identity providers in the Perforce ALM License Server Admin Guide.
For P4 Plan, see Integrating with identity providers for single sign-on in the P4 Plan System Administrator Guide.
Authentication flow
The process for authenticating a user depends on the Perforce product.
For P4 Server
See the "Overview" of the Administrator's Guide for Helix Authentication Extension under https://github.com/perforce.
For Perforce ALM
See the "single sign-on flow" under Integrating the Perforce ALM License Server with identity providers in the Perforce ALM License Server Admin Guide.
For P4 Plan
See the "single sign-on flow" under Integrating with identity providers for single sign-on in the P4 Plan System Administrator Guide.
Load balancing
If you are using load balancing in front of P4 Authentication Service, configure your load balancer to:
- Preserve session cookies so the login sequence can succeed.
- Use session affinity (sticky sessions) so that all requests from the client go to the same instance of P4 Authentication Service.
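One way to meet both requirements, shown as an added HAProxy example that is not taken from the Perforce documentation. The host name, addresses, port 3000, certificate paths, and the cookie name LB_INSTANCE are placeholders, and the `attr` cookie option requires a HAProxy release that supports it.

```haproxy
# Constructed example: names, addresses, ports and file paths are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend auth_in
    bind :443 ssl crt /etc/haproxy/certs/auth.example.com.pem
    default_backend auth_instances

backend auth_instances
    # Round robin only picks the instance for a client's first request.
    balance roundrobin

    # Session affinity: HAProxy sets its own cookie (LB_INSTANCE) naming the
    # instance it chose, then routes every later request carrying that cookie
    # back to the same instance.
    #   indirect         strip LB_INSTANCE before forwarding; the service's own
    #                    Cookie and Set-Cookie headers pass through unmodified
    #   nocache          mark the response that sets the cookie as uncacheable
    #   httponly, secure keep the cookie away from scripts and off plain HTTP
    #   attr             assumption: the IdP returns the browser with a
    #                    cross-site POST (as the SAML HTTP-POST binding does);
    #                    browsers may omit cookies that lack SameSite=None on
    #                    such requests, which would break affinity mid-login
    cookie LB_INSTANCE insert indirect nocache httponly secure attr "SameSite=None"

    # Deliberately no "http-request del-header Cookie" or
    # "http-response del-header Set-Cookie" rules: removing either header
    # would discard the session cookies the login sequence depends on.

    server auth1 10.0.0.11:3000 check cookie auth1 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem
    server auth2 10.0.0.12:3000 check cookie auth2 ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem
```

Cookie-based affinity is used here rather than source-address hashing so that clients sharing one NAT address can still be spread across instances.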
Limitation
P4 Authentication Service does not support using an HTTP proxy for IdP connections.