Creating a header-based SSO authentication integration#

A header-based single sign-on (SSO) authentication realm uses an external server for authentication.

  1. On the HCL™ Accelerate dashboard, click Settings > User authentication > SSO > Configure SSO.

  2. In the required fields, specify the following parameters:

    Field Description
    Name The name for the integration.
    Full name header name The user name on the SSO server that contains the list of users.
    Email header name The user email on the SSO server that contains the list of users. Note: For Email header name, there is a change to lower case in the HCL Accelerate database.
    Logout URL The SSO server's logout URL.

    Note: HCL Accelerate supports header-based SSO and can integrate with other SSO mechanisms, such as Security assertion markup language (SAML). It is the responsibility of the user to modify the SSO scheme in use to transmit the headers to authenticate with HCL Accelerate and then block the login page. The aforementioned method is different for every SSO product and mechanism.

  3. Click Save.

    Setting up an SSO user does not automatically add the user to the HCL Accelerate database and is explained in further detail below.

When users log on to an SSO-configured HCL Accelerate instance, their Email header name SSO credential is compared to the SSO server's user list. If the email address matches an existing user in the HCL Accelerate database, a user will automatically be created in the database and listed as SSO in the User Type field.

Note: Once the SSO setup is completed properly by the admin user and that user logs out of HCL Accelerate, there is a loss of admin access privileges because of the inability to log back in as the admin. New users created via the SSO login only have the Viewer and Release participant permissions by default and the admin cannot change the permissions as stated previously. Possible solutions for this scenario include the following:

  1. Set the HCL Accelerate server to allow direct access from specific IPs that will allow the admin to login.
  2. Create an SSO user with the HCL Accelerate admin email address of admin@admin.com.
  3. Perform an SSO login with a different browser while the local HCL Accelerate admin navigates to Settings > User authentication > Teams and grants full admin privileges to the SSO user.

As a guideline, Item 3 is the recommended method for preserving admin access privileges to HCL Accelerate.

To delete a current SSO configuration after it was created, click the Delete Configuration button on the Settings page for SSO.

Parent topic: Managing users and authentications