Single Sign On
Helix supports Single Sign-On (SSO) for Enterprise customers. SSO allows your users to log in to Helix using your organisation's existing authentication system, such as Active Directory or SAML.
Supported SSO Providers
Active Directory (ADFS)
Entra ID (formerly Azure AD)
Okta
OneLogin
Google Workspace
SAML 2.0-compliant providers not listed above
How to Enable SSO
SSO is enabled as part of your organisational onboarding process. Your Helix account manager will work with you to configure SSO for your organisation.
Automatic User Provisioning
When using SSO, Helix can automatically create user accounts for your users the first time they log in. Accounts created in this way are linked to your SSO provider, and users can log in to Helix using their SSO credentials. These accounts are not able to log in manually (excluding Global Administrators) and must log in via federated authentication. This is for compliance (e.g. Cyber Essentials) and security reasons.
Users must be eligible for any role with the View Incidents permission to be able to log in to Helix. If a user is not eligible for any role with this permission, they will not be able to log in and will instead be presented with a request to contact their service desk.
Windows Authentication
For customers using Active Directory, Helix supports Windows Authentication. For domain-joined Windows devices, Helix can automatically log users in using their Windows credentials. This provides a seamless login experience for users, as they do not need to enter their username and password.
This feature can be activated on any existing Enterprise installation via group policy. To enable it, you must create a registry key HKEY_LOCAL_MACHINE\SOFTWARE\RedEye\Helix\EnterpriseADPassthrough with a value of 1.
SSO Configuration
Helix supports the following SSO configurations:
Just-In-Time Provisioning: Helix can automatically create user accounts the first time a user logs in.
User Attribute Mapping: You can map user attributes from your SSO provider to Helix user fields, such as name and email address.
Group-Based Access Control: You can map security groups from your SSO provider to Helix roles, allowing you to automatically assign permissions to users based on their group membership.
Group-Based Access Control
Within Helix, Roles and Permissions are used to gate access to different parts of the application. When using SSO, you can map security groups from your SSO provider to Helix roles. This allows you to automatically assign permissions to users based on their group membership in your SSO provider.
SSO Limitations
User De-Provisioning: Users are not presently de-provisioned from Helix when they are removed from your SSO provider. You must manually remove users.
User Account Creation: Users must be eligible for any role with the View Incidents permission to be able to log in to Helix. If a user is not eligible for any role with this permission, they will not be able to log in and will instead be presented with a request to contact their service desk.
Manual Login: Accounts created via SSO are not able to log in manually (excluding Global Administrators) and must log in via federated authentication. This is for compliance (e.g. Cyber Essentials) and security reasons.
User Attribute Mapping: Helix supports user attribute mapping from your SSO provider to Helix user fields, such as name and email address. However, Helix does not support user attribute mapping for custom fields.
Helix has been primarily designed for use with Active Directory-based SSO providers (ADFS, Entra, etc.), and not all features may be available when using other SSO providers. For more information, please contact your account manager.
Helix may be able to provide additional support for in-house IAM solutions, but this is not guaranteed and will require engineering time to implement. Contact your account manager for more information.
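An access review that follows from the group mapping, the View Incidents login gate and the de-provisioning limitation described above, as an added example (not Helix code). It assumes you can export each user's group membership from your SSO provider and a list of account e-mail addresses from Helix; the group names, role names, permissions other than View Incidents and all sample data are constructed.

```python
"""Periodic access review for group-mapped SSO (added example, constructed data)."""

VIEW_INCIDENTS = "View Incidents"  # permission the page says is required to log in

# Assumed local copy of the security group -> role mapping (hypothetical names).
GROUP_TO_ROLE = {
    "SG-Helix-Responders": "Responder",
    "SG-Helix-Facilities": "Facilities",
}
# Assumed role -> permissions table (hypothetical apart from View Incidents).
ROLE_PERMISSIONS = {
    "Responder": {VIEW_INCIDENTS, "Raise Incident"},
    "Facilities": {"Edit Floor Plans"},
}


def roles_for(groups):
    """Roles a user is eligible for, given their SSO group membership."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def can_log_in(groups):
    """True if any mapped role carries the View Incidents permission."""
    return any(VIEW_INCIDENTS in ROLE_PERMISSIONS.get(r, set())
               for r in roles_for(groups))


def review(idp_users, helix_accounts):
    """idp_users: {email: [groups]} from the SSO provider export.
    helix_accounts: iterable of account e-mail addresses exported from Helix."""
    idp = {e.strip().lower(): g for e, g in idp_users.items()}
    helix = {e.strip().lower() for e in helix_accounts}
    return {
        # Would be sent to the "contact your service desk" page at login.
        "blocked_at_login": sorted(e for e, g in idp.items() if not can_log_in(g)),
        # Gone from the SSO provider but still present: remove manually.
        "remove_manually": sorted(helix - set(idp)),
        # Still in the SSO provider, but groups no longer grant View Incidents.
        "lost_eligibility": sorted(e for e in helix & set(idp)
                                   if not can_log_in(idp[e])),
    }


# Constructed sample exports.
SAMPLE_IDP = {
    "Alice@example.org": ["SG-Helix-Responders", "SG-All-Staff"],
    "bob@example.org": ["SG-Helix-Facilities"],
    "carol@example.org": ["SG-All-Staff"],
}
SAMPLE_HELIX = ["alice@example.org", "bob@example.org", "dave@example.org"]
```

Running `review(SAMPLE_IDP, SAMPLE_HELIX)` on a schedule gives the service desk a list of accounts to remove by hand and a list of users whose group membership needs correcting before they can log in.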