Horde system user authentication (ServiceAccounts)

We are using Horde for distributed compilation for our developers and have configured Horde with Okta SSO.
We would like to also allow our current CI system, which runs on TeamCity, to utilize Horde agents for compilation, but these agents can obviously not perform an SSO login.
Is there a way to handle this situation?

I see that Horde has the concept of ServiceAccounts, but there’s no documentation of what they are used for or how to use them.
I have created a ServiceAccount, which provides me with an id and a token, but I don’t seem to be able to use it for anything when the auth provider is set to OIDC/Okta.
Attempting to log in (/account/login/horde) and get a token for BuildConfiguration.xml results in a somewhat buggy error message:

Unhandled exception: No authentication handler is registered for the scheme ‘Horde built-in authentication is disabled’. The registered schemes are: Cookies, ServiceAccount, OktaOpenIdConnect, ServerJwt, ExternalJwt.

Should I be able to use ServiceAccounts for this scenario and if so, what do I need to configure or do to authenticate?

Were you ever able to resolve this?

Having the same issue with wanting to use UBA on our TeamCity, as we are not in a position to shift our whole pipeline to Horde.

Yes, after digging through the source code, I found a way to make it work the way I want.

There are three parts to the setup.

1. Create a Service Account
I do this through the API /api/v1/serviceaccounts, but you might be able to also do it in the web UI.

{
  "name": "teamcity",
  "description": "Used by TeamCity agents to connect to horde and assign compilation jobs",
  "claims": [
    {
      "type": "serviceaccount",
      "value": "teamcity"
    }
  ],
  "enabled": true
}

You can set whatever claims you want - this is a simple example - but you must set some claims for step 2.

2. Set ACL rules in globals.json
In the compute.clusters section, add an ACL entry matching one or more claims from the serviceaccount and grant access to the actions you need.

"compute": {
  "clusters": [
    {
      "id": "default",
      "namespaceId": "<ns_id>",
      "acl": {
        "entries": [
          {
            "claim": {
              "type": "serviceaccount",
              "value": "teamcity"
            },
            "actions": [
              "AddComputeTasks",
              "GetComputeTasks"
            ]
          }
        ]
      }
    }
  ]
}

3. Use the service account from a TeamCity build
In your build steps, you must fetch a token from Horde, using the service account secret.
Send a GET request to /api/v1/admin/token with an Authorization header with the value “ServiceAccount <token_secret>” (the space is important).
This returns a JWT which you can then use to authenticate for other actions.

For my purpose of letting TeamCity use Horde agents for remote compilation, I modify the BuildConfiguration.xml in the working directory on the TeamCity agent and insert a <Horde><Token> XML property with the JWT value.
Once UAT runs, it will pick up this token and use it to add compute tasks.

Hope this helps
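
Step 3 of the answer above as a build-step script; this is an added example, not part of the original post and not Horde's own code. The environment variable names (HORDE_URL, HORDE_SERVICE_ACCOUNT_SECRET, BUILD_CONFIG) are hypothetical, and it assumes the token endpoint returns the bare JWT as the response body. Reading the secret from a masked CI parameter keeps it out of the build script and the build log.

```python
import os
import urllib.request
import xml.etree.ElementTree as ET

NS = "https://www.unrealengine.com/BuildConfiguration"  # BuildConfiguration.xml namespace

def token_request(server_url, secret):
    """Build the GET /api/v1/admin/token request described in step 3."""
    req = urllib.request.Request(server_url.rstrip("/") + "/api/v1/admin/token")
    # Scheme name and secret are separated by exactly one space.
    req.add_header("Authorization", "ServiceAccount " + secret.strip())
    return req

def fetch_jwt(server_url, secret):
    """Exchange the service account secret for a JWT (never printed or logged)."""
    with urllib.request.urlopen(token_request(server_url, secret), timeout=30) as resp:
        jwt = resp.read().decode("utf-8").strip()  # assumption: body is the bare JWT
    if jwt.count(".") != 2:
        raise ValueError("response does not look like a JWT")
    return jwt

def set_horde_token(xml_text, jwt):
    """Insert or replace <Horde><Token> in BuildConfiguration.xml content."""
    ET.register_namespace("", NS)  # serialize without an ns0: prefix
    root = ET.fromstring(xml_text)
    horde = root.find(f"{{{NS}}}Horde")
    if horde is None:
        horde = ET.SubElement(root, f"{{{NS}}}Horde")
    token = horde.find(f"{{{NS}}}Token")
    if token is None:
        token = ET.SubElement(horde, f"{{{NS}}}Token")
    token.text = jwt
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # Hypothetical variable names; map them to masked TeamCity parameters.
    server = os.environ["HORDE_URL"]
    secret = os.environ["HORDE_SERVICE_ACCOUNT_SECRET"]
    path = os.environ.get("BUILD_CONFIG", "BuildConfiguration.xml")
    with open(path, encoding="utf-8") as f:
        updated = set_horde_token(f.read(), fetch_jwt(server, secret))
    with open(path, "w", encoding="utf-8") as f:
        f.write(updated)
```

The written file contains a live credential, so it should stay in the agent's working directory and be excluded from published build artifacts.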