
Generic SSO

SOLVED
MikeCF
Super Collector

Generic SSO

Hi all,

If you enable the generic SSO in PPM by using an external web server and configuring the sso.conf file and server.conf, is it still possible to connect to PPM directly by using the URL of the app server?

Is there a possibility to disable/enable the SSO for specific users like switching the authentication mode between PPM and LDAP for any user?

Thx

Mike

5 REPLIES
Sascha_Mohr
Super Collector
Solution

Re: Generic SSO

Hello Mike,

The official answer from HP support is no, a mixed mode with SSO and non-SSO users is not supported. Nevertheless, it is possible to exclude cluster nodes from SSO.

PPM reads the server.conf sequentially, so a node that is accessible for users defined before the SINGLE_SIGN_ON_PLUGIN parameter will not be affected by it. We are running such a setup because we have external resources who are not in our directory (AD in that case).

hth

Regards
Sascha
Jim Esler
Honored Contributor

Re: Generic SSO

We use a hardware switch to direct users to a cluster instance and validation is done within PPM. Most users are configured to use their AD id and password via LDAP while some users not in AD are configured to use PPM authentication. I have not tried doing this with a web server as the front end. The tradeoffs may make a similar solution unacceptable in your environment.

Johannes Y
Regular Collector

Re: Generic SSO

Sascha,

I know you mentioned this in Barcelona, are you using a secondary webserver with a different address to route the users to the SSO node, or how do you make sure the users end up on the correct node?

/Johannes

Sascha_Mohr
Super Collector

Re: Generic SSO

Hi Johannes,

That's right, one front-end IIS for the SSO-enabled nodes with one DNS alias and another DNS alias for the single non-SSO-enabled node. There is only one node without SSO because SSO is the preferred way by both the users and us.

Regards

Sascha

Johannes Y
Regular Collector

Re: Generic SSO

Ok, that's how I envisioned it as well. Thanks for your prompt reply.

Take care.

/Johannes
