Project and Portfolio Management Practitioners Forum

NTLM/Single Sign On

eps414
Regular Collector

NTLM/Single Sign On

We have activated SSO for our PPM instance. However, every user is getting No Access, and I believe it's because our usernames are <last name, first name> and we have the logon_id set up to match the user's Windows logon, and PPM by default is trying to compare the username for SSO. How can we have PPM/SSO authenticate against the logon ID instead of the username?

7 REPLIES
Utkarsh_Mishra
Honored Contributor

Re: NTLM/Single Sign On

If you are using SSO and authenticating users with the login ID, then set this parameter in the server.conf file.

 

com.kintana.core.server.LOGON_METHOD=LOGON_ID

 

Then run kUpdateHtml.sh and start the server.

 

If you have a cluster configuration, then set this parameter in all server.conf files.

Cheers..
Utkarsh Mishra

philipwood
Regular Collector

Re: NTLM/Single Sign On

Hi,



I'm not sure this answers your question, because from your question I'm not sure if you already have your instance configured to log on with the logon_id and are now trying to configure SSO as well, or whether you are attempting both configurations simultaneously.

If you have LOGON_ID configured then this does not help, as you know it already.  :)

Otherwise the following might help...



I believe the server.conf parameter you are looking for is LOGON_METHOD and the value is LOGON_ID:



I used this configuration for a client in ITG 6 successfully.

Note that this did not include SSO, which might complicate matters.



My suggestion would be that you get logging on with the desired logon method working first before attempting SSO configuration.



From the installation/Admin guide parameters section:



LOGON_METHOD
Method used to log on to PPM Center.
Default: USER_NAME
Valid values: [sic]



Valid values are not supplied.



But the Data Model Guide gives the following info for the column in the database:

LOGON_IDENTIFIER, NOT NULL, VARCHAR2(800): The logon ID of the user. Used when the system is started in LOGON_ID mode.



The Open Interface Guide confirms this:

LOGON_IDENTIFIER, Required, VARCHAR2: Identifies the ID used for the logon. The value should be a valid USERNAME in KNTA_USERS. Depends on the LOGON_METHOD setting in the server.conf file. If LOGON_METHOD = LOGON_ID, the LOGON_IDENTIFIER column must be populated. Otherwise, populate the USERNAME column.



Some advice:

Keep in mind that this is not well documented, hence not well used and so probably not as well tested as the normal configuration.

Do you really need this configuration?

And are you willing to take the extra (small) risk of issues?



Why are you using <First Name, Last Name> as username? It adds no extra information that is not available in the other fields and does not make autocompletion any easier.



If you have a security requirement that the LDAP usernames not be visible to the end-users then this configuration is a must, but otherwise ask yourself the question if the extra configuration difficulty and risk is really worth it.



Kind Regards



Philip Wood
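
The two points made in the replies above, that LOGON_METHOD must be set in every cluster node's server.conf and that the column which must be populated depends on that setting, can be checked together before SSO is debugged further. This is an added example, not part of any post in this thread and not HP's code; it assumes that '#' starts a comment in server.conf and that the last assignment wins, and the node names and user rows are constructed.

```python
PARAM = "com.kintana.core.server.LOGON_METHOD"
DEFAULT = "USER_NAME"               # default quoted from the admin guide excerpt
KNOWN = {"USER_NAME", "LOGON_ID"}   # the two values named in this thread

def logon_method(conf_text):
    """Effective LOGON_METHOD for one server.conf.
    Assumptions: '#' starts a comment line and the last assignment wins."""
    value = DEFAULT
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == PARAM:
            value = val.strip()
    return value

def check_cluster(confs):
    """confs maps node name -> server.conf text. Returns (methods, findings)."""
    methods = {node: logon_method(text) for node, text in confs.items()}
    findings = [f"{n}: unrecognised LOGON_METHOD {m!r}"
                for n, m in sorted(methods.items()) if m not in KNOWN]
    if len(set(methods.values())) > 1:
        findings.append("nodes disagree on LOGON_METHOD: "
                        + ", ".join(f"{n}={m}" for n, m in sorted(methods.items())))
    return methods, findings

def required_column(method):
    """Column that must be populated, per the Open Interface Guide excerpt."""
    return "LOGON_IDENTIFIER" if method == "LOGON_ID" else "USERNAME"

def rows_missing_logon_key(method, rows):
    """User rows whose required column is empty and so can never match a logon."""
    col = required_column(method)
    return [r for r in rows if not (r.get(col) or "").strip()]

# Constructed sample input: node2 has the parameter commented out, so it
# silently falls back to the USER_NAME default.
SAMPLE_CONFS = {
    "node1": "com.kintana.core.server.LOGON_METHOD=LOGON_ID\n",
    "node2": "# com.kintana.core.server.LOGON_METHOD=LOGON_ID\n",
}
SAMPLE_USERS = [
    {"USERNAME": "Doe, Jane", "LOGON_IDENTIFIER": "jdoe"},
    {"USERNAME": "Roe, Richard", "LOGON_IDENTIFIER": ""},
]

if __name__ == "__main__":
    print(check_cluster(SAMPLE_CONFS))
    print(rows_missing_logon_key("LOGON_ID", SAMPLE_USERS))
```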

 

eps414
Regular Collector

Re: NTLM/Single Sign On

That server.conf parameter has been set for a very long time as that is how the users have been logging in for years and does still work after the upgrade to 9.14. It is only SSO that will not work. It is comparing to the username field and not the logon_id field. Any other ideas?

abhinavgarg
Acclaimed Contributor

Re: NTLM/Single Sign On

Hi,

 

We have recently upgraded the PPMC instance from 7.5 to 9.14 and are facing a similar issue.

 

That server.conf parameter has been set for a very long time as that is how the users have been logging in for years It is comparing to the username field and not the logon_id field?

 

Any update on any solution to make the authentication work on logon_id for SSO?

eps414
Regular Collector

Re: NTLM/Single Sign On

HP Support identified that this is a bug in 9.14. We had to roll back to 9.12. This has supposedly been fixed in 9.2 so that you can have all the functionality of 9.14, but 9.2 is having its own problems right now, so unless there is something specific you need out of 9.14 I would roll back to 9.12 for now until 9.2 is more stable.

randull
HPE Expert

Re: NTLM/Single Sign On

Hi,

 

This problem seems to be resolved on 9.140001, so maybe you can install it and see if it works.

 

Thanks,

Randall

Best regards,
Randall

ParamMugundhan
Occasional Contributor

Re: NTLM/Single Sign On

Hi,

 

We recently upgraded from 7.5 to 9.14002 and we started facing the issue. If this is a bug identified by HP support, can you give us the tracking number for the bug? Or even the support case ID would be helpful.

 

Thanks much in advance!!

 

Regards,

Param
