Project and Portfolio Management Practitioners Forum

PPM 8.01 Single Sign On

SOLVED
PPM Admin
Respected Contributor.

PPM 8.01 Single Sign On

Currently we are on PPM 8.01 with LDAP integration using Active Directory. I have a single sign-on requirement: once you are logged in to the desktop using this AD account, you can automatically access PPM. Can a Web Remote Single Sign On implementation cater to this requirement? Do you have any other suggestions on how to achieve it?

Thanks,
Chona
9 REPLIES
Nate Kelling
Contributor.

Re: PPM 8.01 Single Sign On

Chona,

The idea behind SSO is to enable a user to sign in once and then allow them to access PPM freely until the user is signed out. I know that we use a time limit in which you are able to continuously use PPM before you have to log in again, but that is just a security feature. Also, if you are inactive for a long period of time, SSO makes you log in before getting back to work. SSO also makes it possible for you to sign in once and then switch between multiple database instances.
PPM Admin
Respected Contributor.

Re: PPM 8.01 Single Sign On

Updates from HP Support:

It is not possible to have both LDAP and SSO on the PPM application; you could have LDAP or SSO, not both.

If you do not want to use any third-party SSO application, you can use NTLM; please refer to "Implementing Web Remote Single Sign-On with PPM Center" in the sys admin guide (page 176).

These NTLM accounts are Windows accounts made inside the server. You need to create accounts in the Windows OS for the client users.

Please see the details below; you can also find detailed NTLM information on the Microsoft website or through a Google search.

NTLM / Windows Integrated Authentication:

NTLM is similar to basic authentication in that it works with a popup window generated by the browser. The main difference is that the supplied information is encrypted and passed securely to the client. In order to accomplish this the browser must have special functionality.

Advantages:

Requires no additional software

Username and password passed securely without using SSL

Disadvantages:

The NTLM authentication login box is generated by the web browser; as such, you cannot control the look and feel of this dialog.

This requires that you create NT users and groups for all web site users. This can be difficult to administer, particularly with a large number of users.

Clients must use Internet Explorer (no other web browser supports NTLM).
PPM Admin
Respected Contributor.

Re: PPM 8.01 Single Sign On

Any 3rd party application recommendation to use? Licensed or non-licensed? And would you elaborate on how it works? Any suggestion is appreciated.

Thanks,
Chona
Sascha Mohr_1
Outstanding Contributor.

Re: PPM 8.01 Single Sign On

Hi, maybe I did not understand correctly what you are trying to achieve. The Web Remote Single Sign On plugin on one (or more) front-end IIS webservers will allow SSO (being automatically logged in to PPM with the AD account). All you need to make sure is that usernames match between AD and PPM, and the respective domain needs to be set in the user config in PPM. If you are already getting the users from AD, that should be the case, right?
Our users are very happy to use SSO; we have been offering this since 7.5 and are now running 8.0.1. Works fine in both IE and Firefox.
PPM Admin
Respected Contributor.

Re: PPM 8.01 Single Sign On

Hi Sascha,

What SSO implementation have you used?

Currently PPM authenticates user access from AD accounts using LDAP authentication, but you still need to key in the username and password.

My requirement is automatic access to PPM, since desktop access and PPM access use the same account that comes from AD. If you are logged in to your desktop and then access PPM, PPM will give you your dashboard directly without keying in your username and password.

I've tried implementing Web Remote Single Sign On but I'm getting a "No Access" error. Do you have any other documents to try?

Thanks,
Chona
Sascha Mohr_1
Outstanding Contributor.

Re: PPM 8.01 Single Sign On

This is with NTLM authentication.
As your LDAP directory is AD that should be an option for you too.
The setup we are using is pretty much straightforward, as it is described in the PPM admin manual. There is just one disadvantage in this solution: the AD usernames must be unique, i.e. if there is a "johnd" in AD domain "A" there must not be a "johnd" in AD domain "B".
We had to change some usernames in AD to make this work. Now it does exactly what you are trying to achieve.
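
As an added example that is not part of the original posts: a pre-rollout audit for the uniqueness constraint described above, listing every username that exists in more than one AD domain so it can be renamed before Web Remote Single Sign On is enabled. The sample accounts are constructed, the function names are hypothetical, and the case-insensitive comparison and the mapping of a UPN suffix to its first DNS label are assumptions.

```python
from collections import defaultdict

# Constructed sample: account names as they might be exported from two AD domains.
SAMPLE_ACCOUNTS = [
    "A\\johnd",
    "A\\msmith",
    "B\\JohnD",               # same logon name as A\johnd, different case
    "B\\kwong",
    "kwong@b.example.com",    # same account as B\kwong in UPN form
    "asmith@a.example.com",
]


def split_account(account):
    """Return (domain, username), lower-cased, from DOMAIN\\user or user@domain."""
    account = account.strip()
    if "\\" in account:
        domain, user = account.split("\\", 1)
    elif "@" in account:
        user, domain = account.rsplit("@", 1)
        # Assumption: the first DNS label of the UPN suffix names the domain.
        domain = domain.split(".", 1)[0]
    else:
        raise ValueError(f"no domain in account name: {account!r}")
    if not user or not domain:
        raise ValueError(f"malformed account name: {account!r}")
    # AD logon names are compared case-insensitively, so normalise before grouping.
    return domain.lower(), user.lower()


def find_collisions(accounts):
    """Map each username present in more than one domain to its sorted domains."""
    domains_by_user = defaultdict(set)
    for account in accounts:
        domain, user = split_account(account)
        domains_by_user[user].add(domain)
    return {
        user: sorted(domains)
        for user, domains in sorted(domains_by_user.items())
        if len(domains) > 1
    }


if __name__ == "__main__":
    for user, domains in find_collisions(SAMPLE_ACCOUNTS).items():
        print(f"{user}: present in domains {', '.join(domains)}")
```

Any name this reports would map two different people onto one PPM user once the domain is no longer part of the match, which is why the rename has to happen before the switch.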
PPM Admin
Respected Contributor.

Re: PPM 8.01 Single Sign On

Can we enable both ITG and LDAP authentication mode to enable PPM local and AD accounts at the same time with Web Remote Single Sign On in it?

In my testing I can only use my AD accounts and not the PPM local accounts. Do you have any suggestion on how to implement this?

Thanks.
Sascha Mohr_1
Outstanding Contributor.
Solution

Re: PPM 8.01 Single Sign On

Hello Chona,
Do you want the HP-official answer to that question? Running a system in a mixed mode with SSO users and non-SSO users is not supported.
It is possible, though, if you are running the system with multiple cluster nodes. We have put this parameter:
com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.WebRemoteUserSingleSignOn
in the cluster-node-specific section of server.conf; this way we have one cluster node without the parameter and all other nodes with this parameter. Works fine.
Still, it is not supported by HP.
PPM Admin
Respected Contributor.

Re: PPM 8.01 Single Sign On

Thanks Sascha.

The SSO issue has been resolved, though we will still explore more on Non-SSO users.