Currently we are on PPM 8.01 with LDAP integration using Active Directory. I have a single sign-on requirement: once you are logged in to the desktop using this AD account, you can automatically access PPM. Can a Web Remote Single Sign On implementation cater to this requirement? Do you have any other suggestions on how to achieve it?
The idea behind SSO is to enable a user to sign in once and then allow them to access PPM freely until the user is signed out. I know that we use a time limit in which you are able to continuously use PPM before you have to log in again, but that is just a security feature. Also, if you are inactive for a long period of time, SSO makes you log in before getting back to work. SSO also makes it possible for you to sign in once and then switch between multiple database instances.
It is not possible to have both LDAP and SSO on the PPM application; you could have LDAP or SSO, not both.
If you do not want to use any third-party SSO application, you can use NTLM; please refer to "Implementing Web Remote Single Sign-On with PPM Center" in the sys admin guide (page 176).
These NTLM accounts are Windows accounts made inside the server. You need to create accounts in the Windows OS for the client users.
Please see the details below; you can also find detailed NTLM information on the Microsoft website or through a Google search.
NTLM / Windows Integrated Authentication:
NTLM is similar to basic authentication in that it works with a popup window generated by the browser. The main difference is that the supplied information is encrypted and passed securely to the client. In order to accomplish this the browser must have special functionality.
Requires no additional software
Username and password passed securely without using SSL
The NTLM authentication login box is generated by the web browser; as such, you cannot control the look and feel of this dialog.
This requires that you create NT users and groups for all web site users. This can be difficult to administer, particularly with a large number of users.
Clients must use Internet Explorer (no other web browser supports NTLM).
Hi, maybe I did not understand correctly what you are trying to achieve. The Web Remote Single Sign On plugin on one (or more) front-end IIS webservers will allow SSO (being automatically logged in to PPM with the AD account). All you need to make sure is that usernames match between AD and PPM and the respective domain needs to be set in the user config in PPM. If you are already getting the users from AD, that should be the case, right? Our users are very happy to use SSO; we have been offering this since 7.5 and are now running 8.0.1. Works fine in both IE and Firefox.
Currently PPM authenticates user access from AD accounts using LDAP authentication, but you still need to key in the username and password.
My requirement is automatic access to PPM, since desktop access and PPM access use the same account that comes from AD. If you are logged in to your desktop and then access PPM, PPM will give you your dashboard directly without keying in your username and password.
I've tried implementing Web Remote Single Sign On but I'm getting a "No Access" error. Do you have any other documents to try on?
This is with NTLM authentication. As your LDAP directory is AD, that should be an option for you too. The setup we are using is pretty much straightforward, as it is described in the PPM admin manual. There is just one disadvantage in this solution: the AD usernames must be unique, i.e. if there is a "johnd" in AD domain "A" there must not be a "johnd" in AD domain "B". We had to change some usernames in AD to make this work. Now it does exactly what you are trying to achieve.
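The uniqueness constraint in the reply above can be checked before SSO is switched on. This is an added example, not part of the thread and not PPM code: it reads a constructed `domain,username` export (the sample rows and the `normalise` and `find_collisions` names are made up here) and reports names that exist in more than one AD domain, assuming names are compared case-insensitively.

```python
"""Find AD usernames that collide across domains before enabling SSO."""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per account, as "domain,username".
# Domain names and accounts are made up for illustration.
SAMPLE_EXPORT = """domain,username
A,johnd
B,JohnD
A,maryk
B,peterl
A,svc_ppm
A,johnd
"""


def normalise(username: str) -> str:
    """Reduce DOMAIN\\user or user@domain to the bare, lower-cased name.

    Assumption: names are compared case-insensitively, as AD does for
    sAMAccountName; adjust if your PPM usernames are case-sensitive.
    """
    name = username.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def find_collisions(export_text: str) -> dict[str, list[str]]:
    """Return {username: sorted domains} for names seen in more than one domain."""
    domains_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = normalise(row["username"])
        if user:  # skip blank rows
            domains_by_user[user].add(row["domain"].strip().upper())
    return {
        user: sorted(domains)
        for user, domains in sorted(domains_by_user.items())
        if len(domains) > 1
    }


if __name__ == "__main__":
    for user, domains in find_collisions(SAMPLE_EXPORT).items():
        print(f"{user}: present in domains {', '.join(domains)}")
```

A repeated row within the same domain is not flagged; only names that appear under two or more domains are returned.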
Hello Chona, do you want the HP-official answer to that question? Running a system in a mixed mode with SSO users and non-SSO users is not supported. It is possible, though, if you are running the system with multiple cluster nodes. We have put this parameter: com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.WebRemoteUserSingleSignOn in the cluster-node-specific section of server.conf; this way we have one cluster node without the parameter and all other nodes with this parameter. Works fine. Still, it is not supported by HP.