Clarity PPM Authentication Methods
This document describes authentication methods (SSO, LDAP, SAML) available for the on-premise and SaaS editions of CA PPM. Learn how SSO compares with other authentication methods.
Use this guide to decide the right authentication method for your organization. In general, we recommend centralized authorization and password management using single sign-on (SSO). However, your organization can prepare its own assessment to determine readiness.
CA PPM offers an internal password security policy feature. You can also upgrade to a single sign-on (SSO) model. SSO reduces IT costs because fewer credentials to manage means fewer calls to the help desk for lockouts and resets. SSO is also more secure because it centralizes authorization policies. Finally, because users only need to remember one strong password, they no longer write them down, a common security risk.
This document answers the following questions:
- Which authentication methods enable SSO?
- Are third-party SSO solutions required?
- Which SSO options are supported?
- Will CA PPM support federated SSO? If so, what type?
On-Premise SSO Options: CA PPM includes configuration options for SSO using the System Admin Console (CSA). It is possible to disable the standard login page and allow another solution to take over the authentication function performed by CA PPM. CA PPM does not encompass the full SSO solution. Integrations with external SSO authentication solutions are required to fully implement SSO successfully with CA PPM.
On-Demand (SaaS) SSO Options: CA PPM includes three options.
- The Standard CA PPM login page.
- The On-Demand Portal access for standard user authentication where the customer manages user accounts via the On-Demand Portal. If your organization requires centralized authentication/management and is able to support SAML 2.0, select this option.
- Federated SAML SSO to provide a trusted integration between your enterprise directory and the CA On-Demand network.
We highly recommend the following best practice for new and existing customers in on-premise or SaaS environments. Configure the Username field as seen on the Resources page under the Administration menu as the email address for each user. This important step is required for true single sign-on (SSO). This step resolves conflicts with duplicate domain accounts. The email format is the only supported username format for SSO in the CA SaaS environment. Licensed users can conveniently access CA PPM SaaS and additional CA SaaS products with their single secure SSO credentials.
CA PPM Authentication Options Table
OP or SaaS
Standard Authentication in the CA On Demand Portal
SSO – On Premise with CA Single Sign-On
SSO on CA On-Demand (SaaS)
SSO with a third-party solution (Not CA Single Sign-On)
CA PPM Authentication Methods
1. Standard Authentication: CA PPM Login Page with CA PPM Authentication (OP/SaaS)
CA PPM presents the out-of-the-box login page to users. When users log out of CA PPM, they are sent back to the CA PPM login page. All user passwords are encrypted and stored in the CA PPM database. Password management settings such as password expiration, history and other rules are configured in CA PPM under Administration & General Setting. This is the default authentication method for CA PPM. Standard authentication is compatible with LDAP authentication (on premise only); see chapter 3, LDAP Authentication, below.
The following image shows the CA PPM Change Password Options available with Standard PPM authentication:
2. Standard Authentication: CA On-Demand Portal Login Page with CA PPM Authentication (SaaS Only)
CA PPM SaaS presents the On-Demand Portal login page to users. After users successfully authenticate, they land on the Portal's ‘My Places’ page. They may then select the desired application, in this case CA PPM. When users log out of CA PPM SaaS, they are sent back to the On-Demand Portal login page. All user passwords are encrypted and stored in the CA On-Demand Portal database. This is the default authentication method used by the CA On-Demand deployment of CA PPM SaaS. Note: Currently the On-Demand Portal is used mostly for SSO customers' non-production environments. Non-SSO customers will typically use standard authentication with the CA PPM login page.
3. LDAP Authentication: CA PPM Login Page with LDAP Directory Service (OP Only)
CA PPM presents the out-of-the-box login page to users; however, CA PPM queries the customer's LDAP v3 compliant directory servers to authenticate CA PPM users. The LDAP compliant directory can be one of the following supported systems: CA Directory, Microsoft Active Directory, Novell eDirectory, Oracle Directory Server, Sun One Directory. The passwords stored in the CA PPM database are not used in this configuration. The LDAP passwords are never stored in the CA PPM database. SSL-enabled LDAP (LDAPS) is supported. The CA PPM configuration for LDAP is contained in the CSA. Note: This configuration is not SSO enabled; however, centralized password management is obtained.
LDAP authentication is compatible with standard internal authentication in mixed mode, i.e. when ‘Allow non-LDAP users’ is enabled in the CSA. This allows users who are set as ‘externally authenticated’ to authenticate against LDAP and other users to use standard internal authentication.
The following view illustrates the CA PPM CSA setting for LDAP configuration.
Figure 3: View of CA PPM CSA setting for LDAP configuration.
4. SSO - On Premise with CA Single Sign-On (formerly CA SiteMinder)
On-premise customers may leverage CA PPM in conjunction with CA Single Sign-On. Organizations may configure this solution with or without their own corporate login and logout portal page. The organization's CA Single Sign-On implementation handles user authentication; CA PPM does not challenge users for authentication in this mode. This is the only supported and tested SSO solution for on-premise CA PPM. This configuration relies on an SSO web agent installed on an Apache or Microsoft IIS HTTP proxy server. Note that this configuration does not leverage SAML, because the CA PPM application is on premise, contained within the organization's own network.
The following diagram illustrates the typical Single Sign-On/CA PPM configuration with an Apache server.
5. SSO - CA PPM SaaS - using Federated Identities (SAML 2.0)
CA PPM SaaS supports federated single sign-on using SAML 2.0. This integration allows customers to create a trusted relationship with the CA On-Demand network. It allows users to move between their intranet and their CA PPM SaaS environments located in the On-Demand network. Password management is simplified because passwords are handled by the customer's existing enterprise user management system. CA On-Demand currently supports IdP-initiated SAML version 2.0 with HTTP-POST binding. SP-initiated SSO may be approved for support; however, certain limitations exist which the customer needs to understand and agree to accept:
• The user's favorite links (for projects, timesheets, etc.) saved in the browser will not work unless the user clicks on them twice.
• CA does not generate the SAML assertions from CA servers; it is just a URL redirection to the IdP URL.
Note: Most customers use IdP-initiated SSO with CA On-Demand, which is recommended.
Organizations that intend to leverage federated SSO with CA On-Demand must be able to implement the client-side (IdP) requirements and tools to support SAML federated SSO, such as CA Single Sign-On, Active Directory Federation Services (ADFS), or products from other vendors. On-Demand customers may use the standard portal authentication or SAML federated SSO. All other methods of authentication are not supported with CA On-Demand, e.g. using the CA PPM LDAP interface as described in chapter two above.
The following diagram illustrates the typical configuration of SSO in the CA On-Demand Environment:
The process to start using federated SSO with CA On-Demand begins with opening a CA Support case to start the request process. The overall process is a cooperative effort between CA On-Demand's Support and Engineering teams and the customer's IT and Security team, which manages the customer-side federated IdP solution. CA Support will send out a working document to capture the configuration details which need to be shared between the customer's and CA On-Demand's teams. This document is called the ‘Customer Onboarding Information Exchange Form.docx’. SSO is enabled in two phases for each environment, e.g. development, testing and production.
Phase I: Portal migration (an activity entirely from CA side)
This phase requires some downtime of the targeted environment, usually about 4 hours. In this phase the CA team performs the activity needed to move an environment behind the SSO portal (SP), and other activities if needed.
Phase II: Implementation of SSO
This phase is mostly on the customer side. The IdP is configured with the required parameters detailed in the onboarding exchange, including the SP-ID, Assertion Consumer Service URL, and RelayState parameter.
Other important items.
- Leveraging SSO with On-Demand REQUIRES that usernames are configured the same as the email address. If they are not set as the email address, a username conversion or migration will be required for SSO to work.
- Some parameters may be unique to each environment, e.g. dev, test and production may have different values for the IdP ID or RelayState parameters.
- The customer will need to provide an SSL certificate(s) for the SAML assertion. The customer provides CA with their public certificate by uploading it to the support case created for the SSO migration process.
Full details and documents are provided by CA Support during the engagement. The most current details and requirements are documented in your ‘CA On Demand Portal Administration Guide.pdf’ under Chapter 7: Federated Single Sign.
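A pre-flight check the customer's IdP team could run on a test SAMLResponse before handing over to CA, shown here as an added example that is not part of the CA documentation. It assumes the SP-ID appears as the SAML Audience, that the NameID carries the PPM username, and it uses placeholder SP-ID and ACS URL values; it does not verify the XML signature.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

P, A = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"p": P, "a": A}
EMAIL = re.compile(r"^[^@\s\\]+@[^@\s]+\.[^@\s]+$")
# Placeholder onboarding values (assumptions, not real CA On-Demand endpoints).
SP_ID, ACS = "urn:example:ppm-sp", "https://sp.example.invalid/acs"

def preflight(b64_response, sp_id, acs_url, now=None):
    """List mismatches between a SAMLResponse and the onboarding values.
    Signature verification is out of scope here and must be done separately."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))  # own IdP's test output only
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Response Destination != ACS URL")
    if root.get("InResponseTo") is not None:  # IdP-initiated flow has no AuthnRequest
        problems.append("InResponseTo present; not IdP-initiated")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no unencrypted Assertion found"]
    name_id = assertion.findtext("a:Subject/a:NameID", "", NS).strip()
    if not EMAIL.match(name_id):  # assumption: NameID is the username (must be email)
        problems.append(f"NameID {name_id!r} is not in email format")
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient != ACS URL")
    audiences = [e.text.strip() for e in assertion.iterfind(
        "a:Conditions/a:AudienceRestriction/a:Audience", NS) if e.text]
    if sp_id not in audiences:
        problems.append("SP-ID missing from AudienceRestriction")
    cond = assertion.find("a:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        problems.append("assertion expired or has no NotOnOrAfter")
    return problems

def sample(name_id, recipient):
    """Build a constructed (not captured) unsigned response for the checks above."""
    xml = f"""<p:Response xmlns:p="{P}" xmlns:a="{A}" Destination="{ACS}">
<a:Assertion><a:Subject><a:NameID>{name_id}</a:NameID><a:SubjectConfirmation>
<a:SubjectConfirmationData Recipient="{recipient}"/></a:SubjectConfirmation></a:Subject>
<a:Conditions NotOnOrAfter="2999-01-01T00:00:00Z"><a:AudienceRestriction>
<a:Audience>{SP_ID}</a:Audience></a:AudienceRestriction></a:Conditions>
</a:Assertion></p:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

Running it once per environment with that environment's onboarding values catches a dev or test parameter that was carried into production by mistake.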
6. SSO with a Third-Party Solution (OP Only)
This option does not use the recommended CA Single Sign-On product.
Some on-premise CA PPM customers have leveraged custom SSO integrations or other third-party SSO solutions. These solutions sometimes required custom code to integrate with CA PPM. Below is a list of some of the other solutions customers have attempted to use:
• Third-party vendor Access Manager SSO solutions.
• SPNEGO (spnego.sourceforge.net) with customized code.
• Hardware Load Balancer SSO with customized code.
• Other customized solutions which leverage the CA-provided sample code (JSP).
Information on supported versions of CA Single Sign-On can be found under Integrated Servers in the Compatibilities section of the Release Notes (On Premise).
All non-CA Single Sign-On (formerly CA SiteMinder) solutions for on-premise implementation of CA PPM, including the list above, have not been tested by CA and are therefore not supported by CA. Customers who choose to implement any non-supported solution will need to support these solutions internally (themselves) or obtain support from their third-party vendor. CA does provide a sample JSP component which may be used by a custom SSO solution. This sample code may be found in the /webroot directory of any CA PPM deployment home directory. If assistance is needed with this sample JSP code, we recommend contacting CA Services or CA Service Global Delivery, as CA Support will not be able to assist with any custom SSO solution. CA Support will be able to support CA Single Sign-On, as it is a CA product, as well as all customers using CA On-Demand Federated SAML for SSO.