Clarity PPM Authentication Methods

This document describes authentication methods (SSO, LDAP, SAML) available for the on-premise and SaaS editions of CA PPM. Learn how SSO compares with other authentication methods. 
Use this guide to decide the right authentication method for your organization. In general, we recommend centralized authorization and password management using single sign-on (SSO). However, your organization can prepare its own assessment to determine readiness.
CA PPM offers an internal password security policy feature. You can also upgrade to a single sign-on (SSO) model. SSO reduces IT costs because fewer credentials to manage means fewer calls to the help desk for lockouts and resets. SSO is also more secure because it centralizes authorization policies. Finally, because users only need to remember one strong password, they no longer write them down, a common security risk.
This document answers the following questions:
  • Which authentication methods enable SSO?
  • Are third-party SSO solutions required?
  • Which SSO options are supported?
  • Will CA PPM support federated SSO? If so, what type?
On-Premise SSO Options: CA PPM includes configuration options for SSO using the System Admin Console (CSA). It is possible to disable the standard login page and allow another solution to take over the authentication function performed by CA PPM. CA PPM does not encompass the full SSO solution. Integrations with external SSO authentication solutions are required to implement SSO successfully with CA PPM.
On-Demand (SaaS) SSO Options: CA PPM includes three options.
  • The Standard CA PPM login page.
  • The On-Demand Portal access for standard user authentication where the customer manages user accounts via the On-Demand Portal. If your organization requires centralized authentication/management and is able to support SAML 2.0, select this option.
  • Federated SAML SSO to provide a trusted integration between your enterprise directory and the CA On-Demand network.
We highly recommend the following best practice for new and existing customers in on-premise or SaaS environments. Configure the Username field, as seen on the Resources page under the Administration menu, as the email address for each user. This important step is required for true single sign-on (SSO). This step resolves conflicts with duplicate domain accounts. The email format is the only supported username format for SSO in the CA SaaS environment. Licensed users can conveniently access CA PPM SaaS and additional CA SaaS products with their single secure SSO credentials.
CA PPM Authentication Options Table
Each entry lists the authentication model, the environment it applies to (OP = On Premise, SaaS = CA On-Demand), its advantages and its disadvantages.

1. Standard Authentication (Environment: OP or SaaS)
   Advantages:
     • Simple configuration inside your CA PPM product
     • No integration setup required
     • Fully supported by CA
   Disadvantages:
     • Single sign-on is not enabled
     • Must use CA PPM Login page
     • Multiple passwords to manage; may not follow company policies

2. Standard Authentication in the CA On Demand Portal (Environment: SaaS)
   Advantages:
     • Simple configuration inside your CA PPM product with the CA On Demand Portal common user experience
     • No integration setup required
     • Fully supported by CA
   Disadvantages:
     • Single sign-on is not enabled
     • Must use CA Portal Login page
     • Multiple passwords to manage; may not follow company policies

3. LDAP Authentication (Environment: OP)
   Advantages:
     • Configuration inside your CA PPM product with CSA
     • Single enterprise passwords
     • Mixed mode support for LDAP or internal authentication by user
   Disadvantages:
     • Single sign-on is not enabled
     • Must use CA PPM Login page
     • Some limitations with multiple directories, forests, or domains
     • Not available for CA PPM SaaS customers

4. SSO – On Premise with CA Single Sign-On (Environment: OP)
   Advantages:
     • Fully tested and supported by CA
     • Single enterprise passwords
     • Optional use of enterprise portal
     • Access to XOG and OWB/MSP through SSO nodes is supported
     • No custom code development work is required
   Disadvantages:
     • Customers must implement CA Single Sign-On (not provided with CA PPM)
     • Moderate solution complexity

5. SSO on CA On-Demand (SaaS) (Environment: SaaS)
   Advantages:
     • This is the only supported SSO method for On-Demand customers
     • Fully supported and tested by CA
     • Single enterprise passwords
     • Optional enterprise portal and management
     • Supports SAML 2.0
   Disadvantages:
     • Customers must support their side of the federated identity, including SAML
     • Only SAML 2.0 is supported (OAuth, OpenID, and any other access tokens are not supported)

6. SSO with a third-party solution (not CA Single Sign-On) (Environment: OP)
   Advantages:
     • Leverages the customer's SSO solution
     • A fully customized solution could meet other requirements beyond SSO with PPM
     • Single enterprise passwords
     • Optional enterprise portal and management
   Disadvantages:
     • Custom solutions cannot be supported by CA
     • Custom solutions will likely require custom development work
     • Poorly implemented solutions could negatively impact CA PPM performance, security, availability and operation
     • Access to XOG and to OWB/MSP through SSO nodes might not be possible
     • Assistance from CA Services or third-party vendors will likely be billable and not covered by EULA or CA Support agreements
1. Standard Authentication: CA PPM Login Page with CA PPM Authentication (OP/SaaS)
CA PPM presents the out-of-the-box login page to users. When a user logs out of CA PPM, they are sent back to the CA PPM Login page. All user passwords are encrypted and stored in the CA PPM database. Password management settings such as password expiration, history and other rules are configured in CA PPM under Administration & General Settings. This is the default authentication method for CA PPM. Standard authentication is compatible with LDAP authentication (On Premise only); see chapter 3, LDAP Authentication, below.
[Image: the CA PPM Change Password Options available with Standard PPM authentication]
2. Standard Authentication: CA On-Demand Portal Login Page with CA PPM Authentication (SaaS Only)
CA PPM SaaS presents the On-Demand Portal login page to users. After the user successfully authenticates, they land on the Portal's 'My Places' page. The user may then select the desired application, in this case CA PPM. When users log out of CA PPM SaaS, they are sent back to the On-Demand Portal login page. All user passwords are encrypted and stored in the CA On-Demand Portal database. This is the default authentication method used by the CA On-Demand deployment of CA PPM SaaS. Note: Currently the On-Demand Portal is used mostly for SSO customers' non-production environments. Non-SSO customers will typically use standard authentication with the CA PPM login page.
3. LDAP Authentication: CA PPM Login Page with LDAP Directory Service (OP Only)
CA PPM presents the out-of-the-box login page to users; however, CA PPM queries the customer's LDAP v3 compliant directory servers to authenticate CA PPM users. The LDAP compliant directory can be one of the following supported systems: CA Directory, Microsoft Active Directory, Novell eDirectory, Oracle Directory Server, or Sun One Directory. The passwords stored in the CA PPM database are not used in this configuration, and the LDAP passwords are never stored in the CA PPM database. SSL-enabled LDAP (LDAPS) is supported. The CA PPM configuration for LDAP is contained in the CSA. Note: This configuration is not SSO enabled; however, centralized password management is obtained.
LDAP authentication is compatible with standard internal authentication in mixed mode, that is, when 'Allow non-LDAP users' is enabled in the CSA. This allows users who are flagged as 'externally authenticated' to authenticate against LDAP while other users use standard internal authentication.
The following view illustrates the CA PPM CSA setting for LDAP configuration.
[Figure 3: View of CA PPM CSA setting for LDAP configuration.]
4. SSO - On Premise with CA Single Sign-On (formerly CA SiteMinder)
On Premise customers may leverage CA PPM in conjunction with CA Single Sign-On. Organizations may configure this solution with or without their own corporate login and logout portal page. The organization's CA Single Sign-On implementation handles user authentication; CA PPM does not challenge users for authentication in this mode. This is the only supported and tested SSO solution for on-premise CA PPM. This configuration relies on an SSO web agent installed on an Apache or Microsoft IIS HTTP proxy server. Note that this configuration does not leverage SAML, because the CA PPM application is on premise, contained within the organization's own network.
The following diagram illustrates the typical Single Sign-On/CA PPM configuration with an Apache server.
[Diagram: Typical Single Sign-On/Apache/CA PPM Environment]
5. SSO - CA PPM SaaS - using Federated Identities (SAML 2.0)
CA PPM SaaS supports federated single sign-on using SAML 2.0. This integration allows customers to create a trusted relationship with the CA On-Demand network, so that users can move between their intranet and their CA PPM SaaS environments located in the On-Demand network. Password management is simplified because passwords are handled by the customer's existing enterprise user management system. CA On-Demand currently supports IdP-initiated SAML 2.0 with HTTP-POST binding. SP-initiated SSO may be approved for support; however, certain limitations exist which the customer needs to understand and agree to accept:
• The user's favorite links (for projects, timesheets, etc.) saved in the browser will not work unless the user clicks on them twice.
• CA does not generate the SAML assertions from CA servers; it is just a URL redirection to the IdP URL.
Note: Most customers use IdP-initiated SSO with CA On-Demand, which is the recommended approach.
Organizations who intend to leverage federated SSO with CA On-Demand must be able to implement the client-side (IdP) requirements and tools to support SAML federated SSO, such as CA Single Sign-On, Active Directory Federation Services (ADFS), or other vendors' products. On-Demand customers may use the standard portal authentication or SAML federated SSO; all other methods of authentication are not supported with CA On-Demand, e.g., using the CA PPM LDAP interface as described in chapter two above.
The following diagram illustrates the typical configuration of SSO in the CA On-Demand Environment:
The process to start using federated SSO with CA On-Demand begins with opening a CA Support case to start the request process. The overall process is a cooperative effort between the CA On-Demand Support and Engineering teams and the customer's IT and Security team, which manages the customer-side federated IdP solution. CA Support will send out a working document to capture the configuration details that need to be shared between the customer and the CA On-Demand teams. This document is called the 'Customer Onboarding Information Exchange Form.docx'. Enabling SSO happens in two phases for each environment, e.g., development, testing and production.
Phase I: Portal migration (an activity entirely on the CA side)
This phase requires some downtime of the targeted environment, usually about 4 hours. This is where the CA team performs the activity needed to move an environment behind the SSO portal (SP), and other activities if needed.
Phase II: Implementation of SSO
This phase is mostly on the customer side. The IdP is configured with the required parameters detailed in the onboarding exchange, including the SP-ID, Assertion Consumer Service URL, and RelayState parameter.
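As an added illustration (not code from CA or this guide), the following Python shows the checks a service provider applies to an IdP-initiated SAML 2.0 response delivered by the HTTP-POST binding, using the parameters the onboarding exchange form carries: the response's Destination must match the Assertion Consumer Service URL, the Audience must match the SP-ID, the assertion must be signed and inside its validity window, and the NameID must be the email-format username. The SP-ID, ACS URL and the response itself are constructed placeholders, and cryptographic verification of the signature is assumed to be done by a SAML library.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholders for the SP-ID and Assertion Consumer Service URL from
# the onboarding exchange form; not real CA On-Demand endpoints.
SP_ID = "https://ppm-sp.example.invalid"
ACS_URL = "https://ppm-sp.example.invalid/saml/acs"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed IdP-initiated response; the signature value is a placeholder.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-02-14T08:55:00Z" NotOnOrAfter="2017-02-14T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def encode_for_post(xml_text):
    """Base64-encode the XML as the HTTP-POST binding's SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()

def check_post_response(saml_response_b64, now_iso, sp_id=SP_ID, acs_url=ACS_URL):
    """SP-side checks on a posted SAMLResponse: returns (name_id, None) when the
    assertion is acceptable, else (None, reason). Only signature presence is checked."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("Destination") != acs_url:
        return None, "Destination does not match the ACS URL"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        return None, "no signed assertion present"
    cond = assertion.find("saml:Conditions", NS)
    now = datetime.strptime(now_iso, TIME_FMT)
    if not (datetime.strptime(cond.get("NotBefore"), TIME_FMT) <= now
            < datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)):
        return None, "assertion is outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_id not in audiences:
        return None, "Audience does not match the SP-ID"
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or "@" not in name_id:  # SaaS SSO requires email-format usernames
        return None, "NameID is not an email-format username"
    return name_id, None
```

A response whose Destination, Audience or validity window does not match the values agreed in the onboarding exchange is rejected before any user is looked up.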
Other important items:
  • Leveraging SSO with On-Demand REQUIRES that usernames are configured the same as the email address. If they are not set as the email address, a username conversion or migration will be required for SSO to work.
  • Some parameters may be unique to each environment, e.g., dev, test and production may have different values for the IdP ID or RelayState parameters.
  • The customer will need to provide SSL certificate(s) for the SAML assertion; the customer provides CA their public certificate by uploading it to the support case created for the SSO migration process.
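Added example (not from CA or this guide) for the username-equals-email requirement stated in the best practice above and in the first item of this list: a readiness check over an export of the Resources page that reports which usernames already equal the email address, which need conversion, which resources have no usable email, and which accounts would collide on one email address (the duplicate domain accounts that must be reconciled before SSO). The resource records are constructed, and the lowercase email address is assumed to be the canonical username.

```python
import re

# Loose email-format check; the SaaS SSO requirement is only that the username
# is the user's email address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of Resources page data (hypothetical users and domains):
# the username as configured today plus the email address on the record.
SAMPLE_RESOURCES = [
    {"username": "jsmith", "email": "john.smith@example.invalid"},
    {"username": "CORP\\jsmith", "email": "jane.smith@example.invalid"},
    {"username": "EMEA\\jsmith", "email": "john.smith@example.invalid"},
    {"username": "amy.lee@example.invalid", "email": "amy.lee@example.invalid"},
    {"username": "bkumar", "email": ""},
    {"username": "Pat.Jones@Example.invalid", "email": "pat.jones@example.invalid"},
]

def assess_sso_readiness(resources):
    """Classify resources against the username-equals-email requirement.
    Returns a dict with:
      ready      - usernames already equal to the (lowercase) email address
      convert    - username -> email mapping the migration must apply
      no_email   - usernames with no usable email, which cannot be converted
      collisions - email -> usernames where several accounts map to one email
                   (duplicate domain accounts to reconcile before SSO)"""
    report = {"ready": [], "convert": {}, "no_email": [], "collisions": {}}
    by_email = {}
    for rec in resources:
        user = rec["username"]
        email = rec["email"].strip().lower()  # assumed canonical form
        if not EMAIL_RE.match(email):
            report["no_email"].append(user)
            continue
        by_email.setdefault(email, []).append(user)
        if user == email:
            report["ready"].append(user)
        else:
            report["convert"][user] = email
    report["collisions"] = {e: u for e, u in by_email.items() if len(u) > 1}
    return report

def migration_plan(report):
    """Render the conversions as 'old -> new' lines, skipping any username whose
    target email collides with another account, since those need manual review."""
    blocked = {u for users in report["collisions"].values() for u in users}
    return [f"{old} -> {new}" for old, new in report["convert"].items()
            if old not in blocked]
```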
Full details and documents are provided by CA Support during the engagement. The most current details and requirements are documented in your 'CA On Demand Portal Administration Guide.pdf' under Chapter 7: Federated Single Sign.
6. SSO with a Third-Party Solution (OP Only)
This option does not use the recommended CA Single Sign-On product.
Some on-premise CA PPM customers have leveraged custom SSO integrations or other third-party SSO solutions. These solutions sometimes require custom code to integrate with CA PPM. Below is a list of some of the other solutions customers have attempted to use:
• Third-party vendor Access Manager SSO solutions.
• SPNEGO (spnego.sourceforge.net) with customized code.
• Hardware load balancer SSO with customized code.
• Other customized solutions which leverage the CA-provided sample code (JSP).
All non-CA Single Sign-On (formerly CA SiteMinder) solutions for on-premise implementations of CA PPM, including the list above, have not been tested by CA and are therefore not supported by CA. Customers who choose to implement any non-supported solution will need to support these solutions internally (themselves) or obtain support from their third-party vendor. CA does provide a sample JSP component which may be used by a custom SSO solution. This sample code may be found in the /webroot directory of any CA PPM deployment home directory. If assistance is needed with this sample JSP code, we recommend contacting CA Services or CA Service Global Delivery, as CA Support will not be able to assist with any custom SSO solution. CA Support will be able to support CA Single Sign-On, as it is a CA product, as well as all customers using CA On-Demand federated SAML for SSO.
Information on supported versions of CA Single Sign-On can be found under Integrated Servers in the Compatibilities section of the Release Notes (On Premise).