Clarity
Authentication Methods

Broadcom is currently migrating SaaS customers to the new Google Cloud Platform (GCP) data center. The information provided here applies only to the legacy data center. Please review Clarity SaaS Authentication in the Google Cloud Platform to learn more about authentication in the GCP data center.
This document describes the authentication methods (SSO, LDAP, SAML) available for the on-premise and SaaS editions of Classic PPM. Learn how SSO compares with other authentication methods.
Use this guide to decide the right authentication method for your organization. In general, we recommend centralized authorization and password management using single sign-on (SSO). However, your organization can prepare its own assessment to determine readiness.
Classic PPM offers an internal password security policy feature. You can also upgrade to a single sign-on (SSO) model. SSO reduces IT costs because fewer credentials to manage means fewer calls to the help desk for lockouts and resets. SSO is also more secure because it centralizes authorization policies. Finally, because users only need to remember one strong password, they no longer write passwords down, a common security risk.
This document answers the following questions:
  • Which authentication methods enable SSO?
  • Are third-party SSO solutions required?
  • Which SSO options are supported?
  • Will Classic PPM support federated SSO? If so, what type?
On-Premise SSO Options:
Clarity 15.8.1 and higher releases allow on-premise customers to log into Clarity using credentials issued by an IDP that supports SAML 2.0. Review Configuring Clarity to Support SAML 2.0 for more information.
On-Demand (SaaS) SSO Options:
Classic PPM includes three options.
  • The standard Classic PPM login page.
  • The On-Demand Portal access for standard user authentication where the customer manages user accounts via the On-Demand Portal. If your organization requires centralized authentication/management and is able to support SAML 2.0, select this option.
  • Federated SAML SSO to provide a trusted integration between your enterprise directory and the CA On-Demand network.
We highly recommend the following best practice for new and existing customers in on-premise or SaaS environments. Configure the Username field (on the Resources page under the Administration menu) as the email address for each user. This important step is required for true single sign-on (SSO), and it resolves conflicts with duplicate domain accounts. The email format is the only supported username format for SSO in the CA SaaS environment. Licensed users can then conveniently access Classic PPM SaaS and additional CA SaaS products with a single set of secure SSO credentials.
Classic PPM Authentication Options Table
Each entry lists the authentication model, the environment (OP = on-premise, SaaS = CA On-Demand), its advantages, and its disadvantages.
1. Standard Authentication (Environment: OP or SaaS)
   Advantages:
     • Simple configuration inside your Classic PPM product
     • No integration setup required
     • Fully supported by CA
   Disadvantages:
     • Single sign-on is not enabled
     • Must use the Clarity Login page
     • Multiple passwords to manage; may not follow company policies
2. Standard Authentication in the CA On Demand Portal (Environment: SaaS)
   Advantages:
     • Simple configuration inside your Clarity product with the CA On Demand Portal common user experience
     • No integration setup required
     • Fully supported by CA
   Disadvantages:
     • Single sign-on is not enabled
     • Must use the CA Portal Login page
     • Multiple passwords to manage; may not follow company policies
3. LDAP Authentication (Environment: OP)
   Advantages:
     • Configuration inside your Clarity product with CSA
     • Single enterprise passwords
     • Mixed mode support for LDAP or internal authentication by user
   Disadvantages:
     • Single sign-on is not enabled
     • Must use the Classic PPM Login page
     • Some limitations with multiple directories, forests, or domains
     • Not available for Clarity SaaS customers
4. SSO – On Premise with CA Single Sign-On (Environment: OP)
   Advantages:
     • Fully tested and supported by CA
     • Single enterprise passwords
     • Optional use of enterprise portal
     • Access to XOG and OWB/MSP through SSO nodes is supported
     • No custom code development work is required
   Disadvantages:
     • Customers must implement CA Single Sign-On (not provided with Clarity)
     • Moderate solution complexity
5. SSO on CA On-Demand (SaaS) (Environment: SaaS)
   Advantages:
     • This is the only supported SSO method for OD customers
     • Fully supported and tested by CA
     • Single enterprise passwords
     • Optional enterprise portal and management
     • Supports SAML 2.0
   Disadvantages:
     • Customers must support their side of the federated identity, including SAML
     • Only SAML 2.0 is supported (OAuth, OpenID, and any other access tokens are not supported)
6. SSO with a third-party solution that supports SAML 2.0 (Environment: OP)
   Review Configuring Clarity to Support SAML 2.0 for more information.
   Advantages:
     • Seamless integration between networks and environments: All users can move easily between your organization's intranet and Clarity.
     • Simplified password management: No need to manage user passwords separately from Clarity, because your existing user management system handles password management.
   Disadvantages:
     • Usernames need to match between Clarity and the IDP
1. Standard Authentication: Clarity Login Page with Clarity Authentication (OP/SaaS)
Clarity presents the out-of-the-box login page to users. When a user logs out of Clarity, they are sent back to the Clarity Login page. All user passwords are encrypted and stored in the Clarity database. Password management settings such as password expiration, history, and other rules are configured in Clarity under Administration > General Settings. This is the default authentication method for Clarity. Standard authentication is compatible with LDAP authentication (on premise only); see section 3, LDAP Authentication, below.
The following image shows the Clarity Change Password Options available with standard Clarity authentication:
2. Standard Authentication: CA On-Demand Portal Login Page with Clarity Authentication (SaaS Only)
Clarity SaaS presents the On Demand Portal login page to users. After the user successfully authenticates, they land on the Portal's 'My Places' page. The user may then select the desired application, in this case Clarity. When users log out of Clarity SaaS, they are sent back to the On Demand Portal login page. All user passwords are encrypted and stored in the CA On-Demand Portal database. This is the default authentication method used by the CA On-Demand deployment of Clarity SaaS. Note: Currently the On-Demand Portal is used mostly for SSO customers' non-production environments. Non-SSO customers typically use standard authentication with the Clarity login page.
3. LDAP Authentication: Clarity Login Page with LDAP Directory Service (OP Only)
Clarity presents the out-of-the-box login page to users; however, Clarity queries the customer's LDAP v3 compliant directory servers to authenticate Clarity users. The LDAP compliant directory can be one of the following supported systems: CA Directory, Microsoft Active Directory, Novell eDirectory, Oracle Directory Server, or Sun One Directory. The passwords stored in the Clarity database are not used in this configuration, and the LDAP passwords are never stored in the Clarity database. SSL-enabled LDAP (LDAPS) is supported. The Clarity configuration for LDAP is contained in the CSA. Note: This configuration is not SSO enabled; however, centralized password management is obtained.
LDAP authentication is compatible with standard internal authentication in mixed mode, i.e. when 'Allow non-LDAP users' is enabled in CSA. This allows users who are set as 'externally authenticated' to authenticate against LDAP while other users use standard internal authentication.
The following view illustrates the Clarity CSA setting for LDAP configuration.
Figure 3: View of Clarity CSA setting for LDAP configuration.
4. SSO - On Premise with CA Single Sign-On (formerly CA SiteMinder)
On-premise customers may use Clarity in conjunction with CA Single Sign-On. Organizations may configure this solution with or without their own corporate login and logout portal page. The organization's CA Single Sign-On implementation handles user authentication; Clarity does not challenge users for authentication in this mode. This is the only supported and tested SSO solution for on-premise Clarity. This configuration relies on an SSO web agent installed on an Apache or Microsoft IIS HTTP proxy server. Note that this configuration does not use SAML, because the Clarity application is on premise, that is, contained within the organization's own network.
The following diagram illustrates the typical Single Sign-On/Clarity configuration with an Apache server.
Typical Single Sign-On/Apache/Clarity Environment
5. SSO - Clarity SaaS - using Federated Identities (SAML 2.0)
Clarity SaaS supports federated single sign-on using SAML 2.0. This integration allows customers to create a trusted relationship with the CA On-Demand network, so that users can move between their intranet and their Clarity SaaS environments located in the On-Demand network. Password management is simplified because passwords are handled by the customer's existing enterprise user management system. CA On-Demand currently supports IdP-initiated SAML 2.0 with the HTTP-POST binding. SP-initiated SSO may be approved for support; however, certain limitations exist which the customer needs to understand and agree to accept:
  • The user's favorite links (for projects, timesheets, etc.) saved in the browser will not work unless the user clicks on them twice.
  • CA does not generate the SAML assertions from CA servers; it is just a URL redirection to the IDP URL.
Note: Most customers use IdP-initiated SSO with CA On-Demand, which is the recommended option.
Organizations that intend to use federated SSO with CA On-Demand must be able to implement the client-side (IdP) requirements and tools that support SAML federated SSO, such as CA Single Sign-On, Active Directory Federation Services (ADFS), or other vendors' products. On-Demand customers may use the standard portal authentication or SAML federated SSO; all other methods of authentication are not supported with CA On-Demand, e.g. using the Clarity LDAP interface described in the LDAP Authentication section above.
The following diagram illustrates the typical configuration of SSO in the CA On-Demand Environment:
The process to start using federated SSO with CA On-Demand begins with opening a CA Support case to start the request process. The overall process is a cooperative effort between the CA On-Demand Support and Engineering teams and the customer's IT and Security team that manages the customer-side federated IdP solution. CA Support will send out a working document to capture the configuration details that need to be shared between the customer's and CA On-Demand's teams. This document is called the 'Customer Onboarding Information Exchange Form.docx'. SSO is enabled in two phases, repeated for each environment (e.g. development, testing, and production).
Phase I: Portal migration (an activity entirely on the CA side)
This phase requires some downtime of the targeted environment, usually about 4 hours. This is where the CA team performs the activity needed to move an environment behind the SSO portal (SP), and other activities if needed.
Phase II: Implementation of SSO
This phase is mostly on the customer side. The IDP is configured with the required parameters detailed in the onboarding exchange, including the SP-ID, the Assertion Consumer Service URL, and the RelayState parameter.
Other important items:
  • Using SSO with On-Demand REQUIRES that usernames are configured as the email address. If they are not set as the email address, a username conversion or migration will be required for SSO to work.
  • Some parameters may be unique to each environment, e.g. dev, test, and production may have different values for the IdP ID or RelayState parameters.
  • The customer will need to provide the SSL certificate(s) for the SAML assertion; the customer provides CA with their public certificate by uploading it to the support case created for the SSO migration process.
Full details and documents are provided by CA Support during the engagement. The most current details and requirements are documented in your 'CA On Demand Portal Administration Guide.pdf' under Chapter 7: Federated Single Sign.
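As an added illustration (not CA or Clarity code), the following Python shows the checks a service provider applies to an IdP-initiated SAML 2.0 Response delivered over the HTTP-POST binding, tied to the onboarding parameters above: the Destination must be the Assertion Consumer Service URL, the Audience must be the SP-ID, the assertion must be inside its validity window, and the NameID must be the email-format username that SSO with On-Demand requires. The SP-ID, ACS URL and sample Response are constructed placeholders, and XML signature verification is assumed to be done by the SP's SAML library before these checks run.

```python
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP values; the real SP-ID and ACS URL come from the onboarding exchange form.
SP_ID = "https://sp.example.invalid/clarity"
ACS_URL = "https://sp.example.invalid/clarity/saml/acs"

def saml_time(value):
    """Parse the UTC timestamps SAML uses, e.g. 2017-02-14T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def check_saml_response(b64_response, now_utc, sp_id=SP_ID, acs_url=ACS_URL):
    """Return (ok, reason, username) for the base64 SAMLResponse form field.
    Assumes the XML signature was already verified by the SP's SAML library."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.get("Destination") != acs_url:           # binds the POST to our ACS URL
        return False, "Destination is not the ACS URL", None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success", None
    assertion = root.find("saml:Assertion", NS)
    conds = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if conds is None:
        return False, "missing Assertion or Conditions", None
    audience = conds.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != sp_id:   # assertion must be meant for this SP-ID
        return False, "Audience is not our SP-ID", None
    nb, na = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if not (nb and na and saml_time(nb) <= saml_time(now_utc) < saml_time(na)):
        return False, "assertion outside its validity window", None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    user = (name_id.text or "").strip() if name_id is not None else ""
    if "@" not in user:                               # Clarity username must be the email address
        return False, "NameID is not an email-format username", None
    return True, "ok", user

# Constructed, unsigned sample Response for the demo (not captured from a real IdP).
SAMPLE_XML = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
              'Destination="%s"><samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
              '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>jane.doe@example.invalid'
              '</saml:NameID></saml:Subject><saml:Conditions NotBefore="2017-02-14T08:59:00Z" '
              'NotOnOrAfter="2017-02-14T09:05:00Z"><saml:AudienceRestriction><saml:Audience>%s'
              '</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
              '</samlp:Response>') % (NS["samlp"], NS["saml"], ACS_URL, SUCCESS, SP_ID)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Calling check_saml_response(SAMPLE_B64, "2017-02-14T09:00:00Z") accepts the sample, while a later clock value, a different sp_id or a different acs_url each return the specific rejection reason.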
6. SSO with a Third-Party Solution (OP Only)
Clarity 15.8.1 and higher releases allow on-premise customers to log into Clarity using credentials issued by an IDP that supports SAML 2.0.
Some key advantages of using SAML-based SSO login are:
  • Seamless integration between networks and environments: All users can move easily between your organization's intranet and Clarity.
  • Simplified password management: No need to manage user passwords separately from Clarity, because your existing user management system handles password management.
Clarity supports SAML by using a virtual object and REST APIs that allow SAML metadata to be uploaded as a file into Clarity. After the file is successfully uploaded, a REST API call to that same virtual object returns the SAML metadata from Clarity, which the IDP uses to complete its connection to Clarity. Clarity also has additional REST API endpoints that allow you to modify and examine the metadata configured in Clarity.
You need to perform two key actions to enable Clarity to support SAML 2.0:
  1. Import the SAML metadata for your IDP by using the REST APIs.
  2. Configure Clarity to enable SAML authentication.
Review Configuring Clarity to Support SAML 2.0 for more information.