Clarity PPM


User management in SaaS with SSO

  • 1.  User management in SaaS with SSO

    Posted 09-12-2018 09:30 AM

    Hello,

    Good morning! 

     

    We are new users of CA PPM and have a SaaS tenant. We are expecting to enable SSO with Microsoft ADFS for the production environment but I have some questions:

    - Currently we're only working with the dev environment and the production is with OOTB configuration. When is it advisable to enable the SSO configuration? When we finish configuring everything in the prod environment, or can we enable it and, when everything is migrated, have the authentication working?

    - If SSO is enabled, is it possible to log in with local users like the OOTB 'admin' account?

    - What are the alternatives to load users from a human resource system/LDAP query and keep them updated?

    - If SSO is enabled, how is user management changed? I read somewhere in the documentation that if PPM is behind the On Demand portal all user configuration should be done in the OD portal. Does it mean that I won't be able to upload users through XOG or create them manually in the PPM interface?

     

    Thanks for your help! 



  • 2.  Re: User management in SaaS with SSO

    Posted 09-12-2018 11:30 AM

    Hi.

    Here is my experience; my answers are in italics:

    - When is it advisable to enable the SSO configuration?  SSO configuration can be done at any moment. It should not interfere with developments or configuration. It's only a matter of users' login. Just pay attention that SaaS prefers to use the email address as the login username; it means that every login username is updated with the email address.

    - If SSO is enabled, is it possible to log in with local users like the OOTB 'admin' account? NO

    - What are the alternatives to load users from a human resource system/LDAP query and keep them updated?  Every new user must be added to the OD portal manually or with the ODUM utility provided by support (Windows command-line utility)

    - If SSO is enabled, how is user management changed? I read somewhere in the documentation that if PPM is behind the On Demand portal all user configuration should be done in the OD portal. Does it mean that I won't be able to upload users through XOG or create them manually in the PPM interface? You can still create and manage users/resources manually or via XOG, but new users must also be defined on the OD portal

     

    Stefano



  • 3.  Re: User management in SaaS with SSO

    Posted 09-12-2018 11:36 AM

    Hi Kevin,

     

    See my answers inline:

     

    - Currently we're only working with the dev environment and the production is with OOTB configuration. When is it advisable to enable the SSO configuration? When we finish configuring everything in the prod environment, or can we enable it and, when everything is migrated, have the authentication working?

     

    ANSWER:  This really depends on your company's business needs.  You can work with the On Demand team to schedule this at a point when it suits your business needs.  Putting the SSO into place will allow you to do all of your testing with SSO in place.  Also, development is normally done in a test or dev system and most testing is done in that system.  Then the db with all of your tested changes is moved over to the production environment when you are ready.

     

    - If SSO is enabled, is it possible to log in with local users like the OOTB 'admin' account?

     

    ANSWER:  This depends on how you choose to have On Demand set up your system.  It is possible to restrict usage so that users can only log on via SSO.  The On Demand team has a method that will only allow a small number of users to log on differently than other users so that they can access without SSO.  Most customers have it set up so that users can log in via SSO from the customer's own SSO login page.  SSO passwords are stored on the customer's SSO/LDAP system and not in the portal or PPM.  The only way they can log in directly to ondemand.ca.com is if they know the password that was entered for them in the portal.  This way end users are prevented from logging into the portal directly unless you want them to.

     

    - What are the alternatives to load users from a human resource system/LDAP query and keep them updated?

     

    Only a minimal amount of user information is stored in the portal (i.e. first name, last name, email address, active/inactive, which environment(s) the user is assigned to, and maybe 1 or 2 more items).  There are three ways to add users to the portal:

     

    1.  Adding them manually while logged into the portal

     

    2.  ODUM - This requires creation of a flat file in the format specified by the On Demand team and a utility that can be installed on the admin's desktop.  When the admin opens this utility, he can use it to upload the information in the flat file.

     

    3.  WSDL - You can have your developer, services or a partner create a WSDL interface between your HR System and the On Demand Portal.  If you have additional information about your users that you want added to PPM, you can create a second WSDL interface between your HR System and the portal to add any required information to PPM.

     

    Once users are added to the portal, activated, and assigned to your production, development, and/or test environment, the users will be automatically xogged into PPM by the portal.  From then on all activation, inactivation and environment assignment of users should be done through the portal, which will then xog the changes into PPM.  Doing this will allow the two entities to remain in synch and prevent problems.

     

    - If SSO is enabled, how is user management changed? I read somewhere in the documentation that if PPM is behind the On Demand portal all user configuration should be done in the OD portal. Does it mean that I won't be able to upload users through XOG or create them manually in the PPM interface?

     

    You should add new users, activate users, inactivate users, and assign them to your various environments through the portal.  The portal will automatically XOG these changes into PPM.  This will allow you to keep the portal and PPM in synch with each other and will prevent problems down the road.

     

    You can xog users directly into PPM and then add them to the portal later.  This is not a good practice because it increases the chances of accidentally creating duplicate users if the information is not matched up properly among other things. 

     

    If you have resources that will not log into PPM, but you want people to be able to add time for them, assign them to projects, etc., you can xog those resources directly into PPM.

     

    The On Demand team should answer these questions in detail for you during your on boarding process.

     

    I hope this helps.

     

    Jeanne
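
An added example (not part of the thread and not CA or On Demand code): a report-only reconciliation of an HR export against portal and PPM user lists, keyed on the email address used as the login name, to surface the duplicates and drift that come from creating users outside the portal. The CSV column names and sample rows are constructed assumptions; they are not the ODUM flat-file format, and the PPM list is assumed to contain only accounts that can log in.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports. Column names are assumptions for illustration.
HR_CSV = """email,status
Ana.Ruiz@example.com,active
bo.chen@example.com,active
cy.diaz@example.com,terminated
"""
PORTAL_CSV = """email,active
ana.ruiz@example.com,true
cy.diaz@example.com,true
"""
PPM_CSV = """user_name,email,status
ana.ruiz@example.com,ana.ruiz@example.com,active
ARuiz,Ana.Ruiz@example.com,active
dee.park@example.com,dee.park@example.com,active
"""

def norm(email):
    # Compare emails case-insensitively so one person is one identity.
    return email.strip().lower()

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hr_csv, portal_csv, ppm_csv):
    hr_active = {norm(r["email"]) for r in load(hr_csv) if r["status"] == "active"}
    portal_active = {norm(r["email"]) for r in load(portal_csv) if r["active"] == "true"}
    ppm_by_email = defaultdict(list)
    for r in load(ppm_csv):
        if r["status"] == "active":
            ppm_by_email[norm(r["email"])].append(r["user_name"])
    return {
        # Joiners: active in HR, not yet provisioned in the portal.
        "add_to_portal": sorted(hr_active - portal_active),
        # Leavers: still active in the portal, no longer active in HR.
        "deactivate_in_portal": sorted(portal_active - hr_active),
        # Login accounts that exist in PPM but were never defined in the portal.
        "ppm_only_logins": sorted(set(ppm_by_email) - portal_active),
        # Several PPM accounts sharing one email: likely duplicates.
        "ppm_duplicates": {e: sorted(n) for e, n in ppm_by_email.items() if len(n) > 1},
    }

if __name__ == "__main__":
    for finding, value in reconcile(HR_CSV, PORTAL_CSV, PPM_CSV).items():
        print(finding, value)
```

The report changes nothing by itself; any resulting activation or inactivation would still be made through the portal so that it remains the source of the changes xogged into PPM.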



  • 4.  Re: User management in SaaS with SSO

    Posted 09-15-2018 01:27 AM

    Thanks Jeanne for your input!

     

    Regarding the questions, we have some users that were created in CA PPM as resources but now we want them to access the site... you said that it is not a good practice to first create the users in CA PPM and after that in the OD Portal; why (taking into consideration that all the users have their email address as the userid)?

     

    Also, regarding an integration between CA PPM and a human resource system... should I first create the users in the OD Portal (ODUM/WSDL) and after that update contact information in CA PPM via XOG? Right?

     

    Thanks!



  • 5.  Re: User management in SaaS with SSO

    Posted 11-06-2018 07:21 AM

    Jeanne_Gaskill_CA_Clarity_Support, can you paste examples of XOG scripts used for connecting to On Demand portal clients or SSO clients?



  • 6.  Re: User management in SaaS with SSO

    Posted 11-06-2018 01:07 PM

    Hi Atul,

     

    You can't use XOG for communication with the portal.  XOG is specifically an import/export utility for CA PPM.  The portal is a separate piece of software with its own database separate from the PPM database.  The portal, itself, uses XOG to add/modify Clarity data.  But that is underneath the covers and not something you can do yourself.

     

    You can use the On Demand ODUM utility or Web Services to add/modify information in the portal.  The Web Services commands are detailed in the attached guide.  It is an old guide but the Bulk User Management section is still correct.  When you use one of these methods (or the portal itself) to assign a user to Prod, Dev, or Test, the portal will add the users to the PPM server you chose using XOG.

    Portal Admin Guide

     

    I hope you find this helpful.

     

    Jeanne