
15.2 New UX - SSO

  • 1.  15.2 New UX - SSO

    Posted 08-03-2017 04:12 AM



    Did anyone successfully implement SSO with the 15.2 new UX?


    SSO is not working when users directly hit the new URL /pm; if they instead navigate to the classic URL first and then to the new UX, it works fine, as the session is carried over from the classic UI.


    It looks like the new UX is unable to authenticate based on the SSO header. Currently, if timesheet users submit a timesheet when new timesheets are activated, the email links will be new UX timesheet links and users are unable to log in.


    Please share if anyone has successfully implemented SSO with the new UX or if there are any workarounds. Thanks




  • 2.  Re: 15.2 New UX - SSO

    Broadcom Employee
    Posted 08-03-2017 04:33 AM

    Hi Karthik,


    New UX is not a different hosted app where it will authenticate the SSO; the authentication layer is in PPM classic and then it gets navigated to the new UX layer. The design so far on new UX is to authenticate via PPM DB, and in your case it's SSO, so if there is a valid session it will allow you to see the new UX, else it won't.


    Also, I would like to know how the notification is going to the new UX, as notifications are configured to go to the OLD UX with the ENTRY URL updated in CSA.



    Suman Pramanik 

  • 3.  Re: 15.2 New UX - SSO

    Posted 08-03-2017 04:48 AM

    Hi Suman,


    Thanks for the reply. So you mean we cannot share the direct URL as mentioned in the document below with users if we have SSO enabled, as only the classic URL can create a session with SSO but not the new UX.


    As per the document:


    Use the following URL to access the New User Experience:



    So this URL will not work directly if we enable SSO; instead we have to navigate to the classic URL and then navigate to the new UX. Is my assumption correct based on your reply?


    And regarding Timesheets, we have not changed anything to direct timesheet emails to the new UX. We enabled new UX & Timesheets from CSA, and when timesheet users submit time, it is sending the submission email with a link to the new UX (/pm). This is the hyperlink in the email:



    Is it not the case in your instance? Though you activated new timesheets, are the hyperlinks in the email pointed to old timesheets?



    Thanks again for your time in checking this.








  • 4.  Re: 15.2 New UX - SSO

    Broadcom Employee
    Posted 08-03-2017 05:40 AM

    Hi Karthik,


    Yes, the /PM URL will not work if the session is not there during SSO. Let me check by submitting the timesheet via the new UX and see what URL is generated. As far as my understanding goes, the NEW UX is not activated through CSA but from Administration --> System option.


  • 5.  Re: 15.2 New UX - SSO

    Broadcom Employee
    Posted 08-03-2017 05:43 AM

    Hi Karthik,


    I checked the notification after submitting the timesheet from the new UX, and you can see the link is going to the OLD UI and not the NEW UI. Can you please provide more information on the http/https entry URL?




    Suman Pramanik 

  • 6.  Re: 15.2 New UX - SSO

    Posted 08-03-2017 06:26 AM

    Hi Suman,


    It looks like the screenshot that is provided is an action item triggered from the Timesheet process/workflow, which would have been triggered in your instance. We don't use the workflow. I was pointing to the OOTB timesheet notification that the Resource manager receives when a user submits a timesheet, which looks something like the attached. This will trigger when a timesheet is submitted without any process/workflow.








  • 7.  Re: 15.2 New UX - SSO

    Broadcom Employee
    Posted 08-03-2017 07:23 AM

    Hi Krishna,


    I did not use any process but just submitted the timesheet, and it used the OOTB and it used the notification Timesheet - Submitted.



    Suman Pramanik 

  • 8.  Re: 15.2 New UX - SSO

    Posted 08-03-2017 08:54 PM

    Hi Suman,


    Our instance will not trigger any action item. If I am not wrong, the action item screenshot you shared in the previous screenshot is from the Timesheet process which is provided out of the box (assumption), and we don't use any process to create action items. Instead we use OOTB notifications that are triggered internally by the system when a resource submits timesheets. You can also see these notification templates under Admin->Notifications. So the links in these OOTB notifications are pointing to the new timesheets GUI, and that is the concern.





  • 9.  Re: 15.2 New UX - SSO

    Broadcom Employee
    Posted 08-04-2017 01:39 AM

    Hi Karthik,


    This is the exact notification I used and it was pointing me to the old UI. As you have the support case, one of our team will work with you to get to the bottom of it.



    Suman Pramanik 

  • 10.  Re: 15.2 New UX - SSO

    Posted 08-04-2017 05:21 AM

    Hi Suman,


    The email body in the notification should be as per the notification template, and in our system (OOTB, not modified) it is as below, where the "click here" should navigate to the submitted timesheet for resource managers to approve.


    The one you shared looks like it is from a process, where the email body describes it as an action item and the link is pointing to the action item page instead of the timesheet page. So I am wondering why you are not receiving this email as a notification and instead are receiving an action item if there is no process/workflow.

  • 11.  Re: 15.2 New UX - SSO

    Broadcom Employee
    Posted 08-03-2017 09:47 AM

    Hi Karthik and Suman, and Others,

    Let us know if this doc helps or can otherwise be improved:

    Integrate CA PPM with CA Single Sign-On (SSO) - CA PPM SaaS - 15.2 - CA Technologies Documentation 

  • 12.  Re: 15.2 New UX - SSO

    Posted 08-03-2017 11:30 PM

    Thanks Damon. Yes, we followed this document; SSO with /niku is working absolutely fine after the upgrade, but not with pm. Unfortunately, when users directly use http://server/pm (New UX) from their emails, it cannot identify the header and generate a Clarity session; instead it only recognizes an already generated session id from the old context (/niku). So users cannot directly use this new UX page with SSO configured with a header.


    I was thinking that we were missing something in setting up the new UX with SSO, but it looks like the new UX cannot create the session on its own, unlike niku, or rather the internal handshake is missing in generating a new session if there is none based on the configured header.


    I have created a support case to confirm this. Will update the community upon receiving the updates.


    Thanks again for your time in answering the post.


  • 13.  Re: 15.2 New UX - SSO
    Best Answer

    Posted 08-06-2017 10:16 PM

    Thanks everyone for your contributions. I wanted to share the good news that we were able to resolve the issues.

    Users using the /pm (New UX) URL directly are now able to log in directly with SSO. The problem was that the login was provided by the /ppm/rest/.. context, for which our SSO application was blocking the request and returning a 403 Forbidden error internally. It was because of BADQUERYCHARS, which was blocking the request; once we enabled this property, SSO with the new UX started working without us having to navigate to classic PPM. This property setting is documented under the "Agent Properties, LogoffUri, IgnoreExt, and IgnoreUrl" section of the document.


    With that, users who are navigating to timesheets from timesheet notification emails are now successfully logging in to the new UX with SSO.


    Thanks again everyone.




  • 14.  Re: 15.2 New UX - SSO

    Broadcom Employee
    Posted 08-07-2017 01:58 AM

    Great news Karthik. One step closer to PPM 15.2

  • 15.  Re: 15.2 New UX - SSO

    Posted 05-17-2018 07:22 PM

    Hello Karthik,


    We are facing the same issue. Users can log in to Classic PPM via SSO, but not to the New UX.


    Which SSO authentication method are you using?




  • 16.  RE: Re: 15.2 New UX - SSO

    Posted 10-17-2019 10:15 AM
    Edited by David Marchal 10-17-2019 10:15 AM

    There is a paragraph on this subject in the 15.7 documentation here.

    • On the Clarity side, you just need to activate SSO in CSA (as before)
    • On the SSO side, you need to add rules on the /pm and /ppm/rest URIs

    Right now, I am also trying to make it work.



  • 17.  RE: Re: 15.2 New UX - SSO

    Posted 12-19-2019 07:54 AM
    Edited by David Marchal 12-19-2019 07:54 AM
    Hello All,

    Context: Clarity 15.7 New UI SSO.

    With SSO activated, I've got an error on the logout action.

    - On the classic UI, no problem: it redirects to the logout URL configured in CSA
    - On the modern UI, an error appears on the click: "Refused to connect to <url_sso> because it violates the following Content Security Policy directive : "connect-src 'self'""

    As a workaround, I added the URL in Security Domains for the new UI:
    cmn_option_values_ins_sp('CONTENT_SECURITY_DOMAINS', null, null, '<url_sso> ', 1);

    Another error occurs: "Access to XMLHttpRequest as <url_sso> from origin <url_sso> has been blocked by CORS policy : Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."

    I tried to modify the Tomcat configuration to add Access-Control-Allow-Origin : * in the HTTP header.

    - Solution 1 (Tomcat way) :

    - Solution 2 (Clarity "hard-coded" way) :

    I could add the parameter Access-Control-Allow-Origin : * in the HTTP headers.

    But I still got the same error at the end.

    Has anybody already seen this?
    Thx for your help.
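
The two browser checks named in the errors quoted in the post above, modeled in order as an added example (not part of the original thread and not Clarity or SSO product code). The hosts `clarity.example` and `sso.example` and all function names are assumptions made for illustration.

```javascript
// Added example. Hosts are constructed placeholders; function names are hypothetical.
const PAGE = 'https://clarity.example'; // origin serving the modern UI
const SSO = 'https://sso.example/logout'; // logout URL on the SSO host

// Check 1: CSP connect-src. Only 'self', '*' and explicit origins are modeled.
function cspAllowsConnect(csp, pageOrigin, targetUrl) {
  const directive = csp.split(';').map(d => d.trim())
    .find(d => d.startsWith('connect-src'));
  if (!directive) return true; // default-src fallback is not modeled
  const target = new URL(targetUrl).origin;
  return directive.split(/\s+/).slice(1).some(src =>
    src === '*' || (src === "'self'" ? target === pageOrigin : src === target));
}

// Check 2: CORS preflight, judged on the headers returned by the *target* host.
// Status code and Allow-Methods/Allow-Headers checks are not modeled.
function preflightPasses(pageOrigin, targetHeaders, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(targetHeaders)) h[k.toLowerCase()] = v;
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return false; // the "No ... header is present" case
  if (allow === '*') return !withCredentials; // wildcard fails for credentialed requests
  if (allow !== pageOrigin) return false;
  return !withCredentials || h['access-control-allow-credentials'] === 'true';
}

// Runs both checks in the order the browser applies them.
function logoutOutcome(csp, targetHeaders, withCredentials) {
  if (!cspAllowsConnect(csp, PAGE, SSO)) return 'blocked-by-csp';
  if (!preflightPasses(PAGE, targetHeaders, withCredentials)) return 'blocked-by-cors';
  return 'allowed';
}

// Constructed scenarios.
const results = [
  logoutOutcome("default-src 'self'; connect-src 'self'", {}, true),
  // SSO origin added to connect-src; SSO host sends no CORS header.
  logoutOutcome("connect-src 'self' https://sso.example", {}, true),
  // SSO host answers with a wildcard, but the request carries cookies.
  logoutOutcome("connect-src 'self' https://sso.example",
    { 'Access-Control-Allow-Origin': '*' }, true),
  // SSO host names the Clarity origin and allows credentials.
  logoutOutcome("connect-src 'self' https://sso.example",
    { 'Access-Control-Allow-Origin': PAGE, 'Access-Control-Allow-Credentials': 'true' }, true),
];
console.log(results);
```

A header added to the Clarity Tomcat never enters `targetHeaders`, because the preflight is answered by the host being requested, here the SSO host.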