This question is aimed for those who uses CA PPM SaaS (aka On Demand)
We had a issue with CA ondemand portal recently
We wanted to block user login using portal as they should only be using Clarity only using SSO
Now due to that CA made the existing one as SAML_Only and created a tenant admin group for admins like us
The problem now we have is that we can't login anymore as users using portal to troubleshoot after this change
As per CA team there is no alternate of this, and if they open it again users will be able to use reset password in ondemand and again can login using ondemand.
The problem is even though we being tenant admin we can reset the user password but of no use , as whenever we try to login using the portal password it says "your organization has restricted access over internet. Please contact your administrator"
On the other hand CA can't give us any extra access other than tenant admin which would help us to login as users
If I understand this correctly this issue could be their with your environments too
How Are you handling such things ? Is there any solution to it ?
I think there still is no solution, but there are work arounds.
Those are different for different versions. See
I think your environment is IDP Initiated SSO. It is default in CA PPM SaaS.
It has 2 access path as following.
1. IDP(ID Provider) --> SP(Service provider: CA ondemand portal) --> PPM
2. SP(Service provider: CA ondemand portal) --> PPM
If SAML-Only is enabled for users, second path (2. SP-->PPM) will not be available anymore.
Only first path (1. IDP--> SP -->PPM) is available, so users have to access PPM via IDP.
Tenant admin is not configured as SAML-Only, so Tenant admin is allowed to access PPM by using above 2 paths.
I don't know the details of your requirement and following my idea may not be fit your requirement.
In SP Initiated SSO environment, users have to access SP first.
SP will communicate with IDP for authentication. It means that user always access PPM via CA ondemand portal.
I think that IDP Initiated SSO is default in CA PPM SaaS, and SP Initiated SSO may have any limitation.