Hi Kevin,
See my answers inline:
- Currently we're only working with the dev environment and the production is with OOTB configuration. When is it advisable to enable the SSO configuration? When we finish configuring everything in the prod environment, or can we enable it and, when everything is migrated, have the authentication working?
ANSWER: This really depends on your company's business needs. You can work with the On Demand team to schedule this at a point when it suits your business needs. Putting the SSO into place will allow you to do all of your testing with SSO in place. Also, development is normally done in a test or dev system and most testing is done in that system. Then the db with all of your tested changes is moved over to the production environment when you are ready.
- If SSO is enabled, is it possible to log in with local users like the OOTB 'admin' account?
ANSWER: This depends on how you choose to have On Demand set up your system. It is possible to restrict usage so that users can only log on via SSO. The On Demand team has a method that will only allow a small number of users to log on differently than other users so that they can access without SSO. Most customers have it set up so that users can log in via SSO from the customer's own SSO login page. SSO passwords are stored on the customer's SSO/LDAP system and not in the portal or PPM. The only way they can log in directly to ondemand.ca.com is if they know the password that was entered for them in the portal. This way end users are prevented from logging into the portal directly unless you want them to.
- What are the alternatives for loading users from a human resource system/LDAP query and keeping them updated?
ANSWER: Only a minimal amount of user information is stored in the portal (i.e. first name, last name, email address, active/inactive, which environment(s) the user is assigned to, and maybe 1 or 2 more items). There are three ways to add users to the portal:
1. Adding them manually while logged into the portal
2. ODUM - This requires creation of a flat file in the format specified by the On Demand team and a utility that can be installed on the admin's desktop. When the admin opens this utility, he can use it to upload the information in the flat file.
3. WSDL - You can have your developer, services or a partner create a WSDL interface between your HR System and the On Demand Portal. If you have additional information about your users that you want added to PPM, you can create a second WSDL interface between your HR System and the portal to add any required information to PPM.
Once users are added to the portal, activated, and assigned to your production, development, and/or test environment, the users will be automatically xogged into PPM by the portal. From then on, all activation, inactivation and environment assignment of users should be done through the portal, which will then xog the changes into PPM. Doing this will allow the two entities to remain in synch and prevent problems.
- If SSO is enabled, how is the user management changed? I read somewhere in the documentation that if PPM is behind the On Demand portal, all user configuration should be done in the OD portal. Does it mean that I won't be able to upload users through XOG or create them manually in the PPM interface?
ANSWER: You should add new users, activate users, inactivate users, and assign them to your various environments through the portal. The portal will automatically XOG these changes into PPM. This will allow you to keep the portal and PPM in synch with each other and will prevent problems down the road.
You can xog users directly into PPM and then add them to the portal later. This is not a good practice because it increases the chances of accidentally creating duplicate users if the information is not matched up properly, among other things.
If you have resources that will not log into PPM, but you want people to be able to add time for them, assign them to projects, etc., you can xog those resources directly into PPM.
The On Demand team should answer these questions in detail for you during your onboarding process.
I hope this helps.
Jeanne