  • 1.  Clarity PPM SaaS Transition: GCP Authentication Methods - Part 2

    Broadcom Employee
    Posted Mar 23, 2020 02:20 PM

    Welcome to the Clarity PPM SaaS Transition Blog series. This blog series provides customers with updates on the Clarity PPM SaaS transition to the Google Cloud Platform™ (GCP). In the first four blogs, Broadcom provided updates on various aspects of the migration, including the overview, pre-transition activities, the actual transition process, and the various authentication methods available in GCP.


    In this post, Broadcom continues the discussion of Clarity PPM authentication methods and flows on the GCP platform. Prior to reading this blog, we recommend you read the post entitled "Clarity PPM SaaS Transition: GCP Authentication Methods - Part 1".

    Some key points you should remember about the GCP platform:

    • In GCP, Clarity PPM uses a new SSO solution, which includes Broadcom's Okta.
        o The legacy CA On Demand Portal, used in the legacy data center, will be deprecated.
    • All users that exist in the CA On Demand Portal today will be transitioned to Broadcom's Okta, but any passwords defined in the portal will need to be reset.
        o If a customer is using their own IdP for SSO, deep linking between their IdP and our SaaS platform will need to be established again.
        o Users will continue to manage their passwords in their IdP.
        o If a customer had users defined in Clarity PPM, the following update is required: the username will need to be changed to the user's email address.
    • All customers that do not use SSO integration between Clarity PPM and their IdP will need to log in by using Okta's login page.

    Authentication Flows in GCP

    1. Authentication using Broadcom's Okta

    This is the default login flow in Clarity PPM SaaS unless the customer has enabled federated SSO integration between their IdP and Broadcom's Okta. This authentication method is used when users navigate directly to the Okta page and can access Clarity PPM from the Okta tiles page.

    [Image: Authentication Flows in GCP]


    Let's review the steps for this flow using the above image:

    1. The user navigates to the Broadcom Okta page and enters credentials.
    2. The Okta tiles page is displayed to the user.
    3. The user selects the Clarity PPM SaaS application.
    4. The user is redirected to the PPM SSO service.
    5. The PPM SSO service parses the SAML assertion to determine the user's login ID and the groups associated with the user. If the user has access to multiple Clarity PPM environments, they can select the desired environment.
    6. PPM SSO creates a JSON Web Token (JWT) and forwards the information to Clarity PPM.
    7. Clarity PPM responds with the requested resource.

    2. Authentication using Customer's Identity Management Provider (Federated SSO)

    An IdP-initiated flow is followed when a customer has enabled federated SSO integration between their IdP and Broadcom's Okta.

    [Image: Authentication using Customer's Identity Management Provider (Federated SSO)]

    Let's review the steps for the IdP-initiated flow by using the above image:

    1. The IdP requests credentials from the user logging into Clarity PPM SaaS.
    2. The user provides the credentials to the IdP.
    3. The IdP sends a SAML response (assertion) to Okta with the login information.
    4. Okta validates the assertion, matches the user to its user store, and sends a new SAML response to the PPM SSO service.
    5. The PPM SSO service parses the SAML assertion to determine the user's login ID and the groups associated with the user.
    6. If the assertion is validated and contains the proper information, the PPM SSO service creates a JSON Web Token (JWT) and forwards the information to Clarity PPM.
    7. Clarity PPM SaaS responds with the requested resource.

    3. Authentication using Customer's Identity Management Provider (Federated SSO) with Access to Multiple Clarity PPM Environments

    An IdP-initiated flow is followed when a customer has enabled federated SSO integration between their IdP and Broadcom's Okta. If the end user has access to multiple Clarity PPM environments, then a PPM SSO service page is displayed, asking the user to select which Clarity PPM instance they want to access.

    [Image: Authentication using Customer's Identity Management Provider (Federated SSO) with Access to Multiple Clarity PPM Environments]

    Let's review the steps for this flow using the above image:

    1. The IdP requests credentials from the user.
    2. The user provides credentials to the IdP.
    3. The IdP sends a SAML response (assertion) to Okta with the login information.
    4. Okta validates the assertion, matches the user to its user store, and sends a new SAML response to the PPM SSO service.
    5. The PPM SSO service parses the SAML assertion to determine the user's login ID and the groups associated with the user.
    6. If the assertion is validated, the PPM SSO service displays a landing page listing all the Clarity instances when the user is a member of more than one user group.
    7. PPM SSO creates a JSON Web Token (JWT) for the selected instance and forwards the information to Clarity PPM.
    8. Clarity PPM SaaS responds with the requested resource.

    4. XOG Initiated Events

    The XML Open Gateway (XOG) is a Clarity PPM web service interface that integrators and system administrators can use to import data, export data, and move configuration data from one system to another. XOG uses XML and web services to perform these actions.

    This flow is used when XOG interacts with Clarity PPM SaaS. 

    [Image: XOG Initiated Events]

    Note: XOG will not support SSO. The XOG transaction is achieved by specifying the Clarity PPM user name and password of the user who has the authorization to perform the requested XOG transaction. The user will be authenticated using Clarity PPM authentication.

    Let's review the steps for this flow using the above image:

    1. The user initiates the XOG event and specifies the Clarity PPM username and password.
    2. Clarity PPM SaaS validates the password.
    3. The XOG initiated event is processed if the username and password are valid.

    5. Authentication Using Okta - User Directly Accesses the Clarity PPM URL


    In scenarios where the user directly accesses the Clarity PPM URL from a bookmark, a hyperlink, or by typing it in directly, they are redirected to Okta if their organization does not use federated SSO.

    [Image: Authentication Using Okta - User Directly Accesses the Clarity PPM URL]

    Let's review the steps for this flow using the above image:

    1. The user tries to access the Clarity PPM URL directly.
    2. The user is redirected to the Broadcom Okta page.
    3. The user enters their login credentials.
    4. Okta validates the credentials and sends a SAML response to the PPM SSO service.
    5. The PPM SSO service parses the SAML assertion to determine the user's login ID. If the user has access to multiple Clarity PPM environments, they can select the desired environment.
    6. PPM SSO creates a JSON Web Token (JWT) and forwards the information to Clarity PPM.
    7. Clarity PPM responds with the requested resource.

    6. Authentication Using IdP (Federated) - User Directly Accesses the Clarity PPM URL

    In scenarios where the user directly accesses the Clarity PPM URL from a bookmark, a hyperlink, or by typing it in directly, they are redirected to their IdP if their organization uses federated SSO.


    [Image: Authentication Using IdP (Federated) - User Directly Accesses the Clarity PPM URL]


    Let's review the steps for this flow using the above image:

    1. The user tries to access the Clarity PPM URL directly.
    2. The user is redirected to the Broadcom Okta page.
    3. The user enters their IdP username. 
    4. Okta validates the username and triggers the IdP routing rules based on it.
    5. The IdP requests credentials from the user.
    6. The user provides credentials to the IdP, which forwards a SAML response (assertion) to the PPM SSO service.
    7. The PPM SSO service parses the SAML assertion to determine the user's login ID and the groups associated with the user.
    8. PPM SSO creates a JSON Web Token (JWT) and forwards the information to Clarity PPM.
    9. Clarity PPM SaaS responds with the requested resource.
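
    The PPM SSO service steps that recur in flows 1, 2, 3, 5 and 6 above (validate the SAML assertion, map the user's groups to Clarity environments, show the environment choice when there is more than one, then mint a JWT for Clarity PPM), as an added illustrative example in Python. This is not Broadcom's code, and nothing on this page describes how the real PPM SSO service is built: the SP entity ID, the group-to-environment mapping, the HS256 shared secret, the claim names and the sample assertion are all assumptions constructed for this example. The XML signature check that a real SP performs with the IdP certificate taken from the SAML metadata is deliberately left out; everything after that check is shown.

```python
import base64
import calendar
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed (hypothetical) values: the SP entity ID expected in <Audience>,
# the group-to-environment mapping, and the JWT signing secret.
EXPECTED_AUDIENCE = "https://ppm-sso.example.invalid/sp"
GROUP_TO_ENVIRONMENT = {"ppm-prod-users": "prod", "ppm-dev-users": "dev"}
JWT_SECRET = b"example-shared-secret"

# Constructed sample assertion (not real IdP output). A real SP verifies the
# XML signature with the IdP certificate from the SAML *metadata* before
# reading any attribute; that signature check is omitted here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0">
  <saml:Subject><saml:NameID>jane.doe@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-03-23T14:15:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://ppm-sso.example.invalid/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ppm-prod-users</saml:AttributeValue>
      <saml:AttributeValue>ppm-dev-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _saml_time(value):  # SAML UTC timestamp (YYYY-MM-DDTHH:MM:SSZ) -> epoch seconds
    return calendar.timegm(time.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))

SAMPLE_NOW = _saml_time("2020-03-23T14:20:30Z")  # inside the sample's validity window


def parse_assertion(xml_text, now):
    """Check the assertion's Conditions and return (login_id, groups); raise ValueError on any failure."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now < _saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("assertion not addressed to this SP")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    values = root.findall("saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)
    return name_id.text, [v.text for v in values]


def environments_for(groups):
    """Map group names to environments, keeping order and dropping groups that map to nothing."""
    return list(dict.fromkeys(e for e in map(GROUP_TO_ENVIRONMENT.get, groups) if e))


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(login_id, environment, now, ttl=300):
    """Compact HS256 JSON Web Token naming the user, the environment and a short expiry."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": login_id, "env": environment, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(JWT_SECRET, (header + "." + body).encode("ascii"), hashlib.sha256).digest()
    return header + "." + body + "." + _b64url(sig)


def verify_jwt(token, now):
    """What the receiving side does: pin the algorithm, check the signature and expiry, return claims."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected JWT algorithm")
    expected = hmac.new(JWT_SECRET, (header + "." + body).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad JWT signature")
    claims = json.loads(_b64url_decode(body))
    if now >= claims["exp"]:
        raise ValueError("JWT expired")
    return claims


def sso_step(xml_text, now, chosen_environment=None):
    """Validate the assertion, resolve the environment, mint the JWT; ("choose", envs) means show the landing page."""
    login_id, groups = parse_assertion(xml_text, now)
    envs = environments_for(groups)
    if not envs:
        raise ValueError("user is not a member of any Clarity PPM environment group")
    if chosen_environment is None and len(envs) > 1:
        return "choose", envs
    environment = chosen_environment or envs[0]
    if environment not in envs:
        raise ValueError("user is not entitled to the requested environment")
    return "token", mint_jwt(login_id, environment, now)
```

    Two design points. First, the SP reads identity and group membership from the SAML assertion; the SAML metadata is only where it gets the IdP certificate and endpoints, so the assertion's time window and Audience are checked here rather than anything in the metadata. Second, the entitlement check in `sso_step` rejects an environment the user selected on the landing page but is not a group member of, so the choice page cannot be used to reach an instance the IdP never asserted; `verify_jwt` pins the algorithm before checking the signature so an attacker-supplied header cannot downgrade it.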

    This concludes Part 2 of the GCP Authentication Methods post. Thank you for being a part of the Clarity PPM community. Please write to clarityppm.saas@broadcom.com in case you have any specific questions for us. The next blog will be published on March 30th.

    #ca_clarity_ppm #gcp #clarityppmsaas


    ------------------------------
    Thanks & Regards
    Suman Pramanik
    Sr. Principal Support Engineer | Customer Success & Support, Enterprise Software Division
    Broadcom
    ------------------------------


  • 2.  RE: Clarity PPM SaaS Transition: GCP Authentication Methods - Part 2

     
    Posted Mar 23, 2020 02:37 PM
    Thank you for sharing this update with the community Suman!

    ------------------------------
    Chris Hackett
    Community Manager, Broadcom Enterprise Software Division
    Broadcom Inc.
    ------------------------------