View Only
  • 1.  Clarity PPM SaaS Transition: GCP Authentication Methods - Part 1

    Broadcom Employee
    Posted Mar 16, 2020 07:03 AM

    Welcome to the Clarity PPM SaaS Transition Blog series. This blog series provides customers updates regarding the Clarity PPM SaaS transition to the Google Cloud Platform™ (GCP). This is the fourth post of the series.  In the first post, Broadcom provided an overview of the transition process and discussed the benefits of transitioning to GCP. In the second post, Broadcom focused on pre-transition activities customers and Broadcom will perform before any of the Clarity PPM environments are transitioned to GCP. In the third post, Broadcom focused on the transition activities customers and Broadcom will perform during the transition to the GCP platform. 

    In this blog post, the focus will be on authentication methods available for Clarity PPM SaaS in Broadcom's Google CloudPlatform (GCP) based SaaS infrastructure.


    Broadcom's SaaS offering will provide you with a single login experience for its SaaS-based products. You will be able to access Broadcom products that you subscribed to, in a single location.  

    You will be able to login to Broadcom's SaaS platform by using one of the following methods:

    1. Authenticate against Broadcom's Okta based sign-in solution.
    2. Use Federated SSO integration with your identity management provider (IdP). 

    By default, all customers will be set up to use Broadcom's Okta-based solution. Your email address will be configured as the username. You will need to raise a request with Broadcom support if you want to enable federated SSO integration to use your IdP as the authentication method.

    Federated SSO integration allows you to create a trusted relationship with Clarity PPM SaaS and your identity management solution. This relationship delivers the following benefits:

    • Seamless integration between networks and environments: You and other users can move easily between your intranet and Clarity PPM SaaS. 
    • Simplified password management: You do not have to manage user passwords separately from Clarity PPM SaaS because your existing user management system handles password management. 
    • Broadcom Supported: A dedicated Broadcom support organization provides technical support.

    SaaS Authentication Concepts

    Broadcom leverages the following components to support the different authentication methods in the GCP SaaS infrastructure.

    1. Okta: The IdP solution used by Broadcom to support federated SSO for Clarity PPM SaaS.
    2. Identity Management Provider (IdP): The identity provider used by customers within their organization. 
    3. PPM SSO Service: A new web application that will be installed in the Clarity PPM SaaS infrastructure as a separate service to accept HTTP requests containing a SAML request from a user's IdP. The PPM SSO service will support SP-Initiated as well as IdP initiated SSO flows.
    4. Clarity PPM: The target application for customers.

    User Management

    Creating a New User


    Broadcom uses Okta as the system of record for users that access Broadcom products in GCP based SaaS infrastructure. Every user that accesses Clarity PPM must be a user in the Broadcom's Okta tenant. In addition, user groups within Okta determine the products and instances of those products a user can access. A user may be a member of one or more user groups depending on the products and instances they can access.

    Clarity PPM administrators in your organization can create and manage users, within Clarity PPM.  When defining users in Clarity PPM, the username has to be set to the user's email address.  

    Syncing Users Between Clarity PPM and Okta


    After defining a user in Clarity PPM, administrators can use the Sync SaaS Users job to synchronize the users in Okta and assign them to the appropriate Okta groups. Administrators should manually schedule this job to run regularly. 

    The Sync SaaS Users job will only be available in Clarity PPM 15.8 and higher versions of Clarity PPM SaaS.

    The Sync SaaS Users job uses the following parameters:

    • URL to the Broadcom Okta tenant where users will be synced.
    • API token used to authenticate the "Sync SaaS Users" with Okta to execute REST API calls.
    • The User group associated with this Clarity instance. 
    • A flag to determine whether you want to perform full sync or partial sync.


    The Sync SaaS Users job first reads the parameters from the "System Options" page. Broadcom will specify the default parameters when they provide you with the GCP environment. Administrators can overwrite these parameters when they invoke the job and provide different values for the parameters.


    The "Sync SaaS Users" job will perform the following actions:

    1. Read all users from Clarity PPM that have not been synced previously. If the job is started with the full sync parameter, then all users from Clarity PPM will be read.
    2. Determine the Okta user group based on the Clarity PPM instance.
    3. Check if the Clarity PPM user exists in Okta.
      1. If the username is not in the form of an email address, the user is skipped.
      2. If the user exists and is in the appropriate Okta group, then the job will not do anything for that user.
      3. If the user exists but is not in the appropriate Okta user group, the job will add the user to the appropriate Okta user group.
      4. If the user does not exist in Okta, the job will create the user and add them to the appropriate Okta user group.


    1. When added to the Okta user group, the user is automatically assigned to the appropriate Clarity PPM application in Okta.
    2. If user status in Clarity PPM is "inactive," then the job removes the user from the Okta user group, thus revoking their access to the Clarity PPM instance. The user will be marked as not having been synced in case they are reactivated at a future date. 

    The Sync SaaS Users job will not deactivate or lock a user in Okta even if they are deactivated or locked in Clarity PPM. This is because the user could have access to other Broadcom products. The status of the user in Clarity PPM should not control their access to other products.

    Understanding Okta User Groups

    The Broadcom team will create user groups in Okta to map to a provisioned Clarity PPM environment. A single user could be part of multiple user groups, thus allowing them to access multiple Clarity PPM environments in SaaS.

    The User groups have the following nomenclature:


    Consider an example where a tenant called MyBank is provisioned to use Clarity in GCP.

    MyBank needs two types of Clarity PPM instances, namely dev and prod. The provisioning process assigned MyBank the tenant domain "cppm4758". In this scenario, the provisioning process would create two user groups for MyBank: 


    These user groups correspond to the two instances of Clarity that will be running for MyBank. Clarity PPM administrators will need to define users in each instance of Clarity PPM. The administrator would then use the Sync SaaS Users on each instance to sync users with the relevant groups in Okta. 

    The users defined in the dev environment will be added to the group and the users defined in the production environment would be added to the group.

    Managing Users - CA On-Demand Portal vs. Broadcom Okta

    The table below compares how users are managed in  Broadcom Okta (in GCP) versus CA On-Demand Portal (in the previous data center). The fundamental difference is that in the previous data center environment, tenant administrators managed users via the CA On-Demand Portal. 

    In the new GCP data center environment, Clarity PPM administrators will manage users directly within Clarity PPM by using either the native user management capabilities in Clarity PPM or by using XOG.


    Step No.

    CA On-Demand Portal

    Broadcom Okta


    The Broadcom team provisions a tenant and creates the requested instances. Customers may have separate instances of Clarity PPM for production, development, and testing associated with one tenant. 

    The Broadcom team provisions a tenant and creates the instances. Broadcom also creates groups in Okta that will be mapped to your various Clarity PPM instances. 


    Broadcom creates a single-tenant administrator and assigns it to the relevant resource in your organization.

    Broadcom creates a Clarity PPM administrator for all the Clarity PPM instances.


    The tenant administrator uses the On-Demand Portal to create users and assigns them to various application services.

    The Clarity PPM administrator creates users in Clarity by using the Resources page or by using XOG.


    The tenant administrator runs a portal job to synchronize users created in the On-Demand Portal with the relevant Clarity instance.

    The Clarity PPM administrator runs the SaaSUserSync job to synchronize users from Clarity to Okta.


    The tenant administrator can update user fields in the CA On-Demand Portal.

    The Clarity PPM administrator can update user information by using the Resources page or XOG.


    The tenant administrator can remove a user from application services or deactivate the user by using the On-Demand Portal. 

    The Clarity PPM administrator can deactivate or lock the user account by using the Resource page. They can then run the SaaSUserSync job to synchronize users from Clarity to Okta. 

    It's important to remember that tenant administrator used the On-Demand User Management utility (ODUM) in the previous data center environment to add or modify users and grant or withdraw access to any of the CA On-Demand application services. This functionality will not be available in GCP and  Clarity PPM administrators can use the XOG utility to make bulk changes to users.

    Enable Federated SSO in Clarity PPM SaaS in GCP

    To enable the federated SSO service in GCP, you need to create a Broadcom support ticket with the following information :

    1. The SAML metadata URL for your IdP, so that Broadcom can establish a connection with Okta. 
    2. The IdP URL and returnUrl so that that deep linking can be configured. 
    3. The logout URL, so that users can be redirected there after logging out of Clarity PPM.

    This concludes Part 1 of the GCP Authentication Methods post. Thank you for being a part of the Clarity PPM community. Please write to in case you have any specific questions for us. The next blog will be published on March 23rd will include authentication flow diagrams and some commonly asked questions on authentication mechanisms in GCP. 

    #ca_clarity_ppm #gcp #clarityppmsaas

    Thanks & Regards
    Suman Pramanik
    Sr. Principal Support Engineer | Customer Success & Support, Enterprise Software Division

  • 2.  RE: Clarity PPM SaaS Transition: GCP Authentication Methods - Part 1

    Posted Mar 18, 2020 11:08 AM
    Thank you for the update Suman!

    Chris Hackett
    Community Manager, Broadcom Enterprise Software Division
    Broadcom Inc.