HP ERM 8.3 and SDK on different networks

Hi All,

I'm trying to create a custom client for HP ERM system. For the same I will be developing on my local network.

But due to policy issues I cannot have a ActiveDirectory instance in my network.

I was thinking of adding the ActiveDirectory and HP ERM server on a VM in a isolated network which my development environment can access using HTTP/HTTPs or RDP.

If I do this, I guess I will have issues in authentication as my local users (intranet users) will not be having rights in HP ERM as HP ERM will be configured with users and roles present in the isolated networks AD. 

Have you guys ever implimented such scenario. If so did you face any issues especially with security ?



  • Digging a bit more,

    I feel a simple way of doing this will be using a seperate ADFS server in the isolated network.

    So now the flow will be as such:

    1. User will log-in to custom web application

    2. His credentails will be sent to ADFS 

    3. ADFS will validate it against the AD

    4. Token will be returned to client & hence validated

    5. While starting conversation with HP ERM, this token will be send to HP ERM for initial handshake ****

    6. Search methods are called to get records from HP ERM.

    Am i missing something also is the 5th step appropriate ?


    Rohan Wadiwala

  • I imagine you will configure the Relying Party Trust in ADFS to send you the network name of the user which, in turn, will need to be in the user's Location profile in RM.

  • I think I would have to yes.

    Just one things on the same, Will there be any difference in the code (apart from connection string) if production environment does not have ADFS but is directly talking to AD. ?

    thanks again for all the help.


    Rohan W. 

  • Verified Answer

    Not sure which code you are talking about, but if you are using IIS to host your HTTP app then there is not much in the way of code to write for integrated windows authentication, you just do something like:

    database.TrustedUser = System.Web.HttpContext.Current.Identity.Name;
  • If this is just for development and your org has a VPN, why not VPN your VM to your local intranet?

  • Hi,

    Thanks for the reply, you are correct, I was actually reffering to the code you have mentioned.

    You are correct, I will be hosting my custome app in IIS. I guess if my ADFS is set properly then I dont' have to worry about it.


    Just on a side note, does HPRM need to know we are using ADFS during configurarion ? I was going through the install document and in one of its steps we have to mention if the authentication is integrated or ADFS ? 


    So if my Dev environment will be using ADFS but productions does not... wll it affect my configuration/coding of custom app ?

    (from your previous answer I think not.. but just wanted to confirm my assumptions is correct)

  • Hi Jan,

    thanks for the reply,

    You are correct. this is for Dev but I would like to move whatever I code to Prod too.

    The issue is my prod HPRM and the prod IIS will be on same network so they would baiscally be using the same AD.

    But my Dev environment does not have an AD and am only abls to setup one in isolated network; I would be setting up my Dev HPRM in the same isolated environemt and will be accessing it from outside the isolated environment (via. SDK).

    Also, the company policy does not allow VPN to this isolated network :(


  • What auth do users use to get in to your application?

    You could configure the remote app to authenticate to TRIM with a service account, and then pass in the user's username in to the Database.TrustedUser property. As long as the usernames match the location logins in TRIM it seems to work.

Reply Children
No Data