HP PPM 9.13 - SSO and separating admin access
We would like to implement the SSO feature of HP PPM using an Apache front-end proxy that can provide the REMOTE_USER HTTP header. This works fine when HP PPM is configured as documented. However, we do not want Administrators to have Administrative privileges associated with their regular network accounts, since they are also standard IT users. Is there a way to configure a separate entry point where they could use the normal login screen to enter Administrator credentials and not invoke SSO?
We were facing the same problem. Before SSO, we had so-called "key users" that had special access grants to do admin work. These users worked with 2 user accounts: their standard account with basic rights and the key user account with admin rights.
To make this scenario work with HP PPM and SSO, we created our own SSO mechanism (own implementation of interface com.kintana.sc.security.auth.SingleSignOn). With our mechanism SSO works as with GenericSingleSignOn if no parameters are used on the URL. If our implementation detects the URL parameter SSO_ALTERNATIVE_USER, then it checks whether the SSO user is allowed to switch to an alternative user and if so the user is logged into PPM using the alternative user account.
We implemented the "allowing" function by using User data fields.
Let me know if you are interested in the solution (works with HP PPM 9.32).
When using Generic Web SSO (with REMOTE_USER header), it is required to prevent any direct HTTP access to the PPM servers from the standard clients' web browsers, otherwise they could easily fake the HTTP header and impersonate any user.
However, if someone were to be able to directly access the PPM Servers without first passing through the Web Server, they could get the standard PPM login page and authenticate using normal PPM login/password (different from SSO).
So what is commonly done is that admin users will remotely connect to the PPM server machine or to a machine that's in the same sub-network as the PPM Server (i.e. where you can connect directly to the PPM server without having to go through the Web Server first), and then log in directly to the PPM server by entering the PPM Server machine host name in their browser.
This is good enough for starting the workbench and doing some work in the Admin Console, however this may not work with other PPM pages as you may have some redirects that will send you to BASE_URL where you'll hit the Web Server again.
By the way, PPM 9.13 has not been supported for ages, please upgrade to get better support. Hopefully, a future version of PPM may include some SSO improvements that would render the Generic Web SSO solution obsolete.
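The header-spoofing risk raised in the answer above, as an added example that is not part of the thread or of HP PPM's own configuration: an Apache 2.4 reverse-proxy fragment that discards any REMOTE_USER header a client sends and sets it only after the proxy itself has authenticated the request. Host names, the backend port and the Basic-auth provider are assumptions standing in for whatever the site actually uses.

```apache
# Added example (not from the thread): Apache 2.4 front-end for a
# REMOTE_USER-based Generic Web SSO deployment. Server names, ports
# and the authentication provider are assumptions.
<VirtualHost *:443>
    ServerName ppm.example.org

    # Never trust a REMOTE_USER header arriving from the client. "early"
    # runs in the request-header phase, before authentication, so a
    # spoofed value is gone before anything else can see it. PPM treats
    # this header as a proven identity, which is why this line matters.
    RequestHeader unset REMOTE_USER early

    <Location "/">
        # Authenticate every request at the proxy. Basic auth against a
        # file is only an illustration; Kerberos or SAML modules populate
        # REMOTE_USER the same way and the rest of the block is unchanged.
        AuthType Basic
        AuthName "PPM"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/ppm.htpasswd
        Require valid-user

        # Only now, with the user verified, is the identity forwarded.
        # The expression reads Apache's own REMOTE_USER variable (set by
        # the auth module), not anything contained in the request.
        RequestHeader set REMOTE_USER "expr=%{REMOTE_USER}"

        # Hand the authenticated request to the PPM application server.
        ProxyPass        "http://ppm-backend.internal:8080/"
        ProxyPassReverse "http://ppm-backend.internal:8080/"
    </Location>
</VirtualHost>

# The backend port (8080 here) must be reachable from this proxy only,
# enforced by a host or network firewall: the application accepts the
# header from any source, so the proxy is the sole place the identity
# is actually checked.
```

Direct access to the backend by administrators, as the answer describes, deliberately bypasses this control, so the set of hosts allowed to reach the backend port is the real boundary of who can assert an arbitrary identity.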
What we do is simply to use separate domain accounts for admin like firstname.lastname@example.org.
MIF Software & Consultancy - Istanbul