jdmumper (Absent Member)

HP PPM 9.13 - SSO and separating admin access

We would like to implement the SSO feature of HP PPM using an Apache front-end proxy that can provide the REMOTE_USER HTTP header. This works fine when HP PPM is configured as documented. However, we do not want Administrators to have Administrative privileges associated with their regular network accounts, since they are also standard IT users as well. Is there a way to configure a separate entry point where they could use the normal login screen to enter Administrator credentials and not invoke SSO?

 

Thanks!

rodrilima (Absent Member)

Re: HP PPM 9.13 - SSO and separating admin access

Good afternoon, I am preparing the tool to use the SSO. Where did you get this documentation?

 

Thanks

Neumator (Regular Contributor)

Re: HP PPM 9.13 - SSO and separating admin access

We were facing the same problem. Before SSO, we had so-called "key users" that had special access grants to do admin work. These users worked with 2 user accounts: their standard account with basic rights and the key user account with admin rights.

To make this scenario work with HP PPM and SSO, we created our own SSO mechanism (own implementation of interface com.kintana.sc.security.auth.SingleSignOn). With our mechanism SSO works as with GenericSingleSignOn if no parameters are used on the URL. If our implementation detects the URL parameter SSO_ALTERNATIVE_USER, then it checks whether the SSO user is allowed to switch to an alternative user and if so the user is logged into PPM using the alternative user account.

Examples:

http://my-ppm-url.com   takes the SSO user 'user1' to the HP PPM account 'user1'
http://my-ppm-url.com?SSO_ALTERNATIVE_USER=admin takes the SSO user 'user1' to the HP PPM account 'admin'

We implemented the "allowing" function by using User user data fields.

Let me know if you are interested in the solution (works with HP PPM 9.32).
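
The account-switch decision described in the post above, as an added example that is not Neumator's code and does not implement the PPM `SingleSignOn` interface. The `resolve_account` function, the `SsoDenied` exception and the sample mapping are hypothetical, and refusing the login on an unauthorized or ambiguous switch is a choice made for this example.

```python
from urllib.parse import urlsplit, parse_qs

PARAM = "SSO_ALTERNATIVE_USER"  # URL parameter named in the post

# Constructed sample data: which alternative accounts each SSO user may assume.
# In the post this mapping lives in PPM user data fields; a dict stands in here.
ALLOWED_ALTERNATIVES = {
    "user1": {"admin"},
    "user2": set(),
}


class SsoDenied(Exception):
    """Raised when the request must not be logged in at all (hypothetical)."""


def resolve_account(remote_user, url, allowed=ALLOWED_ALTERNATIVES):
    """Return (ppm_account, audit_note) for an SSO-authenticated request.

    remote_user: identity asserted by the trusted front-end proxy.
    url: requested URL; its query string is client-controlled and untrusted.
    """
    sso_user = (remote_user or "").strip()
    if not sso_user:
        raise SsoDenied("no SSO identity supplied by the proxy")

    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get(PARAM, [])
    if not values:
        return sso_user, "standard SSO login"
    if len(values) != 1:
        # Repeated parameter: refuse instead of guessing which value applies.
        raise SsoDenied("ambiguous %s parameter" % PARAM)

    requested = values[0].strip()
    # The client only names the account it wants; whether the switch is
    # allowed is decided by the server-side mapping for the SSO user.
    if requested not in allowed.get(sso_user, set()):
        raise SsoDenied("%s may not switch to %r" % (sso_user, requested))
    return requested, "%s switched to %s" % (sso_user, requested)
```

The audit note returned with each decision is meant to be logged, so that every switch to a privileged account can be traced back to the SSO identity that requested it.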

bcramer (Contributor)

Re: HP PPM 9.13 - SSO and separating admin access

My team and I are interested in the solution you described. Could you please share it?

Micro Focus Expert

Re: HP PPM 9.13 - SSO and separating admin access

Hi,

When using Generic Web SSO (with REMOTE_USER Header), it is required to prevent any direct HTTP access to the PPM servers from the standard client's web browsers, otherwise they could easily fake the HTTP header and impersonate any user.

However, if someone were to be able to directly access the PPM Servers without first passing through the Web Server, they could get the standard PPM login page and authenticate using normal PPM login/password (different from SSO). 

So what is commonly done is that admin users will remotely connect to the PPM server machine or to a machine that's in the same sub-network as the PPM Server (i.e. where you can connect directly to the PPM server without having to go through the Web Server first), and then log in directly in the PPM server by entering the PPM Server machine host name in their browser.

This is good enough for starting the workbench and doing some work in the Admin Console, however this may not work with other PPM pages as you may have some redirects that will send you to BASE_URL where you'll hit the Web Server again. 

By the way, PPM 9.13 has not been supported for ages, please upgrade to get better support. Hopefully, a future version of PPM may include some SSO improvements that would render the Generic Web SSO solution obsolete.

Kind Regards,

Etienne.

RajM (New Member)

Re: HP PPM 9.13 - SSO and separating admin access

Hello, we are trying to do similar stuff and are interested in your solution. Can you please let me know how you implemented it?

MIF (Super Contributor)

Re: HP PPM 9.13 - SSO and separating admin access

Hello,

What we do is simply to use separate domain accounts for admin, like ppmadmin@company.local.

 

--Remember to give Kudos if you like the solution.

Murat Akbar
MIF Software & Consultancy - Istanbul
http://www.mif.com.tr