What's New in PPM 9.51

This section provides an overview of the features that were introduced or enhanced in PPM 9.51.

Portlet enhancements

The portlet user experience has been overhauled:

  • Only the major legends are now displayed by default. You can show more or less legend categories.
  • The portlets automatically resize to adapt to the screen size.
  • The preview page now displays on every print operation.

These changes apply to all chart types, except bubble and Gantt charts.

Back to top

Support OpenJDK for Workbench

To support OpenJDK on windows client, we developed the “Workbench App”. The Workbench App is a desktop application that you need to install on your computer. You can open the app from the PPM web page, or from the installation folder.

To install the workbench application:

  1. Select Open > Administration > Workbench > Open workbench App.
  2. In this page, click the download link and save the Workbench bundle to computer.
  3. Unzip the downloaded zip file.
  4. Double click install.bat to register Workbench.

To open workbench application from installed folder:

  1. Double click Startup.bat.
  2. Enter the PPM URL and user credential information.

To open workbench application from the PPM web page:

  1. Select Open > Administration > Workbench > Open workbench App.
  2. Accept the browser's prompt to open Workbench smoothly next time.

Note: If SSO is enabled, exclude the Workbench URL from SSO’s protection.

http://<PPM _Base_URL>/itg/wbservices

Back to top


OIDC Authorization Code Flow and Implicit Flow are supported.

For more information about OIDC, visit https://openid.net/connect/

To set up OIDC SSO with PPM:

  1. Register PPM as Relaying Party (RP) in OpenID Provider (OP) with parameters:

    Callback URI: <PPM_BASE_URL>/itg/web/sso/oidc_callback.jsp

    Post Logout URI: <PPM_BASE_URL>/itg/web/sso/loggedout.jsp

    Remember the oAuth Client Key and oAuth Client Secret

  2. Edit the PPM server.conf file as follows:

    Add or change


  3. Edit <PPM_HOME>/integration/sso/oidc_sso.conf:

    1. Add discovery_file=<path to OP metadata file> or discovery_uri=<URI of OP metadata file>
    2. Add client_id=<oAuth Client Key for PPM>
    3. If PPM cannot access OP directly, configure the proxy: proxy=<proxy_dns or proxy_ip>:<proxy_port>
    4. If OP uses self-signed certification for https, add: disable_ssl=true

      Only use this option in development or test environments. Never use it in a production environment.
  4. Restart PPM user instances.


  • To troubleshoot SSO, check the <ppm_server>/log/serverLog.txt file.
  • For more debug information, in <PPM_HOME>/conf/logging.conf:

    Set com.kintana.core.logging.SYSTEM_THRESHOLD = DEBUG

    Add com.kintana.core.logging.PRODUCT_FUNCTION_LOGGING_LEVEL = com.kintana.sc.authentication, DEBUG

Advanced Configuration

You can override the default settings or parameters for RP metadata in the oidc_sso.conf file:

Override OP metadata in discovery_file or discovery_uri (see above):

Parameter name



The issuer identifier for the OpenID Provider.


The authorization endpoint is the endpoint on the authorization server where the resource owner logs in, and grants authorization to the client application.


The token endpoint is the endpoint on the authorization server where the client application exchanges the authorization code, client ID and client secret, for an id token.


Jwks_uri is a metadata entry expressed as a URI for the OpenID Connect Identity Provider (IDP)'s JWK Set which contains a JSONArray of the JSON Web Keys (JWK) used for JSON Web Signature.

If empty, id token’s signatures are not verified.


The end session endpoint can be used to trigger single sign-out.

If empty, sign-out is disabled.

Override default settings:

Parameter name




Default value: PPM automatically choose the most appropriate flow.


The audience of ID Token issued by OP.

Default value: aAuth Client ID of PPM Application.


The claim in ID Token used for user id in PPM.

Default Value: sub


Specify a leeway window in which the ID Token should still be considered valid.

Default Value: 0


The redirect URI after OP successfully logs out

Default Value: <PPM_BASE_URL>/itg/sso/loggedout.jsp


The authentication method when the client application (PPM) exchanges the authorization code, client ID and client secret, for an id token from OP token endpoint.

Allowed values: client_secret_basic or client_secret_post

Default value: client_secret_basic


  • Only AUTHORIZATION CODE flow or IMPLICIT flow are supported.
  • token_endpoint_auth_method can only be either client_secret_basic or client_secret_post

Back to top

See also: