Integrating with Single Sign-On Software

Like other PPM Web components, PPM Web services integrate with most industry-standard single sign-on (SSO) systems, such as CA SiteMinder, Oracle® Identity Management, RSA Sign-On Manager, and IBM Tivoli Access Manager. Integration is accomplished through a pluggable authentication framework (similar to JAAS) and relies on the authentication framework described in Web Service Security.

This section includes the following parts:

  • SiteMinder

  • Other Single Sign-On Software

SiteMinder

The following figures show how SiteMinder is used to process authentication requests for PPM.

Figure 4-1. Web client single sign-on authentication scenario shows the steps when a user logs onto PPM through the standard interface.

  1. An HTTP or HTTPS logon request is made to PPM.

  2. The SiteMinder Web Agent intercepts the "protected" user request and redirects it to the Policy Server.

  3. The Policy Server prompts for the username and password, validates the information, and then forwards the request to the PPM Web server module.

  4. The Web server module forwards the validated logon request to the SiteMinder SSO module, after which the user is logged onto PPM.

Figure 4-1. Web client single sign-on authentication scenario

Figure 4-2. Web service client single sign-on scenario shows the steps when a Web service uses SiteMinder to log onto PPM.

  1. A SOAP request is passed to PPM.

  2. The SiteMinder Web Agent passes the "unprotected" Web service request to the SiteMinder Login Module (through the PPM Web server module).

  3. The SiteMinder Login Module extracts the username and password from the SOAP header and forwards the information to the SiteMinder Policy Server.

  4. The Policy Server validates the information and returns the validated logon request to the Login Module, after which the Web service is logged onto PPM.

Figure 4-2. Web service client single sign-on scenario
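The following is an added example, not code from PPM or from SiteMinder. It shows the two sides of the exchange in Figure 4-2: the SOAP request a Web service client sends with the user's credentials in the SOAP header (step 1), and the extraction the SiteMinder Login Module performs before forwarding the username and password to the Policy Server (step 3). It assumes the credential header is a WS-Security UsernameToken (the Web Service Security section is not reproduced on this page); the body operation, namespace and credentials are constructed for the sample.

```python
# Added example (not PPM or SiteMinder code). Client side builds the SOAP
# request; server side extracts the UsernameToken as the Login Module does.
# Assumption: credentials travel as a WS-Security UsernameToken. The body
# operation and its namespace are made up for this sample.
import xml.etree.ElementTree as ET
from typing import Tuple
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"  # SOAP 1.2 envelope
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


class SoapAuthError(Exception):
    """Raised when a request carries no credentials the Policy Server can check."""


def build_request(username: str, password: str, body_xml: str) -> str:
    """Client side: wrap a body in an envelope whose header carries the
    credentials as a UsernameToken. Values are XML-escaped so a password
    such as a<b cannot break or inject into the envelope."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
        "<soap:Header><wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body>"
        "</soap:Envelope>"
    )


def extract_credentials(soap_xml: str) -> Tuple[str, str]:
    """Server side: return (username, password) from the UsernameToken.

    SiteMinder validates a cleartext password, so only PasswordText is
    accepted; a PasswordDigest token cannot be forwarded to the Policy
    Server and is rejected here instead of failing later."""
    root = ET.fromstring(soap_xml)
    token = root.find(
        f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if token is None:
        raise SoapAuthError("no wsse:UsernameToken in the SOAP header")
    username = token.findtext(f"{{{WSSE_NS}}}Username")
    pw_el = token.find(f"{{{WSSE_NS}}}Password")
    if not username or pw_el is None or not pw_el.text:
        raise SoapAuthError("UsernameToken is missing Username or Password")
    # Type is optional in the profile; when absent it means PasswordText.
    if pw_el.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        raise SoapAuthError("Policy Server needs PasswordText, not a digest")
    return username, pw_el.text


# Constructed sample: the operation name is illustrative, not a PPM operation.
SAMPLE_REQUEST = build_request("wsuser", "s3cret",
                               '<getProjects xmlns="urn:example:ppm"/>')

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_REQUEST))
```

Because the Policy Server has to see the cleartext password on every call (see the limitation noted under PPM Server Configuration), the transport between the Web service client and the PPM Web server must be HTTPS; the UsernameToken gives no protection of its own.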

SiteMinder Configuration

To configure SiteMinder for PPM support, complete the following steps:

  1. In SiteMinder, add the following sub realms under the PPM main protection realm so that the Web service URLs are unprotected. (The Web service URL would be protected by the custom SiteMinder agent created in the next step.)

    • ppmservices

    • services

  2. Create a new Web agent.

    • Make sure that the 4.x compatibility flag is set.

    • Enter the server name of the PPM Center instance.

    • Enter a shared secret (the agent password).

    Caution: Record the agent name and the shared secret; these values are used again in the PPM server configuration (SM_AGENT_NAME and SM_SHARED_SECRET).

  3. Create a new Agent Config Object.

  4. Create a new realm for /itg. Choose the agent created in step 2 for this realm.

PPM Server Configuration

To configure the PPM Server for single sign-on support, complete the following steps:

  1. Install the SiteMinder Java Agent API for PPM product. Refer to the System Administration Guide and Reference for details.

  2. To configure the PPM Web service to authenticate using SiteMinder, add the following parameters to the server.conf file:

    # Allow the SiteMinder Login Module to be invoked for Web service user authentication.
    com.kintana.core.server.ENABLE_WEBSERVICE_SSO=true

    # If SiteMinder is chosen as the only authentication mode, the authentication mode set for
    # individual users through the Workbench user page is overridden by this mode.
    com.kintana.core.server.authentication_mode=SiteMinder

    # The PPM Web application uses single sign-on mode if this parameter is set.
    com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.SiteMinderSingleSignOn

    The authentication mode can be set to Mixed if needed, so that the Authentication Mode set per user in the Workbench is honored:

    com.kintana.core.server.authentication_mode=ITG, SiteMinder

    For Web service operations, the Authentication Mode for the Web service user account(s) must be set to SiteMinder. (This is configured from the PPM Workbench Sys Admin > Users menu.)

  3. Set the SiteMinder parameters as detailed in the Installation and Administration Guide.

    Caution: Use the agent name and shared secret established in step 2 of SiteMinder Configuration (Create a new Web agent) for the SM_AGENT_NAME and SM_SHARED_SECRET parameters in the <PPM_Home>/integration/siteminder/siteminder.conf file.

    A limitation of this solution is that no SSO session is kept for Web service clients: the credentials carried in each request are validated against the SiteMinder Policy Server on every Web service call.

Other Single Sign-On Software

To integrate with single sign-on software other than SiteMinder, additional customization might be involved depending on the SSO software deployed.

PPM Web service clients support HTTP basic authentication. If the SSO system can be configured to accept HTTP basic authentication, this is the simplest solution: no customization is needed; the client passes the user's credentials in the HTTP Authorization header and the SSO system authenticates them. Because basic authentication only Base64-encodes the username and password, the connection from the client through the SSO agent to PPM must use HTTPS (TLS); otherwise the password is readable by anyone on the network path. Refer to the Web Services Programmer's Guide for Web service client configuration details.
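The following is an added example, not code from PPM or from any SSO vendor. It shows what "passing the users' credential through the HTTP basic authentication header" amounts to on both sides: building the Authorization header a Web service client sends, recovering the credentials as the SSO front end would, and refusing to attach the header to anything but an HTTPS endpoint. The endpoint URL and credentials are constructed for the sample (the /itg and ppmservices path segments are taken from the realm names above).

```python
# Added example (not PPM or SSO-vendor code): HTTP basic authentication as
# used by a PPM Web service client. URL and credentials are constructed.
import base64
import binascii
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value the client sends (RFC 7617)."""
    if ":" in username:
        raise ValueError("RFC 7617: the user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) as the SSO front end would.

    Base64 is an encoding, not encryption: anyone who can read the request
    on the wire gets the cleartext password back with this same function,
    which is why the header must only travel over TLS."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first ':' separates user-id and password; the password may contain ':'.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def authorized_request_headers(url: str, username: str, password: str) -> Dict[str, str]:
    """Return the headers for a request, refusing to send Basic credentials
    to a non-HTTPS endpoint."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over {scheme!r}; use https")
    return {"Authorization": basic_auth_header(username, password)}


if __name__ == "__main__":
    # Constructed endpoint; path segments follow the realm names used above.
    hdrs = authorized_request_headers("https://ppm.example.com/itg/ppmservices/",
                                      "wsuser", "s3cret")
    print(hdrs, parse_basic_auth_header(hdrs["Authorization"]))
```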

The integration can also be done on the PPM server side by developing a custom login module (JAAS-like) that plugs into PPM's authentication framework. Refer to the Web Services Programmer's Guide to learn about developing custom authentication modules.