The Primavera Portfolio Management (PPM) application can be integrated with 3rd party Single Sign-On (SSO) products, so that a user who has already been authenticated by the 3rd party SSO product is automatically authenticated with PPM as well. With this functionality enabled, PPM does not prompt users for their usernames and passwords; they are logged into the PPM application without having to use the login dialog screen.
Note: This feature works only for users who have logged in using the 3rd party SSO product and whose 3rd party SSO product user name is identical to their login name in PPM. If these do not match exactly, when accessing PPM the user will be presented with the regular PPM login dialog screen, together with the message “invalid username/password”.
This chapter outlines possibilities for enabling integration with 3rd party SSO products for PPM. For the exact procedure to follow, please refer to the 3rd party SSO product manuals.
Note: You can enable and configure Web SSO login for the following PPM server utilities:
- Action Queue Viewer
- Database Cleanup Utility
- Import Portfolio Management Package
- Export Portfolio Management Package
- Schedule Portfolio Management Tasks
To learn about configuring Web SSO, see Enabling Web SSO for Server Utilities.
Third Party SSO Product Requirements
In order to be able to integrate with PPM, the 3rd party SSO product must be able to fulfill the following requirements:
- Ability to intercept browser access to the PPM web server.
- Ability to set an HTTP header variable to a fixed value.
- Ability to set another HTTP header variable to the name of the authenticated user.
Note: PPM does not accept “cookies” as an authentication method.
PPM Configuration for Integration with Third-Party SSO Product
PPM can be configured to accept any HTTP header variables. The following registry values control the names and values of the HTTP header variables used for integration:
Note that all registry values discussed below may be inserted into the Registry under the key: HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\Primavera Portfolio Management\Portfolios\Server\UI
Registry Value "SSO Authentication Type HTTP Header Name" (String). Data: name of the HTTP header variable containing the authentication type.
Default: "AUTH_TYPE"
Explanation: The type of SSO Authentication is carried in the HTTP header variable called "AUTH_TYPE". If an SSO product is unable to use this particular header variable, then this registry entry can be used to cause PPM to look at a different HTTP header variable.
Note: PPM uses the "raw" HTTP header interface. However, it is recommended to also configure PPM with an "HTTP_" prefix.
Registry Value "SSO Authentication Type HTTP Header Value" (String). Data: value to be assigned to the "SSO Authentication Type HTTP Header", which indicates that the SSO product will perform user authentication.
Default: "Negotiate"
Explanation: The "Negotiate" value in the HTTP header variable "AUTH_TYPE" is interpreted by PPM to mean that a SSO product is responsible for user authentication. If an SSO product assigns a different value to the HTTP header variable, then this registry entry can be used to cause PPM to accept the value which the SSO product assigns.
Registry Value "SSO Authenticated User HTTP Header Name" (String). Data: name of the HTTP header variable containing the user name of the user authenticated by the SSO product.
Default: "LOGON_USER"
Explanation: The name of the user authenticated by the SSO product should be placed in an HTTP header variable called "LOGON_USER". If an SSO product is unable to use this header variable, then this registry entry can be used to cause PPM to accept the name of the authenticated user from a different HTTP header variable.
Note: PPM uses the "raw" HTTP header interface. However, it is recommended to also configure PPM with an "HTTP_" prefix.
Registry Value "SSO Logout URL" (String). Data: the value assigned to "SSO Logout URL", which is the SSO Logout screen that PPM should redirect to.
Default: "Logout URL of SSO"
Explanation: On logout, PPM redirects the user to the URL stored in "SSO Logout URL", which should point to the SSO product's Logout screen.
Example
SSO products such as OAM and Netegrity SiteMinder can be configured to set custom HTTP headers. In Netegrity SiteMinder, see the SiteMinder log file. When these "custom HTTP headers" reach PPM, their names are prefixed with "HTTP_". Therefore, a typical Netegrity SiteMinder setup is as follows:
- Configure Netegrity SiteMinder to create a custom HTTP header called "AUTH_TYPE", whose value is set to "Negotiate". Also configure Netegrity SiteMinder to create a “Response Attribute” custom HTTP header called "AUTH_USER", and set its value to the login name (id) of the authenticated user.
- Configure the appropriate Netegrity SiteMinder policy to send.
- Configure PPM accordingly by creating the following registry string values:
  - SSO Authentication Type HTTP Header Name should have a value of HTTP_AUTH_TYPE
  - SSO Authentication Type HTTP Header Value should have a value of Negotiate
  - SSO Authenticated User HTTP Header Name should have a value of HTTP_AUTH_USER
  - SSO Logout URL should have a value of SSO Logout URL
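The header contract from the SiteMinder setup above, modelled in Python as an added example (not PPM's own code): a request counts as SSO-authenticated only when the header named by "SSO Authentication Type HTTP Header Name" carries the configured value and the header named by "SSO Authenticated User HTTP Header Name" exactly matches a PPM login; otherwise the user falls back to the login dialog. The CGI-style "HTTP_" name normalisation and the PPM login list are assumptions.

```python
"""Model of PPM's header-based SSO decision (added example, not PPM code)."""

# Registry string values from the SiteMinder example above (constructed copy).
REGISTRY_UI = {
    "SSO Authentication Type HTTP Header Name": "HTTP_AUTH_TYPE",
    "SSO Authentication Type HTTP Header Value": "Negotiate",
    "SSO Authenticated User HTTP Header Name": "HTTP_AUTH_USER",
}

# Constructed PPM login names; a real deployment consults PPM's user table.
PPM_LOGINS = {"jsmith", "adoe"}


def raw_header_name(header: str) -> str:
    """Map a wire header name to its 'raw' HTTP_-prefixed variable name.

    Assumption: CGI-style normalisation, e.g. 'Auth-User' -> 'HTTP_AUTH_USER',
    which is why the page recommends configuring PPM with the HTTP_ prefix.
    """
    return "HTTP_" + header.strip().upper().replace("-", "_")


def sso_user(headers: dict, config=REGISTRY_UI, logins=PPM_LOGINS):
    """Return the authenticated PPM login, or None when the login dialog is shown."""
    raw = {raw_header_name(name): value for name, value in headers.items()}

    # Step 1: the authentication-type header must carry the configured value;
    # anything else means no SSO assertion and the regular PPM login dialog.
    auth_type = raw.get(config["SSO Authentication Type HTTP Header Name"])
    if auth_type != config["SSO Authentication Type HTTP Header Value"]:
        return None

    # Step 2: the user header must be identical to a PPM login name
    # (case included); otherwise PPM shows "invalid username/password".
    user = raw.get(config["SSO Authenticated User HTTP Header Name"], "")
    return user if user in logins else None


if __name__ == "__main__":
    # Constructed request as the SSO agent would forward it.
    request = {"Auth-Type": "Negotiate", "Auth-User": "jsmith"}
    print(sso_user(request))  # jsmith
```

Because PPM decides purely on these header values, the deployment must guarantee that only the SSO product can reach the PPM web server (the "intercept access" requirement above); a useful acceptance check is to send a request that bypasses the SSO agent and confirm that PPM answers with the login dialog.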