Clarity

  • 1.  Does Clarity On Demand support Service Provider Initiated Single Sign On ?

    Posted Sep 01, 2015 05:59 AM

    We are new to Clarity On Demand and are accessing it via SAML federated single sign on.

     

    We have been advised by CA Support that Clarity On Demand does not support Service Provider Initiated Single Sign On.

    However, the On Demand Portal Admin Guide states one of the parameters available is "Identity Provider SSO Service URL: The Identity Provider's Web Service used in case of time-outs, log-outs, and Service Provider Initiated SSO".

    We also suspect the On Demand Portal is built with CA SiteMinder which I understand supports Service Provider Initiated SSO.

     

    Being limited to Identity Provider SSO means we need to construct links to Clarity in the form https://<identity provider url>?PartnerSpid=<service provider id>TargetResource=<Clarity URL>

    Clarity URLs contain "#" and the single sign on interaction between the identity provider, the On Demand Portal and Clarity application results in everything after the # being stripped from the URL.

    This means every link to Clarity takes you to the Home page.

     

    We can achieve deep linking by replacing the # with %23 in URLs we generate or publish ourselves.  But we cannot do that for URLs generated by Clarity, such as those included in email notifications.

    When a user receives an email from Clarity containing a link to a project, dashboard or action, clicking the link always takes them to the home page - unless they have their browser open and have previously accessed Clarity to create a session.

    This is clunky and will impact user adoption.

     

    Has anyone got Service Provider Initiated SSO working with Clarity On Demand ?

     

    Or solved the above problem with a work around ?



  • 2.  Re: Does Clarity On Demand support Service Provider Initiated Single Sign On ?

    Broadcom Employee
    Posted Sep 09, 2015 08:40 PM

    Hi Matt,

     

    I am a member of the Product Support team.  On Demand supports a number of different types of Single Sign On implementations.  Unfortunately, I can't answer the question about whether or not both IDP and Service Provider Initiated SSO are supported by On Demand.

     

    However, the On Demand Team should be able to help you with the problem with the # symbol that you are facing.  Just open a ticket asking them to help you configure deep links in Clarity.

     

    They should be able to construct an external URL for Clarity once they get the information they need from you that can be added to your Clarity configuration files.  The external url in the configuration files will allow the notification and export to excel links to be converted to a format that will not be truncated by your SSO server and that can be read by Clarity.

     

    I hope this helps.

     

    Sincerely yours,

     

    Jeanne Gaskill

    Senior Support Engineer

    CA Clarity PPM



  • 3.  Re: Does Clarity On Demand support Service Provider Initiated Single Sign On ?

    Posted Sep 10, 2015 10:09 AM

    This discussion thread has been taking place in the following: Clarity URL issue with '#' symbol  ( https://communities.ca.com/message/241821112#241821112 specifically).

     

    There's also a related Support issue ticket where this is being progressed.  Requests have been made from Matt's organization for the appropriate IDP information (URLs, parameters, etc.) necessary for the OnDemand team to configure the SSO deep linking.



  • 4.  Re: Does Clarity On Demand support Service Provider Initiated Single Sign On ?

    Posted Sep 10, 2015 02:32 AM

    Hi Matt

     

     

    For OnDemand, we support IdP Initiated setup. To get the deep links enabled, we update the external URL parameter in the properties.xml file with the required URL, which would be like the one below. The process/job which generates the notification should pick the URL from the external URL.

     

     

    https://<IDPURL>?RelayState=encode(https://ondemand.ca.com/fedsso?targetUrl=encode(replace(/niku/nu#action:,/niku/app?action=,${entryurl}))&returnUrl=encode(<URL after logout happens>)))

     

     

    RelayState, marked here (in green), depends on your SSO implementation (PING/OKTA/ADFS); it can be TargetResource as well. This parameter usually, after authenticating the user at your end, passes the location where he needs to be taken in Clarity.

    If you have a case raised, the OD team would help you get this done.

     

     

     

    We established deep links for notifications mostly in this way.

     

    Regards

    Anil
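
The link construction described in the reply above, as an added example that is not part of the original thread or CA's own code: it shows why the unencoded "#" link loses its action at the IdP and how the rewritten, doubly encoded target survives both hops. The IdP URL, Clarity host, logout URL and sample link are assumed placeholders, and the host check is an added precaution for a redirect-style parameter, not something the thread specifies.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Assumed placeholders, not values from the thread (only the fedsso URL is).
IDP_SSO_URL = "https://idp.example.com/sso"      # hypothetical IdP SSO endpoint
TARGET_PARAM = "RelayState"                      # or TargetResource, per IdP
FEDSSO_URL = "https://ondemand.ca.com/fedsso"    # quoted in the reply above
CLARITY_HOST = "clarity.example.com"             # hypothetical Clarity host
LOGOUT_URL = "https://intranet.example.com/out"  # hypothetical post-logout page

# Constructed sample of a fragment-style link as found in a notification.
SAMPLE_ENTRY = "https://clarity.example.com/niku/nu#action:example.view&id=1001"


def server_side_target(link):
    """Return the target parameter as the IdP receives it (no fragment)."""
    return parse_qs(urlsplit(link).query)[TARGET_PARAM][0]


def naive_link(entry_url):
    """Unencoded link: everything after '#' becomes the outer URL's fragment."""
    return f"{IDP_SSO_URL}?{TARGET_PARAM}={entry_url}"


def build_deep_link(entry_url):
    """Build the IdP-initiated link with the rewritten, nested-encoded target."""
    parts = urlsplit(entry_url)
    # Only wrap links for the expected host, so the SSO hop cannot be pointed
    # at an arbitrary site through the target parameter.
    if parts.scheme != "https" or parts.hostname != CLARITY_HOST:
        raise ValueError("target is not on the expected Clarity host")
    target = entry_url.replace("/niku/nu#action:", "/niku/app?action=", 1)
    if "#" in target:
        raise ValueError("target still has a fragment that would be dropped")
    inner = (f"{FEDSSO_URL}?targetUrl={quote(target, safe='')}"
             f"&returnUrl={quote(LOGOUT_URL, safe='')}")
    return f"{IDP_SSO_URL}?{TARGET_PARAM}={quote(inner, safe='')}"


def recovered_target(link):
    """Decode hop by hop: IdP parameter first, then fedsso's targetUrl."""
    inner = server_side_target(link)
    return parse_qs(urlsplit(inner).query)["targetUrl"][0]


if __name__ == "__main__":
    print(server_side_target(naive_link(SAMPLE_ENTRY)))   # action is lost
    print(recovered_target(build_deep_link(SAMPLE_ENTRY)))  # action survives
```
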



  • 5.  Re: Does Clarity On Demand support Service Provider Initiated Single Sign On ?

    Posted Sep 15, 2015 11:46 PM

    Thanks for the responses.   From the above I take away:

     

    - Clarity On Demand does not support Service Provider Initiated single sign on.

     

    - Deep linking is possible and requires use of URLs that point to the Identity Provider, pass the desired Clarity URL within a "target" parameter (the parameter name depending on your Identity Provider application), and use the pattern "/niku/app?action=" instead of "/niku/nu#action:"

     

    - This pattern is required for links in notifications generated by Clarity - otherwise they all resolve to the Clarity home page because the browser ignores everything after the "#"

     

    - To make links in notifications work requires a configuration setting to be changed by the On Demand support team

     

    We are progressing a support ticket with the solution proposed above for deep linking - I can't confirm it works as the first attempt to apply the change last weekend has not worked.