Jeanne_Gaskill_CA_Clarity_Support

CA Clarity Tuesday Tip:  XOG, OWB, and MSP login failures with SSO

Discussion created by Jeanne_Gaskill_CA_Clarity_Support Employee on Jun 17, 2014
Latest reply on Jun 18, 2014 by Georgy N Joseph

Customers who have SSO (Single Sign-On) set up on their Clarity system often have problems with login failures when they start trying to use non-browser clients like XOG, OWB (Open WorkBench), or MSP (Microsoft Project).  The password that needs to be used to log in via any of these products may be different than the one the end-user uses to log into Clarity via SSO.

 

When you configure Clarity to work with SSO, you have a choice to make about whether or not to configure Clarity to work with the same LDAP server that your SSO server interfaces with.  When a user logs into Clarity via SSO, the SSO server communicates with the LDAP server to verify that the user's credentials are correct.  If the credentials are correct, the SSO server redirects the user to the Clarity server and Clarity allows the user in without ever checking the credentials itself.  Clarity never communicates directly with the LDAP server for login purposes.  Consequently, you do not have to configure LDAP at all in the Clarity CSA/properties.xml in order for login to work.  However, if you want to use the LDAP jobs provided by Clarity to synchronize your users in Clarity with the LDAP server, you do need to configure LDAP in order for those jobs to get information directly from the LDAP server.

 

What many people do not realize is that whether or not LDAP is configured on the Clarity server and whether they configure LDAP to allow non-ldap users or not affects how their users will log into the non-browser clients.

 

When a user logs in via XOG or any other non-browser client, they bypass SSO and log directly into the server.  Here are three possible setups for SSO/LDAP/Clarity and how they will affect login to non-browser clients:

 

1.     LDAP is not configured in Clarity

 

Users will need to log into non- browser clients with their Clarity password (the one set under Administration, Resources in the user's properties page) nstead of the one they use to log into Clarity via SSO.  Since most SSO end users do not know their Clarity passwords, the admin will almost always have to go into Clarity and manually reset the users passwords to something they know.  Another alternative is to set all user's passwords to something generic, click the option to force the user to change their password, and communicate this information to their users.

 

NOTE:  @Clarity Hosted customers - This is how you are set up.

 

2.     LDAP is configured in Clarity and the allow non-ldap users option is checked.

 

If you want the user to be able to use the same password  they use to log into Clarity via SSO, go to Administration, Resources, locate your user and ensure that the External Authentication option at the bottom of the page is checked.  If you want them to log in with the Clarity password, uncheck the External Authentication option and make sure the customer knows what their Clarity password is set to.

 

NOTE:  @Clarity On Demand (SAAS) customers - This is how you are set up in most cases.

 

3.     LDAP is configured in Clarity and the allow non-ldap users option is not checked.

 

End-users will always use the same password to log into non-browser clients that they use to log into Clarity via SSO.

Outcomes