Introduction


Purpose

This document describes authentication methods available for Clarity PPM based on Rego Consulting SaaS infrastructure.

Overview

Rego Consulting's SaaS offering provides a single login experience for Clarity PPM that is flexible enough to support the application and secure it properly.
You can log in to Rego's SaaS offering using one of the following methods:

  1. Authenticate against Rego's AWS based sign-in solution.

  2. Use federated SSO integration with your identity management provider (IdP), using either SAML or OpenID.

By default, all customers are set up to use Rego's AWS based solution. Your usernames (email addresses or Clarity PPM usernames) are configured as the Cognito username, and all environments are secured by the login mechanism the solution provides. To enable federated SSO integration and use your IdP as the authentication method, customers need to raise a request with Rego Technical Support.
Federated SSO integration allows you to create a trusted relationship between Clarity PPM and your identity management solution. This relationship delivers the following benefits:

  • Seamless integration between networks and environments: You and other users can move easily between your intranet and Clarity PPM.

  • Simplified password management: You do not have to manage user passwords separately from Clarity PPM because your existing user management system handles password management.

  • Rego Supported: A dedicated support organization provides technical support.

Note: Customers previously using the CA On-Demand Portal to manage users, security, and federated SSO will now use the AWS based solution as the new solution to set up federated SSO.

SaaS Authentication Components

Rego leverages the following components to support the different authentication methods in the Clarity PPM infrastructure.

  1. AWS Cognito: The IdP solution used to support federated SSO for Clarity PPM as well as non-federated environments.

  2. Customer Provided Identity Management Provider (IdP): The identity provider used by customers within their organization.

  3. Clarity PPM Cognito Service: A new web application installed in the Clarity PPM infrastructure as a separate service to accept HTTP requests containing an OAuth response from AWS Cognito.

  4. Cognito User Sync Job: A new Clarity PPM job that syncs users seamlessly into AWS Cognito.

  5. Clarity PPM: The target application for customers.

User Management

Creating a New User

Broadcom uses AWS Cognito as the system of record for users that access Rego's products. Every user that accesses Clarity PPM must be a user in Rego's AWS managed Cognito Service. In addition, user groups within AWS Cognito determine the instances a user can access. A user may be a member of one or more user groups depending on the instances they can access.
Clarity PPM administrators in your organization can create and manage users within Clarity PPM. When defining users in Clarity PPM, the username can be set to a specific username or to the user's email address.

Syncing Users Between Clarity PPM and AWS Cognito

After defining a user in Clarity PPM, administrators can use the Cognito User Sync job to synchronize the users in AWS Cognito and assign them to the appropriate security groups. Administrators should manually schedule this job to run regularly.
The Cognito User Sync job is only available in Clarity PPM 15.2 and higher.
The Cognito User Sync job uses the following parameters:

  • Start Date:

    1. When provided, the job looks for users modified since the provided date (or rolling date) and syncs them accordingly.

    2. When not provided, the job performs a full sync.


The job will perform the following actions:

  1. Read all users from Clarity PPM that have not been synced and have been modified within the time frame. If the job is started with the full sync parameter, then all users from Clarity PPM will be read.

  2. Determine the user group based on the Clarity PPM instance.

  3. Check if the Clarity PPM user exists in AWS Cognito.

    1. If the user exists and is in the appropriate group, then the job will not do anything for that user.

    2. If the user exists but is not in the appropriate user group, the job will add the user to the appropriate user group.

    3. If the user does not exist in AWS Cognito, the job will create the user and add them to the appropriate user group.

    4. If the user is inactive or locked in Clarity PPM:

      1. In a lower environment, the user is removed from the group.

      2. In a production environment, the user is removed from the group and deactivated.

  4. When added to the user group, the user is automatically assigned to the appropriate Clarity PPM application.



Understanding AWS Cognito User Groups


The Rego team creates user groups in AWS Cognito that map to each provisioned Clarity PPM environment. A single user can be a member of multiple user groups, which allows them to access multiple Clarity PPM environments.
The user groups follow this nomenclature:
<Company Name>-<Service>-<Instance Type>
Consider an example where a tenant called MyBank is provisioned to use Clarity PPM.
MyBank needs two types of Clarity instances, namely dev and prod. The provisioning process assigned MyBank the tenant domain. In this scenario, the provisioning process would create two user groups for MyBank:

  • MyBank-ClarityPPM-PROD

  • MyBank-ClarityPPM-DEV

These user groups correspond to the two instances of Clarity that will be running for MyBank. Clarity PPM administrators need to define users in each instance of Clarity PPM, then run the Cognito User Sync job on each instance to sync its users with the matching group in AWS Cognito.
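The following Python example, added here and not part of Rego's Cognito User Sync job or the AWS Cognito API, walks through the sync rules listed above (Start Date filter, create / add-to-group / unchanged, and the lower-vs-production handling of inactive or locked users) together with the MyBank group naming convention. The user pool is an in-memory dictionary standing in for AWS Cognito, and all user records are constructed sample data.

```python
# Added illustration, not Rego's job: the sync rules above run against an in-memory Cognito stand-in.
from collections import namedtuple
from datetime import datetime

ClarityUser = namedtuple("ClarityUser", "username active locked modified")   # constructed record

def pool_add(pool, username, group):
    """pool: username -> {"enabled": bool, "groups": set}; stand-in for the Cognito user pool."""
    pool.setdefault(username, {"enabled": True, "groups": set()})["groups"].add(group)

def group_name(company, instance_type):
    # <Company Name>-ClarityPPM-<Instance Type>, as in the MyBank example above
    return f"{company}-ClarityPPM-{instance_type.upper()}"

def sync_users(clarity_users, pool, company, instance_type, start_date=None):
    """Reconcile Clarity PPM users into the pool; return (username, action) pairs."""
    group = group_name(company, instance_type)
    is_prod = instance_type.upper() == "PROD"
    actions = []
    for u in clarity_users:
        # Start Date given: only users modified since then; otherwise a full sync.
        if start_date is not None and u.modified < start_date:
            continue
        entry = pool.get(u.username)
        if u.locked or not u.active:
            if entry is None:            # assumption: an inactive user is never created
                continue
            entry["groups"].discard(group)
            if is_prod:                  # production: also deactivate the account
                entry["enabled"] = False
            actions.append((u.username, "deactivated" if is_prod else "removed"))
        elif entry is None:
            pool_add(pool, u.username, group)
            actions.append((u.username, "created"))
        elif group not in entry["groups"]:
            entry["groups"].add(group)
            actions.append((u.username, "added"))
        else:
            actions.append((u.username, "unchanged"))
    return actions

def run_example():
    # Constructed sample: alice unchanged, bob locked in prod, carol new, dave older than Start Date.
    pool = {}
    pool_add(pool, "alice", "MyBank-ClarityPPM-PROD")
    pool_add(pool, "bob", "MyBank-ClarityPPM-PROD")
    users = [ClarityUser("alice", True, False, datetime(2024, 3, 1)),
             ClarityUser("bob", True, True, datetime(2024, 3, 1)),
             ClarityUser("carol", True, False, datetime(2024, 3, 2)),
             ClarityUser("dave", True, False, datetime(2023, 1, 1))]
    return sync_users(users, pool, "MyBank", "prod", datetime(2024, 2, 1)), pool
```

In a real deployment the dictionary operations would map onto Cognito's admin user and group calls; the rules themselves are the point here.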

Enable Federated SSO in Clarity PPM through AWS Cognito


To enable the federated SSO service, you need to create a Rego Technical Support ticket with the following information:

  1. The SAML metadata URL for your IdP, so that a connection can be established with AWS Cognito.

  2. The IdP URL and returnUrl, so that deep linking can be configured.

  3. The logout URL, so that users can be redirected there after logging out of Clarity PPM.



Authentication Flows in AWS Cognito infrastructure

Let's review some of the typical flows to authenticate users in the Rego Clarity PPM infrastructure:

1 - Authentication using AWS Cognito


This is the default login flow in Clarity PPM unless the customer has enabled federated SSO integration between their IdP and Rego's AWS Cognito. This authentication method is used when users navigate directly to the Clarity PPM URL.

Let's review the steps for this flow using the above image:

  1. The user navigates to the Clarity URL, either via the browser or a deep link.

  2. The user is redirected to the Cognito login screen.

  3. After the user enters credentials, AWS Cognito and Clarity PPM exchange authentication requests.

  4. Clarity PPM validates the user group and checks that the user is active.

  5. Clarity PPM responds with the requested resource.

2 - Authentication using Customer's Identity Management Provider (Federated SSO)


An IdP initiated flow is followed when a customer has enabled federated SSO integration between their IdP and Rego's infrastructure.

Let's review the steps for the IdP initiated flow by using the above image:

  1. The user navigates to the Clarity URL, either via the browser or a deep link.

  2. The user is redirected to their IdP login screen.

  3. After the user enters credentials or is logged in automatically, the SAML response is exchanged with AWS Cognito.

  4. If the SAML response is validated and contains the proper information, AWS Cognito and Clarity PPM exchange authentication requests.

  5. Clarity PPM validates the user group and checks that the user is active.

  6. Clarity PPM responds with the requested resource.




4 – Excluded Endpoints

The following endpoints are mainly used to import and/or export data, configuration and other details from one system to another. These services are excluded from AWS Cognito and therefore require a Clarity based username and password:

  • XML Open Gateway (XOG)

  • REST API

  • OData

Note: XOG will not support SSO. A XOG transaction is performed by specifying the Clarity PPM username and password of a user who is authorized to perform the requested XOG operation. That user is authenticated using Clarity PPM authentication.

Key Points to Remember



  • Clarity PPM uses a new SSO solution, Rego's AWS Cognito solution, which is applied to all environments.

    • If a customer is using their IdP for SSO, they will continue to manage passwords in their IdP.

  • All customers that do not use SSO integration between Clarity PPM and their IdP need to log in using the AWS Cognito login page.

Commonly Asked Questions



  1. Our organization currently uses a job/process from Clarity PPM to the CA On-Demand Portal. How will this process work in the new environment?

Answer: Users are managed by using the Resources page in Clarity PPM or by XOG. Clarity PPM includes the new job to synchronize users from Clarity to AWS Cognito.

  2. Our organization uses the On-Demand portal to process the AD file and process new non-licensed users and agency users that would bypass the portal. How will this be supported?

Answer: In the new service, administrators can manage (create, update, and delete) licensed users directly within Clarity PPM. Administrators can work with Rego to configure licensed users to access Clarity PPM.

  3. Our partners do not have a user account with our organization. Can they still work in Clarity PPM?

Answer: Yes, the AWS Cognito service syncs all usernames; it does not have domain or email specific requirements.

  4. We currently use the ODUM tool to provision users into Clarity PPM via the portal. How will we do this in the new environment?

Answer: Clarity PPM administrators can use the XOG utility to make bulk changes to users.

  5. What data will AWS Cognito store?

Answer: AWS Cognito will store the following user details:

  • User name

  • Email address

  • First name

  • Last name

  • Password (encrypted)
