Multiple Customer IDPs to Access a Single GCP Clarity PPM Instance

Article ID: 209461

Products

Clarity PPM SaaS

Issue/Introduction

Customers may want to use multiple IDPs to access a single Clarity instance. The following two scenarios require this setup:

  • When different business units (with different user stores or IDP setups) need to access the same Clarity instance
  • When two companies are going through a merger and their systems are not yet fully integrated

Customers need to specify the primary IDP. Broadcom Okta will set up redirection from Clarity to this IDP to trigger the SP-initiated flow.

Cause

Informational Document 

Environment

Release: Clarity GCP, all supported releases

Component: CA PPM SAAS OPERATIONS SSO

Resolution

Tasks for Broadcom SSO Team

  1. Create two IDP configurations from the customer's IDPs. Share the metadata for both IDP configurations with the customer.
  2. Update the IDP configurations as needed.
  3. Set up IDP filters if needed.
  4. Map both IDPs to one Okta group. The group assignment should be set up the same way for both IDPs. As shown in the following illustration, the same ClarityPPM group is mapped in both IDPs.
  5. On Clarity PPM, set the primary IDP in the errorUrl and externalUrl settings so that the SP-initiated flow redirects to it.

Tasks for Customer

  1. Provide metadata for both IDPs.
  2. Once the Broadcom team sets up the Service Provider configuration and shares the SP metadata, update both IDPs with the Broadcom SSO metadata and RelayState information.
  3. Provide end users an interface (portal or dashboard) to access Clarity with the IDP-initiated flow.

Additional Information

End-User Experience

Primary IDP users: users of the primary IDP can access Clarity in either of the following two ways.

Access PPM URL

The user accesses the PPM URL directly (for example, https://cppmxxx.ondemand.ca.com) and is redirected to the primary IDP login screen. In this illustration, the user is redirected to an Azure IDP, which is the primary.

Access dashboard, portal, or customer interface in the Customer Environment

The user starts the login process from the customer environment by accessing an IDP URL (either a bookmarked URL or a dashboard interface set up on the customer side).

Secondary IDP Users

Users of the other IDPs cannot access Clarity directly, because the PPM URL redirects them to the primary IDP. They need to access Clarity from their own environment using the IDP-initiated flow.

Access dashboard, portal, or customer interface in the Customer Environment

The user starts the login process from the customer environment by accessing an IDP URL (either a bookmarked URL or a dashboard interface set up on the customer side).

Deeplink Notifications

Deep links are generated from the externalUrl setting in Clarity, and the link contains the customer's IDP URL. When a customer has multiple IDPs, deep links therefore work only for end users who can authenticate with the IDP configured in that setting. In this setup, only primary IDP users will be able to use the deep link URLs generated by processes, action items, notifications, and so on.
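The following is an added example, not code from this article or from Clarity or Okta. It parses the two IDP metadata documents exchanged in step 1, identifies which IDP the externalUrl setting points at (assuming the externalUrl embeds that IDP's SSO endpoint, matched by hostname), and reports which user population a generated deep link will work for. The metadata and URLs are constructed placeholders.

```python
# Added example (not from the Broadcom article or Clarity/Okta code).
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def sample_metadata(entity_id, sso_url):
    """Constructed IdP metadata for this example; real metadata comes from the customer's IdP."""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="{entity_id}">'
            f'<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:SingleSignOnService Binding="{REDIRECT}" Location="{sso_url}"/>'
            f'</md:IDPSSODescriptor></md:EntityDescriptor>')

def parse_idp_metadata(xml_text):
    """Return the entityID and HTTP-Redirect SSO endpoint from SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    sso_url = None
    for sso in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT:
            sso_url = sso.get("Location")
    if not entity_id or not sso_url:
        raise ValueError("metadata lacks entityID or an HTTP-Redirect SSO endpoint")
    return {"entity_id": entity_id, "sso_url": sso_url}

def primary_idp(idps, external_url):
    """Assumption: externalUrl embeds the primary IdP's SSO URL, so match on hostname.
    Exactly one IdP must match; otherwise the Clarity setting is inconsistent."""
    host = urlparse(external_url).hostname
    matches = [i for i in idps if urlparse(i["sso_url"]).hostname == host]
    if len(matches) != 1:
        raise ValueError(f"externalUrl host {host!r} matches {len(matches)} IdPs, expected 1")
    return matches[0]

def deeplink_works_for(idps, external_url):
    """Deep links carry the externalUrl IdP, so only that IdP's users can follow them."""
    prim = primary_idp(idps, external_url)
    return {i["entity_id"]: i is prim for i in idps}

# Two constructed IdPs (e.g. two business units); idp-a is the one configured as primary.
IDPS = [parse_idp_metadata(sample_metadata("https://idp-a.example.test/saml",
                                            "https://idp-a.example.test/saml/sso")),
        parse_idp_metadata(sample_metadata("https://idp-b.example.test/saml",
                                            "https://idp-b.example.test/saml/sso"))]
EXTERNAL_URL = "https://idp-a.example.test/saml/sso"  # constructed externalUrl value

if __name__ == "__main__":
    for entity, ok in deeplink_works_for(IDPS, EXTERNAL_URL).items():
        print(f"{entity}: deep links {'work' if ok else 'fail; use the IdP-initiated flow'}")
```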
