CA PPM with Single Sign On - How can we track whether PPM has received the header or cookie from our SSO Solution?


Article ID: 39838


Updated On:


Clarity PPM On Premise



We are integrating CA PPM with a Single Sign On solution.  We are not sure if PPM is receiving the SSO Auth. token (header or cookie).

How can we troubleshoot?


Please note the following suggestions should only be enabled short term.

Application of PPM patches and/or PPM upgrades will revert the changes mentioned below.

First identify the name of the cookie or token being used for Single Sign On in the PPM CSA (NSA).

1.Login to the NSA and go to the security tab 

2.Confirm the value for token, for example: "SSO_TOKEN" 

3.Navigate to the following folder on the PPM Server 

cd <CLARITY HOME>/.setup/scripts 

4.Make a backup copy and then open commondeploy.xml file for editing 

Look for this section: 

<choose property="app.access.valve.configuration"> 

<when value="default"> 

<override name="" value="org.apache.catalina.valves.AccessLogValve"/> 

<override name="app.access.valve.pattern" value="%h|%t|%r|%s|%b|%D|%{sessionId}c"/> 

Edit the line: 

<override name="app.access.valve.pattern" value="%h|%t|%r|%s|%b|%D|%{sessionId}c"/>

Change it to read: 

<override name="app.access.valve.pattern" value="%h|%t|%r|%s|%b|%D|%{sessionId}c|%{User-Agent}i|%{SSO_TOKEN}i|%{SSO_TOKEN}c"/> 

Note: The "c" or "i" that appear after the token represent a "cookie" or "header" respectively.

Save the file  

5.Deploy the app and start the “app” service 

<clarity>/bin/service deploy stop start app  

6.Validate the change in /opt/clarity/tomcat-app-deploy/conf/server.xml 

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="/opt/clarity/logs" prefix="app-access-" suffix=".log" pattern="%h|%t|%r|%s|%b|%D|%{sessionId}c|%{User-Agent}i|%{SSO_TOKEN}i|%{SSO_TOKEN}c" resolveHosts="false" />

7.The <CLARITY_HOME>/logs/app-access* log files will now include the SSO header or cookie, for example:|[16/Mar/2016:09:19:30 -0700]|POST /niku/nu?uitk.logger&actionId=itl.incidentObject HTTP/1.1|200|-|1|5637607__873BB31C-754E-46F1-A00F-6E68FE4ED54A|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; QAM; AuthQSWsystem; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; InfoPath.3)|[email protected]|-


In the example above, the "[email protected]" is the SSO header as it came in as an HTTP Header.



Release: ESPCLA99000-14.2-Clarity-Extended Support Plus