What's New in PPM 9.51

This section provides an overview of the features that were introduced or enhanced in PPM 9.51.

Portlet enhancements

The portlet user experience has been overhauled:

  • Only the major legends are now displayed by default. You can show more or less legend categories.
  • The portlets automatically resize to adapt to the screen size.
  • The preview page now displays on every print operation.

These changes apply to all chart types, except bubble and Gantt charts.

Back to top

Support OpenJDK for Workbench

To support OpenJDK on windows client, we developed the “Workbench App”. The Workbench App is a desktop application that you need to install on your computer. You can open the app from the PPM web page, or from the installation folder.

To install the workbench application:

  1. Select Open > Administration > Workbench > Open workbench App.
  2. In this page, click the download link and save the Workbench bundle to computer.
  3. Unzip the downloaded zip file.
  4. Double click install.bat to register Workbench.

To open workbench application from installed folder:

  1. Double click Startup.bat.
  2. Enter the PPM URL and user credential information.

To open workbench application from the PPM web page:

  1. Select Open > Administration > Workbench > Open workbench App.
  2. Accept the browser's prompt to open Workbench smoothly next time.

Note: If SSO is enabled, exclude the Workbench URL from SSO’s protection.

http://<PPM _Base_URL>/itg/wbservices

Back to top

OIDC SSO

OIDC Authorization Code Flow and Implicit Flow are supported.

For more information about OIDC, visit https://openid.net/connect/

To set up OIDC SSO with PPM:

  1. Register PPM as Relaying Party (RP) in OpenID Provider (OP) with parameters:

    Callback URI: <PPM_BASE_URL>/itg/web/sso/oidc_callback.jsp

    Post Logout URI: <PPM_BASE_URL>/itg/web/sso/loggedout.jsp

    Remember the oAuth Client Key and oAuth Client Secret

  2. Edit the PPM server.conf file as follows:

    Add or change

    com.kintana.core.server.SINGLE_SIGN_ON_PLUGIN=com.kintana.sc.security.auth.OIDCSingleSignOn

  3. Edit <PPM_HOME>/integration/sso/oidc_sso.conf:

    1. Add discovery_file=<path to OP metadata file> or discovery_uri=<URI of OP metadata file>
    2. Add client_id=<oAuth Client Key for PPM>
    3. If PPM cannot access OP directly, configure the proxy: proxy=<proxy_dns or proxy_ip>:<proxy_port>

    4. If OP uses self-signed certification for https, add: disable_ssl=true

      Only use this option in development or test environments. Never use it in a production environment.
  4. Restart PPM user instances.

Troubleshooting

  • To troubleshoot SSO, check the <ppm_server>/log/serverLog.txt file.

  • For more debug information, in <PPM_HOME>/conf/logging.conf:

    Set com.kintana.core.logging.SYSTEM_THRESHOLD = DEBUG

    Add com.kintana.core.logging.PRODUCT_FUNCTION_LOGGING_LEVEL = com.kintana.sc.authentication, DEBUG

Advanced Configuration

You can override the default settings or parameters for RP metadata in the oidc_sso.conf file:

Override OP metadata in discovery_file or discovery_uri (see above):

Parameter name

Description

issuer

The issuer identifier for the OpenID Provider.

authorization_endpoint

The authorization endpoint is the endpoint on the authorization server where the resource owner logs in, and grants authorization to the client application.

token_endpoint

The token endpoint is the endpoint on the authorization server where the client application exchanges the authorization code, client ID and client secret, for an id token.

jwks_uri

Jwks_uri is a metadata entry expressed as a URI for the OpenID Connect Identity Provider (IDP)'s JWK Set which contains a JSONArray of the JSON Web Keys (JWK) used for JSON Web Signature.

If empty, id token’s signatures are not verified.

end_session_endpoint

The end session endpoint can be used to trigger single sign-out.

If empty, sign-out is disabled.

Override default settings:

Parameter name

Description

flow

Allowed Values: AUTHORIZATION CODE or IMPLICIT

Default value: PPM automatically choose the most appropriate flow.

audience

The audience of ID Token issued by OP.

Default value: aAuth Client ID of PPM Application.

user_id_claim

The claim in ID Token used for user id in PPM.

Default Value: sub

leeway

Specify a leeway window in which the ID Token should still be considered valid.

Default Value: 0

post_logout_redirect_uri

The redirect URI after OP successfully logs out

Default Value: <PPM_BASE_URL>/itg/sso/loggedout.jsp

token_endpoint_auth_method

The authentication method when the client application (PPM) exchanges the authorization code, client ID and client secret, for an id token from OP token endpoint.

Allowed values: client_secret_basic or client_secret_post

Default value: client_secret_basic

Limitations

  • Only AUTHORIZATION CODE flow or IMPLICIT flow are supported.
  • token_endpoint_auth_method can only be either client_secret_basic or client_secret_post

Back to top

See also: