Single Sign-On and Active Directory Integration

This document describes ways that Project Hosts can integrate a customer's online solution with a corporate Active Directory in order to enable single sign-on for users and to simplify user administration. The costs quoted here are in addition to any other hosting costs associated with a deployment. The four methods described here are


Definitions:

A Single Sign-On (SSO) solution allows users to access online applications with their corporate credentials - no new credentials for the online service are needed.

Automated Provisioning means that when a new user is added to the customer's Active Directory, an account for that user will automatically be created in the online solution. Without Automated Provisioning, SSO still requires an admin to set up an account for a new user in the online solution (e.g. SharePoint, Project Server, CRM).

Feature Credential Manager ADFS SAML ARGON
SSO access to SharePoint and SharePoint apps (Project Web Access, Excel Services, SQL Reporting Services, etc.) ✓*
Access to Project Server from Project Professional on user's PC ✓**
SharePoint People-picker functions as expected ✓*** ✓***
SSO for Remote Desktop (e.g. for developing reports)    
Automated provisioning of new users      
SSO solution must be deployed by customer's IT dept.  
 
Setup fee $0 $1,000 $1,000 $1,000
Monthly fee $0 $250 $250 $250

* Credential Manager is not true SSO since it does not use a customer's corporate credentials. But it allows a user to store their online credentials upon first login, then not have to enter them again.

** Using ARGON, access from PC-based applications like Project Pro or Excel requires an additional logon using a Project Hosts-provided password. This can be saved in Credential Manager to avoid future logins.

*** SharePoint People Picker has well-documented strange behavior when used with claims-based authentication solutions like ADFS or SAML. SiteMinder has a SharePoint add-on piece that fixes this behavior, and ADFS similarly has a Codeplex solution to fix it. Other SSO tools may come out with fixes in the future.



Windows Credential Manager

Universal single sign-on after first login.


Description:

There are a number of single sign-on (SSO) solutions that enable access to online applications using a user's existing corporate credentials. These solutions have the advantage that a user does not have to remember or manage another username and password in order to access the online application. The disadvantage is that all of them require a customer's IT department to deploy some software inside their corporate network. That software might be Active Directory Federation Services (ADFS), a SAML solution like SiteMinder or PingFederate, or even Project Hosts' own ARGON solution. If a customer has not already deployed one of these SSO solutions, Windows Credential Manager (WCM) is a great alternative that still allows users to avoid all authentication prompts after their first login.

WCM does require us to issue a username and password for each user, but the first time a user logs in, he or she can simply check the box "Remember my password" to store those credentials in the Credential Manager on their Windows PC. As long as users have trusted our site in their browsers, they never have to log in again from that PC. They can connect using a browser, they can view an Excel Services report online then open it in Excel on their PC, they can launch Project Professional on their PC and have it automatically connect in the background to Project Server - it provides a completely seamless experience with no additional logins necessary.


User requirement:

Users must have a Windows PC (XP or higher) and the ability to trust a site in their browser (enabling the option "logon with current username and password").


Customer IT requirement:

None.


Project Hosts cost:

$0. This is the default authentication method.



ADFS or SAML SSO solutions

True SSO solutions that use SharePoint claims-based authentication.


Description:

ADFS or a SAML SSO solution resides on a server in a customer's corporate network and generates a "claim" to authenticate users directly into SharePoint in the online solution. ADFS or SAML SSOs also provide Single Sign-On to applications that are integrated to SharePoint (or in SharePoint Integrated mode) like Project Server, Excel Services, and SQL Reporting Services.

By default, each new user must first be set up with an account in SharePoint (and in each SharePoint application) before they can access anything online. However, if the customer has also deployed the PHSync functionality of ARGON in their corporate network, automated provisioning can occur.

One limitation of ADFS and SAML SSO solutions is that report developers will probably need to have their own separate login credentials provided by Project Hosts. The reason is that, in order to create reports, developers may need access to Remote Desktop, OLAP cubes, database tables, or other resources that are not directly integrated with SharePoint.

Another limitation is that the SharePoint People Picker functionality, which is used for example to assign an owner to a risk, issue or deliverable, has strange, unintuitive behavior when ADFS or SAML SSO solutions are used. Another white paper on this topic is available upon request. SiteMinder has an add-on for SharePoint that fixes this issue, and ADFS has a Codeplex fix for it, but we are not aware of fixes for other SAML SSO solutions. The SiteMinder add-on has a piece that must be deployed on the customer side and another piece that must be deployed in the online environment.


Customer IT requirement:

Customer must configure an ADFS 2.0 federation server or SAML SSO server that is accessible by HTTPS from the internet and provide a copy of the Token Signing Certificate. Each user must add the ADFS Sign-in URL and the URL for their hosted SharePoint applications into the Local Intranet Zone of their IE browser.


Project Hosts cost:

$1,000 setup and $250/month.



ARGON Single Sign-On with PH Sync Automated Provisioning

Project Hosts' single sign-on solution.


Description:

Project Hosts' Authorization Reconciliation Gateway Online (ARGON) system is a single sign-on solution for hosted web applications that use Windows Integrated Authentication.

ARGON has a disadvantage relative to ADFS and SAML SSO solutions: SSO does not work from Project Professional on a user's PC connecting to Project Server. Project Professional users must log in using credentials provided by Project Hosts. However, Windows Credential Manager can be used by these users to avoid future login prompts after their first login.

ARGON has three main advantages over ADFS and SAML SSO solutions. First, in addition to providing SSO for SharePoint, it provides SSO to applications such as Remote Desktop that are not integrated to SharePoint. As a result, with ARGON, report developers do not need their own separate online credentials.

A second advantage is that SharePoint People Picker functions as expected.

Third, ARGON is usually deployed together with PH Sync code that provides the Automated Provisioning services as defined at the beginning of this white paper.


Detailed Description:

Single sign-on is achieved by running the ARGON Validation Service on a corporate intranet site and the ARGON Authorization Service on the hosted web application server. The ARGON Validation Service validates that the user is a valid corporate user and then uses a Pre-Shared Security Key to securely communicate the Authorization Key to the ARGON Authorization Service. Once the Client is authorized, the ARGON Authorization Service automatically logs the Client in to the Target Application using Windows Integrated Authentication. Once the Client is authenticated, all future requests proceed directly between the Client and the Target Application, imposing no additional overhead on the application traffic. The security of the ARGON Authorization Service is maintained by validating the Pre-Shared Security Key from the ARGON Validation Service and also by validating the Client IP address range. Please see the diagram below.

The Client experience is completely seamless. The client clicks on a link on the corporate intranet site and is automatically directed into the hosted application without any prompts. The entire Client authentication for the hosted application is handled behind the scenes by the ARGON Seamless Application Logon system.

In addition to the ARGON Validation Service, the customer could provide an intranet based landing page for the application that could provide customer specific guidance for the application users.
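
The validation-to-authorization handoff described above, sketched as an added example that is not Project Hosts' code. The page does not say how ARGON uses the Pre-Shared Security Key, so the HMAC-SHA256 tag, the 60-second freshness window, the single-use nonce, and all names and sample values below are assumptions.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed sample values; a real deployment would load these from protected configuration.
PRE_SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
MAX_AGE_SECONDS = 60
_seen_nonces = set()  # in-memory replay cache, enough for a single-process demo


def issue_token(user, client_ip, nonce, now=None, key=PRE_SHARED_KEY):
    """Validation-service side: bind user, client IP, nonce and issue time under the key."""
    issued = int(now if now is not None else time.time())
    payload = f"{user}|{client_ip}|{nonce}|{issued}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def authorize(token, source_ip, now=None, key=PRE_SHARED_KEY):
    """Authorization-service side: return the user name if every check passes, else None."""
    try:
        user, client_ip, nonce, issued, tag = token.split("|")
        issued = int(issued)
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None  # malformed token or source address
    payload = f"{user}|{client_ip}|{nonce}|{issued}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):  # key check, constant time
        return None
    if client_ip != source_ip:  # token is bound to the client that requested it
        return None
    if not any(addr in net for net in ALLOWED_CLIENT_NETS):  # client IP range check
        return None
    current = now if now is not None else time.time()
    if not 0 <= current - issued <= MAX_AGE_SECONDS:  # freshness window
        return None
    if nonce in _seen_nonces:  # each token is accepted once
        return None
    _seen_nonces.add(nonce)
    return user
```

The freshness and nonce checks are there because a pre-shared key and an IP range alone do not stop a captured token from being replayed by another client inside the same address range.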


User requirement:

Each user must have a browser that has JavaScript enabled. This is true for most browsers out of the box.


Customer IT requirement:

The ARGON Validation Service must be deployed on a corporate Intranet Web Server that is authenticated and available to the Client. It is currently available as an .asp page that can be provided to the customer, but equivalent code could be developed by the customer on any platform. For the PH Sync AD Integration, customer must also provide a domain account to log into the customer domain, periodically read allowed AD information, then call a secure web service to pass that information to the Project Hosts domain.


Project Hosts cost:

$1,000 setup and $250/month.



ARGON Seamless Application Logon



"…many organizations have needs for deep customization, white-glove services, or support for complex models like hybrid hosting. For these customers, Project Hosts' PPM Custom Cloud offers a great option."

Ludovic Hauduc, General Manager of the Microsoft Project Business Unit