Show TOC

Enabling Single Sign-On for PowerDesigner WebLocate this document in the navigation structure

In environments where X.509 client authentication is in place, an administrator can enable PowerDesigner Web to authenticate users by the user certificate stored on their client machine. The client browser sends a certificate issued by a trusted certificate authority to identify the user and they are logged in automatically, without the need to manually enter their credentials.


Note This procedure includes enabling SSL.


  1. Open a command prompt with administrator's privileges and navigate to JAVA_HOME/bin, where your keytool is located.
  2. Create a self-signed key pair to identify the server:

    keytool -genkeypair -alias serverkey -keyalg RSA -dname "CN=<ServerName>,OU=<OrgUnit>,O=<Org>,L=<Locality>,S=<State>,C=<Country>" -keypass <SecurePassword> -keystore "<InstallDir>\keystore\server.jks" -storepass <SecurePassword>

    • -dname "CN=<ServerName>,OU=<OrgUnit>,O=<Org>,L=<Locality>,S=<State>,C=<Country>" - should provide appropriate metadata to identify your server.
    • -keystore "<InstallDir>\keystore\server.jks" - is the path to the keystore which, by default will be at C:\Program Files\SAP\PowerDesigner Portal 16\keystore\server.jks. This command will create the keystore at this location if it does not already exist.
    • -keypass <SecurePassword> and -storepass <SecurePassword> - must be identical and are the secure password that you define for the server key and keystore.
    Note A self-signed key pair is sufficient for testing, but users accessing your server will receive a security warning. To securely identify your server, you must request a certificate signed by your certification authority (see published on non-SAP site ).
  3. Obtain the client certificate issuer key (*.cer) for your organization and import it into your keystore:
    1. In Chrome, select Start of the navigation path Menu Next navigation step Settings Next navigation step Show advanced settings End of the navigation path and then click Manage certificates.
    2. Select the certificate that you use to identify yourself in your organization and click View.
    3. Click the Certification Path tab to show the path from the selected certificate to the certification authorities that issue the certificate, select the root certificate and click View
    4. Click the Details tab and click Copy to File. Follow the instructions in the Certificate Export Wizard to save the certificate as a file.
    5. Execute the following command to import the certificate into your keystore:

      keytool -importcert -keystore "<InstallDir>\keystore\server.jks" -alias <cacertalias> -file <file>.cer -storepass <SecurePassword>

      • -alias <cacertalias> - defines the alias for your certification authority certificate in your keystore.
      • -file <file>.cer - specifies the path to the certificate authority certificate.
  4. Edit the Tomcat/conf/server.xml file to enable client authentication and configure the keystore/truststore.
    Create a <Connector> element with the following values:
    < Connector 
    	protocol ="org.apache.coyote.http11.Http11Protocol"
    	port ="8443"
    	SSLEnabled ="true"
    	scheme ="https"
    	secure ="true"
    	clientAuth ="want"
    	sslProtocol ="TLS"
    	keystoreFile ="<InstallDir>\keystore\server.jks"
    	keystoreType ="JKS" 
    	keystorePass ="<SecurePassword>"
    	truststoreFile ="<InstallDir>\keystore\server.jks"
    	truststoreType ="JKS" 
    	truststorePass ="<SecurePassword>"/>
    • port - can be set to any appropriate value.
    • clientAuth is set to want to allow a standard login if the certificate cannot be found.
    • keystoreFile and truststoreFile point to your keystore (by default at C:\Program Files\SAP\PowerDesigner Portal 16\keystore\server.jks).
    • keystorePass and truststorePass are the <SecurePassword> defined for your keystore.
    Note To restrict access to this port only, comment out any other connector elements.
  5. Restart the PowerDesigner Portal Server and direct your users to connect using https and the new port number. For example:

    Users connecting to PowerDesigner Web from a Windows client with an appropriate certificate and using a supported version of Internet Explorer or Chrome should be logged in automatically. Users with other browsers such as Firefox, which cannot read from the Windows certificate store, or on other operating systems, will require additional steps to enable single sign-on.

    Note Users can browse the repository without taking a license. If a user creates a diagram, or edits an existing diagram, they will automatically take a license if one is available. If their session times out (by default, after 15 minutes), they will silently return their license. If they then return to their browser and continue editing, they will silently reacquire a license if one is available.
  6. [optional] To customize the rights and permissions that users are granted, consider changing the default rights and permissions granted to the External users group or pre-creating user accounts for individual users (see Creating Externally-Authenticated Repository Users).