Questions often come up about how re-authentication works with PPM Pro. To understand re-authentication we first have to understand authentication. PPM Pro offers several choices about how to authenticate. These often involve trade-offs between higher security and a better user experience, so the implications of each option should be carefully considered to determine what's best for your organization.
For more information, please see the attached PPM Pro SSO Data Sheet.
Methods of Authentication
There are currently three supported methods of authenticating with PPM Pro. Depending on customer configuration, some of these methods may not be available in a particular customer instance:
Form-Based Login with username / password - the user enters a username and password into the PPM Pro login page.
Browser-Based Login (Basic HTTP Authentication) - in this mode the user enters a username and password in a browser popup. The browser then caches these credentials until it is restarted and sends them on the user's behalf whenever the PPM Pro server requests authentication. This is often a good end-user experience, since users are not prompted to re-authenticate until they restart their browser, but it may not be secure where a browser is shared between individuals. Also note that, despite the name, cached credentials are always sent to PPM Pro over HTTPS, never plain HTTP.
Single Sign-On via SAML - PPM Pro establishes a trust relationship with a SAML Identity Provider. User authentication is delegated to that Identity Provider (which can, in turn, authenticate by a variety of means and often ties in directly with an on-premises Active Directory or LDAP system). Using SSO wherever possible is PPM Pro's recommended best practice.
How to Configure
If SSO/SAML is enabled:
Browser-Based Login is automatically disabled.
Form-Based Login is disabled except for individual users that have "Local Authentication Override" selected in their user records.
The "Inactivity Timeout" setting in Admin/Organization/Info controls how long a period of inactivity is allowed before PPM Pro redirects the user to the SAML Identity Provider to check whether the user is still authenticated. If the user is still authenticated with the Identity Provider, they are immediately redirected back to PPM Pro and may not notice that the round trip happened. The default setting of "0" is treated as "30 minutes".
If SSO/SAML is not enabled:
If "Inactivity Timeout" is set to 0 (the default setting), then Browser-Based Login is enabled. After 30 minutes of inactivity the PPM Pro server will request authentication from the browser. If the user has previously cached their username/password with their browser by filling in the browser's authentication dialog, the user will not notice this process. If the user has not previously cached their username/password with the browser, they will be presented with the browser's authentication dialog. If they press "cancel" on this dialog, they will be redirected to the form-based login page.
If the "Inactivity Timeout" setting in Admin/Organization/Info is set to a number greater than 0 (negative values are not supported), then Browser-Based Login is disabled. After the specified number of minutes of inactivity, the user will be redirected to the form-based login page. Note that unsaved data present on the current page may be lost in this process.
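The configuration rules above, together with the HTTP mechanics behind each re-authentication path, as an added example that is not part of the original article and not PPM Pro's own code. It models which login methods are enabled for a given setting, which re-authentication action the server takes once the effective timeout is exceeded, and how the Browser-Based (Basic HTTP) path looks on the wire: the server answers with a 401 carrying a WWW-Authenticate: Basic header, and the browser replies with an Authorization header that is only base64-encoded, which is why the article stresses that it is always carried over HTTPS. The response headers and credentials are constructed sample values, and the mode labels (saml, form, browser) are names chosen here, not product settings.

```python
import base64
from typing import Dict, Set, Tuple

# The article: an Inactivity Timeout of 0 is treated as 30 minutes.
DEFAULT_TIMEOUT_MINUTES = 30


def effective_timeout(inactivity_timeout: int) -> int:
    """Map the Admin/Organization/Info 'Inactivity Timeout' value to minutes."""
    if inactivity_timeout < 0:
        raise ValueError("negative Inactivity Timeout values are not supported")
    return DEFAULT_TIMEOUT_MINUTES if inactivity_timeout == 0 else inactivity_timeout


def enabled_login_methods(sso_enabled: bool, inactivity_timeout: int,
                          local_override: bool = False) -> Set[str]:
    """Which login methods are available under a given configuration (labels chosen here)."""
    if sso_enabled:
        methods = {"saml"}                 # browser-based login is disabled outright
        if local_override:                 # "Local Authentication Override" on the user record
            methods.add("form")
        return methods
    methods = {"form"}
    if inactivity_timeout == 0:            # timeout 0 (default) keeps browser-based login on
        methods.add("browser")
    return methods


def reauth_action(sso_enabled: bool, inactivity_timeout: int, idle_minutes: int,
                  browser_has_cached_creds: bool = False) -> str:
    """What the server does after idle_minutes of inactivity."""
    if idle_minutes < effective_timeout(inactivity_timeout):
        return "none"
    if sso_enabled:
        return "redirect-to-idp"           # transparent if the IdP session is still valid
    if inactivity_timeout == 0:
        # Basic HTTP challenge: silent if the browser already cached credentials,
        # otherwise the browser shows its dialog; cancelling falls back to the form.
        return "browser-challenge-transparent" if browser_has_cached_creds else "browser-challenge-dialog"
    return "redirect-to-form-login"        # unsaved page data may be lost here


def classify_response(status: int, headers: Dict[str, str]) -> str:
    """Classify a captured HTTP response by the re-authentication path it starts."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and h.get("www-authenticate", "").lower().startswith("basic"):
        return "browser-based challenge"
    if status in (302, 303) and "location" in h:
        # A SAML redirect carries the AuthnRequest as a SAMLRequest query parameter.
        return "saml redirect" if "SAMLRequest=" in h["location"] else "form-based redirect"
    return "no re-authentication"


def decode_basic_authorization(header_value: str) -> Tuple[str, str]:
    """Show that a Basic Authorization header is base64-encoded, not encrypted."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed sample exchange for the Browser-Based Login path.
    challenge = {"WWW-Authenticate": 'Basic realm="PPM Pro"'}   # constructed
    print(classify_response(401, challenge))
    creds = "Basic " + base64.b64encode(b"alice:s3cret").decode()  # constructed
    print(decode_basic_authorization(creds))
    print(reauth_action(sso_enabled=False, inactivity_timeout=0, idle_minutes=31,
                        browser_has_cached_creds=True))
```

The decode helper is the reason the shared-browser caveat matters: anyone who can read the cached header or the traffic before TLS terminates recovers the password directly, so the protections are the HTTPS transport and not sharing the browser profile, not the encoding.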