Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - ppeeters

Pages: [1] 2
PCS General Board / Re: Repository authentication through PCS
« on: April 23, 2024, 06:53:31 pm »

In our company we use a specialized AD group for externals who need to consult PCS
We deliberately chose not to engage in OpenID as apparently according to our security team it is possible to hijack access validation via simple scripts.

Interesting! Do you have any references ?
BTW, our repo is not open to people outside our organization. OpenID authentication relies on our corporate IdP using dedicated groups.

PCS General Board / Re: Repository authentication through PCS
« on: April 22, 2024, 04:35:26 pm »
Hi all,

Thanks for the precision. I have collected the log from the "System Output"

Using Sparx EA 16.1.1625 (64bits)

PCS is hosted and managed by prolaborate (AWS)

Connect from corporate network :

Attempting to log in Windows SSO user: 'my login name'
Checking for user's Windows linked groups
User is a member of Windows groups: followed by the list of 70+ AD groups I'm member of
User's Windows groups linked to Enterprise Architect groups: the AD group authorized to use the repository <-> Authors
User's Windows groups not linked to any Enterprise Architect group: list AD groups not mapped to any repository group
Login: Logged in as Windows user 'my login name'.

Now connecting from a home using public network (same PCS endpoint, same repository security configuration)

Attempting to log in Windows SSO user: 'my login name'
Failed to get current user from Active Directory.
The specified domain either does not exist or could not be contacted.

Login: Non-Domain users are not allowed (username: my upn login)
Attempting to log in OpenID SSO user
and the OpenID dialog shows up.

Configuration is:
  • accept windows authentication
  • accept OpenID authentication
  • automatically create and modify windows or openid users
  • One AD group is mapped to one repository group both for windows authentication and openid

Should I autorise non-domain users ?

PCS General Board / Repository authentication through PCS
« on: April 19, 2024, 10:07:29 pm »
Hi all,

We recently moved our on-premise DB repository where Windows authentication was activated to a cloud-based repository using PCS for Sparx EA access. We keep the Windows authentication settings but add an OpenID option using our Azure AD (now Entra ID) IdP synchronized with our on-premises AD.
I'm not an expert in Windows domain security therefore I'm not sure I'm using the correct wording.
Connecting from within on-premise, the Windows authentication is "propagated" to PCS and authentication succeeds as usual using the AD group mapping defined.
However, if we try to connect from home (without any VPN), windows authentication fails and Sparx EA proposes an OpenID authentication (which succeeds).
Not being familiar with the Windows ID propagation, is it the expected behavior? Does Sparx EA try to negotiate with the on-premise AD and fail? If yes, this means then that OpenID is the only authentication method available remotely. This is not a problem but our users might be surprised by this behaviour.

Thanks for your clarification.


I've just filled in a bug report. We'll see...

Hi all,

I'm using EA v16.1 (64bits) with a repository where security is activated and user lock required.
I have a problem restoring a baseline due to a locking issue together with the presence of a 'Annotions' type package '...{}' in the package I want to restore.
Initially, I have a package with some diagrams and elements but no 'annotations' (Notes, boundary...). I take a lock on that package and its content and make a v1.0 baseline.
Next I add a note to one diagram. This create an annotation '...{}' package containing the note element.
If I try to restore my original v1.0 baseline, it fails with the message
"One or more item under the current package are security locked, all items must be unlocked before performing this action"
This happens as soon as an annotation sub-packaged is present in the model.

Note that if I move the note out of the baselined package, restoring works.
Any idea ?

There is no problem with v15.2

I submitted a bug report for the slow connection, wait and see...
Concerning the UPN switch, I have checked with the latest v15.2 release (1560) and it is already implemented there. We still have the release 1554 deployed here and it was not yet implemented.
We still want to keep both v15.2 and v16 64bits available to ease the transition to the new QEA local repo format.
In any case, it looks like we should wait for the next v16 release.

Thanks for your feedback, Geert

Yes, I closed the model and reopened it : it is still slow to connect displaying the same very verbose  AD related system output.
The duplicate UserLogin is really annoying too. Should I submit a bug report ?

I was not aware of the browser bug you mentionned.
Apparently EA16 is still not ready for deployment here...

Ok, here is what I tried:

I update the schema to 1558 using the 'EASchema_Alter1220to1558_SQLServer.sql' script
I deleted my user

I reconnect using EA16 : same result : 20 seconds to connect (same system output) and my user is recreated using the email. The locks are indeed lost.
I reconnect using EA15 : 3 seconds to connect BUT a new user is created using 'DOMAIN\uid' as UserLogin !

System output EA15
Login: Logged in as Windows user 'Philippe Peeters (STIB-MIVB\peetersp)'.
Login: Added Windows user 'Philippe Peeters (STIB-MIVB\peetersp)' to model.
Login: Added Windows user 'Philippe Peeters (STIB-MIVB\peetersp)' to group 'Authors'.
Login: Logged in as Windows user 'Philippe Peeters (STIB-MIVB\peetersp)'.

Now have 2 different users in t_secuser depending on the version used to connect !

Thanks Geert, I'll try that but what will happen to the author of existing objects in the model ?


We are testing EA v16 64bits (1605). We are connecting to DB repositories (SQLServer) and the models are configured with Windows user security and authentication. A specific AD group is also linked to the "Authors" group and populated with authorized users.
With EA v15.2, the connection to the model takes a couple of second while using EA v16 64bits it takes several tens of seconds. When connecting remotely through the enterprise VPN it might even takes a couple of minutes to connect !

I note in the System output that EA15 only displays
Login: Logged in as Windows user 'userid (DOMAIN\userid)'.

while EA16 display:

Attempting to log in Windows SSO user: 'userid, DOMAINN\userid'
Checking for user's Windows linked groups
User is a member of group: 'XXXX'


then a list of 69 AD groups I'm member of is slowy dumped on the console

User is a member of 69 groups

then, for each AD group :
User's Windows group 'DOMAIN\GROUPNAME' is not linked to any Enterprise Architect group

69 times

and eventually:

Login: Windows user 'Firstname Lastname (mail address)' is not a member of the model.
Login: Logged in as Windows user 'Firstname Lastname (mail address))'.

This behaviour is quite new to me. Is this an expected behaviour and, if yes, can it be disable ? Is it a bug ? Users won't definitely be happy...

Note :
the SQLServer schema is pre-1558
"Automatically create or modify Windows or OpenID users" is checked.

I got the answer from Sparx and, as expected, it works as designed : only Archimate2 and 3 stereotype are exported.

Thanks for your reply Geert.
That's what I did. Wait and see...


I've create a custom MDG where, for instance, I've a stereotype specializing an "Archimate3::Archimate_ApplicationComponent" by defining a set of Tagged value.
I noticed however that any instance of that stereotype in an archimate model is not exported at all using the Archimate "Model Exchange File" ; all other "native" archimate objects are present while my custom stereotype are just missing (they do appear when exporting as an XMI of course).
Is this the expected behaviour ? If yes, is there any "trick" to make them exportable using Model Exchange ?

PCS General Board / Re: EA on Cloud, WebEA and integration
« on: February 09, 2022, 01:37:49 am »
Prolaborate sales support provides me with some detail about the "EA SaaS" solution (with EA streaming). EA SaaS only provides a "PCS free" setup, i.e. no integration or SSO by default. I was referring to the "EA Cloud" and "Prolaborate Cloud" ( where you have the option to bring (or buy) your own PCS Team license but there is few words about the technical integration options.

PCS General Board / EA on Cloud, WebEA and integration
« on: February 08, 2022, 07:58:37 pm »
Hi All,

We are looking into the cloud offering of Sparx. In "EA on Cloud", it is not clear whether the WebEA interface and integration with other systems (ServiceNow, Jira...) is still technically available to the customers (assuming we have the required licenses). Does anyone have experience with this SaaS solution ? Same question with Prolaborate on Cloud


Pages: [1] 2