
SSO configuration error (Thingworx Navigate1.8+Windchill+Pingfederate)

weli
12-Amethyst

Hi,

 

I am using the automated script for PingFederate, after configuring my ThingWorx and Windchill. When starting ThingWorx, I got the following error:

 

2019-01-04 14:32:14.579+0800 [L: ERROR] [O: o.o.s.m.p.SignatureValidationFilter] [I: ] [U: ] [S: ] [T: Metadata-reload] Signature trust establishment failed for metadata entry tom.wcserver.com
2019-01-04 14:32:14.579+0800 [L: ERROR] [O: o.o.s.m.p.AbstractReloadingMetadataProvider] [I: ] [U: ] [S: ] [T: Metadata-reload] Error filtering metadata from D:\THINGW~1\THINGW~2\SSOSEC~1\PF_IDP_metadata.xml
2019-01-04 14:32:14.579+0800 [L: ERROR] [O: o.o.s.m.p.AbstractReloadingMetadataProvider] [I: ] [U: ] [S: ] [T: Metadata-reload] Error occurred while attempting to refresh metadata from 'D:\THINGW~1\THINGW~2\SSOSEC~1\PF_IDP_metadata.xml'
2019-01-04 14:32:14.594+0800 [L: ERROR] [O: o.o.s.m.p.AbstractMetadataProvider] [I: ] [U: ] [S: ] [T: Metadata-reload] Metadata provider failed to properly initialize, fail-fast=true, halting

tom.wcserver.com is the FQDN of my VMware environment; I installed PingFederate, ThingWorx Navigate and Windchill on the same machine. Both ThingWorx and Windchill are using HTTP instead of HTTPS.

 

Could you please tell me where I am wrong? Which direction should I look in? Honestly, I don't truly understand the SSL trust relationship between CAS, SP and RP; after reading all kinds of related documents I am still confused.

 

Thanks for your help.

Tom

 

1 ACCEPTED SOLUTION

barko
16-Pearl
(To:weli)

When a user first requests access from a web server using a browser, the web server sends the familiar login page as a pop-up asking for credentials. The browser displays the pop-up page and waits for a human user to respond to it. An application like ThingWorx is not a browser, so it cannot respond to a pop-up like that, and needs to establish the trust relationship with the Windchill server in some other way that does not involve the intervention of a user. The mechanism that ThingWorx uses for this is known as 2-way authentication. This involves the server (Windchill) and the client (ThingWorx) exchanging SSL certificates. The ThingWorx certificate must have a specific attribute, Extended Key Usage (EKU), set with a value of “clientAuthentication”. When ThingWorx submits its certificate, Windchill validates it and based upon the results of the validation, either grants access to resources (most often a search of the Windchill database or index), or if the validation fails Windchill denies access. A successful validation establishes the trust relationship between Windchill and ThingWorx.

 

To access the certificate validation functionality, Windchill (and HTTPServer) must be “configured for SSL”, so it can use the HTTPS protocol. The HTTP protocol will not invoke certificate validation. So, at a minimum Windchill must be configured for SSL. PingFederate complicates the process, and also uses certificates in a similar manner. I suggest that you first try to configure Windchill Authentication in ThingWorx before attempting to configure PingFederate. That will give you some experience using certificates, which will help when you attempt to introduce PingFederate into the infrastructure.

 

Navigate 1.8 introduced an installer for fresh installs on a server that does not have Tomcat, ThingWorx and Navigate already installed on it. This installer sets up Fixed Authentication, but does not complete the configuration necessary for Windchill Authentication or for PingFederate, and manual steps are required to complete those configurations. The steps are detailed in the installation guide, and are the same general steps that were required for configuring Navigate 1.7, if you are familiar with those.


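The 2-way authentication that barko's accepted answer describes, as an added Go example that is not code from this thread, from PTC or from Ping Identity: it stands up a TLS server that requires a client certificate chaining to a trusted CA (the server's validation step), then connects three times with different client certificates. One carries EKU clientAuth and is accepted; a reused server certificate (EKU serverAuth only) is refused; a certificate with the right EKU but issued by a CA the server does not trust is refused as well. All host and CA names (windchill.example, thingworx.example, trusted-ca.example, rogue-ca.example) and the certificates themselves are constructed in the program and are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on errors that do not occur in practice (key generation, parsing our own DER).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for cn, signed by parent (self-signed when parent
// is nil). All names are hypothetical; eku is the Extended Key Usage attribute the answer refers to.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial; a real CA tracks these
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey))
	leaf := must(x509.ParseCertificate(der))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// connect starts a TLS server that requires a client certificate chaining to ca, then connects once
// with clientCert. It returns nil if the server accepted the certificate, else the validation error.
func connect(ca *x509.Certificate, serverCert, clientCert tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert}, ClientCAs: pool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the validation step the answer describes
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake() // fails when the client certificate does not validate
			conn.Close()
		}
		serverErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{clientCert}, RootCAs: pool, ServerName: "windchill.example",
	})
	if err != nil {
		return err
	}
	defer conn.Close() // keep the client side open until the server has reported its verdict
	return <-serverErr
}

type Outcome struct {
	ClientAuthAccepted bool  // EKU clientAuth, issued by the trusted CA: the case the answer describes
	ServerAuthErr      error // EKU serverAuth only (a reused server certificate): why it was rejected
	UnknownCAErr       error // EKU clientAuth but issued by a CA the server does not trust
}

func RunDemo() Outcome {
	ca := issue("trusted-ca.example", true, nil, nil)
	server := issue("windchill.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, &ca)
	good := issue("thingworx.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, &ca)
	reused := issue("thingworx.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, &ca)
	rogueCA := issue("rogue-ca.example", true, nil, nil)
	rogue := issue("thingworx.example", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, &rogueCA)
	return Outcome{
		ClientAuthAccepted: connect(ca.Leaf, server, good) == nil,
		ServerAuthErr:      connect(ca.Leaf, server, reused),
		UnknownCAErr:       connect(ca.Leaf, server, rogue),
	}
}
func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

Running it prints the outcome of the three attempts. The rejection reasons are the server's own words for the two failure modes in the thread: a key-usage mismatch when the client presents a certificate without clientAuth, and a missing trust path when the issuing CA is not in the server's trust store (Go's client also consults the server's list of acceptable CAs before choosing a certificate, so the rogue-CA attempt may fail because the client sends no certificate at all; either way the server refuses the session). None of this happens over plain HTTP, which is why the answer insists on configuring Windchill for SSL first.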
weli
12-Amethyst
(To:barko)

Thanks for your explanation.

 

After several attempts, I successfully configured my SSO environment.

 
