I am in a dilemma as to why exactly I should configure SSO with PingFederate for the production server when Windchill Authentication itself does the work. Can anyone here who has successfully implemented SSO with PingFederate tell me the exact difference between Windchill Authentication and SSO configuration while installing Navigate with PingFederate?
Any LDAP that works with Windchill will work with Windchill Authentication. The multiple applications that can be accessed with PingFederate SSO are things like Flex, Arbortext, etc. from PTC, as well as Windchill. Windchill Authentication only provides SSO functionality with Windchill.
From a security standpoint, you or your IT management must decide on an acceptable level of risk and what you will invest in time and effort to meet that. PingFederate uses the industry standard SAML and OAuth protocols, but requires complex time-consuming configuration. Windchill Authentication uses the 2-way SSL authentication method defined in the Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246), which is also an industry standard, and is generally easier and quicker to configure.
Windchill Authentication provides SSO for Windchill only, while PingFederate provides SSO across most PTC products. PingFederate is considered by IT Security people to be the “most secure”, while Windchill Authentication security is considered “adequate” for most situations including Production environments. Windchill Authentication is much simpler to configure, which in many cases has been the deciding factor.
Technically, Windchill Authentication uses SSL 2-way certificate authentication meaning that the ThingWorx application authenticates as a client to Windchill using specially configured SSL certificates and keystores. Once ThingWorx has a connection to Windchill, permissions are established for each request by (automatically) providing the name of the user. In PingFederate, SAML is used to obtain an “assertion” from the LDAP Identity Provider that the user is authenticated, and then OAuth is used to obtain a token with delegated permissions from the user that ThingWorx is authorized to act on his behalf when requesting data from Windchill. The OAuth token is validated between Windchill and PingFederate for each data request without further interaction with the user.
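The 2-way SSL flow this answer describes, as an added example that is not part of the original thread or of any PTC product: a Go program that generates a throw-away CA, a server certificate and client certificates in memory, starts a server that requires and verifies client certificates against a dedicated CA pool (tls.RequireAndVerifyClientCert), and then shows three outcomes: the application whose certificate chains to the trusted CA is accepted and the user name it supplies on the request is honoured; a caller presenting no certificate is rejected; a caller whose certificate was issued by a different CA is rejected. The names windchill-sso-ca, windchill, thingworx and rogue-ca, the user alice, and the "user" query parameter are constructed placeholders; the thread does not say how Windchill actually carries the user name per request, and the SAML/OAuth path is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certPair is an in-memory certificate with its private key; nothing is written to disk.
type certPair struct {
	cert *x509.Certificate
	der  []byte
	key  *ecdsa.PrivateKey
}

// newCert issues a cert for cn: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func newCert(cn string, parent *certPair) *certPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"}, // the name the client verifies the server under
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &certPair{cert: must(x509.ParseCertificate(der)), der: der, key: key}
}

// serve plays the Windchill side: TLS has already verified the client chain against ClientCAs, so the
// CN is a trusted application identity; the user name rides on the request as a constructed "user" parameter.
func serve(w http.ResponseWriter, r *http.Request) {
	app := r.TLS.PeerCertificates[0].Subject.CommonName // non-empty under RequireAndVerifyClientCert
	fmt.Fprintf(w, "app=%s user=%s", app, r.URL.Query().Get("user"))
}

// call makes one request as application app (nil = present no client certificate) on behalf of user.
func call(baseURL string, roots *x509.CertPool, app *certPair, user string) (string, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost"}
	if app != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{app.der}, PrivateKey: app.key}}
	}
	hc := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := hc.Get(baseURL + "?user=" + user) // user is plain ASCII in this demo
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// runDemo starts a mutually authenticated server and exercises it with three callers: the trusted
// application, a caller presenting no certificate, and a caller whose issuer is not trusted.
func runDemo() (trustedBody string, noCertErr, rogueCAErr error) {
	ca := newCert("windchill-sso-ca", nil) // the dedicated CA that both keystores are configured with
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	server := newCert("windchill", ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(serve))
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12, // the RFC 5246 baseline the answer refers to
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.der}, PrivateKey: server.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "2-way" part: the client must prove itself too
		ClientCAs:    roots,
	}
	srv.StartTLS()
	defer srv.Close()
	trustedBody, _ = call(srv.URL, roots, newCert("thingworx", ca), "alice")
	_, noCertErr = call(srv.URL, roots, nil, "alice")
	_, rogueCAErr = call(srv.URL, roots, newCert("thingworx", newCert("rogue-ca", nil)), "alice")
	return
}
```

Call runDemo() from a test or a main to see the three outcomes: the trusted application gets back "app=thingworx user=alice", while the other two callers never get a response because the server aborts the handshake (or, under TLS 1.3, alerts right after it). Two points matter for a real deployment of this model: the server accepts any certificate that chains to ClientCAs, so the CA placed in the keystore must be dedicated to this purpose (a general-purpose corporate CA would let every certificate holder assert any user name, unless the server additionally pins the expected CN); and the user name is believed purely because the application presenting it authenticated, which is exactly the delegation that the SAML/OAuth path replaces with a per-request token check against the identity provider.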
We enabled Windchill SSO for one of the custom Navigate app roll-outs.