
Technically, what is the difference between Windchill authentication and SSO with PingFederate?

Vinay_S
15-Moonstone


I am in a dilemma as to why exactly I should configure SSO with PingFederate for a production server when Windchill authentication itself does the work. Can anyone here who has successfully implemented SSO with PingFederate tell me the exact difference between Windchill authentication and SSO configuration while installing Navigate with PingFederate?

Vinay S.
CADOpt Technologies Private Limited
Bengaluru.
1 ACCEPTED SOLUTION

Accepted Solutions
barko
16-Pearl
(To:Vinay_S)

Any LDAP that works with Windchill will work with Windchill Authentication. The multiple applications that can be accessed with PingFederate SSO are things like Flex, Arbortext, etc. from PTC, as well as Windchill. Windchill Authentication only provides SSO functionality with Windchill.

From a security standpoint, you or your IT management must decide on an acceptable level of risk and what you will invest in time and effort to meet that. PingFederate uses the industry standard SAML and OAuth protocols, but requires complex, time-consuming configuration. Windchill Authentication uses the 2-way SSL authentication method defined in the Transport Layer Security (TLS) Protocol Version 1.2 (RFC 5246), which is also an industry standard, and is generally easier and quicker to configure.


4 REPLIES
barko
16-Pearl
(To:Vinay_S)

Windchill Authentication provides SSO for Windchill only, while PingFederate provides SSO across most PTC products. PingFederate is considered by IT Security people to be the “most secure”, while Windchill Authentication security is considered “adequate” for most situations including Production environments. Windchill Authentication is much simpler to configure, which in many cases has been the deciding factor.

Technically, Windchill Authentication uses SSL 2-way certificate authentication, meaning that the ThingWorx application authenticates as a client to Windchill using specially configured SSL certificates and keystores. Once ThingWorx has a connection to Windchill, permissions are established for each request by (automatically) providing the name of the user. In PingFederate, SAML is used to obtain an “assertion” from the LDAP Identity Provider that the user is authenticated, and then OAuth is used to obtain a token with delegated permissions from the user that ThingWorx is authorized to act on his behalf when requesting data from Windchill. The OAuth token is validated between Windchill and PingFederate for each data request without further interaction with the user.
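
The two trust models described in the reply above, as an added illustration that is not part of the original thread and is not PTC or Ping Identity code. It is a constructed Python simulation: the fingerprint allow-list, the `AuthorizationServer` class and the `windchill.read` scope are hypothetical, and the per-request token validation is modeled as an introspection call, which is an assumption.

```python
import hashlib, hmac, secrets, time

# Model 1: trusted application over 2-way TLS; the user name is asserted per request.
# Constructed stand-in for the application's client certificate (DER bytes).
TRUSTED_CLIENT_FPS = {hashlib.sha256(b"constructed-thingworx-cert-DER").hexdigest()}

def authorize_mtls(peer_cert_der, asserted_user, known_users):
    """Accept the asserted user name only when the TLS peer is a pinned client."""
    fp = hashlib.sha256(peer_cert_der).hexdigest()
    if not any(hmac.compare_digest(fp, t) for t in TRUSTED_CLIENT_FPS):
        raise PermissionError("client certificate not trusted")
    if asserted_user not in known_users:
        raise PermissionError("unknown user")
    # In this model the server has no per-user proof: everything rests on
    # the client certificate, so the private key must be protected accordingly.
    return asserted_user

# Model 2: delegated token, checked with the authorization server on every request.
class AuthorizationServer:
    def __init__(self):
        self._tokens = {}

    def issue(self, user, scope, ttl_seconds):
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = {"sub": user, "scope": set(scope.split()),
                             "exp": time.time() + ttl_seconds}
        return tok

    def revoke(self, tok):
        self._tokens.pop(tok, None)

    def introspect(self, tok):
        rec = self._tokens.get(tok)
        if rec is None or rec["exp"] <= time.time():
            return {"active": False}
        return {"active": True, **rec}

def authorize_token(auth_server, token, required_scope):
    """Resource server side: the token, not the caller, carries the user's consent."""
    info = auth_server.introspect(token)
    if not info["active"]:
        raise PermissionError("token inactive (expired, revoked or unknown)")
    if required_scope not in info["scope"]:
        raise PermissionError("token lacks required scope")
    return info["sub"]
```

In the first model a stolen client key lets the holder name any known user; in the second, access is bounded by each token's user, scope and lifetime and can be withdrawn per token.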

Vinay_S
15-Moonstone
(To:barko)

Hi Barko,
So the basic difference is that when we have multiple applications like ADS which actively or passively participate in the SSO process, we need SSO configuration for Navigate with Windchill. When we are using Windchill with Navigate alone, Windchill authentication or two-way security authentication is sufficient.
In scenarios where an advanced security measure is mandatory, we require PingFederate.

Is this correct? Also are there any other differences apart from this?
Vinay S.
CADOpt Technologies Private Limited
Bengaluru.

PreetiGupta
14-Alexandrite
(To:barko)

We enabled Windchill SSO for one of the custom Navigate App rollouts.
