cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Stay updated on what is happening on the PTC Community by subscribing to PTC Community Announcements. X

Authenticate Third party application using Windchill SSO

Go to solution
prescient_rohit
7-Bedrock
7-Bedrock
‎Jun 20, 2023 08:41 AM
‎Jun 20, 2023 08:41 AM

Authenticate Third party application using Windchill SSO

I am using Windchill PDMLink Release 11.2 and Datecode with CPS 11.2.0.0

We have to integrate the Thirty party application with Windchill using SSO.

When login on Windchill is successful, the Third-party application is authenticated automatically with the same user.

is this possible using SSO? if not kindly please suggest any other way to do it.

if yes, how to configure Windchill SSO to authenticate Third-party applications automatically using the same user?

Labels:
0 Kudos
Notify Moderator
ACCEPTED SOLUTION

Accepted Solutions
jbailey
17-Peridot
17-Peridot
(To:prescient_rohit)
‎Jun 20, 2023 08:55 AM
‎Jun 20, 2023 08:55 AM

The idea of Single Sign On isn't that you automatically are signed in to multiple things once you are authenticated to one, it is that you use one set of credentials to log into multiple things. Windchill can participate in Oauth to share the same credentials, but if you go to each application on its own - you would still need to log in.

 

A potential solution (not recommended) would be to authenticate to a proxy and have the applications trust the http header passing the username. This is insecure, as someone could spoof a header and the application wouldn't have any indication you are not the logged in user.

 

Another option (better) would be to have your IdP use a kerberos ticket to authenticate the user instead of username/password. This would essentially use your computer credentials to authenticate the user (Windows would be automatically set up for this, but some config for macs and linux machines would be required).

 

Note... if you want the third-party app to communicate to Windchill and act on the user's behalf - you would still have to configure your app(s) and Windchill for Oauth Delegated Authorization.

View solution in original post

0 Kudos
Notify Moderator
1 REPLY 1
jbailey
17-Peridot
17-Peridot
(To:prescient_rohit)
‎Jun 20, 2023 08:55 AM
‎Jun 20, 2023 08:55 AM

The idea of Single Sign On isn't that you automatically are signed in to multiple things once you are authenticated to one, it is that you use one set of credentials to log into multiple things. Windchill can participate in Oauth to share the same credentials, but if you go to each application on its own - you would still need to log in.

 

A potential solution (not recommended) would be to authenticate to a proxy and have the applications trust the http header passing the username. This is insecure, as someone could spoof a header and the application wouldn't have any indication you are not the logged in user.

 

Another option (better) would be to have your IdP use a kerberos ticket to authenticate the user instead of username/password. This would essentially use your computer credentials to authenticate the user (Windows would be automatically set up for this, but some config for macs and linux machines would be required).

 

Note... if you want the third-party app to communicate to Windchill and act on the user's behalf - you would still have to configure your app(s) and Windchill for Oauth Delegated Authorization.

0 Kudos
Notify Moderator
Announcements


Contact Community Management
Top Tags