Skip to main content
K
KL_1133825310-Marble
10-Marble
February 17, 2026
Question

Can Google Workspace as the primary Identity Provider (IdP) for Windchill SSO implementation.

  • February 17, 2026
  • 2 replies
  • 73 views

Version: Windchill 13.1

 

Use Case: Implement Windchill with Single Sign-On using **Google Workspace** as the primary Identity Provider to enable secure, centralized user authentication.


Description:

1. Does Windchill support Google Workspace as a SAML 2.0 IdP directly?
2. Are there any known limitations or compatibility issues?
3. What Windchill version/modules support this configuration?
4. What attributes are required from Google IdP (email, name, groups, etc.)?
5. Can Windchill handle Just-In-Time (JIT) user provisioning from Google, or must users be pre-created?
6. Is there a fallback authentication method if Google SSO is unavailable?
7. Any additional components or licensing required for this setup?
 

2 replies

V
vnamboodheriCommunity Manager
Community Moderator
February 23, 2026

Hi @KL_11338253

Thank you for your question. 

Your post has not yet received any response. I am replying to raise awareness. Hopefully, another community member will be able to help.
Also, feel free to add any additional information you think might be relevant. It sometimes helps to have screenshots to better understand what you are trying to do.

Best Regards,

Vivek N
Community Moderation Team

jbailey
jbailey18-Opal
18-Opal
February 25, 2026

Description:

1. Does Windchill support Google Workspace as a SAML 2.0 IdP directly?
Windchill should support any IdP that supports SAML 2.0 (based on Shibboleth)
2. Are there any known limitations or compatibility issues?
Most issues with limitations or compatibility are configuration specific. If Windchill can reach the IdP, consume the IdP metadata, and trust the IdP certificates, there should be no/minimal issues.
3. What Windchill version/modules support this configuration?
Windchill supports SAML for all currently supported versions of Windchill
4. What attributes are required from Google IdP (email, name, groups, etc.)?
From an authentication standpoint, Windchill only cares about the username attribute defined in the shibboleht2.xml file and mapped with other xml files. There is no current functionality to map additional attributes from the SAML assertion. Additionally, the username attribute needs to match the unique user attribute mapped in adapterservise.josn in <wthome>\ieconf\
5. Can Windchill handle Just-In-Time (JIT) user provisioning from Google, or must users be pre-created?
JIT / SCIM is not supported for Windchill, but I understand it may be on the roadmap for future implementation
6. Is there a fallback authentication method if Google SSO is unavailable?
Windchill is either configured for Basic, Form Based or IdP based SSO uniquely. Failback authentication would be a manual process where you would have to reconfigure for the desired failback.
7. Any additional components or licensing required for this setup?
For SAML & SAML IdP's following SAML 2.0, no licensing is required from PTC. It is up to the customer to provide an IdP.
    V
    vnamboodheriCommunity Manager
    Community Moderator
    February 25, 2026

    Hello @KL_11338253

     

    It looks like you have a response from a PTC community expert. If it helped you answer your question, please mark the reply as the Accepted Solution. 
    Of course, if you have more to share on your issue, please let the Community know so other community members can continue to help you.

    Thanks,
    Vivek N.
    Community Moderation Team.

    Terms & ConditionsCookie settingsAccessibility statement