attribute-map.xml is used to match an incoming attribute name from the IdP (Entra in your case) to an attribute name that Shibboleth will use to match to user ID.
From the IdP you will need:
- IdP Entity ID
- IdP metadata - either URL (preferred) or static file
- SAML Discovery URL for the IdP
- Attribute name that will hold your username attribute
- SP Entity ID configured in IdP for your Windchill implementation (this is the unique Entity ID - basically a name that the IdP and Shibboleth both know and can use to validate - if you ask your Entra folks for the entity ID for the Windchill SP - they will know what to give you)
On the IdP side, they need to set up at least one endpoint - /Shibboleth.sso/SAML2/POST. If your Windchill implementation uses PTC electronic signatures in Workflows, you will need a second endpoint set up... /reauthsecure/Shibboleth.sso/SAML2/POST
The shibboleth2.xml file is where you configure the SP (Shibboleth) to connect to the IdP and configure security/validation
I do recommend looking over the PTC documentation, it does give you a straight forward set of instructions. Once the IdP is configured, you should be able to configure Windchill for SSO in a couple of hours including documenting what you did.
Other considerations for SSO
- if you use an attribute other than UID and use electronic signatures, you have to modify a jsp file (see my earlier comment)
- If you use desktop integration, additional files need modified to use WIZARD for auth
- Depending on your version of Windchill - WGM and CreoView clients may show a script error when trying to do auth, in that case additional files may need to be modified to ignore the script error that os shown because of poor PTC coding 🙂
Oh, and use SAML tracer... it will save you from a lot of headaches in trying to track down what you configured wrong
