After configuring Windchill SSO by following the manual (Security Assertion Markup Language (SAML) Authentication), we are now able to open the SSO login page and log in with username/password successfully. But when the browser tries to jump to the Windchill home page, it shows an error message like 'Failed to process the request, Contact your administrator...'. Checking the method server log, there are debug messages like below:
2025-11-17 13:09:14,115 DEBUG [ajp-nio-127.0.0.1-8011-exec-1] sso.shibboleth.sessionHook wcadmin - Query Parameter - return = https://plmdev.xxxx.com:4443/Shibboleth.sso/SAML2/POST?hook=1
2025-11-17 13:09:14,115 DEBUG [ajp-nio-127.0.0.1-8011-exec-1] sso.shibboleth.sessionHook wcadmin - Query Parameter - target = null
2025-11-17 13:09:14,116 DEBUG [ajp-nio-127.0.0.1-8011-exec-1] sso.shibboleth.sessionHook wcadmin - Windchill Domain Name = plmdev.xxxx.com
Just wondering where we can set the 'target' properly so that the sessionHook can handle the request successfully. Any advice will be appreciated...
Out of curiosity, was wcadmin using basic authentication? You mentioned that you have it working with both SSO and username/password. I am wondering if it's crossing over, which would suggest a webserver misconfiguration.
Thanks for the response. No basic authentication now. We now log in using SSO's login page, and the username/password are also provided by the SSO team. What do you mean by webserver misconfiguration? We configured Apache following the official document mentioned in the original post.
When you mentioned username/password, I thought it might be a hybrid setup. Do you have your shibboleth configuration that you can share? Please obfuscate any sensitive information. I suspect something is getting dropped in the redirect. I also had issues in the past:
https://community.ptc.com/t5/Windchill/Session-Hook-reverse-proxy-and-shibboleth/m-p/1040537#M87168
In your log, the target is not set.
=======================================
Yes, this is a big problem. I just haven't figured out how to set the target correctly.
Here I attach the shibboleth configuration files below:
shibboleth2.xml
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
clockSkew="180">
<OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://plmdev.xxxx.com:4443" sessionHook="/Windchill/sso/shibboleth/sessionHook"
REMOTE_USER="username"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
and should be a relative path, with the SP computing the full value based on the virtual
host. Use of TLS is now assumed because browsers are enforcing it due to SameSite
restrictions. Note that while we default checkAddress to "false", this makes an assertion
stolen in transit easier for attackers to misuse.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https"
redirectLimit="exact">
<!--
Configures SSO for a default IdP. To properly allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO entityID="IDaaS" postArtifact="true" template="bindingTemplate.html" outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Administrative logout. -->
<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add your own attributes with values that can be plugged into the
templates, e.g., helpLocation below.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
-->
<MetadataProvider type="XML" validate="true" path="idpMetadata1755501296579.xml"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<!--
<MetadataProvider type="XML" validate="true"
url="http://federation.org/federation-metadata.xml"
backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
<DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
attributeName="http://macedir.org/entity-category"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="http://refeds.org/category/hide-from-discovery" />
</MetadataProvider>
-->
<!-- Example of remotely supplied "on-demand" signed metadata. -->
<!--
<MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
baseUrl="http://mdq.federation.org" ignoreTransport="true">
<MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
<MetadataFilter type="Signature" certificate="mdqsigner.pem" />
</MetadataProvider>
-->
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolvers for separate signing/encryption keys. -->
<CredentialResolver type="File" use="signing"
key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption"
key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
bindingTemplate.html
<html>
<head>
<title>Shibboleth Authentication Request</title>
</head>
<!-- PTC Recommended Customization(1) Start -->
<!-- SHA-256 encoding for 'bindingTemplate.html' is a891be6b892aae62a98c82206444295c252c16622c1a386c5b0fbc293e376745 -->
<!-- keep the content, needed to handle some use cases -->
<body onload="submit();">
<!-- PTC Recommended Customization(1) End -->
<h1>Shibboleth Authentication Request</h1>
<script type="text/javascript">
<!--
document.write("<p>You are automatically being redirected to the authentication service. ");
document.write("If the browser appears to be hung up after 15-20 seconds, try reloading ");
document.write("the page before contacting the technical support staff in charge of the ");
document.write("authentication service you are trying to access.</p>");
document.write("<h2>Redirecting...</h2>");
// -->
<!-- PTC Recommended Customization(2) Start -->
if (document.body != null && typeof document.body.onload !== 'function' && window.location != null) {
window.location.reload();
}
<!-- PTC Recommended Customization(2) End -->
</script>
<!-- PTC Recommended Customization(3) Start -->
<script type="text/javascript">
/**
* Saves the URL fragment to session store, if it is available in browsers address bar
*/
function saveURLFragment(){
var URL_FRAGMENT_KEY = 'WINDCHILL_SSO_URL_FRAGMENT';
var windchillStore = window.sessionStorage;
if(windchillStore){
var hash = document.location.href.split('#')[1];
if(hash && hash.length > 0 ){
windchillStore.setItem(URL_FRAGMENT_KEY , hash);
}else{
// clean-up, if left by previous incomplete login attempt.
windchillStore.removeItem(URL_FRAGMENT_KEY);
}
}
}
function submit(){
saveURLFragment();
document.forms[0].submit();
}
</script>
<!-- PTC Recommended Customization(3) End -->
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript, you must press the
Continue button once to proceed to the authentication service.
</p>
</noscript>
<form method="POST" action="<shibmlp action/>">
<shibmlpif TARGET>
<input type="hidden" name="TARGET" value="<shibmlp TARGET/>"/>
</shibmlpif>
<shibmlpif RelayState>
<input type="hidden" name="RelayState" value="<shibmlp RelayState/>"/>
</shibmlpif>
<shibmlpif SAMLRequest>
<input type="hidden" name="SAMLRequest" value="<shibmlp SAMLRequest/>"/>
</shibmlpif>
<shibmlpif SAMLResponse>
<input type="hidden" name="SAMLResponse" value="<shibmlp SAMLResponse/>"/>
</shibmlpif>
<shibmlpif SAMLart>
<input type="hidden" name="SAMLart" value="<shibmlp SAMLart/>"/>
</shibmlpif>
<shibmlpif SigAlg>
<input type="hidden" name="SigAlg" value="<shibmlp SigAlg/>"/>
</shibmlpif>
<shibmlpif Signature>
<input type="hidden" name="Signature" value="<shibmlp Signature/>"/>
</shibmlpif>
<shibmlpif KeyInfo>
<input type="hidden" name="KeyInfo" value="<shibmlp KeyInfo/>"/>
</shibmlpif>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
</body>
</html>
attribute-map.xml
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
few exceptions for newer attributes where the name is the same for both versions. You will
usually want to uncomment or map the names for both SAML versions as a unit.
-->
<!-- New standard identifier attributes for SAML. -->
<Attribute name="username" id="username"/>
<!--Attribute name="username" id="uid">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute-->
<Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- The most typical eduPerson attributes. -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
<!--
Legacy pairwise identifier attribute / NameID format, intended to be replaced by the
simpler pairwise-id attribute (see top of file).
-->
<!-- The eduPerson attribute version (note the OID-style name): -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<!-- The SAML 2.0 NameID Format: -->
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<!-- Other eduPerson attributes (SAML 2 names followed by SAML 1 names)... -->
<!--
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
<Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
<Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
-->
<!-- Older LDAP-defined attributes (SAML 2.0 names followed by SAML 1 names)... -->
<!--
<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<Attribute name="urn:oid:2.5.4.4" id="sn"/>
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
<Attribute name="urn:oid:2.5.4.12" id="title"/>
<Attribute name="urn:oid:2.5.4.43" id="initials"/>
<Attribute name="urn:oid:2.5.4.13" id="description"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.1" id="carLicense"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.2" id="departmentNumber"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.4" id="employeeType"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.10" id="manager"/>
<Attribute name="urn:oid:2.5.4.34" id="seeAlso"/>
<Attribute name="urn:oid:2.5.4.23" id="facsimileTelephoneNumber"/>
<Attribute name="urn:oid:2.5.4.9" id="street"/>
<Attribute name="urn:oid:2.5.4.18" id="postOfficeBox"/>
<Attribute name="urn:oid:2.5.4.17" id="postalCode"/>
<Attribute name="urn:oid:2.5.4.8" id="st"/>
<Attribute name="urn:oid:2.5.4.7" id="l"/>
<Attribute name="urn:oid:2.5.4.10" id="o"/>
<Attribute name="urn:oid:2.5.4.11" id="ou"/>
<Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
<Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
<Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
<Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
<Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
<Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
<Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
<Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
<Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
<Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
<Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
<Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
<Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
<Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
<Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
<Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
<Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
<Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
<Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
<Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
<Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
<Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
<Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
<Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
<Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
<Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
<Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
<Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
<Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
-->
<!-- SCHAC attributes... -->
<!--
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" id="schacPersonalUniqueCode">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.15" id="schacPersonalUniqueID"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.19" id="schacUserStatus">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.20" id="schacProjectMembership">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.21" id="schacProjectSpecificRole">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
-->
</Attributes>
Below is the metadata provided by the IDP:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="IDaaS">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idaas.xxxx.com:9092/public/api/application/plugin_saml/testplugin_saml3/sp_logout"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idaas.xxxx.com:9092/public/api/application/plugin_saml/testplugin_saml3/sp_logout"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idaas.xxxx.com:9092/enduser/api/application/plugin_saml/testplugin_saml3/sp_sso"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idaas.xxxx.com:9092/enduser/api/application/plugin_saml/testplugin_saml3/sp_sso_post"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>
And the metadata Shibboleth generated is as below:
<!--
This is example metadata only. Do *NOT* supply it as is without review,
and do *NOT* provide it in real time to your partners.
-->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b3d0345887c14d5984c51eec2bb968437e4ad4fa" entityID="https://plmdev.xxxx.com:4443">
<md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
</md:Extensions>
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:Extensions>
<init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/Login"/>
<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/Login" index="1"/>
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>dev-plm-app</ds:KeyName>
<ds:X509Data>
<ds:X509SubjectName>CN=dev-plm-app</ds:X509SubjectName>
<ds:X509Certificate>MIID8zCCAlugAwIBAgIUGK4y/d2gHhDtPXUleePLtK9W82QwDQYJKoZIhvcNAQEL...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>dev-plm-app</ds:KeyName>
<ds:X509Data>
<ds:X509SubjectName>CN=dev-plm-app</ds:X509SubjectName>
<ds:X509Certificate>MIID8zCCAlugAwIBAgIUZ/kr9UD73LycPPOmUUwpdzh0Mo0wDQYJKoZIhvcNAQEL...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
<md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
</md:KeyDescriptor>
<md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/Artifact/SOAP" index="1"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/SLO/SOAP"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/SLO/Redirect"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/SLO/POST"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/SLO/Artifact"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/SAML2/POST" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/SAML2/Artifact" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://plmdev.xxxx.com:4443/Shibboleth.sso/SAML2/ECP" index="4"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Thanks a lot...
After setting
sessionHook="/Windchill/sso/shibboleth/sessionHook?target=https%3A%2F%2Fplmdev.xxxx.com%3A4443%2FWindchill%2F" in shibboleth2.xml, the error message is gone after login, but now it redirects to the Apache welcome page instead, while we actually want the Windchill home page. Any idea? 😂
Checking the browser network info, it shows that the Location header of /Shibboleth.sso/SAML2/POST is set to the Apache home page.
A temporary solution is modifying the OOTB javascript file: codebase/netmarkets/javascript/sso/shibboleth/sessionHook.js
------------------------------------------------------------------
this.submit = function (){
…
restoreTo(params["target"]);
isInvalid = false;
…
-----------------------------------------------------------------
Will keep looking for the real final solution...
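The workaround above restores whatever the hook's `target` query parameter says. As an added example (not PTC's sessionHook.js and not Shibboleth code), here is a check that parses the hook request seen in the log and only restores a target on the Windchill origin, falling back to the home page for anything else; the origin, home path and sample hook URL are constructed assumptions.

```javascript
// Added example, not PTC's sessionHook.js. Decides where a session hook may send
// the browser after SSO, based on the "return" and "target" query parameters
// the method-server log shows the hook receiving.
const WINDCHILL_ORIGIN = "https://plmdev.xxxx.com:4443"; // assumed SP/Windchill origin
const DEFAULT_HOME = WINDCHILL_ORIGIN + "/Windchill/";   // assumed fallback home page

// Constructed sample: the hook request from the log, where "target" is absent.
const SAMPLE_HOOK_URL =
  "https://plmdev.xxxx.com:4443/Windchill/sso/shibboleth/sessionHook" +
  "?return=https%3A%2F%2Fplmdev.xxxx.com%3A4443%2FShibboleth.sso%2FSAML2%2FPOST%3Fhook%3D1";

// Parse the hook request URL into its "return" and "target" parameters
// (null when a parameter is missing, as in the log above).
function parseHookParams(hookUrl) {
  const u = new URL(hookUrl);
  return {
    ret: u.searchParams.get("return"),
    target: u.searchParams.get("target"),
  };
}

// Accept a target only if it resolves to the Windchill origin and stays under
// /Windchill; other hosts, protocol-relative "//host" values, non-http schemes
// and paths that normalise outside /Windchill fall back to the home page.
function safeTarget(target) {
  if (!target) return DEFAULT_HOME;
  let resolved;
  try {
    resolved = new URL(target, WINDCHILL_ORIGIN); // relative paths resolve against the SP
  } catch (e) {
    return DEFAULT_HOME; // unparseable value
  }
  if (resolved.origin !== WINDCHILL_ORIGIN) return DEFAULT_HOME;
  const p = resolved.pathname; // already normalised, so "/Windchill/../x" becomes "/x"
  if (p !== "/Windchill" && !p.startsWith("/Windchill/")) return DEFAULT_HOME;
  return resolved.href;
}

// The URL the hook should restore: the validated target, or the home page.
function decideRestoreUrl(hookUrl) {
  const { target } = parseHookParams(hookUrl);
  return safeTarget(target);
}

// Stand-alone run: print the decision for the constructed sample request.
console.log(parseHookParams(SAMPLE_HOOK_URL), "->", decideRestoreUrl(SAMPLE_HOOK_URL));
```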
Ok, this is progress. What's being lost is the redirect URL, which should take it to the specific Windchill URL you asked for before you did the SSO redirect dance. It is supposed to encode that and extract it later when done. Let me review what you've posted, compare it to my setup and check my notes.
Here is a thread on this topic: https://community.ptc.com/t5/Windchill/Configuring-SAML-SSO-with-Reverse-Proxy/td-p/960421
Are you using a reverse proxy? Does the PTC HTTP Server have the same server name as what you see from the user's side?
Not using reverse proxy and server name is same...
Just wondering if the 'target' should be set in any place at IDP side?
I checked my settings, and for the sessionHook, it should be just this:
sessionHook="/Windchill/sso/shibboleth/sessionHook"
By putting the target attribute there, that is why it's forcing to the Apache page. This should be getting parameterized for you somewhere but does not need to be forced.
Also, I noticed that your entityId was different than mine. Not sure if this matters:
entityID="https://<my FQDN>/shibboleth"
The issue lies somewhere else. It's not in the attribute mapping.
Hello @shlcm,
It looks like you have some responses from some community members. If any of these replies helped you solve your question please mark the appropriate reply as the Accepted Solution.
Of course, if you have more to share on your issue, please let the Community know so other community members can continue to help you.
Thanks,
Vivek N.
Community Moderation Team.
