
Enterprise LDAP - Microsoft Azure AD

BrianSullivan
8-Gravel

PTC has well-documented Tech Support Articles on how to integrate Windchill with an on-premise Microsoft Active Directory Server: what needs to change in the Apache auth files, the command to update Apache, site.xconf, the Windchill JNDI Adapter, and what values are needed.

 

I am investigating, researching and eventually documenting the procedure to use a common Web Based AD. It's my education for the summer.

 

But I do not see any coordinated document for connecting to a Web Based Active Directory.

Q: Is it the same? (Assuming we will use LDAPS on port 636 to encrypt passwords.) Would anyone be willing to send documentation if they have done so? Or just explain if it is no different and you set it up the same as Microsoft ADS.

 

Next

Understanding SSO (Single Sign-On) with CAD, with Microsoft Azure as the Identity Provider to the CAS (Authorization Server), is different, but the articles from PTC focus on ThingWorx integration, not Windchill integration... more so because for ThingWorx it was a requirement.

In that case, again, the Apache/Windchill changes are not defined in an article. Or, again, is it the same as a normal AD integration, just with the URL pointing to the CAS (PingFederate)?

 

Any Assistance appreciated.

 

6 REPLIES

We have decided on Shibboleth as the Windchill Service Provider and Microsoft Azure as the Identity Provider.

System is Linux.

 

The PTC Help is fairly generic.

Would anyone be willing to send me their Configuration Files so I can see what a proper configuration looks like?

Specifically entries for:

shibboleth2.xml 

attribute-map.xml

 

Brian Sullivan


We were able to configure the Windchill/Shibboleth Service Provider to the Azure Identity Provider.

 

Fundamental Issue:

Once SSO is configured using the PTC Help instructions, there does not seem to be a method to connect without SSO for WindchillDS users. For example: the Site Administrator or CAD Worker user.

 

Has Anyone changed Apache to allow Access as Admin? 

 

In general it appears all users, including Application Administration accounts, would need to be in the Identity Provider.

Have talked to a larger customer who uses a Windchill Cluster; in their case they keep one node configured OOTB for administrators, and the other nodes are in the load balancer and end users are configured for SSO.

bt
4-Participant
(To:BrianSullivan)

Hi Brian,

We are planning to implement the Azure LDAP with Windchill as well. As you mentioned, we also usually have a local Apache running for the cluster which can still let the wcadmin/DS users perform their administrative tasks.

If you have any recommendations for implementation/documentation, that would help us a lot.

 

Regards

Baalajee

bsullivan
5-Regular Member
(To:BrianSullivan)

I have Single Sign On (SSO) Configured for two Different Environments.

It is the Basic Configuration:

* Working From Chrome/Edge/IE11 with Creo View

* CAD WGM

* DTI 

 

However, a request to use eSignatures in Workflow was made, which requires a modification to Shibboleth/Apache/Microsoft Azure and a Windchill property.

PTC Help does have a section "eSignature Validation for SSO Configurations" that is supposed to lay out all the changes. Running into issues trying to follow the Help.

 

Does anyone have a shibboleth2.xml configured to allow the re-authentication that Workflow Tasks require?

Specifically, the Help says to add a "Host" tag section as well as an "ApplicationOverride". I opened a call with Support, but I think seeing a working example would be much faster.

 

Brian Sullivan

 

bsullivan
5-Regular Member
(To:bsullivan)

Back on Investigating eSignature with SSO in a Shibboleth Environment.

PTC Help

* States the concept of a Host section, which is not needed normally

* Reauthenticate SSO with forceAuthn="true", etc.

 

Has anyone successfully configured their shibboleth2.xml? I would appreciate an example.

 

bsullivan
5-Regular Member
(To:bsullivan)

Started with a functional Windchill 11.0 M030/Shibboleth/Microsoft Azure setup.

Started with PTC Help "eSignature Validation for SSO Configuration".

 

Current Progress:

Shibboleth service running (configured Shibboleth); Apache entries; new entries in MS Azure (configured IdP); and updated wt.properties via site.xconf.

 

Current error: it actually occurs when a user has connected via SSO (Single Sign-On) and goes to the Change Notice Audit Task (signature required). The user selects Complete Task, the SSO box opens, enters username, password, MFA via phone, and then Windchill returns: "This task cannot be completed because the additional verification was incorrect".

Nothing of use in shibd.log, the Apache log or the Windchill logs (the Windchill log shows the standard error you get if searching the error).

 

My assumption is it must be my shibboleth2.xml file. 

 

The Help Document is Incomplete:

#1 I made a RequestMapper around Host

*****************************************

<RequestMapper type="Native">
    <RequestMap>
        <Host name="acme-dev.tristar.com">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
            <Path name="reauthsecure" authType="shibboleth" requireSession="true" forceAuthn="true" applicationId="reauthsecure" />
        </Host>
    </RequestMap>
</RequestMapper>

 

#2 The Help does not explain, so I used the same information that is in the default Sessions section...

I've tried different values for the entityID... but have not had any success.

I've reviewed the handlerURL="/reauthsecure/Shibboleth.sso", and Apache and the new entries in Azure have the same information.

 

<ApplicationOverride id="reauthsecure"
    entityID="https://acme-dev.tristar.com/shibboleth"
    REMOTE_USER="userprincipalname"
    cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

    <Sessions lifetime="10" timeout="10" checkAddress="false" relayState="ss:mem" handlerURL="/reauthsecure/Shibboleth.sso" maxTimeSinceAuthn="20" handlerSSL="true" cookieProps="https" consistentAddress="false" >

        <SSO entityID="https://sts.windows.net/5d12345678901234567890/" discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF" forceAuthn="true" >
            SAML2
        </SSO>

        <!-- SAML and local-only logout. -->
        <Logout>SAML2 Local</Logout>

        <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

        <!-- Status reporting service. -->
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

        <!-- Session diagnostic service. -->
        <Handler type="Session" Location="/Session" showAttributeValues="true"/>

        <!-- JSON feed of discovery information. -->
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

    </Sessions>

</ApplicationOverride>

 

If anyone can send me a working example (if it's the shibboleth2.xml), or if you know a way I can find a useful error message, or if you ran into the same thing? Going to company IT to check Azure logs next.

 

Thanks for Review

Brian Sullivan
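The fragments posted above are the kind of configuration where a single inconsistency (an override handlerURL outside the path it is mapped to, a missing forceAuthn, no maxTimeSinceAuthn) fails silently at the SP and only surfaces as an application-side "verification was incorrect" message. The following is an added example, not PTC's, Shibboleth's or the poster's code: it parses a constructed shibboleth2.xml fragment modelled on the posted RequestMap and ApplicationOverride (same host name and entityIDs; the surrounding ApplicationDefaults block is assumed) and reports where the RequestMap Path entries and the override they name disagree.

```python
"""Consistency checks for a Shibboleth SP re-authentication override.

Added example (not PTC's or Shibboleth's code). Parses a constructed
shibboleth2.xml fragment modelled on the one posted in the thread and
reports where the RequestMap <Path> entries and the <ApplicationOverride>
they name disagree, which is where a failed re-auth step usually hides.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the posted fragments wrapped in a root element and an
# assumed ApplicationDefaults block. Real files carry an XML namespace; the
# {*} wildcards used below match elements with or without one (Python 3.8+).
SAMPLE_XML = """\
<SPConfig>
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="acme-dev.tristar.com">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
        <Path name="reauthsecure" authType="shibboleth" requireSession="true"
              forceAuthn="true" applicationId="reauthsecure"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://acme-dev.tristar.com/shibboleth">
    <Sessions handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://sts.windows.net/5d12345678901234567890/">SAML2</SSO>
    </Sessions>
    <ApplicationOverride id="reauthsecure"
                         entityID="https://acme-dev.tristar.com/shibboleth">
      <Sessions handlerURL="/reauthsecure/Shibboleth.sso" handlerSSL="true"
                cookieProps="https" maxTimeSinceAuthn="20">
        <SSO entityID="https://sts.windows.net/5d12345678901234567890/"
             forceAuthn="true">SAML2</SSO>
      </Sessions>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>
"""


def check_reauth_overrides(xml_text):
    """Return a list of findings; an empty list means the overrides are consistent."""
    root = ET.fromstring(xml_text)
    overrides = {o.get("id"): o for o in root.findall(".//{*}ApplicationOverride")}
    findings = []
    for path in root.findall(".//{*}Host/{*}Path"):
        app_id = path.get("applicationId")
        if app_id is None:
            continue  # plain content served by the default application
        prefix = "/" + path.get("name", "").strip("/") + "/"
        override = overrides.get(app_id)
        if override is None:
            findings.append(f"{prefix}: applicationId '{app_id}' has no ApplicationOverride")
            continue
        sessions = override.find("{*}Sessions")
        if sessions is None:
            findings.append(f"{app_id}: override has no <Sessions> element")
            continue
        # The override's handlers must sit under the content it is mapped to;
        # otherwise requests to them run with the default application's
        # settings (and session cookie), not the override's.
        handler_url = sessions.get("handlerURL", "/Shibboleth.sso")
        if not handler_url.startswith(prefix):
            findings.append(f"{app_id}: handlerURL '{handler_url}' is not under '{prefix}'")
        # forceAuthn may be set on the Path (content setting) or on <SSO>;
        # a re-auth path needs at least one of them.
        sso = sessions.find("{*}SSO")
        path_force = path.get("forceAuthn") == "true"
        sso_force = sso is not None and sso.get("forceAuthn") == "true"
        if not (path_force or sso_force):
            findings.append(f'{app_id}: neither the Path nor <SSO> sets forceAuthn="true"')
        # Without maxTimeSinceAuthn the SP accepts an assertion regardless of
        # how old its AuthnInstant is, so a re-auth path should bound it.
        if sessions.get("maxTimeSinceAuthn") is None:
            findings.append(f"{app_id}: maxTimeSinceAuthn is not set on <Sessions>")
    return findings


if __name__ == "__main__":
    for line in check_reauth_overrides(SAMPLE_XML) or ["no inconsistencies found"]:
        print(line)
```

Run it against the real file with `check_reauth_overrides(open("shibboleth2.xml").read())`; an empty result only says the override is self-consistent, so the Azure side (the reply URL registered for `/reauthsecure/Shibboleth.sso/SAML2/POST`) and the Windchill property still have to be checked separately.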
