
Enterprise LDAP - Microsoft Azure AD


PTC has well-documented Tech Support Articles on how to integrate Windchill with an on-premise Microsoft Active Directory Server: what needs to change in the Apache Auth files, the command to update Apache, Site.xconf, the Windchill JNDI Adapter, and what values are needed.


I am investigating, researching and eventually documenting the procedure to use a common Web Based AD. It's my education for the summer.


But I do not see any coordinated Document for connecting to a Web Based Active Directory.  

Q: Is it the Same?  (Assuming going to use LDAPS and Port 636, to Encrypt Passwords)  Would anyone be willing to send documentation if they have done so?  Or just explain if it is no different and you set up same as Microsoft ADS.



Understanding SSO (Single Sign-On) with a CAD to Microsoft Azure being the Identity Provider to the CAS (Authorization Server) as different, but the articles from PTC focus on ThingWorx integration, not Windchill integration... more as ThingWorx it was a requirement.

In that case, again the Apache/Windchill changes are not defined in an article. Or again, is it the same as a normal AD integration, just the URL is to the CAS (Ping Federation)?


Any Assistance appreciated:



Re: Enterprise LDAP - Microsoft Azure AD

We have decided on Shibboleth as the Windchill Service Provider and Microsoft Azure as the Identity Provider.

System is Linux.


The PTC Help is fairly generic.

Would anyone be willing to send me their Configuration Files so I can see what a proper configuration looks like?

Specifically entries for:




Brian Sullivan

[email address removed for privacy]





Re: Enterprise LDAP - Microsoft Azure AD -SSO -Shibboleth

We were able to Configure Windchill/Shibboleth Service Provider to Azure Identity Provider.


Fundamental Issue:

Once SSO is configured using the PTC Help instructions, there does not seem to be a method to connect without SSO for WindchillDS users. For example: the Site Administrator or CAD Worker user.


Has anyone changed Apache to allow access as Admin?


In general, it appears all users, including Application Administration accounts, would need to be in the Identity Provider.

Have talked to a larger customer who uses a Windchill cluster; in their case they keep one node configured OOTB for administrators, and the other nodes are in the load balancer with end users configured for SSO.

Re: Enterprise LDAP - Microsoft Azure AD -SSO -Shibboleth

Hi Brian,

We are planning to implement the Azure LDAP with Windchill as well. As you mentioned, we also usually have a local Apache running for the cluster, which can still have the wcadmin/DS users perform their administrative tasks.

If you do have any recommendations for implementation/documentation, it would help us a lot.




Re: Enterprise LDAP - Microsoft Azure AD

I have Single Sign On (SSO) Configured for two Different Environments.

It is the Basic Configuration:

* Working From Chrome/Edge/IE11 with Creo View


* DTI 


However, a request to use eSignatures in Workflow was made, which requires a modification to Shibboleth/Apache/Microsoft Azure and a Windchill property.

PTC Help does have a section "eSignature Validation for SSO Configurations" that is supposed to lay out all the changes. Running into issues trying to follow the Help.


Does anyone have a Shibboleth2.xml configured to allow the re-authentication that Workflow Tasks require?

Specifically the Help says to Add a "Host" Tag Section.  As Well as "Application Override".  Open a call with Support but I think seeing a working example would be much faster.


Brian Sullivan

