Community Tip - Want the oppurtunity to discuss enhancements to PTC products? Join a working group! X
HI
Anybody out there managed to do the integration? If so anyone willing to share their experiences.
In particular around the # in the url.
Herman
# in the URL is also called URL Fragments.
The fragments functions differently than the rest of the URL: namely, its processing is exclusively client-side with no participation from the web. When an agent (such as a Web browser) requests a web resource from a Web server, the agent sends the URL to the server, but does not send the fragment. Instead, the agent waits for the server to send the resource, and then the agent processes the resource according to the document type and fragment value.
However, in case of SSO there are multiple redirection happening at SP, Ping and IdP, so the fragments by their nature are not sent in the initial requests and thus after the authentication when the URL comes back to SP like Windchill, it only have the URL before the fragment, which usually redirects to the
Windchill Home Page.
By adding %23 the URL converts from fragment to an absolute encoded URL and is sent as is in the initial request and thus finally it redirects to the page where we started with.
For time being as there are below options:
We have same issue and attempted solutions as mentioned in second bullet by URL rewrite. But it does not work at Apache level as Anchor part is not sent to server. Arpit/all could you please provide some more information about the customization mentioned in first bullet. Is this customization of extra landing page done at the IDP (Okta) side?
If not is it done at SP side and how?
We don't have instructions to do this customization. However this needs to be done on Windchill, where it encodes the # before it redirects the URLs.
Please note that officially PTC does not support any of those workarounds mentioned there.
Hello,
Also Looking for assistance/example for Okta (Identity Provider) to Shibboleth (Service Provider) with Windchill 12.0.
I followed the Steps from Help Center for a normal connection. I am used to MS Azure Integration.
The IT Setup Okta Configuration and Sent Metadata and the URL for Metadata. I did move and confirm the backup XML was being read but get a standard Error. Unknown or Unusable Identity Provider./Unable to locate metadata for identity provider.
If someone can provide what their Okta Confiugration Looks like. The Metadata file provided also smaller than a MS Azure XML File.
*****!
Unknown or Unusable Identity Provider
The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.
.........
EntityID: https://xxxx.okta.com/app/xxxx_windchill_1/exkok73p40EGjxy1p357/sso/saml
opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (https://xxxx.okta.com/app/xxxx_windchill_1/exkok73p40EGjxy1p357/sso/saml)
*****!
Background Info:
Attribute Mapping ---> IT person made a custom variable to base user info:
<Attribute name="NameID" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="uid">
<AttributeDecoder xsi:type="StringAttributeDecoder"/>
</Attribute>
Shibboleth File:
<RequestMapper type="Native">
<RequestMap>
<!--
The example requires a session for documents in /secure on the containing host with http and
https on the default ports. Note that the name and port in the <Host> elements MUST match
Apache's ServerName and Port directives or the IIS Site name in the <ISAPI> element above.
-->
<Host name="zzzz-app-27-dev.yy.xxxx.net">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
<!-- Example of a second vhost mapped to a different applicationId. -->
<!--
<Host name="admin.example.org" applicationId="admin" authType="shibboleth" requireSession="true"/>
-->
</RequestMap>
</RequestMapper>
<ApplicationDefaults entityID="http://zzzz-app-27-dev.yy.xxxx.net/shibboleth"
REMOTE_USER="uid" sessionHook="/Windchill/sso/shibboleth/sessionHook"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false" cookieProps="http"
consistentAddress="false">
<SSO entityID="https://xxxx.okta.com/app/xxxx_windchill_1/exkok73p40EGjxy1p357/sso/saml" postArtifact="true" template="bindingTemplate.html" outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2
</SSO>
<MetadataProvider type="XML" validate="true"
url="https://xxxx.okta.com/app/exkok73p40EGjxy1p357/sso/saml/metadata"
backingFilePath="metadatawindchill.xml" maxRefreshDelay="7200">
<!-- <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> -->
<MetadataFilter type="Signature" certificate="okta.cer" verifyBackup="false"/>
<!-- <DiscoveryFilter type="Exclude" matcher="EntityAttributes" trimTags="true"
attributeName="http://macedir.org/entity-category"
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
attributeValue="http://refeds.org/category/hide-from-discovery" /> -->
</MetadataProvider>
Note: Commented out Required Valid and Signature Section since they through errors in Shibbolth Log.
Obviously this is my incorrect configuration.
Hello.
Current Status:
#1 Corrected Shibboleth2.xml File SSO Entity ID so that Okta IDP Page Appears, Log in to Okta.
<SSO entityID="http://xxxx.okta.com/app/xxxx_windchill_1/exkok73p40EGjxy1p357l" postArtifact="true" template="bindingTemplate.html" outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2
#2 SAML Tracer showing both NameID and a New Attribute we made called "username" passing my username (which matches Windchill username. I have attribute-map.xml current set to new New "username" attribute
<Attribute name="username" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" id="uid">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
#3 CURRENT ERROR
The current error is a bit confusing since it references Shibboleth.sso/SLO/POST and not sure why it would be asking about Log out (SLO) when we are in Log In process.
Currently Windchill System configured based on PTC Help Center (web.xml, config.xml configuration corrected with missing /) OOTB Binding Template (PTC Template Binding also attempted); Apache Updated. Shibboleth2.xml. Attribute-map.xml
The system encountered an error at Wed Jan 11 17:14:41 2023
To report this problem, please contact the site administrator at root@localhost.
Please include the following message in any email:
opensaml::FatalProfileException at (https://usd-am-app-27-dev.am.trimblecorp.net/Shibboleth.sso/SLO/POST)
Incoming message was not a samlp:LogoutRequest or samlp:LogoutResponse.
Thanks to one person willing to send their Shibboleth - Will update this thread when it is Received.
If anyone has gotten Okta to Shibboleth to Windchill working information directed to brian.sullivan@tristar.com appreciated
Current Error>
* No errors in Shibboleth with Logs set to Debug
* No errors in Windchill.
* Data sent from Okta looks Good.
Hello
Okta/Shibboleth/Windchill
Last Error Resolved
Issue was that Okta IT person entered wrong value from provided Metadata into Okta Application. Was updated to Appropriate Info so SAML Tracer now shows
Destination="https://xxxx-app-27-dev.yy.zzzz.net/Shibboleth.sso/SSO/POST
Error Resolved
#4 NEW Error - Generic Something is wrong Message
Can see NameID in SAMLTrace not sure why its not getting to Shibboleth. So many changes testing maybe I have typoed.
The system encountered an error at Thu Jan 12 15:20:20 2023
To report this problem, please contact the site administrator at root@localhost.
Please include the following message in any email:
shibsp::ConfigurationException at (https://xxxx-app-27-dev.yy.zzzz.net/Shibboleth.sso/SSO/POST)
Shibboleth handler invoked at an unconfigured location.
Attribute-Map.xml
Currently Set to:
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" id="NameID">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
Okta - Shibboleth - Windchill Integration
#1 Thanks to Scott for offering his Configuration and to Jing who did end up providing sample Metadata from an Okta Integration.
This led to change in the shibboleth2.xml
ApplicationDefaults entityID="https://xxx-app-27-dev.yy.zzzz.net/Shibboleth.sso/Metadata" Those SSO Knowledgeable will recognize that is the URL to Download the SP Metadata.
Learn a lot about Okta
It has an inability to Import Metadata.
Okta really only expects to populate two Fields manually from the provided Metadata.
IT updated entries; (As well as defined NameID Format to be sent)
The ACS (Single Sign-On URL) to
https://xxx-app-27-dev.yy.zzzz.net/Shibboleth.sso/SAML2/POST
and
The Audience URL (SP Entity ID) to
https://xxx-am-app-27-dev.yy.zzzz.net/Shibboleth.sso/Metadata
So Shibboleth2.xml
<ApplicationDefaults entityID="https://xxx-am-app-27-dev.yy.zzzz.net/Shibboleth.sso/Metadata"
REMOTE_USER="NameID" sessionHook="/Windchill/sso/shibboleth/sessionHook"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https"
consistentAddress="false" >
<SSO entityID="http://www.okta.com/XXXXXXXXXXXXXXX" postArtifact="true" template="bindingTemplate.html" outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2
</SSO>
Attribute-Mapping.xml
The NameID Attribute Map took a couple tries but worked with:
<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" id="NameID">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
</Attribute>
Painful Week of Searching Internet so hopefully this helps another implementer. Validation Next week with CAD Users, hopefully proves this to be a workable solution. So use to MS Azure where the Entity ID means Nothing really and you Import SP Metadata into IdP. Such an unusual way to have this work. Thanks again to Jing for providing Metadata from a working integration.