OKTA SSO and Windchill

Hi

Has anybody out there managed to do the integration? If so, is anyone willing to share their experiences?

In particular around the # in the URL.


Herman

Re: OKTA SSO and Windchill

The # in the URL is also called a URL fragment.

The fragment functions differently than the rest of the URL: namely, its processing is exclusively client-side with no participation from the web server. When an agent (such as a Web browser) requests a web resource from a Web server, the agent sends the URL to the server, but does not send the fragment. Instead, the agent waits for the server to send the resource, and then the agent processes the resource according to the document type and fragment value.

However, in the case of SSO there are multiple redirections happening at the SP, Ping and IdP, so the fragments by their nature are not sent in the initial requests, and thus after the authentication, when the URL comes back to an SP like Windchill, it only has the URL before the fragment, which usually redirects to the Windchill Home Page.

By adding %23, the URL converts from a fragment to an absolute encoded URL and is sent as is in the initial request, and thus it finally redirects to the page we started with.


For the time being, there are the options below:

  • Worked around the issue by performing some customization to redirect the Windchill access request to a landing page before authentication. On that landing page, use JavaScript to convert '#' to '%23'. Then the user should click the 'OK' button to perform authentication via Shibboleth SP and other SSO components.
  • Maybe it's possible through URL Rewrite, but this will need extensive testing.
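
The landing-page conversion from the first option, as an added example that is not part of the original post and is not PTC or Okta code. The host name, the sample deep link and both function names are assumptions, and the same-origin check is an addition so that the landing page only rewrites links to its own SP.

```javascript
// Added example, not from the thread. ALLOWED_ORIGIN and the sample deep
// link are constructed placeholders; function names are hypothetical.
const ALLOWED_ORIGIN = "https://windchill.example.com";

// What the browser actually puts on the request line: path + query only.
// The fragment never leaves the client, which is why it is lost once the
// SP, the federation layer and the IdP start redirecting.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// Landing-page step: turn '#' into '%23' so the former fragment travels in
// the request. Returns null for anything that is not a link to our own SP,
// so the landing page cannot be used to bounce users to another site.
function encodeFragmentForSso(href, allowedOrigin = ALLOWED_ORIGIN) {
  let u;
  try {
    u = new URL(href);
  } catch {
    return null; // relative or malformed input
  }
  if (u.origin !== allowedOrigin || u.username || u.password) return null;
  if (u.hash === "") return u.href; // nothing to preserve
  const base = u.href.slice(0, u.href.length - u.hash.length);
  // Encode every '#', including any that appear inside the fragment itself.
  return base + "%23" + u.hash.slice(1).replace(/#/g, "%23");
}

// Constructed sample deep link.
const deepLink = ALLOWED_ORIGIN +
  "/Windchill/app/#ptc1/tcomp/infoPage?oid=OR:wt.part.WTPart:12345";
const encoded = encodeFragmentForSso(deepLink);
console.log(requestTarget(deepLink)); // fragment missing from the request
console.log(requestTarget(encoded));  // former fragment now sent to the server
```

Once encoded, the former fragment is part of the request, so it also shows up in web server and proxy access logs.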
Re: OKTA SSO and Windchill

We have the same issue and attempted the solution mentioned in the second bullet, by URL rewrite. But it does not work at the Apache level, as the anchor part is not sent to the server. Arpit/all, could you please provide some more information about the customization mentioned in the first bullet? Is this customization of an extra landing page done at the IdP (Okta) side?

If not, is it done at the SP side, and how?

Re: OKTA SSO and Windchill

We don't have instructions to do this customization. However, this needs to be done on Windchill, where it encodes the # before it redirects the URLs.

Please note that officially PTC does not support any of those workarounds mentioned there.
