opensaml::FatalProfileException

HermanHaasbroek · ‎Nov 28, 2019

HI

Anybody out there managed to do the integration? If so anyone willing to share their experiences.

In particular around the # in the url.

Herman

Arpit-Singh · ‎Dec 02, 2019

# in the URL is also called URL Fragments.

The fragments functions differently than the rest of the URL: namely, its processing is exclusively client-side with no participation from the web. When an agent (such as a Web browser) requests a web resource from a Web server, the agent sends the URL to the server, but does not send the fragment. Instead, the agent waits for the server to send the resource, and then the agent processes the resource according to the document type and fragment value.

However, in case of SSO there are multiple redirection happening at SP, Ping and IdP, so the fragments by their nature are not sent in the initial requests and thus after the authentication when the URL comes back to SP like Windchill, it only have the URL before the fragment, which usually redirects to the
Windchill Home Page.

By adding %23 the URL converts from fragment to an absolute encoded URL and is sent as is in the initial request and thus finally it redirects to the page where we started with.

For time being as there are below options:

Worked around the issue by performing some customization to redirect Windchill accessing request to the landing page before authentication. On that landing page use javascript to convert '#' to '%23'. Then user should click 'OK' button to perform authentication via Shibboleth SP and other SSO components.
May be its possible through URL Rewrite, but this will need extensive testing.

PrashantKharche · ‎Jun 01, 2020

We have same issue and attempted solutions as mentioned in second bullet by URL rewrite. But it does not work at Apache level as Anchor part is not sent to server. Arpit/all could you please provide some more information about the customization mentioned in first bullet. Is this customization of extra landing page done at the IDP (Okta) side?

If not is it done at SP side and how?

Arpit-Singh · ‎Jun 02, 2020

We don't have instructions to do this customization. However this needs to be done on Windchill, where it encodes the # before it redirects the URLs.

Please note that officially PTC does not support any of those workarounds mentioned there.

BrianSullivan · ‎Jan 06, 2023

Hello,

Also Looking for assistance/example for Okta (Identity Provider) to Shibboleth (Service Provider) with Windchill 12.0.

I followed the Steps from Help Center for a normal connection. I am used to MS Azure Integration.

The IT Setup Okta Configuration and Sent Metadata and the URL for Metadata. I did move and confirm the backup XML was being read but get a standard Error. Unknown or Unusable Identity Provider./Unable to locate metadata for identity provider.

If someone can provide what their Okta Confiugration Looks like. The Metadata file provided also smaller than a MS Azure XML File.

*****!

Unknown or Unusable Identity Provider
The identity provider supplying your login credentials is not authorized for use with this service or does not support the necessary capabilities.

.........

EntityID: https://xxxx.okta.com/app/xxxx_windchill_1/exkok73p40EGjxy1p357/sso/saml

opensaml::saml2md::MetadataException: Unable to locate metadata for identity provider (https://xxxx.okta.com/app/xxxx_windchill_1/exkok73p40EGjxy1p357/sso/saml)

*****!

Background Info:

Attribute Mapping ---> IT person made a custom variable to base user info:

Shibboleth File:

<RequestMapper type="Native">
<RequestMap>

<Host name="zzzz-app-27-dev.yy.xxxx.net">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>


</RequestMap>
</RequestMapper>

Note: Commented out Required Valid and Signature Section since they through errors in Shibbolth Log.

Obviously this is my incorrect configuration.

BrianSullivan · ‎Jan 12, 2023

Hello.

Current Status:

#1 Corrected Shibboleth2.xml File SSO Entity ID so that Okta IDP Page Appears, Log in to Okta.

<SSO entityID="http://xxxx.okta.com/app/xxxx_windchill_1/exkok73p40EGjxy1p357l" postArtifact="true" template="bindingTemplate.html" outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2

#2 SAML Tracer showing both NameID and a New Attribute we made called "username" passing my username (which matches Windchill username. I have attribute-map.xml current set to new New "username" attribute

#3 CURRENT ERROR

The current error is a bit confusing since it references Shibboleth.sso/SLO/POST and not sure why it would be asking about Log out (SLO) when we are in Log In process.

Currently Windchill System configured based on PTC Help Center (web.xml, config.xml configuration corrected with missing /) OOTB Binding Template (PTC Template Binding also attempted); Apache Updated. Shibboleth2.xml. Attribute-map.xml

opensaml::FatalProfileException

The system encountered an error at Wed Jan 11 17:14:41 2023

To report this problem, please contact the site administrator at root@localhost.

Please include the following message in any email:

opensaml::FatalProfileException at (https://usd-am-app-27-dev.am.trimblecorp.net/Shibboleth.sso/SLO/POST)

Incoming message was not a samlp:LogoutRequest or samlp:LogoutResponse.

Thanks to one person willing to send their Shibboleth - Will update this thread when it is Received.

If anyone has gotten Okta to Shibboleth to Windchill working information directed to brian.sullivan@tristar.com appreciated

Current Error>

* No errors in Shibboleth with Logs set to Debug

* No errors in Windchill.

* Data sent from Okta looks Good.

BrianSullivan · ‎Jan 12, 2023

Hello

Okta/Shibboleth/Windchill

Last Error Resolved

Issue was that Okta IT person entered wrong value from provided Metadata into Okta Application. Was updated to Appropriate Info so SAML Tracer now shows

Destination="https://xxxx-app-27-dev.yy.zzzz.net/Shibboleth.sso/SSO/POST

Error Resolved

#4 NEW Error - Generic Something is wrong Message

Can see NameID in SAMLTrace not sure why its not getting to Shibboleth. So many changes testing maybe I have typoed.

shibsp::ConfigurationException

The system encountered an error at Thu Jan 12 15:20:20 2023

To report this problem, please contact the site administrator at root@localhost.

Please include the following message in any email:

shibsp::ConfigurationException at (https://xxxx-app-27-dev.yy.zzzz.net/Shibboleth.sso/SSO/POST)

Shibboleth handler invoked at an unconfigured location.

Attribute-Map.xml

Currently Set to:

BrianSullivan · ‎Jan 13, 2023

Okta - Shibboleth - Windchill Integration

#1 Thanks to Scott for offering his Configuration and to Jing who did end up providing sample Metadata from an Okta Integration.

This led to change in the shibboleth2.xml

ApplicationDefaults entityID="https://xxx-app-27-dev.yy.zzzz.net/Shibboleth.sso/Metadata" Those SSO Knowledgeable will recognize that is the URL to Download the SP Metadata.

Learn a lot about Okta

It has an inability to Import Metadata.

Okta really only expects to populate two Fields manually from the provided Metadata.

IT updated entries; (As well as defined NameID Format to be sent)

The ACS (Single Sign-On URL) to

https://xxx-app-27-dev.yy.zzzz.net/Shibboleth.sso/SAML2/POST

and

The Audience URL (SP Entity ID) to

https://xxx-am-app-27-dev.yy.zzzz.net/Shibboleth.sso/Metadata

So Shibboleth2.xml

Attribute-Mapping.xml

The NameID Attribute Map took a couple tries but worked with:

Painful Week of Searching Internet so hopefully this helps another implementer. Validation Next week with CAD Users, hopefully proves this to be a workable solution. So use to MS Azure where the Entity ID means Nothing really and you Import SP Metadata into IdP. Such an unusual way to have this work. Thanks again to Jing for providing Metadata from a working integration.

OKTA SSO and Windchill

OKTA SSO and Windchill

opensaml::FatalProfileException

shibsp::ConfigurationException