Community Tip - Have a PTC product question you need answered fast? Chances are someone has asked it before. Learn about the community search. X
I am picking up an in-process project of configuring SSO with the software mentioned in the question, and as I dive in I wanted to put out a question to the user community here to see if anyone has implemented this within their environment, and if so, could provide any helpful details/information as I go forward. Even if not the exact same software environment, but configuring SSO in general, that would be a significant help.
Thanks in advance!
First question: Do you have a multi-organization deployment of PDM? That answer will define if it's even a good idea for you to try what you mentioned.
Please advise,
Daryl
Yes, this is a multi-organization deployment as far as organization containers are concerned, though I do believe that strategy is being used for data separation/access permission only and all user information is ultimately stored in one corporate LDAP (this is a system I am working with that has been inherited - I have not been involved from the ground up).
Have you done this before, Daryl?
Not quite yet but I've been asked to explore the option of a multi-org setup and very quickly discovered a problem when it comes to accounts when you have the possibility of one user helping deal with data in multiple in-system organizations.
The key issues:
EASIEST SOLUTION: do not have automated SSO and let users have multiple accounts, one per organization (a quick way to ID which is which is to put the organization name after their username. Everything else including the email address and even password can be the same), and then if the users set their browsers to not remember usernames and passwords when they go to login to PDM-Link they can just pick the account they need based on which Organization they need to do heavy work in. On this basis alone I have aggressively halted any conversation on getting our login LDAP linked; our engineers need to be able to help the other potential organizations do their main design work.
If you want to share data between multiple organization, an approach to follow is
This way one can grant a non organization member access to business objects and make the user participate in workflow as well.
Now coming back to the original question about SSO. I have experience in implementing SSO using site minder and NetScaler. I had some issues with the embedded browser in WGM and Pro/E ,also in DTI. You need to browse to the portal/form before you register the session.
If I understand correctly, shibboleth provides form based login authentication (portal services) and ADFS acts as identity provider. I am sure Shibboleth will have an agent/module for Apache(Agent in terms of SSO),load this module. From a configuration perpective, you need to first do the idp integration part for Shibboleth, second you need to configure Shibboleth for Apache (google for basic authentication set up using Shibboleth ). Any request to the protected URLs in Windchill should get redirected to Shibboleth for authentication Anonymous URL should be accessible anonymously - https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS199295.
Once authentication is done, Shibboleth should set the REMOTE_USER variable with the userid or samaccountname. On the Windchill side you can either create JNDI adapter/s or decide to create users locally. If you don't have plans for CFR Part 11 dual authentication, I would highly recommend this approach. In this way you can keep the WTuser and relate Windchill tables clean. If your requirement is to have Windchill integrated with AD, then you can even create multiple JNDI adapters pointing to different OUs in your AD and have organization mapping for each of the JNDI adapters. If you want, I can send more info on this setup.
Regards
Binesh Kumar
Medtronic - MITG
Hello Kumar
I would like information on your setup. I need to setup SSO with ADFS to Windchill 10.2 M020; Single Organization.
Brian Sullivan
Hello Bob, Kumar.
Note
ust an update that a colleague and I implemented mod_auth_sspi in Apache. This module support Single Sign on using NTLM.
It was working in Testing for IE (In Intranet Zone); Mozilla when Trusted; And Creo Parametric when homepage starts by pointing at Windchill as Default Page. As well as DTI. (Left to test is WGM and Cad Worker Publishing). Also it is using our Group Filter in AD to properly determine if a user can Log into Windchill.
Unfortunately we have Users in AD as well as WindchillDS.
Researching the internet shows that the SSPI Module can only point at one domain (i.e Active Directory) and not multiple Authentication Sources with Apache 2.2 (which Windchill Uses). We did internet research that shows this was a change in behavior for Apache from Apache 2.1 to 2.2 for Security Reasons and no settings support Multiple AuthTypes for a Single Location. Online Workarounds suggest pointing to two different URLs with One Authenticating to SSPI and one Authenticating to Basic, however all Windchill addresses point to /Windchill and we do not believe we could easily create an alias address for a sub set of users.
This Means while very easy to set up mod_auth_sspi
Question: Does your Solution with a Shibboleth Module allow you to Authenticate against Multiple Authentication Types? Meaning if your Operating System user is not in the Primary SSO AD, then the Login Prompt would appear, allowing you to enter a User/Password in a Secondary location like WIndchillDS?
Seem to be stuck between Basic Authentication which allows Multiple entries (LDAP AD, WindchillDS Adminstrative, WindchillDS Enterprise, or Multiple other LDAP ADs from other Divisions) and Single Sign On with SSPI that only allows a Single Choice.
Brian Sullivan
Brian,
Great post. Did you ever get the CAD Worker Publishing working? We are testing double authentication using crypto cards and Shibboleth. Did you manage to get the CAD Worker to run? Did you get Creo 3.0 to use a basic authentication and how?
Thanks.
Robert.
we have the cad workers all publishing now. Creo was the outlier and it took us a while to figure out that it authenticates differently than the wgm.
Hello Bob,
I have been tasked this week to implement SSO (Single SIgn On) with ADFS (Active Directory Federation Services) which I have never used.
PTC itself does not directly support Single Sign On which is a Problem as SAP and the other 3 Applications they integrated apparantly supply the Step by Step commands required within the ADFS interface.
All I have found at ptc.com is Help which mentions which Authentication Methods Windchill Supports.
Have you or anyone implemented SSO with ADFS and would you be willing to provide your Installation Procedure. (ADS side and changes to Apache/Windchill)
Brian Sullivan
Windchill 10.2 M020
We will implement SSL (Https) as IT Department requires for Integration to ADFS
We have exactly this configuration working in production at my site. We have windchill 10.2 m030 with shibboleth installed in front of Apache, talking to an adfs server for authentication.
We can confirm that this works as a single sign on and the remote_user variable is what the windchill LDAP uses to identify the windchill user.
Both desktop integration and the cad work group managers work with this. So far the only solution that doesn't work is the arbortext integration but that's a back burner for us.
We have implemented the SSO in our Test environment using Shibboleth and ADFS. Everything works well, except the following:
1. SSO will only works for IE 11 and Chrome. It will not work for Firefox.
2. Command-line Bulk Upload command will no longer working. (including any customization of bulk upload in WC UI that use the bulk loading command in the background).
3. Running Query report with Excel link will fail.
3. Creo Parameter connecting to your Windchill will also not work with SSO.
The workaround solution we have is to write a SSO Turn On and Turn Off script at Apache level, but it is not perfect! (and it defect the original purpose).
If you can live with the above, you can use the SSO.
Sincerely,
Thomas Chao
hi ,
We are configuring Windchill sso with PingFederate as Identity Provider.
Can anyone please describe the steps to accomplish the task.
ThankYou,
madhu
Hello Thomas,
"The workaround solution we have is to write a SSO Turn On and Turn Off script at Apache level, but it is not perfect! (and it defect the original purpose)."
I have configured SSO Shibboleth SP/Windchill 11.1 to Azure Idp. What I see with SSO set up is that all users must be in the Idp. Meaning Loaders, etc.. or just logging in as a windchillDS user such as wcadmin is impossible.
Would you be able to provide your workaround? Or did you come up with a better solution?
Brian Sullivan
Thanks for all the helpful information about the path and issues that you've run into.
I'm currently trying to setup a windchill environment use shibboleth to talk to Azure's Active directory.
i've been able to setup shibboleth to talk to azure, but i get the following error: