Re: Single Sign-On for Windchill with Apache, Shib...

bsindelar · ‎May 17, 2016

I am picking up an in-process project of configuring SSO with the software mentioned in the question, and as I dive in I wanted to put out a question to the user community here to see if anyone has implemented this within their environment, and if so, could provide any helpful details/information as I go forward. Even if not the exact same software environment, but configuring SSO in general, that would be a significant help.

Thanks in advance!

doehr · ‎May 20, 2016

First question: Do you have a multi-organization deployment of PDM? That answer will define if it's even a good idea for you to try what you mentioned.

Please advise,

Daryl

bsindelar · ‎May 20, 2016

Yes, this is a multi-organization deployment as far as organization containers are concerned, though I do believe that strategy is being used for data separation/access permission only and all user information is ultimately stored in one corporate LDAP (this is a system I am working with that has been inherited - I have not been involved from the ground up).

Have you done this before, Daryl?

doehr · ‎May 20, 2016

Not quite yet but I've been asked to explore the option of a multi-org setup and very quickly discovered a problem when it comes to accounts when you have the possibility of one user helping deal with data in multiple in-system organizations.

The key issues:

Every user account has to be set to an organization. If you don't the access they have to data inside the organization is quite crippled.
A user account in one organization has little to no access to data in the other organization pretty much no matter what you do to their Profiles, policy administrator access rules, etc...the fundamental framework forces separation.

EASIEST SOLUTION: do not have automated SSO and let users have multiple accounts, one per organization (a quick way to ID which is which is to put the organization name after their username. Everything else including the email address and even password can be the same), and then if the users set their browsers to not remember usernames and passwords when they go to login to PDM-Link they can just pick the account they need based on which Organization they need to do heavy work in. On this basis alone I have aggressively halted any conversation on getting our login LDAP linked; our engineers need to be able to help the other potential organizations do their main design work.

BineshKumar1 · ‎May 23, 2016

If you want to share data between multiple organization, an approach to follow is

Create a group at site level, assign the org1 as the domain of the group
Go to the product team or policy admin for any containers in Org2 and add the group created in step#1 to context roles.

This way one can grant a non organization member access to business objects and make the user participate in workflow as well.

Now coming back to the original question about SSO. I have experience in implementing SSO using site minder and NetScaler. I had some issues with the embedded browser in WGM and Pro/E ,also in DTI. You need to browse to the portal/form before you register the session.

If I understand correctly, shibboleth provides form based login authentication (portal services) and ADFS acts as identity provider. I am sure Shibboleth will have an agent/module for Apache(Agent in terms of SSO),load this module. From a configuration perpective, you need to first do the idp integration part for Shibboleth, second you need to configure Shibboleth for Apache (google for basic authentication set up using Shibboleth ). Any request to the protected URLs in Windchill should get redirected to Shibboleth for authentication Anonymous URL should be accessible anonymously - https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS199295.

Once authentication is done, Shibboleth should set the REMOTE_USER variable with the userid or samaccountname. On the Windchill side you can either create JNDI adapter/s or decide to create users locally. If you don't have plans for CFR Part 11 dual authentication, I would highly recommend this approach. In this way you can keep the WTuser and relate Windchill tables clean. If your requirement is to have Windchill integrated with AD, then you can even create multiple JNDI adapters pointing to different OUs in your AD and have organization mapping for each of the JNDI adapters. If you want, I can send more info on this setup.

Regards

Binesh Kumar

Medtronic - MITG

BrianSullivan · ‎Jul 18, 2016

Hello Kumar

I would like information on your setup. I need to setup SSO with ADFS to Windchill 10.2 M020; Single Organization.

Brian Sullivan

BrianSullivan · ‎Jul 21, 2016

Hello Bob, Kumar.

Note

ust an update that a colleague and I implemented mod_auth_sspi in Apache. This module support Single Sign on using NTLM.

It was working in Testing for IE (In Intranet Zone); Mozilla when Trusted; And Creo Parametric when homepage starts by pointing at Windchill as Default Page. As well as DTI. (Left to test is WGM and Cad Worker Publishing). Also it is using our Group Filter in AD to properly determine if a user can Log into Windchill.

Unfortunately we have Users in AD as well as WindchillDS.

Researching the internet shows that the SSPI Module can only point at one domain (i.e Active Directory) and not multiple Authentication Sources with Apache 2.2 (which Windchill Uses). We did internet research that shows this was a change in behavior for Apache from Apache 2.1 to 2.2 for Security Reasons and no settings support Multiple AuthTypes for a Single Location. Online Workarounds suggest pointing to two different URLs with One Authenticating to SSPI and one Authenticating to Basic, however all Windchill addresses point to /Windchill and we do not believe we could easily create an alias address for a sub set of users.

This Means while very easy to set up mod_auth_sspi

All Users must be in Active Directory to use SSO with Apache. (So Administrative and External Users need a User in AD)
Windchill will not look at WindchillDS for Users.

Question: Does your Solution with a Shibboleth Module allow you to Authenticate against Multiple Authentication Types? Meaning if your Operating System user is not in the Primary SSO AD, then the Login Prompt would appear, allowing you to enter a User/Password in a Secondary location like WIndchillDS?

Seem to be stuck between Basic Authentication which allows Multiple entries (LDAP AD, WindchillDS Adminstrative, WindchillDS Enterprise, or Multiple other LDAP ADs from other Divisions) and Single Sign On with SSPI that only allows a Single Choice.

Brian Sullivan

rsutherland · ‎Dec 08, 2016

Brian,

Great post. Did you ever get the CAD Worker Publishing working? We are testing double authentication using crypto cards and Shibboleth. Did you manage to get the CAD Worker to run? Did you get Creo 3.0 to use a basic authentication and how?

Thanks.

Robert.

mduffy-2 · ‎May 22, 2017

we have the cad workers all publishing now. Creo was the outlier and it took us a while to figure out that it authenticates differently than the wgm.

BrianSullivan · ‎Jul 18, 2016

Hello Bob,

I have been tasked this week to implement SSO (Single SIgn On) with ADFS (Active Directory Federation Services) which I have never used.

PTC itself does not directly support Single Sign On which is a Problem as SAP and the other 3 Applications they integrated apparantly supply the Step by Step commands required within the ADFS interface.

All I have found at ptc.com is Help which mentions which Authentication Methods Windchill Supports.

Have you or anyone implemented SSO with ADFS and would you be willing to provide your Installation Procedure. (ADS side and changes to Apache/Windchill)

Brian Sullivan

Windchill 10.2 M020

We will implement SSL (Https) as IT Department requires for Integration to ADFS

mduffy-2 · ‎Aug 25, 2016

We have exactly this configuration working in production at my site. We have windchill 10.2 m030 with shibboleth installed in front of Apache, talking to an adfs server for authentication.

We can confirm that this works as a single sign on and the remote_user variable is what the windchill LDAP uses to identify the windchill user.

Both desktop integration and the cad work group managers work with this. So far the only solution that doesn't work is the arbortext integration but that's a back burner for us.

tchao · ‎Nov 16, 2016

We have implemented the SSO in our Test environment using Shibboleth and ADFS. Everything works well, except the following:

1. SSO will only works for IE 11 and Chrome. It will not work for Firefox.

2. Command-line Bulk Upload command will no longer working. (including any customization of bulk upload in WC UI that use the bulk loading command in the background).

3. Running Query report with Excel link will fail.

3. Creo Parameter connecting to your Windchill will also not work with SSO.

The workaround solution we have is to write a SSO Turn On and Turn Off script at Apache level, but it is not perfect! (and it defect the original purpose).

If you can live with the above, you can use the SSO.

Sincerely,

Thomas Chao

mnalla · ‎Jun 12, 2018

hi ,

We are configuring Windchill sso with PingFederate as Identity Provider.

Can anyone please describe the steps to accomplish the task.

ThankYou,

madhu

BrianSullivan · ‎Aug 19, 2019

Hello Thomas,

"The workaround solution we have is to write a SSO Turn On and Turn Off script at Apache level, but it is not perfect! (and it defect the original purpose)."

I have configured SSO Shibboleth SP/Windchill 11.1 to Azure Idp. What I see with SSO set up is that all users must be in the Idp. Meaning Loaders, etc.. or just logging in as a windchillDS user such as wcadmin is impossible.

Would you be able to provide your workaround? Or did you come up with a better solution?

Brian Sullivan

KarDehal · ‎Jun 19, 2020

Thanks for all the helpful information about the path and issues that you've run into.

I'm currently trying to setup a windchill environment use shibboleth to talk to Azure's Active directory.

i've been able to setup shibboleth to talk to azure, but i get the following error:

Single Sign-On for Windchill with Apache, Shibboleth, and ADFS - Has Anyone Done This Before?

Single Sign-On for Windchill with Apache, Shibboleth, and ADFS - Has Anyone Done This Before?