cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - You can change your system assigned username to something more personal in your community settings. X

Siteminder for Authentication to Windchill

KimMilton
1-Newbie
1-Newbie
‎Oct 11, 2012 12:51 PM
‎Oct 11, 2012 12:51 PM

Siteminder for Authentication to Windchill

I am trying to get siteminder to provide authentication to windchill since we require CAC authentication. I have installed siteminder and configured it, but I am unsure of what changes to make so that windchill gets the information and compares those users to the users in WindchillDS. So far the only information I have is to change the following files:

in the webAgent.conf file: EnableWenAgent="YES"

in the app-windchill.conf: #Include conf/extra/app-windchill-Auth.conf

I believe there is more changes to make since I am getting an authorization error when I enable the siteminder web agent. Does anyone know what other changes need to be made to enable windchill to use sitemnder?

Thanks!

Labels:
0 Kudos
Notify Moderator
2 REPLIES 2
rnoah
8-Gravel
8-Gravel
(To:KimMilton)
‎Oct 24, 2014 02:56 AM
‎Oct 24, 2014 02:56 AM

Hi Kim,

i hope this mail finds you well.

i'm having some issues with the same issue. can you, please, suggest how eventualy you overcome the issue ? how did you configured the system to work properly ?

Thanks,

Rami

0 Kudos
Notify Moderator
jessh
5-Regular Member
5-Regular Member
(To:KimMilton)
‎Oct 24, 2014 09:27 AM
‎Oct 24, 2014 09:27 AM

First off, I should note that form-based-authentication is only officially supported in Windchill starting at 10.1 M010 (and thus including 10.2). When configuring any form-based authentication in 10.1 M010 and higher, one should refer to the documentation on this topic in the Windchill help center.

Secondly, the appropriate way to disable Windchill authentication rules in Apache in such releases is via webAppConfig.xml and the disableAuthentication and protocolAuthOnly properties for the web apps in question. disableAuthentication disables all authentication constraints for the given web app (but leaves declarations of anonymously accessible resources/directories in place). protocolAuthOnly disables all authentication constraints for the given web app except for webAppName/protocolAuth/* URLs (and leaves the anonymous declarations as well) -- and is normally much more appropriate. In any cases these changes are most easily done by editing conf/extra/app-<webAppName>.properties files and then running "ant -f webAppConfig.xml regenAllWebApps" from the top-level Apache directory.

Note that in 10.2 the entire web app is configured to require "normal" end-user authentication with exceptions requiring anonymous access (and anonymous access must be allowed for those cases else functionality will break) and protocol-based (as opposed to form-based, for instance) authentication. By contrast, in 10.1 only the specific resources/directories within the web app that require authentication are authenticated. 10.1 and 10.2 were tested with these configurations, so requiring authentication on more of the web app in 10.1 may run into issues.

A more advanced usage would be to edit webAppAuthResToConf.xsl so as to modify the contents of the authentication block generated for each authenticated resource/directory, e.g. to generate some other directives than those for HTTP basic authentication. This is mostly of interest if one is trying to configure 10.1 with another form of Apache-based authentication and trying to require authentication only where it is required out-of-the-box.

Notify Moderator
Top Tags