
Windchill 10.2 Single Sign On

Billy_Johnson
10-Marble


I was asked to look into moving to SSO for Windchill PDMLink 10.2 with Active Directory.

I found information suggesting that a JNDI adapter would make this possible.

Does anyone know of issues that would prevent us from moving towards SSO in this configuration?

Is anyone currently using this configuration in their environment?

 

Thank you,

 

 

2 REPLIES

Integration with Active Directory is a two-part configuration.

  1. Add Active Directory as an auth provider in the web server so that it authenticates the user against AD.
  2. Configure the JNDI adapter to talk to Active Directory to retrieve user attributes (full name, email and so on) after the user is authenticated. Windchill keeps this data in a database table and synchronizes this information periodically. If the user is removed or disabled, the user is marked as disconnected in Windchill.

Best practice is to create an LDAP group for all the Windchill users and filter user access to Windchill by LDAP filter against this group. This will keep the Windchill user table clean as well.

If you are okay managing user accounts both in AD and in local LDAP, you can implement just part #1. It is a hybrid approach many companies follow where they leverage AD for authentication where the rest of the information will be manually loaded in local LDAP. Both approaches have their own pros and cons. I assume you are already using Windchill with local LDAP, so this might be something which you can consider.

 

In any case, I can't think of anything that will prevent you from proceeding with AD integration unless the users wanted to have a dedicated user name and password for Windchill.
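The group-based LDAP filter recommended in the reply above, as an added example that is not part of the original post and not PTC's own configuration. The group DN and directory entries are constructed, and where the filter string is entered in a given Windchill setup is not covered here.

```python
# Added example; the group DN and directory entries below are constructed.
ACCOUNTDISABLE = 0x2                  # userAccountControl bit set on disabled AD accounts
BIT_AND = "1.2.840.113556.1.4.803"    # AD bitwise-AND matching rule OID

GROUP_DN = "CN=Windchill Users (PDM),OU=Groups,DC=example,DC=com"  # hypothetical

SAMPLE_ENTRIES = [  # constructed; 512 = normal account, 514 = normal + disabled
    {"sAMAccountName": "alice", "userAccountControl": 512, "memberOf": [GROUP_DN]},
    {"sAMAccountName": "bob", "userAccountControl": 514, "memberOf": [GROUP_DN]},
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
]


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a DN is safe inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def windchill_user_filter(group_dn):
    """LDAP filter for enabled user objects that are direct members of group_dn.

    memberOf matches direct membership only; nested groups need AD's
    in-chain rule (memberOf:1.2.840.113556.1.4.1941:=<dn>) instead.
    """
    return ("(&(objectCategory=person)(objectClass=user)"
            "(memberOf=%s)"
            "(!(userAccountControl:%s:=%d)))"
            % (escape_filter_value(group_dn), BIT_AND, ACCOUNTDISABLE))


def allowed_users(entries, group_dn):
    """Offline model of what the filter selects, for checking sample entries."""
    selected = []
    for entry in entries:
        in_group = group_dn.lower() in (g.lower() for g in entry.get("memberOf", []))
        disabled = bool(entry.get("userAccountControl", 0) & ACCOUNTDISABLE)
        if in_group and not disabled:
            selected.append(entry["sAMAccountName"])
    return selected


if __name__ == "__main__":
    print(windchill_user_filter(GROUP_DN))
    print(allowed_users(SAMPLE_ENTRIES, GROUP_DN))
```

The parentheses in the sample group name are escaped to `\28` and `\29`; left unescaped they would change the structure of the filter.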

Hello BineshKumar,

 

Thank you for the reply.

 

Yes, I am currently working with WDS and was asked to evaluate the pros and cons of SSO.

I am unclear about one thing, if you don't mind me asking.

Will I still be required to create the user in Windchill or will the account be created when the AD account is created?

My thinking is if an account is created in AD this would create the Windchill account? I know that just because they have an account in Windchill that this does not give them access to content in Windchill until they are assigned to roles, but how does that work with licensing?

 

Thank you for your help.
