
Windchill CAC authentication using Shibboleth


Shibboleth instructions can be found at http://support.ptc.com/help/windchill/wc110_hc/whc_en/index.html#page/Windchill_Help_Center%2FWCAdvD....

Step 1: Install Shibboleth 

https://shibboleth.net/downloads/service-provider/latest/


Step 2: Edit shibboleth2.xml <shibboleth_install_directory\etc\shibboleth\shibboleth2.xml>

    <!--
    The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined.
    With IIS, resource requests are mapped by the RequestMapper to an applicationId that
    points into to this section (or to the defaults here).
    -->
    <!-- REMOTE_USER can be anything you want it to be; you will map it in the next file. -->
    <ApplicationDefaults entityID="https://something.organization.com/shibboleth"
        REMOTE_USER="nameid"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
 
        <!--
        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
        Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
        and should be a relative path, with the SP computing the full value based on the virtual
        host. Using handlerSSL="true" will force the protocol to be https. You should also set
        cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
        "false", this makes an assertion stolen in transit easier for attackers to misuse.
        -->
        <!-- If you are using https then you want to set these values; otherwise leave them at their defaults. -->
        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">
            <!--
            Configures SSO for a default IdP. To properly allow for >1 IdP, remove
            entityID property and adjust discoveryURL to point to discovery service.
            You can also override entityID on /Login query string, or in RequestMap/htaccess.
            -->
            <!-- You can find this in the metadata .xml file provided by the IDP; it should look like this: https://something.organization.com/idp -->
            <SSO entityID="https://something.organization.com/idp"
                 discoveryProtocol="SAMLDS" discoveryURL="http://www.w3.org/2000/09/xmldsig#">
              SAML2
            </SSO>
 
            <!-- SAML and local-only logout. -->
            <Logout>SAML2 Local</Logout>
 
            <!-- Administrative logout. -->
            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
 
            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
 
            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
 
            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
 
            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
 
 
        </Sessions>
 
        <!--
        Allows overriding of error template information/filenames. You can
        also add your own attributes with values that can be plugged into the
        templates, e.g., helpLocation below.
        -->
        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>
 
        <!-- Example of locally maintained metadata. -->
        
        <!-- path: file path to the .xml metadata file provided by the IDP -->
        <MetadataProvider type="XML" validate="true" path="C:\...\..."/>
       

 

Step 3: Edit attribute-map.xml file <shibboleth_install_directory\opt\shibboleth\sp\etc\shibboleth\attribute-map.xml>

 

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 
    <!--
    The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
    community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
    few exceptions for newer attributes where the name is the same for both versions. You will
    usually want to uncomment or map the names for both SAML versions as a unit.
    -->
  
    <!-- New standard identifier attributes for SAML. -->
 
    <!--
    The name= needs to match the attribute that you want to capture from the IDP metadata.
    The id= needs to match the value you have in Shibboleth2.xml for REMOTE_USER.
    This is how ours looked:
        <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                        Name="nameid">
    -->
    <Attribute name="nameid" id="nameid">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>

</Attributes>

 

Step 4: Try to load the metadata file
Open CMD.exe

 cd <shibboleth_install_directory>\opt\shibboleth-sp\sbin\

Then run the command:

shibd.exe -check

We had to remove a section from the IDP metadata file in order to load it. We removed:

isDefault="true"

Example:

ResponseLocation="https://<IDP>/saml/idp/profile/post/slr" isDefault="true"> </SingleLogoutService>

 

Step 5:
Generate your metadata file to give to the IDP.  We had to edit it.
Go to https://<URL>/Shibboleth.sso/Metadata
This will automatically download your auto-generated metadata template.

 

<!--
This is example metadata only. Do *NOT* supply it as is without review,
and do *NOT* provide it in real time to your partners.
 -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_84bd9ad18d0fbc9c2b89e3ff32220bcc31ba9982" entityID="entityID you supplied in shibboleth2.xml (not the IDP entityID)">
 
  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  </md:Extensions>
 
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://localhost/Shibboleth.sso/Login"/>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://localhost/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName><computer’s name></ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=<computer’s name></ds:X509SubjectName>
          <ds:X509Certificate>(**REMOVED**)</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName><computer’s name></ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=<computer’s name></ds:X509SubjectName>
          <ds:X509Certificate>(**REMOVED **)</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://<URL (NOT LOCALHOST)>/Shibboleth.sso/Artifact/SOAP" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://<URL (NOT LOCALHOST)>/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://<URL (NOT LOCALHOST)>/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<URL (NOT LOCALHOST)>/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://<URL (NOT LOCALHOST)>/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<URL (NOT LOCALHOST)>/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://<URL (NOT LOCALHOST)>/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://<URL (NOT LOCALHOST)>/Shibboleth.sso/SAML2/Artifact" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://<URL (NOT LOCALHOST)>/Shibboleth.sso/SAML2/ECP" index="4"/>
 
 
    <md:AttributeConsumingService index="1">
      <!-- example for the required attribute: nameID -->
      <md:RequestedAttribute FriendlyName="nameid"
          Name="nameid"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
          isRequired="true" />
    </md:AttributeConsumingService>
 
  </md:SPSSODescriptor>
 
</md:EntityDescriptor>
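Steps 2 and 3 hinge on three values agreeing: REMOTE_USER in shibboleth2.xml, the id= and name= of the Attribute in attribute-map.xml, and the Name of the saml:Attribute the IdP actually sends. If any of them drift apart the login succeeds at the SAML layer but Windchill never sees a user name. The following Python script is an added example, not code from the original post, PTC or the Shibboleth project; the three XML fragments in it are constructed from the snippets above, and it matches elements by local name so it works whichever SPConfig namespace your shibboleth2.xml declares. It also shows why an unquoted entityID value (a common copy-paste slip) fails to parse, and flags the handlerSSL/cookieProps settings the post recommends for https sites.

```python
# Added example (not from the original post, PTC or the Shibboleth project):
# cross-check the identifier wiring between shibboleth2.xml, attribute-map.xml
# and the saml:Attribute the IdP sends. All three XML fragments below are
# constructed for the example.
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an ElementTree namespace prefix: '{ns}Foo' -> 'Foo'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, local_name):
    """All elements under (and including) root with this local name, namespace ignored."""
    return [el for el in root.iter() if _local(el.tag) == local_name]


def well_formed(xml_text):
    """True if the text parses as XML; entityID=https://... without quotes does not."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


# Constructed shibboleth2.xml fragment (the real file has a larger SPConfig root).
SHIB2_XML = """<SPConfig>
  <ApplicationDefaults entityID="https://something.organization.com/shibboleth"
      REMOTE_USER="nameid"
      cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://something.organization.com/idp">SAML2</SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed attribute-map.xml.
ATTRIBUTE_MAP_XML = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="nameid" id="nameid">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
</Attributes>"""

# Constructed: the saml:Attribute element as the IdP describes/sends it.
IDP_ATTRIBUTE_XML = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                  Name="nameid"/>
</saml:AttributeStatement>"""


def check_identifier_wiring(shib2_xml, attr_map_xml, idp_attr_xml):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    app = _find_all(ET.fromstring(shib2_xml), "ApplicationDefaults")[0]

    # attribute-map.xml: id (name the SP exposes, e.g. as REMOTE_USER)
    #                    -> name (attribute name the IdP sends)
    id_to_name = {a.get("id"): a.get("name")
                  for a in _find_all(ET.fromstring(attr_map_xml), "Attribute")}
    idp_names = {a.get("Name")
                 for a in _find_all(ET.fromstring(idp_attr_xml), "Attribute")}

    # REMOTE_USER may list several ids in preference order, space separated.
    for rid in app.get("REMOTE_USER", "").split():
        if rid not in id_to_name:
            problems.append(f"REMOTE_USER '{rid}' has no <Attribute id=\"{rid}\"> in attribute-map.xml")
        elif id_to_name[rid] not in idp_names:
            problems.append(f"attribute-map name '{id_to_name[rid]}' is not an attribute the IdP sends")

    # Session hardening the post recommends for https sites.
    for sessions in _find_all(app, "Sessions"):
        if sessions.get("handlerSSL") != "true":
            problems.append('Sessions handlerSSL should be "true" on an https site')
        if sessions.get("cookieProps") != "https":
            problems.append('Sessions cookieProps should be "https" on an https site')
    return problems


if __name__ == "__main__":
    report = check_identifier_wiring(SHIB2_XML, ATTRIBUTE_MAP_XML, IDP_ATTRIBUTE_XML)
    for line in report or ["OK: identifier wiring is consistent"]:
        print(line)
```

To run it against a real installation, read the two files from the paths given in Steps 2 and 3 and paste the saml:Attribute element from the IdP's metadata into the third argument; a non-empty list is the mismatch to fix before running shibd.exe -check.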

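For Steps 4 and 5, here is an added Python example (not from the original post, PTC or the Shibboleth project) that applies the two metadata edits the post describes: stripping isDefault from SingleLogoutService elements in the IdP metadata so that validate="true" accepts the file, and flagging localhost Locations in the SP's auto-generated metadata, which appear when /Shibboleth.sso/Metadata is fetched on the server itself (the SP computes handler URLs from the virtual host of the request, as the Sessions comment in shibboleth2.xml notes). Both metadata documents are constructed for the example; idp.example.test and sp.example.test are placeholder hostnames.

```python
# Added example (not from the original post, PTC or the Shibboleth project):
# the two metadata fix-ups from Steps 4 and 5, done with ElementTree.
# Both metadata documents below are constructed for the example.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when re-serialising

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://something.organization.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/idp/profile/post/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/idp/profile/post/slo"
        ResponseLocation="https://idp.example.test/saml/idp/profile/post/slr"
        isDefault="true"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://something.organization.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
          Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
          Location="https://localhost/Shibboleth.sso/Login"/>
    </md:Extensions>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def strip_isdefault_from_slo(metadata_xml):
    """Remove isDefault from every md:SingleLogoutService.

    The metadata schema's EndpointType (the type of SingleLogoutService) has no
    isDefault attribute; only indexed endpoints such as AssertionConsumerService
    do, so a validating MetadataProvider rejects the file until it is gone.
    Returns (fixed_xml, number_of_attributes_removed).
    """
    root = ET.fromstring(metadata_xml)
    removed = 0
    for slo in root.iter(f"{{{MD_NS}}}SingleLogoutService"):
        if "isDefault" in slo.attrib:
            del slo.attrib["isDefault"]
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def find_localhost_endpoints(metadata_xml):
    """(local element name, Location) for every endpoint whose host is local.

    An IdP can never send a browser back to these, so each hit must be
    rewritten to the SP's public hostname before the file goes to the IdP.
    """
    hits = []
    for el in ET.fromstring(metadata_xml).iter():
        loc = el.get("Location")
        if loc and urlparse(loc).hostname in LOCAL_HOSTS:
            hits.append((el.tag.rsplit("}", 1)[-1], loc))
    return hits


if __name__ == "__main__":
    fixed, n = strip_isdefault_from_slo(IDP_METADATA)
    print(f"removed {n} isDefault attribute(s) from SingleLogoutService")
    for name, loc in find_localhost_endpoints(SP_METADATA):
        print(f"localhost endpoint in {name}: {loc}")
```

Write the text returned by strip_isdefault_from_slo to the file named in the MetadataProvider path= attribute and re-run shibd.exe -check; run find_localhost_endpoints over the downloaded SP metadata before sending it to the IdP.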
 

 

 


Re: Windchill CAC authentication using Shibboleth

Good Post.

I am going to do something similar: Shibboleth Service Provider with Windchill to our Identity Provider, Microsoft Azure.

 

Q1: PTC Help gives an example with "uid"; how did you determine to use "nameid"?

Q2: You did not add any additional attributes... did the Attribute Mapping File provide enough information to Windchill? Meaning, if you look at a user in Windchill, do you see First Name, Last Name, Email Address?
