We are currently working to switch out Windchill systems from Basic authentication to Form Based (SSO) authentication. We are clear with the approach of using Shibboleth as SP and Entra ID AD as IDP & CAS.
But our cyber security team suggested using the Entra ID Application Proxy method for the Windchill SSO, which requires no changes on the Windchill application side.
Application Proxy - https://learn.microsoft.com/en-us/entra/identity/app-proxy/
https://learn.microsoft.com/en-us/entra/identity/app-proxy/how-to-configure-sso
Has anyone tried this approach for Windchill SSO? Can anyone advise on this approach and how reliable it would be with Windchill and its associated integrations?
A couple of things to consider based on my SSO / SAML / Authentication experience (I have not looked into Entra ID Application Proxy before):
1) Regardless of how a user authenticates, InfoEngine still needs to connect to a back-end LDAP v3 compliant - Do they have Entra ID DS? If not, you still need to connect to an enterprise AD on the back end.
2) I would think you would need to configure Apache to accept the username in the header (PTC recommends against this for security reasons), because Apache (as configured for basic authentication w/Windchill) I don't think will just accept a header with a username for authentication.
3) If you plan on using electronic signatures, Windchill creates a browser session with no auth header, then invokes authentication, and compares the authenticated user from the new browser to the WC logged-in user to validate.
4) DTI, WGM, and Creo View all invoke authentication on launch OOTB - you may run into issues here.
Hello @DeekshithV,
It looks like you have a response from a community member. If it helped to answer your question please mark the reply as the Accepted Solution.
Of course, if you have more to share on your issue, please let the Community know so other community members can continue to help you.
Thanks,
Vivek N
Community Moderation Team.