cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - You can Bookmark boards, posts or articles that you'd like to access again easily! X

Windchill SSO with Shibboleth and Okta

Dan_WC_EDA
4-Participant

Windchill SSO with Shibboleth and Okta

Hello, 

 

I’m trying to implement SSO in our PTC Windchill environment using Shibboleth as the Service Provider and our Identity Provider is Okta.

 

I'm basing my configs off of OKTA SSO and Windchill - PTC Community but I'm getting errors. I will admit I'm not fully sure what I'm doing, so I've basically taken the configs from that post, changed the URLs to our own okta site id's (after working with our Okta admin on that part) but I seem to be missing something. 

 

I’ve been able to get Shibboleth to call out to okta when I try logging into Windchill, but once I log into Okta, I get this error message:

<faultcode>S:Server</faultcode>

<faultstring>Error processing request.</faultstring>

 

Looking at the shibd.log, I see these errors when there’s a login failure:
2023-11-09 14:00:03 WARN OpenSAML.MessageDecoder.SAML2SOAP [2] [default]: ignoring incorrect content type (application/x-www-form-urlencoded)

2023-11-09 14:00:03 ERROR Shibboleth.ArtifactResolution.SAML2 [2] [default]: error while processing request: Invalid content type for SOAP message.

 

I've also been following PTC Windchill Help Center for other configs like the bindingTemplate.html (which also might not be correct), but i'm still stuck. I dont think its the windchill configs that are the issue, as the log in credentials dont seem to be getting passed Shibboleth. 

 

Does anyone have any examples of the Shibboleth configs for integrating with Okta? 

I can share my configs as well if needed. 

 

Thank you,
Dan

 

 

5 REPLIES 5

Have you done a SAML trace? There is a firefox / chrome plugin called SAML tracer, and you can see the messages being sent. 

Dan_WC_EDA
4-Participant
(To:jbailey)

Yes, i've done a SAML trace. 

I dont know how to use that info correctly tho, Do I base the attribute-map.xml file off that? 

Or is that something I'd need to tweak in the Shibboleth2.xml file? 

I can keep trying things all day (which I have for many days now) so that's I was hoping for an example I can base our setup on. 

Could you send me the results of the saml trace in a message?.

 

Attribute-map.xml is used to match the attribute name (or OID) from the assertion to the attribute name in shibboleth. The meat of your configuration is in shibboleth2.xml, apache conf, and a couple of xconfmanager commands.

Dan_WC_EDA
4-Participant
(To:jbailey)

Sure thing, you should see that shortly. 

Replied... If what I suggested helps, we can reply on here in generic terms the solution

Announcements


Top Tags