Hello,
I’m trying to implement SSO in our PTC Windchill environment using Shibboleth as the Service Provider and our Identity Provider is Okta.
I'm basing my configs off of OKTA SSO and Windchill - PTC Community but I'm getting errors. I will admit I'm not fully sure what I'm doing, so I've basically taken the configs from that post, changed the URLs to our own Okta site IDs (after working with our Okta admin on that part) but I seem to be missing something.
I’ve been able to get Shibboleth to call out to okta when I try logging into Windchill, but once I log into Okta, I get this error message:
<faultcode>S:Server</faultcode>
<faultstring>Error processing request.</faultstring>
Looking at the shibd.log, I see these errors when there’s a login failure:
2023-11-09 14:00:03 WARN OpenSAML.MessageDecoder.SAML2SOAP [2] [default]: ignoring incorrect content type (application/x-www-form-urlencoded)
2023-11-09 14:00:03 ERROR Shibboleth.ArtifactResolution.SAML2 [2] [default]: error while processing request: Invalid content type for SOAP message.
I've also been following PTC Windchill Help Center for other configs like the bindingTemplate.html (which also might not be correct), but I'm still stuck. I don't think it's the Windchill configs that are the issue, as the login credentials don't seem to be getting past Shibboleth.
Does anyone have any examples of the Shibboleth configs for integrating with Okta?
I can share my configs as well if needed.
Thank you,
Dan
Have you done a SAML trace? There is a Firefox / Chrome plugin called SAML tracer, and you can see the messages being sent.
Yes, I've done a SAML trace.
I don't know how to use that info correctly though. Do I base the attribute-map.xml file off that?
Or is that something I'd need to tweak in the Shibboleth2.xml file?
I can keep trying things all day (which I have for many days now), so that's why I was hoping for an example I can base our setup on.
Could you send me the results of the SAML trace in a message?
Attribute-map.xml is used to match the attribute name (or OID) from the assertion to the attribute name in Shibboleth. The meat of your configuration is in shibboleth2.xml, Apache conf, and a couple of xconfmanager commands.
Sure thing, you should see that shortly.
Replied... If what I suggested helps, we can reply on here with the solution in generic terms.
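The attribute-map.xml matching described in the reply above, as an added example that is not part of the original thread or of anyone's actual configuration: it reads a decoded SAML Response (as shown in a SAML trace), lists the attributes the IdP released, and writes the matching `<Attribute>` rules. The sample response and the local ids (`uid`, `mail`) are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"

# Constructed sample shaped like a decoded SAML Response copied from a trace.
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="uid" NameFormat="{FMT}basic">
   <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{FMT}uri">
   <saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups">
   <saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

def assertion_attributes(xml_text):
    """Return [(Name, NameFormat)] for each attribute the IdP released."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD found in SAML message; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; attributes are not visible in the trace")
    return [(a.get("Name"), a.get("NameFormat", FMT + "unspecified"))
            for a in root.iterfind(".//saml:Attribute", NS)]

def attribute_map(xml_text, ids):
    """Build attribute-map.xml text; ids maps assertion Name -> local SP id.
    Returns (xml, unmapped_names) so attributes without a rule are reported."""
    lines, unmapped = ['<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">'], []
    for name, fmt in assertion_attributes(xml_text):
        if name not in ids:
            unmapped.append(name)
            continue
        rule = f"    <Attribute name={quoteattr(name)} id={quoteattr(ids[name])}"
        # The SP matches uri/unspecified names when nameFormat is omitted;
        # any other NameFormat (e.g. basic) has to be stated on the rule.
        if fmt not in (FMT + "uri", FMT + "unspecified"):
            rule += f" nameFormat={quoteattr(fmt)}"
        lines.append(rule + "/>")
    return "\n".join(lines + ["</Attributes>"]), unmapped

if __name__ == "__main__":
    xml, unmapped = attribute_map(SAMPLE, {"uid": "uid", "urn:oid:0.9.2342.19200300.100.1.3": "mail"})
    print(xml)
    print("no rule for:", unmapped)
```

Attributes reported as unmapped are the ones the SP would drop because no rule names them.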