SSO configuration error (Thingworx Navigate1.8+Windchill+Pingfederate)

Question

Hi,
 
I am using automated script for pingfederate , after configured my thingworx and windchill.When starting thingworx , I got the following error:
 
2019-01-04 14:32:14.579+0800 [L: ERROR] [O: o.o.s.m.p.SignatureValidationFilter] [I: ] [U: ] [S: ] [T: Metadata-reload] Signature trust establishment failed for metadata entry tom.wcserver.com
2019-01-04 14:32:14.579+0800 [L: ERROR] [O: o.o.s.m.p.AbstractReloadingMetadataProvider] [I: ] [U: ] [S: ] [T: Metadata-reload] Error filtering metadata from D:\THINGW~1\THINGW~2\SSOSEC~1\PF_IDP_metadata.xml
2019-01-04 14:32:14.579+0800 [L: ERROR] [O: o.o.s.m.p.AbstractReloadingMetadataProvider] [I: ] [U: ] [S: ] [T: Metadata-reload] Error occurred while attempting to refresh metadata from 'D:\THINGW~1\THINGW~2\SSOSEC~1\PF_IDP_metadata.xml'
2019-01-04 14:32:14.594+0800 [L: ERROR] [O: o.o.s.m.p.AbstractMetadataProvider] [I: ] [U: ] [S: ] [T: Metadata-reload] Metadata provider failed to properly initialize, fail-fast=true, halting
tom.wcserver.com is the FQDN of my  vmware environment , I installed pingfederate, thingworx navigate and Windchill in the same machine. Both thingworx and windchill using http instead of https.
 
Could you please tell me where I am wrong? Which direction should I look for?  Honestly, I don't truly understand the ssl trust relationship between CAS, SP and RP, after reading all kinds of related documents I am still confusing. 
 
Thanks for your help.
Tom

barko · Accepted Answer

When a user first requests access from a web server using a browser, the web server sends the familiar log in page as a pop up asking for credentials. The browser displays the pop up page and waits for a human user to respond to it. An application like ThingWorx is not a browser, so it cannot respond to a pop up like that, and needs to establish the trust relationship with the Windchill server in some other way that does not involve the intervention of a user. The mechanism that ThingWorx uses for this is known as 2-way authentication. This involves the server (Windchill) and the client (ThingWorx) exchanging SSL certificates. The ThingWorx certificate must have a specific attribute, Extended Key Usage (EKU), set with a value of “clientAuthentication”. When ThingWorx submits its certificate, Windchill validates it and based upon the results of the validation, either grants access to resources (most often a search of the Windchill database or index), or if the validation fails Windchill denies access. A successful validation establishes the trust relationship between Windchill and ThingWorx.

To access the certificate validation functionality, Windchill (and HTTPServer) must be “configured for SSL”, so it can use the HTTPS protocol. The HTTP protocol will not invoke certificate validation. So, at a minimum Windchill must be configured for SSL. PingFederate complicates the process, and also uses certificates in a similar manner. I suggest that you first try to configure Windchill Authentication in ThingWorx before attempting to configure PingFederate. That will give you some experience using certificates, which will help when you attempt to introduce PingFederate into the infrastructure.

Navigate 1.8 introduced an installer for fresh installs on a server that does not have Tomcat, ThingWorx and Navigate already installed on it. This installer sets up Fixed Authentication, but does not complete the configuration necessary for Windchill Authentication or for PingFederate, and manual steps are required to complete those configurations. The steps are detailed in the installation guide, and are the same general steps that were required for configuring Navigate 1.7, if you are familiar with those.

Sign up

Please use your PTC eSupport account.

Welcome to the PTC Community

Please use your PTC eSupport account.

Scanning file for viruses.

This file cannot be downloaded