1-Visitor
January 10, 2020
Solved

Technically, what is the difference between Windchill authentication and SSO with PingFederate?

  • January 10, 2020
  • 1 reply
  • 4018 views

I am in a dilemma as to why exactly I should configure SSO with PingFederate for a production server when Windchill authentication itself does the work. Can anyone here who has successfully implemented SSO with PingFederate tell me the exact difference between Windchill authentication and the SSO configuration when installing Navigate with PingFederate?

Best answer by barko

1 reply

16-Pearl
January 13, 2020

Windchill Authentication provides SSO for Windchill only, while PingFederate provides SSO across most PTC products. PingFederate is considered by IT Security people to be the “most secure”, while Windchill Authentication security is considered “adequate” for most situations including Production environments. Windchill Authentication is much simpler to configure, which in many cases has been the deciding factor.


Technically, Windchill Authentication uses SSL 2-way certificate authentication meaning that the ThingWorx application authenticates as a client to Windchill using specially configured SSL certificates and keystores. Once ThingWorx has a connection to Windchill, permissions are established for each request by (automatically) providing the name of the user. In PingFederate, SAML is used to obtain an “assertion” from the LDAP Identity Provider that the user is authenticated, and then OAuth is used to obtain a token with delegated permissions from the user that ThingWorx is authorized to act on his behalf when requesting data from Windchill. The OAuth token is validated between Windchill and PingFederate for each data request without further interaction with the user.
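
The certificate-based exchange described in this reply, as an added example that is not part of the original thread and not PTC code: a stand-in for Windchill that requires and verifies a client certificate and then trusts the user name the caller supplies, and a stand-in for ThingWorx that presents its certificate together with that name. The in-memory certificates, the CN thingworx, the header name X-Delegated-User and the request path are all constructed for the example, not PTC configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// userHeader is a hypothetical header carrying the end user's name from the
// middle tier (ThingWorx) to the resource server (Windchill); not a PTC name.
const userHeader = "X-Delegated-User"

// selfSignedCert builds an in-memory client certificate for the example; in a
// deployment this is the certificate in the keystore configured on the ThingWorx side.
func selfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// newWindchillServer stands in for Windchill: the TLS layer requires a client
// certificate that verifies against the trusted one, and the handler also pins
// its CN before honouring the user name the middle tier asserts.
func newWindchillServer(trusted *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 ||
			r.TLS.PeerCertificates[0].Subject.CommonName != trusted.Subject.CommonName {
			http.Error(w, "client certificate not trusted", http.StatusForbidden)
			return
		}
		// From here on the user name is taken on the client certificate's word.
		fmt.Fprintf(w, "user=%s", r.Header.Get(userHeader))
	})
	srv := httptest.NewUnstartedServer(h)
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS() // httptest supplies the server's own localhost certificate
	return srv
}

// callWindchill stands in for ThingWorx: it trusts the server certificate and,
// when given one, presents a client certificate plus the end user's name.
func callWindchill(srv *httptest.Server, clientCert *tls.Certificate, user string) (int, string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	req, err := http.NewRequest(http.MethodGet, srv.URL+"/Windchill/servlet/odata", nil) // hypothetical path
	if err != nil {
		return 0, "", err
	}
	req.Header.Set(userHeader, user)
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err // a missing or untrusted client certificate fails here
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	trusted, err := selfSignedCert("thingworx")
	if err != nil {
		panic(err)
	}
	srv := newWindchillServer(trusted.Leaf)
	defer srv.Close()
	fmt.Println(callWindchill(srv, &trusted, "alice"))
	rogue, _ := selfSignedCert("rogue")
	_, _, err = callWindchill(srv, &rogue, "alice")
	fmt.Println("untrusted client cert:", err)
}
```

Run it and the first call succeeds while the call with an unrelated certificate fails at the TLS handshake, before any request reaches the handler. Note what the server does and does not learn: the handshake proves which application is calling, but in this setup the user name after that is whatever the caller asserts, so the ThingWorx keystore holding the client certificate is the asset to protect.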

Vinay_S (1-Visitor, Author)
January 14, 2020
Hi Barko,
So the basic difference is: when we have multiple applications like ADS which actively or passively participate in the SSO process, we need the SSO configuration for Navigate with Windchill. When we are using Windchill with Navigate alone, Windchill authentication (two-way security authentication) is sufficient.
In scenarios where an advanced security measure is mandatory, we require PingFederate.

Is this correct? Also are there any other differences apart from this?
barko (16-Pearl, Answer)
January 14, 2020

Any LDAP that works with Windchill will work with Windchill Authentication. The multiple applications that can be accessed with PingFederate SSO are things like Flex, Arbortext, etc. from PTC, as well as Windchill. Windchill Authentication only provides SSO functionality with Windchill.


From a security standpoint, you or your IT management must decide on an acceptable level of risk and what you will invest in time and effort to meet that. PingFederate uses the industry standard SAML and OAuth protocols, but requires complex time-consuming configuration. Windchill Authentication uses the 2-way SSL authentication method defined in the Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246), which is also an industry standard, and is generally easier and quicker to configure.