Configure ThingWorx Navigate with Windchill Authentication
This option uses Windchill authentication for ThingWorx. A user who opens a ThingWorx Navigate mashup is routed to Windchill for authentication. Once authenticated, the user is routed back to the ThingWorx Navigate mashup. From this point on, the user accesses the ThingWorx Navigate mashup as the user authenticated in Windchill. For technical details, see Architecture of Windchill Authentication.
This configuration requires that the same user exists in both Windchill and ThingWorx. ThingWorx Navigate provides an option to automatically create users in ThingWorx once they have been authenticated in Windchill. If this option is not enabled, users must independently exist in both Windchill and ThingWorx. After creating a user in ThingWorx, the administrator needs to add the user to the specified ThingWorx group so that the user can access the ThingWorx Navigate tasks. For more information, see Modify ThingWorx Permissions.
* Prerequisites for Windchill authentication:
Windchill must be configured with SSL.
We also recommend configuring ThingWorx with SSL.
Windchill authentication uses a 2-way SSL configuration. For more information, see Using SSL for Secure Communication.
Complete the following steps to configure ThingWorx Navigate with Windchill:
1. If EnableSSO appears in platform-settings.json (ThingworxPlatform), set it to false and restart Tomcat.
* If it does not appear in platform-settings.json, and you are using the out-of-the-box platform-settings.json, you can skip to step 2.
2. Open ptc-windchill-integration-connector and select Configuration.
Set Authentication Type to None.
There is no need to fill out Username and Password.
Set the Base URL to https://<Windchill Hostname>:<port>/Windchill/sslClientAuth and click Save.
3. Open ptc-windchill-integration-connector-proxy and select Configuration.
URL: https://<Windchill Hostname>
Set Authentication Type to Session User.
There is no need to fill out Username and Password.
In SSL Connection Configuration specify the path to Keystore and TrustStore information, and add passwords.
In Session User Configuration, verify that wt.effectiveUid is the value of Session User Query Parameter, unless stated otherwise in Windchill.
4. To test the configuration for ThingWorx Navigate, follow these steps:
In ThingWorx Composer, go to ptc-windchill-integration-connector, select Services, and execute the Validate Connection service. The following message confirms a successful connection to the Windchill server: Success - 200-OK - WindchillSwaggerConnector.
To confirm that data can be fetched from the Windchill server, open the URL for the ThingWorx Navigate landing page: http://<host>:<port>/Thingworx/Runtime/index.html?master=PTC.AccessApp.Master&mashup=LandingPageAccessAppMashup
Configuring the PTC Identity Provider Authenticator
The following steps describe how to configure the PTC Identity Provider Authenticator.
1. Select Authenticator under SECURITY in the left navigation pane.
2. Click the ptc-identity-provider-authenticator link to display the general information about the extension. The General Information page opens.
3. On the General Information page, complete the following steps:
a. Select the Enabled checkbox.
b. Enter the value in the Priority field. By default, the priority is 1 indicating that this authenticator is the first authenticator to run.
The value in the Priority field matters if you want several authenticators to perform the check. If the authenticator with a priority of 1 fails, then the next authenticator does the authentication check, and so on.
4. Click Configuration under ENTITY INFORMATION in the left navigation pane:
Use the two options, CreateUserDynamically and HomeMashup, with single sign-on so that users who are authenticated in Windchill are automatically added as users to ThingWorx and assigned a home mashup. When a user opens a browser to ThingWorx for the first time, they will be routed to Windchill for authentication. Once authenticated, a corresponding user is created in ThingWorx and the user is assigned a home mashup. Then the browser is routed to the specified home mashup.
CreateUserDynamically – When selected, configures the authenticator to automatically create a user in ThingWorx if the user does not yet exist and the user has been authenticated by Windchill.
If the authenticator is not configured to automatically create users, the browser is still routed to Windchill for authentication, but fails to open ThingWorx if the user does not exist.
* If the user receives Error Message #500, the user does not exist in ThingWorx.
HomeMashup – Assigns a home mashup to the newly created users. If no home mashup is specified, ThingWorx routes the browser to the ThingWorx search page.
For ThingWorx Navigate, set to LandingPageAccessAppMashup.
5. Ensure that a home mashup value is set for either all dynamically created users using the HomeMashup field (described in the previous step) or for existing users (other than administrative users) on the General Information pages of users. If a home mashup is not set for a general user, that user is redirected to the default ThingWorx search page.
6. Click Save.
Users must be added to specified groups. For more information, see Modify ThingWorx Permissions.
Add Servlet Filters to Tomcat Configuration
With the Windchill IdP authentication filter, an unauthenticated ThingWorx user is redirected to the Windchill login form to enter authentication credentials. After successful authentication, the ThingWorx application receives a key and user name.
The filter is configured on the ThingWorx side in the web.xml that is under the ThingWorx Tomcat installation directory. Use the following steps:
1. Stop Tomcat and Integration Runtime.
2. Copy ptc-identity-provider-authentication-filter-{version}.jar from the idp folder in the ptc-windchill-extension-bundle to the WEB-INF/lib directory that is under the ThingWorx Tomcat installation directory.
3. Go to the web.xml file in: Tomcat-install\webapps\Thingworx\WEB-INF\web.xml.
4. Make a copy of the web.xml file from Tomcat-install\webapps\Thingworx\WEB-INF and save it somewhere else.
5. Replace the web.xml in Tomcat-install\webapps\Thingworx\WEB-INF with web.xml from ptc-windchill-extension-bundle\idp\twx-8.2.x.
6. Open web.xml and add your Windchill Server details in [http or https]://[windchill-host]:[windchill-port]/[windchill-web-app] in the filters: IdentityProviderAuthenticationFilter and IdentityProviderKeyValidationFilter.
7. Start Tomcat and Integration Runtime.
* After defining the value of authparam in web.xml of Windchill, the out-of-the-box value is no longer valid. To fetch the correct data, change the value of Session User Query Parameter in ptc-windchill-integration-connector-proxy.
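A check for step 6, added here as an example and not part of the PTC bundle: it parses web.xml, finds the two IdP filters named above, and reports URL parameters that still contain the bracketed placeholder or that use http, since the prerequisites require Windchill to be configured with SSL. The param-name idpUrl and the host windchill.example.com are constructed for the sample; the check itself reads whatever init-param names the file contains.

```python
import re
import xml.etree.ElementTree as ET

# Filter names are from the page; the param-name "idpUrl" below is hypothetical.
IDP_FILTERS = {"IdentityProviderAuthenticationFilter",
               "IdentityProviderKeyValidationFilter"}
PLACEHOLDER = re.compile(r"\[[^\]]*\]")  # e.g. [windchill-host] left unedited

def local(tag):
    """Drop the XML namespace so any web-app schema version is accepted."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), "")

def check_idp_filters(web_xml_text):
    """Return findings for the two Windchill IdP filters in a web.xml string."""
    root = ET.fromstring(web_xml_text)
    findings, seen = [], set()
    for flt in (e for e in root.iter() if local(e.tag) == "filter"):
        name = child_text(flt, "filter-name")
        if name not in IDP_FILTERS:
            continue
        seen.add(name)
        for p in (e for e in flt if local(e.tag) == "init-param"):
            pname, value = child_text(p, "param-name"), child_text(p, "param-value")
            if "://" not in value:
                continue  # not a URL-valued parameter
            if PLACEHOLDER.search(value):
                findings.append(f"{name}/{pname}: placeholder not replaced")
            elif not value.lower().startswith("https://"):
                findings.append(f"{name}/{pname}: Windchill URL is not https")
    findings += [f"{n}: filter not defined" for n in sorted(IDP_FILTERS - seen)]
    return findings

# Constructed sample web.xml fragment (not the file shipped in the bundle).
def _filter(name, url):
    return (f"<filter><filter-name>{name}</filter-name><init-param>"
            f"<param-name>idpUrl</param-name><param-value>{url}</param-value>"
            f"</init-param></filter>")
SAMPLE = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">'
          + _filter("IdentityProviderAuthenticationFilter",
                    "[http or https]://[windchill-host]:[windchill-port]/[windchill-web-app]")
          + _filter("IdentityProviderKeyValidationFilter",
                    "http://windchill.example.com:80/Windchill")
          + "</web-app>")

if __name__ == "__main__":
    print("\n".join(check_idp_filters(SAMPLE)) or "IdP filter URLs look configured")
```

To check a real installation, pass the text of Tomcat-install\webapps\Thingworx\WEB-INF\web.xml to check_idp_filters before starting Tomcat in step 7.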
Verify Configuration
Both Windchill and ThingWorx need to agree on the name of the administrator user. Consider the following options:
If you have not made changes in Windchill, an administrator user named “Administrator” was created when Windchill was installed. Using a configured ThingWorx system, you can authenticate as that user and have full access rights as the administrator user in ThingWorx.
If you have modified Windchill so that there is not a user named “Administrator,” then you must decide on a username that is common to both Windchill and ThingWorx, and add that user to ThingWorx and the Administrators user group.
To verify the Windchill Authentication configuration, open a browser to the ThingWorx URL. The browser is routed to Windchill for authentication. Provide the Windchill credentials for Administrator (or another user configured to be the ThingWorx administrator). The browser is routed back to ThingWorx, and ThingWorx opens. Verify that you are now running in ThingWorx as that user. This verifies that ThingWorx is configured properly with Windchill Authentication.
If you have selected to have the authenticator automatically create users, test that next. To verify, open a browser to the ThingWorx URL. You are routed to Windchill for authentication. Provide the Windchill credentials of a user that does not exist in ThingWorx. Your browser is routed back to ThingWorx on the page specified as the home mashup. Verify that you are now running as the correct user in ThingWorx.