Set Up ThingWorx Navigate with Single Sign-on
On the screens for Single Sign-on, we’ll enter the information for the Windchill server and for connecting to PingFederate.
Before you begin
Take a moment to go over some background on PingFederate. We also recommend reading the PTC Single Sign-on Architecture and Configuration Overview guide before you begin.
Enter the Windchill Server Information
First, let’s connect to Windchill. We recommend configuring Windchill for SSL; the TrustStore screen that follows expects the Windchill SSL certificate.
1. Enter your Windchill server URL:
To connect to a single Windchill server—Make sure the URL follows the format [http or https]://[windchill-host]:[windchill-port]/[windchill-web-app]
For cluster Windchill environments—Enter the URL of the load balancing router. For example, [https]://[LB-host]:[port]/[windchill-web-app]
In Configure ThingWorx Navigate with a Clustered Windchill Environment, see the sections on Single Sign-on environments.
To connect to multiple Windchill systems—For now, connect to a single server. Then, after you complete the initial configuration, follow the manual steps in Configure ThingWorx Navigate to Connect to Multiple Windchill Systems.
2. Click Next.
Provide your TrustStore information for ThingWorx
Before you provide the information on this screen, prepare the correct TrustStore file, depending on whether your Apache Tomcat is configured with SSL:
Apache Tomcat with SSL—Use the same ThingWorx TrustStore file that you used during the installation to configure Apache Tomcat with SSL, and use the keytool utility to import the Windchill SSL certificate into it.
Apache Tomcat without SSL—Create a new ThingWorx TrustStore file with the Java keytool utility, and then import the Windchill SSL certificate into it.
The topic Set Up ThingWorx Navigate with SSL has instructions for generating TrustStore files using the keytool.
Now that you have the TrustStore file prepared, provide the information on the SSO: TrustStore for ThingWorx screen:
1. Next to TrustStore file, click Fetch file, and then browse to your TrustStore file. Make sure the file is in JKS (*.jks) format.
2. Click Open.
3. Next to Password, enter the password for the TrustStore file.
4. Click Next.
Access Token Persistence settings
On this screen, enter the connection details for the database in which ThingWorx persists OAuth access tokens. The host, port, user name, and database name are filled in from your installation settings; enter the password.
IP Address or Host Name
Port
Database Name
User name
Password
Enter the PingFederate Server Information
1. Enter this information for PingFederate:
Hostname—Enter the fully qualified host name for the PingFederate server, such as <hostname.domain.com>.
Runtime port—Provide the PingFederate runtime port. The default is 9031.
2. Click Next.
Provide the information for the Identity Provider (IdP) and Service Provider (SP)
On this screen, provide information from PingFederate. Check your input carefully: the installer does not validate these values, so you won’t get an error here if the information is incorrect, and the mistake surfaces only when SSO login fails.
1. Provide the IdP metadata information for PingFederate:
IdP metadata file—Click Fetch file, and then browse to the IdP metadata file from PingFederate. For example, sso-idp-metadata.xml.
SAML Assertion UserName AttributeName—Accept the default, uid, or enter the name of the assertion attribute that PingFederate sends as the user name. It must match the attribute name configured in the PingFederate SP connection.
2. Enter the information for the ThingWorx Service Provider connection:
SP Connection Entity ID—Enter the value for metadataEntityId. This is the ThingWorx Service Provider connection ID that you provided when you configured the Service Provider connection in PingFederate.
3. Click Next.
SSO Key Manager Settings
Before you enter the information on this screen, prepare the correct KeyStore file and Key Pair:
1. Create an SSO KeyStore file using the Java keytool utility, and in it create a Key Pair using the keytool commands mentioned in Set Up ThingWorx Navigate with SSL.
This Key Pair is the ThingWorx signing certificate. It is an application-layer certificate, so its name does not have to match your ThingWorx host name; for example, ThingWorx.
2. Import the PingFederate signing certificate into the SSO KeyStore file you created in Step 1.
These resources may be helpful:
PTC Single Sign-on Architecture and Configuration Overview guide
The topic “Import Certificates to KeyStore File” in the ThingWorx Help
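The ThingWorx TrustStore and the SSO KeyStore are both built with the JDK keytool, so one worked example serves both passages (Provide your TrustStore information for ThingWorx, and steps 1 and 2 of SSO Key Manager Settings). This is an added example, not a script from PTC or from the ThingWorx product: the file names, aliases and passwords are assumptions, and the stand-in certificates are generated locally so that the script runs offline. In a real environment you fetch the Windchill and PingFederate certificates from the servers (fetch_server_cert below) and check their fingerprints against what the server administrators publish before importing them.

```shell
# Added example, not from the PTC documentation: prepares the two JKS files the
# SSO screens ask for, using the JDK keytool. File names, aliases and passwords
# are illustrative assumptions. The stand-in certificates are constructed test
# data that replace the certificates you would fetch from real servers.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Real-world step: capture the leaf certificate a TLS endpoint (Windchill or
# PingFederate) presents, as PEM. Needs network access; the offline run and
# the test do not use it.
fetch_server_cert() { # host port outfile
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Constructed test data: a self-signed certificate that stands in for a
# server certificate when no server is reachable.
make_stand_in_cert() { # cn outfile
  tmp="$WORKDIR/$1-tmp.p12"
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 1 -alias "$1" \
    -dname "CN=$1" -storetype PKCS12 -keystore "$tmp" -storepass changeit >/dev/null 2>&1
  keytool -exportcert -rfc -alias "$1" -keystore "$tmp" -storepass changeit > "$2" 2>/dev/null
}

# TrustStore for ThingWorx. keytool -importcert creates the JKS file when it
# does not exist (Tomcat without SSL) and appends to it when it does (Tomcat
# with SSL: pass the TrustStore you already configured Tomcat with). -noprompt
# accepts a certificate that does not chain to the JDK cacerts, which is the
# normal case for an internal CA, so verify the fingerprint out of band first.
import_trusted_cert() { # truststore storepass alias pemfile
  keytool -importcert -noprompt -trustcacerts -storetype JKS \
    -keystore "$1" -storepass "$2" -alias "$3" -file "$4" >/dev/null 2>&1
}

# SSO KeyStore: the ThingWorx signing Key Pair. It is an application-layer
# certificate, so the CN does not need to match the ThingWorx host name.
create_signing_keypair() { # keystore storepass alias keypass
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 730 -storetype JKS \
    -alias "$3" -dname "CN=$3" -keystore "$1" -storepass "$2" -keypass "$4" >/dev/null 2>&1
}

# Prints the entry type keytool reports for an alias: PrivateKeyEntry for the
# signing Key Pair, trustedCertEntry for an imported certificate, nothing if
# the alias is absent or the store password is wrong.
alias_entry_type() { # keystore storepass alias
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry|SecretKeyEntry' | head -n 1
}

# End-to-end run with stand-in certificates. For real use, replace the
# make_stand_in_cert calls with fetch_server_cert against your hosts.
main() {
  ts="$WORKDIR/thingworx-truststore.jks"
  ks="$WORKDIR/thingworx-sso-keystore.jks"

  # Screen: SSO: TrustStore for ThingWorx
  make_stand_in_cert windchill "$WORKDIR/windchill.pem"
  import_trusted_cert "$ts" truststorepw windchill "$WORKDIR/windchill.pem"

  # Screen: SSO Key Manager Settings (step 1 key pair, step 2 PingFederate cert)
  create_signing_keypair "$ks" keystorepw thingworx keypairpw
  make_stand_in_cert pingfederate "$WORKDIR/pingfederate.pem"
  import_trusted_cert "$ks" keystorepw pingfederate "$WORKDIR/pingfederate.pem"

  echo "TrustStore $ts: windchill is $(alias_entry_type "$ts" truststorepw windchill)"
  echo "KeyStore   $ks: thingworx is $(alias_entry_type "$ks" keystorepw thingworx)"
  echo "KeyStore   $ks: pingfederate is $(alias_entry_type "$ks" keystorepw pingfederate)"
}

case "${1:-}" in
  run) main ;;
esac
```

Run it with `sh prepare-sso-stores.sh run`. The wizard then takes the two .jks files, their store passwords, and the Key Pair alias (thingworx) and password defined here. Before trusting an imported certificate, compare the fingerprint that `keytool -list -v` shows for its alias with the certificate in the PingFederate IdP metadata file, or with the fingerprint the Windchill administrator publishes.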
Now that you have the correct files and certificates, you can enter the information on the SSO Key Manager Settings screen:
1. Provide your SSO KeyStore information:
KeyStore file—Click Fetch file, and then browse to the JKS (*.jks) file.
KeyStore password—Enter the password you defined above, when you created the KeyStore file.
2. Enter the ThingWorx Key Pair information that you defined above.
Key Pair alias name
Key Pair password
3. Click Next.
Authorization Server Settings
PingFederate serves as your Authorization server.
1. Provide the settings for your PingFederate server:
Authorization Server ID—The ID for your PingFederate server.
Authorization Server Scope—The name of the scope that is registered in PingFederate. For example, SCOPE NAME = WINDCHILL_READ
ThingWorx OAuth Client ID—The OAuth client ID to identify the ThingWorx application to PingFederate.
ThingWorx OAuth Client Secret—The client secret defined for that client in PingFederate.
Client Authentication Scheme—The default is form, which sends the client ID and secret in the body of the token request.
2. Accept the default, Encrypt OAuth refresh tokens, to secure the tokens before they are persisted to the database. We recommend this setting.
3. Click Next.
Summary: Configuration settings
Review the configuration settings. When you’re ready, click Configure.
Success!
ThingWorx Navigate is configured with Single Sign-on. Select the programs to open:
Open ThingWorx Navigate
Open ThingWorx Composer
Then, click Close. You are redirected to the Identity Provider login page. Use your IdP credentials to log in.
Next steps
Your ThingWorx Navigate is installed and licensed, and the basic configuration is complete. The next required step is to grant permission to non-administrative users. Follow the steps in Modify ThingWorx Permissions: Users and Groups.
You can also move on to the optional configurations, such as these:
Connect to SAP
Configure with multiple Windchill systems