Required Configuration Steps for Windchill Authentication
With Windchill authentication, a user who opens ThingWorx Navigate is routed to Windchill for authentication. Then, the user is routed back to ThingWorx Navigate. For the technical details, see Architecture of Windchill Authentication.
Each user must have accounts in both ThingWorx and Windchill. We can automatically create users for you in ThingWorx once they have been authenticated in Windchill. After a user is created in ThingWorx, the administrator must add the user to the specified ThingWorx group so that the user can access the ThingWorx Navigate tasks.
Prerequisites for Windchill authentication:
Windchill must be configured for SSL.
ThingWorx Integration Runtime must be updated with the required Truststore and Keystore files for SSL.
ThingWorx should be configured for SSL. (Recommended)
2–way SSL is configured. For more information, see Using SSL for a Secure Connection.
Add servlet filters to the Apache Tomcat configuration
The Windchill IdP authentication filter redirects an unauthenticated ThingWorx user to the Windchill login form to enter authentication credentials. After successful authentication, the ThingWorx application receives a key and user name.
You can configure the filter on the ThingWorx side in <Tomcat installation directory>\webapps\Thingworx\WEB-INF\web.xml.
1. Stop Apache Tomcat and ThingWorx Integration Runtime.
2. Copy the JAR file to the Tomcat installation directory as follows:
a. Browse to ThingWorx-Navigate-Upgrade-<version>-bundle\idp\.
b. Copy the file ptc-identity-provider-authentication-filter-<version>.jar to this location:
<Tomcat installation location>\webapps\Thingworx\WEB-INF\lib
3. Replace the web.xml in the Tomcat installation directory as follows:
a. Browse to <Tomcat installation location>\webapps\Thingworx\WEB-INF\.
b. Make a copy of web.xml, and then save it in a different location.
c. Browse to ThingWorx-Navigate-Upgrade-<version>-bundle\idp\twx-8.3.x\.
d. Copy the file web.xml to this location:
<Tomcat installation location>\webapps\Thingworx\WEB-INF
4. Open <Tomcat installation location>\webapps\Thingworx\WEB-INF\web.xml in a text editor.
5. Add your Windchill server details in place of [http or https]://[windchill-host]:[windchill-port]/[windchill-web-app] in both filters: IdentityProviderAuthenticationFilter and IdentityProviderKeyValidationFilter.
6. Start Apache Tomcat and Integration Runtime.
7. In ThingWorx Composer, open ptc-windchill-integration-connector-proxy.
8. Click Configuration.
9. Under Content Source Connection Information, for Test connection URL, enter https://<Windchill Hostname>/Windchill/sslClientAuth/servlet/WindchillAuthGW/wt.httpgw.HTTPServer/echo.
10. Click Save.
11. Search for ptc-identity-provider-authenticator, and then open it.
12. Click Configuration.
13. Make sure the check box for CreateUserDynamically is selected.
14. Click Save.
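Before restarting Tomcat, you can check that step 5 was completed in both filters. The following script is an added example, not PTC code: it parses a web.xml and reports any of the two filters that is missing, still contains the bracketed placeholder, or points at Windchill over plain http (flagged here because the prerequisites require Windchill to be configured for SSL). The param-name, host name, and sample file content are constructed assumptions; only the two filter names come from this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REQUIRED = ("IdentityProviderAuthenticationFilter",
            "IdentityProviderKeyValidationFilter")

# Constructed sample: the param-name and host are assumptions for illustration;
# the first filter is left unedited, the second uses plain http.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>IdentityProviderAuthenticationFilter</filter-name>
    <init-param><param-name>exampleUrlParam</param-name>
      <param-value>[http or https]://[windchill-host]:[windchill-port]/[windchill-web-app]</param-value></init-param>
  </filter>
  <filter>
    <filter-name>IdentityProviderKeyValidationFilter</filter-name>
    <init-param><param-name>exampleUrlParam</param-name>
      <param-value>http://plm.example.test:80/Windchill</param-value></init-param>
  </filter>
</web-app>"""

def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def check_web_xml(xml_text):
    """Return a list of findings; an empty list means both filters look configured."""
    root = ET.fromstring(xml_text)
    values = {}  # filter-name -> every param-value text inside that filter
    for flt in (e for e in root.iter() if _local(e.tag) == "filter"):
        name = next(((c.text or "").strip() for c in flt.iter()
                     if _local(c.tag) == "filter-name"), None)
        values[name] = [(c.text or "").strip() for c in flt.iter()
                        if _local(c.tag) == "param-value"]
    findings = []
    for name in REQUIRED:
        # Parameter names are not assumed: any value containing "://" is a URL.
        urls = [v for v in values.get(name, []) if "://" in v]
        if name not in values:
            findings.append(f"{name}: filter not defined")
        elif not urls:
            findings.append(f"{name}: no URL value configured")
        for url in urls:
            if "[" in url or "]" in url:
                findings.append(f"{name}: placeholder left in {url}")
            elif urlsplit(url).scheme != "https":
                findings.append(f"{name}: not HTTPS: {url}")
    return findings
```

To check a real installation, pass the contents of <Tomcat installation location>\webapps\Thingworx\WEB-INF\web.xml to check_web_xml and review each returned finding.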
Verify Configuration
The administrator must have the same user name in Windchill and ThingWorx.
If you have not made changes in Windchill, the administrator user, “Administrator”, was created when Windchill was installed. Using a configured ThingWorx system, you can authenticate as that user and have full access rights as the administrator user in ThingWorx.
If you changed the administrator’s user name, then select a user name that is common to Windchill and ThingWorx, and then add that user to ThingWorx and the Administrators user group.
To verify the Windchill Authentication configuration:
1. Open the ThingWorx URL. You are routed to Windchill for authentication.
2. Provide the Windchill administrator credentials (or another user configured to be the ThingWorx administrator). The browser is routed back to ThingWorx, and ThingWorx Composer opens.
3. Verify that you are now running ThingWorx as the administrator.
Success! ThingWorx is properly configured with Windchill Authentication.
If you set the authenticator to automatically create users, test that next:
1. Open the browser to the ThingWorx URL. You are routed to Windchill for authentication.
2. Provide the Windchill credentials for a user that does not exist in ThingWorx.
3. Your browser is routed back to the ThingWorx home mashup page.
4. Verify that you are now running ThingWorx as the correct user. The user was automatically created.
If the tailoring options and the search results are not working as expected, restart Apache Tomcat and ThingWorx Integration Runtime.