Windchill can be configured to participate in single sign-on (SSO) using SAML protocol for user authentication, or OAuth 2.0 protocol for delegated authorization.

For SAML authentication, PTC supports using Shibboleth Service Provider as a SAML client that is configured on the PTC HTTP Server to direct Windchill user authentication to a trusted identity provider. For more information, see Security Assertion Markup Language (SAML) Authentication.

If you have configured SAML authentication for Windchill and your site uses electronic signatures as part of its workflow process, then you can optionally configure the system to require users to provide their credentials before submitting an electronic signature. For more information, see eSignature Validation for SSO Configurations.

For OAuth delegated authorization, Windchill acts as a resource provider to applications or mashups built on the ThingWorx platform. If the user grants the application permission to access their Windchill data, then the application will present an access token to Windchill when requesting data owned by the user. PTC products affix scopes to access tokens to further protect and manage access to resources. In Windchill, scopes must be registered in the securityContext.properties file. For more information, see Establish a Central Authorization Server and Configure OAuth Delegated Authorization.

In the OAuth delegated authorization scenario, PTC supports using PingFederate as a central authorization server (CAS) to manage the trust relationship between PTC products participating in an SSO federation. The CAS issues access tokens and verifies their authenticity to trusted applications. A license for PingFederate is available at no extra cost to Windchill customers that have an active maintenance agreement or a subscription license. Download a supported version of PingFederate from the PTC software download website at https://support.ptc.com/appserver/auth/it/esd/index.jsp. Follow the instructions included in the ZIP file to deploy the PingFederate license file. For installation instructions, refer to PingFederate documentation.

It is possible to configure Windchill to use both SAML authentication and OAuth delegated authorization, the scenarios are not exclusive of the other. If you have enabled OAuth delegated authorization using PingFederate as the CAS, you can optionally use PingFederate as an identity provider (IdP) in the SAML authentication scenario. You also have the option of using a different IdP in your SAML configuration, and using PingFederate as the CAS in the OAuth configuration. Optional configuration instructions for using PingFederate as an IdP are included in Security Assertion Markup Language (SAML) Authentication.

For a full description of supported SSO use cases and the configuration steps required for setting up an SSO federation between PTC products, refer to the PTC Single Sign-on Architecture and Configuration Overview Guide.