Enclose the value of every property in single quotes.
Property | Description | Default Value |
---|---|---|
global_pingFedProtocol | Specifies the protocol to be used by PingFederate. | global_pingFedProtocol='https' |
global_pingFedAdminUser | Specifies the user name of the PingFederate administrator account. | global_pingFedAdminUser='Administrator' |
Property | Description | Default Value |
---|---|---|
create_pingfed_signing_cert_keyAlgorithm | Specifies the cryptographic formula used to generate a key. | create_pingfed_signing_cert_keyAlgorithm='RSA' |
create_pingfed_signing_cert_keySize | Specifies the number of bits used in the key. | create_pingfed_signing_cert_keySize='2048' |
create_pingfed_signing_cert_signatureAlgorithm | Specifies the signing algorithm of the certificate. | create_pingfed_signing_cert_signatureAlgorithm='SHA256withRSA' |
Property | Description | Default Value |
---|---|---|
PingFederate Runtime SSL Server Certificate: | ||
activate_global_pingFed_admin_certificate_as_runtime | Allows the PingFederate Admin SSL certificate to be installed as the PingFederate Runtime SSL certificate. | activate_global_pingFed_admin_certificate_as_runtime='true' |
The following properties are required only when activate_global_pingFed_admin_certificate_as_runtime='false'. | ||
create_pf_ssl_server_cert_organization | Specifies the organization or company name creating the certificate. | create_pf_ssl_server_cert_organization='ptc' |
create_pf_ssl_server_cert_organizationUnit | Specifies the specific unit within the organization. | create_pf_ssl_server_cert_organizationUnit='ent-sso' |
create_pf_ssl_server_cert_city | Specifies the city or other primary location where the company operates. | create_pf_ssl_server_cert_city='Pune' |
create_pf_ssl_server_cert_state | Specifies the state or other political unit encompassing the location. | create_pf_ssl_server_cert_state='MAH' |
create_pf_ssl_server_cert_validDays | Specifies the time during which the certificate is valid. | create_pf_ssl_server_cert_validDays='36500' |
create_pf_ssl_server_cert_country | Specifies the code of the country where the company is based. The country code is represented by a two-letter code. | create_pf_ssl_server_cert_country='IN' |
create_pf_ssl_server_cert_keyAlgorithm | Specifies the cryptographic formula used to generate a key. | create_pf_ssl_server_cert_keyAlgorithm='RSA' |
create_pf_ssl_server_cert_keySize | Specifies the number of bits used in the key. | create_pf_ssl_server_cert_keySize='2048' |
create_pf_ssl_server_cert_signatureAlgorithm | Specifies the signing algorithm of the certificate. | create_pf_ssl_server_cert_signatureAlgorithm='SHA256withRSA' |
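The two rules stated so far (every value in single quotes, and the `create_pf_ssl_server_cert_*` properties being required when the admin certificate is not reused as the runtime certificate) can be checked before the file is used. The following is an added example, not part of the original page or the product; the `lint_properties` name and the file syntax (one `key='value'` per line, `#` for comment lines) are assumptions.

```python
import re

# Property names below are taken from the tables on this page.
RUNTIME_FLAG = "activate_global_pingFed_admin_certificate_as_runtime"
RUNTIME_CERT_PROPS = [
    "create_pf_ssl_server_cert_" + suffix for suffix in (
        "organization", "organizationUnit", "city", "state", "validDays",
        "country", "keyAlgorithm", "keySize", "signatureAlgorithm")
]
# Assumed file syntax: one key='value' per line, '#' starts a comment line.
LINE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")
QUOTED_RE = re.compile(r"^'([^']*)'$")


def lint_properties(text):
    """Return (props, findings) for the given properties text."""
    props, seen, findings = {}, set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            findings.append(f"line {lineno}: not a key='value' pair")
            continue
        key, value = match.groups()
        seen.add(key)
        quoted = QUOTED_RE.match(value)
        if not quoted:
            findings.append(
                f"line {lineno}: value of {key} is not enclosed in single quotes")
            continue
        props[key] = quoted.group(1)
    # The runtime certificate properties are required only when the admin
    # certificate is not installed as the runtime certificate.
    if props.get(RUNTIME_FLAG) == "false":
        for name in RUNTIME_CERT_PROPS:
            if name not in seen:
                findings.append(f"{name} is required when {RUNTIME_FLAG}='false'")
    return props, findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# runtime certificate settings
activate_global_pingFed_admin_certificate_as_runtime='false'
create_pf_ssl_server_cert_organization='ptc'
create_pf_ssl_server_cert_organizationUnit='ent-sso'
create_pf_ssl_server_cert_city='Pune'
create_pf_ssl_server_cert_state='MAH'
create_pf_ssl_server_cert_validDays=36500
create_pf_ssl_server_cert_country='IN'
create_pf_ssl_server_cert_keyAlgorithm='RSA'
create_pf_ssl_server_cert_keySize="2048"
"""

if __name__ == "__main__":
    for finding in lint_properties(SAMPLE)[1]:
        print(finding)
```
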
Property | Description | Default Value |
---|---|---|
create_sp_connection_type | Specifies the type of connection needed for ThingWorx as the service provider. | create_sp_connection_type='SP' |
create_sp_connection_entityId | Specifies the entity identifier needed for ThingWorx as the service provider. For example, ThingWorx or Windchill RV&S. | create_sp_connection_entityId='TWX_SP' where <SP_name> is TWX, or ILM, or WNC. |
create_sp_connection_name | Specifies the plain-language identifier for the connection with ThingWorx as the service provider. | create_sp_connection_name='TWX_SP' |
create_sp_connection_loggingMode | Specifies the logging mode for the service provider connection. | create_sp_connection_loggingMode='STANDARD' |
create_sp_connection_browserSSO_protocol | Specifies the protocol to support browser-based SSO connection type. | create_sp_connection_browserSSO_protocol='SAML20' |
create_sp_connection_browserSSO_assertion_lifetime_valid_minutes_before | Specifies the amount of time before the assertion was issued during which it is to be considered valid. | create_sp_connection_browserSSO_assertion_lifetime_valid_minutes_before='60' |
create_sp_connection_browserSSO_assertion_lifetime_valid_minutes_after | Specifies the amount of time after the assertion was issued during which it is to be considered valid. | create_sp_connection_browserSSO_assertion_lifetime_valid_minutes_after='480' |
create_sp_connection_browserSSO_saml_identity_mapping | Specifies the way for PingFederate to send a secure token (the assertion) containing user-identity information that the service provider (ThingWorx, Windchill RV&S) can translate, or map, to local user stores. | create_sp_connection_browserSSO_saml_identity_mapping='STANDARD' |
create_sp_connection_browserSSO_attribute_Contract_coreAttribute_name | Specifies the name of the core attribute in the SAML assertion that PingFederate sends as an IdP to the service provider (ThingWorx, Windchill RV&S). | create_sp_connection_browserSSO_attribute_Contract_coreAttribute_name='SAML_SUBJECT' |
create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_name | Specifies the name of the attribute contract, an extended attribute in the SAML assertion that PingFederate sends as an IdP to the service provider (ThingWorx, Windchill RV&S). | create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_name='uid' |
create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_group | Specifies the group of the attribute contract, an extended attribute in the SAML assertion that PingFederate sends as an IdP to the service provider (ThingWorx, Windchill RV&S). | create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_group='group' |
create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_email | Specifies the e-mail of the attribute contract, an extended attribute in the SAML assertion that PingFederate sends as an IdP to the service provider (ThingWorx, Windchill RV&S). | create_sp_connection_browserSSO_attribute_Contract_extendedAttribute_email='email' |
create_sp_connection_browserSSO_attribute_contract_1_key | Specifies the name of the service provider connection for the first attribute contract fulfilled by the IdP adapter. | create_sp_connection_browserSSO_attribute_contract_1_key='uid' |
create_sp_connection_browserSSO_attribute_contract_1_value | Specifies the name of the IdP adapter value used for the fulfillment of the first attribute contract. | create_sp_connection_browserSSO_attribute_contract_1_value='username' |
create_sp_connection_browserSSO_attribute_contract_2_key | Specifies the name of the service provider connection for the second attribute contract fulfilled by the IdP adapter. | create_sp_connection_browserSSO_attribute_contract_2_key='SAML_SUBJECT' |
create_sp_connection_browserSSO_attribute_contract_2_value | Specifies the name of the IdP adapter value used for the fulfillment of the second attribute contract. | create_sp_connection_browserSSO_attribute_contract_2_value='username' |
create_sp_connection_browserSSO_attribute_contract_source | Specifies the data store or directory locations containing information that may be needed for the IdP adapter contract or the token authorization workflow. | create_sp_connection_browserSSO_attribute_contract_source='ADAPTER' |
create_sp_connection_assertion_consumer_service_url | Specifies the URL for the hypertext transfer protocol resource (HTTP resource) that processes SAML protocol messages and returns a cookie representing the information extracted from the message. | create_sp_connection_assertion_consumer_service_url='/Thingworx/saml/SSO' |
create_sp_connection_assertion_consumer_service_binding | Specifies the SAML protocol binding used when returning the response message. | create_sp_connection_assertion_consumer_service_binding='POST' |
create_sp_connection_sign_assertion | Specifies whether the response, logout request, and logout response elements received by the service provider are signed. | create_sp_connection_sign_assertion='true' |
create_sp_connection_sign_auth_requests | Specifies whether the authentication request message sent by the service provider is signed. The metadata of the service provider provides this information. | create_sp_connection_sign_auth_requests='true' |
create_sp_connection_encrypt_entire_assertion | Specifies whether the entire assertion received by the service provider is encrypted. | create_sp_connection_encrypt_entire_assertion='true' |
create_sp_connection_signing_algorithm | Specifies the algorithm that the service provider uses during the signing process. | create_sp_connection_signing_algorithm='SHA256withRSA' |
create_sp_connection_block_encryption_algorithm | Specifies the cipher code of the block encryption algorithm. 'AES_256' is recommended if the Unlimited Strength Java (TM) Cryptography Extension (JCE) Policy Files are installed for both the PingFederate and ThingWorx JRE or JDK. | create_sp_connection_block_encryption_algorithm='AES_128' |
create_sp_connection_key_transport_algorithm | Specifies the key transport algorithm to encrypt the certificate key. | create_sp_connection_key_transport_algorithm='RSA_OAEP' |
Property | Description | Default Value |
---|---|---|
create_access_token_manager_id | Specifies the unique identifier for the instance of the access token manager. | create_access_token_manager_id='default' |
create_access_token_manager_name | Specifies the name for the instance of the access token manager. | create_access_token_manager_name='default' |
create_access_token_manager_attribute_name_1 | Specifies the attribute name for the first access token issued by the access token management instance. | create_access_token_manager_attribute_name='Username' |
create_access_token_manager_attribute_name_2 | Specifies the attribute name for the second access token issued by the access token management instance. | create_access_token_manager_attribute_name='username' |
Property | Description | Default Value |
---|---|---|
create_access_token_mapping_source | Specifies the source of attributes requested from the authorization server. | create_access_token_mapping_source='OAUTH_PERSISTENT_GRANT' |
create_access_token_mapping_value | Specifies the value of attributes requested from the authorization server. | create_access_token_mapping_value='USER_KEY' |
Property | Description | Default Value |
---|---|---|
create_twx_sp_oauth_client_id | Specifies the OAuth client ID to identify the client application. | create_twx_sp_oauth_client_id='twx-sp-client' |
create_twx_oauth_client_name | Specifies the name of the client application. | create_twx_oauth_client_name='twx-sp-client' |
create_twx_oauth_client_auth_type | Specifies the authorization type for the client application to register with the authorization server. | create_twx_oauth_client_auth_type='SECRET' |
create_twx_oauth_client_grantType1 | Specifies the first grant type required by the ThingWorx OAuth client. | create_twx_oauth_client_grantType1='AUTHORIZATION_CODE' |
create_twx_oauth_client_grantType2 | Specifies the second grant type required by the ThingWorx OAuth client. | create_twx_oauth_client_grantType2='REFRESH_TOKEN' |
create_twx_oauth_client_grantType3 | Specifies the third grant type required by the ThingWorx OAuth client. | create_twx_oauth_client_grantType3='ACCESS_TOKEN_VALIDATION' |
create_twx_oauth_client_refreshRolling | Specifies the property that determines if a new refresh token is issued each time a new access token is obtained. | create_twx_oauth_client_refreshRolling='ROLL' |
create_twx_oauth_client_expirationTime | Specifies the validity period of access tokens generated for the client application. | create_twx_oauth_client_expirationTime='30' |
create_twx_oauth_client_expirationTimeUnit | Specifies the unit of measure to specify the validity period of access tokens generated for the client application. | create_twx_oauth_client_expirationTimeUnit='DAYS' |
create_twx_oauth_client_persistent_grant_expiration_type | Specifies the persistent grant expiration settings for client applications. | create_twx_oauth_client_persistent_grant_expiration_type='OVERRIDE_SERVER_DEFAULT' |
Property | Description | Default Value |
---|---|---|
create_wnc_rp_oauth_client_id | Specifies the OAuth client ID to identify the client application. | create_wnc_rp_oauth_client_id='wnc-rp-client' |
create_wnc_oauth_client_name | Specifies the name of the client application to configure Windchill for OAuth delegated authorization. | create_wnc_oauth_client_name='wnc-rp-client' |
create_wnc_oauth_client_auth_type | Specifies the authorization type for the client application to register with the authorization server. | create_wnc_oauth_client_auth_type='SECRET' |
create_wnc_oauth_client_grantType | Specifies the grant type required by the Windchill OAuth client. | create_wnc_oauth_client_grantType='ACCESS_TOKEN_VALIDATION' |
Property | Description | Default Value |
---|---|---|
create_twx_sp_oauth_client_id | Specifies the OAuth client ID to identify the client application. | create_twx_sp_oauth_client_id='ilm-rp-client' |
create_twx_oauth_client_name | Specifies the name of the client application. | create_twx_oauth_client_name='ilm-rp-client' |
create_twx_oauth_client_auth_type | Specifies the authorization type for the client application to register with the authorization server. | create_ilm_oauth_client_auth_type='SECRET' |
create_twx_oauth_client_grantType3 | Specifies the third grant type required by the Windchill RV&S OAuth client. | create_ilm_oauth_client_grantType='ACCESS_TOKEN_VALIDATION' |
Property | Description | Default Value |
---|---|---|
create_auth_policy_contract_name | Specifies the authentication policy contract as the medium to carry user attributes from the customer IdP through PingFederate and onto the service provider. | create_auth_policy_contract_name='sp-policy-contract' |
Property | Description | Default Value |
---|---|---|
create_ldap_datastore_type | Specifies the data store type. | create_ldap_datastore_type='LDAP' |
create_ldap_datastore_ldapType | Specifies the LDAP type. | create_ldap_datastore_ldapType='GENERIC' |
Property | Description | Default Value |
---|---|---|
create_ldap_pcv_id | Specifies the unique identifier of the LDAP password credential validator. | create_ldap_pcv_id='LdapPcv' |
create_ldap_pcv_name | Specifies the name of the LDAP password credential validator. | create_ldap_pcv_name='LdapPcv' |
create_ldap_pcv_pluginDescriptorRef_id | Specifies the unique identifier of describable plug-ins of the LDAP password credential validator. | create_ldap_pcv_pluginDescriptorRef_id='org.sourceid.saml20.domain.LDAPUsernamePasswordCredentialValidator' |
Property | Description | Default Value |
---|---|---|
create_idp_adapter_id | Specifies the unique identifier of the IdP adapter. | create_idp_adapter_id='IdpAdapter' |
create_idp_adapter_name | Specifies the name of the IdP adapter. | create_idp_adapter_name='IdpAdapter' |
create_idp_adapter_pluginDescriptorRef_id | Specifies the authentication plugin that performs the actual authentication with PingFederate as the IdP. It is recommended to use the HtmlFormAuthnAdapter plugin. | create_idp_adapter_pluginDescriptorRef_id='com.pingidentity.adapters.htmlform.idp.HtmlFormIdpAuthnAdapter' |
create_idp_adapter_isPseudonym | Specifies whether the IdP adapter uses pseudonyms for account linking. | create_idp_adapter_isPseudonym='true' |
Property | Description | Default Value |
---|---|---|
create_idp_adfs_connection_type | Specifies the type of connection that is required to configure ADFS as the identity provider. | create_idp_adfs_connection_type='IDP' |
create_idp_adfs_connection_name | Specifies the plain language identifier for the connection with ADFS as the identity provider. | create_idp_adfs_connection_name='ADFS_IDP' |
create_idp_adfs_connection_loggingMode | Specifies the logging mode for the identity provider connection. | create_idp_adfs_connection_loggingMode='STANDARD' |
create_idp_adfs_connection_browserSSO_protocol | Specifies the protocol to support browser-based SSO connection type. | create_idp_adfs_connection_browserSSO_protocol='SAML20' |
create_idp_adfs_connection_browserSSO_saml_identity_mapping | Specifies the way for ADFS to send a secure token (the assertion) that contains user-identity information, which ThingWorx, the service provider, can translate or map to local user stores. | create_idp_adfs_connection_browserSSO_saml_identity_mapping='ACCOUNT_MAPPING' |
create_idp_adfs_connection_assertion_consumer_service_url | Specifies the URL for the hypertext transfer protocol resource (HTTP resource) that processes SAML protocol messages. This URL returns a cookie that represents the information that is extracted from the message. | create_idp_adfs_connection_assertion_consumer_service_url='/adfs/ls/' |
create_idp_adfs_connection_assertion_consumer_service_binding | Specifies the SAML protocol binding that is used when a response message is returned. | create_idp_adfs_connection_assertion_consumer_service_binding='POST' |
create_idp_adfs_connection_signing_algorithm | Specifies the algorithm that the identity provider uses during the signing process. | create_idp_adfs_connection_signing_algorithm='SHA256withRSA' |
create_idp_adfs_uid | Specifies the name of the attribute contract, an extended attribute in the SAML assertion that ADFS will send as an IdP to ThingWorx, the service provider. | create_idp_adfs_uid='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' |
create_idp_adfs_email | Specifies the email address of the attribute contract, an extended attribute in the SAML assertion that ADFS will send as an IdP to ThingWorx, the service provider. | create_idp_adfs_email='http://schemas.xmlsoap.org/claims/EmailAddress' |
create_idp_adfs_group | Specifies the group of the attribute contract, an extended attribute in the SAML assertion that ADFS will send as an IdP to ThingWorx, the service provider. | create_idp_adfs_group='http://schemas.xmlsoap.org/claims/Group' |
Property | Description | Default Value |
---|---|---|
create_idp_saml2_connection_type | Specifies the type of connection that is required to configure Generic SAML2.0 as the identity provider. | create_idp_saml2_connection_type='IDP' |
create_idp_saml2_connection_name | Specifies the plain language identifier for the connection with Generic SAML2.0 as the identity provider. | create_idp_saml2_connection_name='SAML2_IDP' |
create_idp_saml2_connection_loggingMode | Specifies the logging mode for the identity provider connection. | create_idp_saml2_connection_loggingMode='STANDARD' |
create_idp_saml2_connection_browserSSO_protocol | Specifies the protocol to support browser-based SSO connection type. | create_idp_saml2_connection_browserSSO_protocol='SAML20' |
create_idp_saml2_connection_browserSSO_saml_identity_mapping | Specifies the way for Generic SAML2.0 to send a secure token (the assertion) that contains user-identity information that ThingWorx, the service provider, can translate or map to local user stores. | create_idp_saml2_connection_browserSSO_saml_identity_mapping='ACCOUNT_MAPPING' |
create_idp_saml2_connection_assertion_consumer_service_binding | Specifies the SAML protocol binding that is used when a response message is returned. | create_idp_saml2_connection_assertion_consumer_service_binding='POST' |
create_idp_saml2_connection_signing_algorithm | Specifies the algorithm that the identity provider uses during the signing process. | create_idp_saml2_connection_signing_algorithm='SHA256withRSA' |