Set User Properties
You must specify values of properties in the user.properties file according to your business requirements. This file is located in <PINGFEDERATE_SCRIPT_HOME>, the directory where you saved the automation scripts for the PingFederate configuration.
Note: Enclose the value of every property in single quotes.
The user.properties file contains settings for the properties described in the following sections, each with a description and an example value.
Global user properties—Applicable to any IdP configuration
PingFederate connectivity
The following table describes the properties you must specify to configure connectivity with PingFederate and an example for each property.

global_pingFedHost
  Description: Specifies the fully qualified domain name on which the PingFederate administrative console runs. The format of the property value is <server fqdn>.
  Example: global_pingFedHost='pingfed.yourorg.com'

global_pingFedAdminPort
  Description: Specifies the port on which the PingFederate administrative console runs. The format of the property value is <server port>.
  Example: global_pingFedAdminPort='9999'

global_pingFedIdpEntityId
  Description: Specifies the unique identifier for the Security Assertion Markup Language 2.0 (SAML 2.0) entity that represents PingFederate.
  Example: global_pingFedIdpEntityId='ptc-pingfed'

global_pingFed_admin_certificate
  Description: Specifies the file name of the Secure Sockets Layer (SSL) certificate file that the automation scripts trust when making admin API calls. Specifying a value for this property is optional but recommended, because the certificate enables secure SSL communication between PingFederate and the scripts.
  Note: If you use a certificate signed by a local root certificate authority (CA) rather than a self-signed certificate, you must place the local root CA certificate in the <PINGFEDERATE_SCRIPT_HOME>/input directory and specify the local root CA certificate as the value of this property.
  Example: global_pingFed_admin_certificate='pingfed_admin_ssl.crt'
SSL certificates for the application layer (SAML encryption and signing)
The following table describes the properties you must specify to configure SSL certificates for the application layer (SAML encryption and signing) and an example for each property. For more information, see “Manage digital signing certificates and decryption keys” in the PingFederate documentation.

create_pingfed_signing_cert_organization
  Description: Specifies the organization or company name creating the certificate.
  Example: create_pingfed_signing_cert_organization='ptc'

create_pingfed_signing_cert_organizationUnit
  Description: Specifies the unit within the organization.
  Example: create_pingfed_signing_cert_organizationUnit='ent-sso'

create_pingfed_signing_cert_city
  Description: Specifies the city or other primary location where the company operates.
  Example: create_pingfed_signing_cert_city='Blaine'

create_pingfed_signing_cert_state
  Description: Specifies the state or other political unit encompassing the location.
  Example: create_pingfed_signing_cert_state='MN'

create_pingfed_signing_cert_country
  Description: Specifies the two-letter code of the country where the company is based.
  Example: create_pingfed_signing_cert_country='US'

create_pingfed_signing_cert_validDays
  Description: Specifies the number of days for which the certificate is valid.
  Example: create_pingfed_signing_cert_validDays='36500'
Service provider connection
The following table describes the properties you must specify to configure connectivity with the service provider and an example for each property. For more information, see “SP connection management” in the PingFederate documentation.

create_sp_connection_baseUrl
  Description: Specifies the base URL that hosts the server for your service provider. The format of the property value is https://<server fqdn>:<server port>.
  Example: create_sp_connection_baseUrl='https://thingworx.yourorg.com:8443'
  Note: The service provider can be ThingWorx, Windchill RV&S, or Windchill.

create_sp_connection_input_sign_verif_cert
  Description: Specifies the file name of the certificate used to verify the digital signature of the incoming SAML token.
  Example: create_sp_connection_input_sign_verif_cert='twx_sp_signing.crt'
  Note: The name specific to the service provider (<name specific to sp>) can be twx, ilm, or wnc.

create_sp_connection_entityId
  Description: Specifies the unique identity of your service provider. The format of the property value is https://<server fqdn>:<server port>/saml/metadata.
  Example (specific to Windchill RV&S): create_sp_connection_entityId='https://integrity.yourorg.com:8443/saml/metadata'
OAuth client connections with ThingWorx as the service provider
The following table describes the properties you must specify to configure OAuth client connections with ThingWorx as the service provider and an example for each property. For more information, see “Configuring OAuth clients” in the PingFederate documentation.

create_twx_sp_oauth_client_description
  Description: Specifies the description of what the client application does. This description appears when the user is prompted for authorization.
  Example: create_twx_sp_oauth_client_description='Thingworx service provider OAuth client.'

create_twx_sp_oauth_client_auth_secret_value
  Description: Specifies the OAuth client secret.
  Example: create_twx_sp_oauth_client_auth_secret_value='twx-sp-client_1234'

create_twx_sp_oauth_client_redirectURI
  Description: Specifies the URI to which the OAuth authorization server may redirect the resource owner's user agent after authorization is obtained. The format of the property value is https://<server fqdn>:<server port>/Thingworx/oauth2_authorization_code_redirect.
  Example: create_twx_sp_oauth_client_redirectURI='https://thingworx.yourorg.com:8443/Thingworx/oauth2_authorization_code_redirect'
OAuth client connections with Windchill as the resource server
The following table describes the properties you must specify to configure OAuth client connections with Windchill as the resource server and an example for each property. For more information, see “Configuring OAuth clients” in the PingFederate documentation.

create_wnc_oauth_client_description
  Description: Specifies the description of what the client application does. This description appears when a user is prompted for authorization.
  Example: create_wnc_rp_oauth_client_description='Windchill resource server OAuth client.'

create_wnc_oauth_client_auth_secret_value
  Description: Specifies the OAuth client secret.
  Example: create_wnc_rp_oauth_client_auth_secret_value='wnc-rp-client_1234'
OAuth client connections with Windchill RV&S as the resource server
The following table describes the properties you must specify to configure OAuth client connections with Windchill RV&S as the resource server and an example for each property. For more information, see “Configuring OAuth clients” in the PingFederate documentation.

create_ilm_oauth_client_description
  Description: Specifies the description of what the client application does. This description appears when the user is prompted for authorization.
  Example: create_ilm_rp_oauth_client_description='IntegrityLifecycle Manager resource server OAuth client.'

create_ilm_oauth_client_auth_secret_value
  Description: Specifies the OAuth client secret.
  Example: create_ilm_rp_oauth_client_auth_secret_value='olm-rp-client_1234'
Scope management
The following table describes the properties you must specify to register scopes in PingFederate and an example for each property. For more information, see “Scopes” in the PingFederate documentation.

create_oauth_default_scope_description
  Description: Specifies the description of the permissions implied when no scope values are indicated, or in addition to any values. This description appears when the user is prompted for authorization.
  Example: create_oauth_default_scope_description='Default Scope'

create_oauth_twx_scope
  Description: Specifies the scopes for ThingWorx as the service provider.
  Example: create_oauth_twx_scope='THINGWORX'

create_oauth_twx_read_scope_description
  Description: Specifies the description of the scope value for ThingWorx. This description appears when the user is prompted for authorization.
  Example: create_oauth_twx_scope_description='Thingworx Scope'

create_oauth_wnc_read_scope
  Description: Specifies the scopes for Windchill as the resource server.
  Example: create_oauth_wnc_read_scope='WINDCHILL'

create_oauth_wnc_read_scope_description
  Description: Specifies the description of the scope value for Windchill. This description appears when the user is prompted for authorization.
  Example: create_oauth_wnc_scope_description='Windchill Scope'

create_oauth_ilm_scope
  Description: Specifies the scopes for Windchill RV&S as the service provider.
  Example: create_oauth_ilm_scope='INTEGRITY_READ'

create_oauth_ilm_read_scope_description
  Description: Specifies the description of the scope value for Windchill RV&S. This description appears when the user is prompted for authorization.
  Example: create_oauth_ilm_scope_description='Integrity LM Scope'
PingFederate-specific user properties—Applicable when you configure PingFederate as the IdP
Data store
You are required to configure a data store only when you select PingFederate as the IdP.
The following table describes the properties you must specify to configure a Lightweight Directory Access Protocol (LDAP) directory server as the data store and an example for each property. PingFederate uses this data store with the LDAP password credential validator to validate user credentials when authenticating users. For more information, see “Datastore query configuration” in the PingFederate documentation.

create_ldap_datastore_hostname
  Description: Specifies the DNS name or IP address of the data store, optionally followed by a port number. The format of the property value is <ldap fqdn>:<ldap port>.
  Example: create_ldap_datastore_hostname='windchillDS.ptc.com:389' or create_ldap_datastore_hostname='integrityLDAP.ptc.com:389'

create_ldap_datastore_userDN
  Description: Specifies the user name, as a distinguished name, required to access the data store.
  Example: create_ldap_datastore_userDN='cn=Manager'

create_ldap_datastore_password
  Description: Specifies the password required to access the data store.
  Example: create_ldap_datastore_password='password'
LDAP password credential validator
The configuration of an LDAP password credential validator is required only when you select PingFederate as the IdP.
The following table describes the properties you must specify to configure the LDAP password credential validator and an example for each property. For more information, see “Password credential validators” in the PingFederate documentation.

create_ldap_pcv_searchBase
  Description: Specifies the location in the LDAP directory server from which the search begins.
  Example: create_ldap_pcv_searchBase='cn=Windchill_11.0,o=ptc' or create_ldap_pcv_searchBase='cn=IntegrityOU,o=ptc'

create_ldap_pcv_searchFilter
  Description: Specifies the LDAP query used to locate a user record.
  Example: create_ldap_pcv_searchFilter='uid=$<username>'

create_ldap_pcv_scopeOfSearch
  Description: Specifies the level of search to be performed in the search base.
  Example: create_ldap_pcv_scopeOfSearch='Subtree'
IdP adapter
You are required to configure an IdP adapter only when you select PingFederate as the IdP.
The following table describes the properties you must specify to configure an IdP adapter for PingFederate and an example for each property. For more information, see “Managing IdP adapters” in the PingFederate documentation.

create_idp_adapter_attributeSource_id
  Description: Specifies the unique identifier of the attribute source, a specific data store or directory location containing information that may be needed for the IdP adapter contract or the token authorization workflow.
  Example: create_idp_adapter_attributeSource_id='uid'

create_idp_adapter_attributeSource_description
  Description: Specifies the description of the attribute source.
  Example: create_idp_adapter_attributeSource_description='uid'

create_idp_adapter_attributeSource_baseDn
  Description: Specifies the base distinguished name (DN) of the attribute source.
  Example: create_idp_adapter_attributeSource_baseDn='cn=Windchill_11.0,o=ptc'
  Note: The <name> part of the DN can be Windchill, IntegrityOU, and so on.

create_idp_adapter_attributeSource_SearchScope
  Description: Specifies the scope of the search. The valid values are Subtree, One level, and Base.
  Example: create_idp_adapter_attributeSource_SearchScope='SUBTREE'

create_idp_adapter_attributeSource_SearchFilter
  Description: Specifies the search filter to use for the search.
  Example: create_idp_adapter_attributeSource_SearchFilter='uid=$<username>'
ADFS-specific user properties—Applicable when you configure ADFS as the IdP
IdP connections for ADFS
The following table describes the properties you must specify to configure IdP connections for ADFS and an example for each property.

create_idp_adfs_connection_entityId
  Description: Specifies the entity identifier that is required to configure ADFS as the identity provider.
  Example: create_idp_adfs_connection_entityId='http://adfs.org.io/adfs/services/trust'

create_idp_adfs_connection_baseUrl
  Description: Specifies the base URL that hosts the server for your identity provider. The format of the property value is https://<server fqdn>:<server port>. Specifying a default port is not required.
  Example: create_idp_adfs_connection_baseUrl='https://adfs.org.io'

create_idp_adfs_connection_input_sign_verif_cert
  Description: Specifies the file name of the certificate that is used to verify the digital signature of the incoming SAML token.
  Example: create_idp_adfs_connection_input_sign_verif_cert='adfs_idp_signing.crt'
Generic SAML-specific user properties—Applicable when you configure any generic SAML 2.0 IdP
IdP connections for generic SAML 2.0
The following table describes the properties you must specify to configure IdP connections for a generic SAML 2.0 IdP and an example for each property.

create_idp_saml2_connection_entityId
  Description: Specifies the entity identifier that is required to configure the identity provider.
  Example: create_idp_saml2_connection_entityId='http://www.okta.com/exk15nb0a9fkh36Aq2p7'

create_idp_saml2_connection_baseUrl
  Description: Specifies the base URL that hosts the server for your identity provider. The format of the property value is https://<server fqdn>:<server port>. Specifying a default port is not required.
  Example: create_idp_saml2_connection_baseUrl='https://org.okta.com'

create_idp_saml2_connection_input_sign_verif_cert
  Description: Specifies the file name of the certificate that is used to verify the digital signature of the incoming SAML token.
  Example: create_idp_saml2_connection_input_sign_verif_cert='saml2_idp_signing.crt'

create_idp_saml2_connection_assertion_consumer_service_url
  Description: Specifies the URL of the HTTP resource that processes the SAML protocol messages. This URL returns a cookie that represents the information extracted from the message.
  Example: create_idp_saml2_connection_assertion_consumer_service_url='/app/org399352_pingfed_1/exk15nb0a9fkh36Aq2p7/sso/saml'

create_idp_saml2_attr_uid
  Description: Specifies the name attribute of the attribute contract, an extended attribute in the SAML assertion that the IdP sends to the service provider, where the service provider can be ThingWorx, Windchill, or PingFederate.
  Example: create_idp_saml2_attr_uid='uid'

create_idp_saml2_attr_group
  Description: Specifies the group attribute of the attribute contract, an extended attribute in the SAML assertion that the IdP sends to the service provider, where the service provider can be ThingWorx, Windchill, or PingFederate. If a group attribute is not available from the IdP, or if you do not want to map it, you may remove this property from the user.properties file.
  Example: create_idp_saml2_attr_group='group'

create_idp_saml2_attr_email
  Description: Specifies the e-mail address attribute of the attribute contract, an extended attribute in the SAML assertion that the IdP sends to the service provider, where the service provider can be ThingWorx, Windchill, or PingFederate. If an e-mail attribute is not available from the IdP, or if you do not want to map it, you may remove this property from the user.properties file.
  Example: create_idp_saml2_attr_email='emailaddress'
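As an added example that is not part of the PTC automation scripts, the following Python lint checks a user.properties file against the rules stated on this page before the scripts consume it: every value is enclosed in single quotes, base URLs follow the https://<server fqdn>:<server port> form, the SP entity ID ends in /saml/metadata, and the client secrets and LDAP password printed as examples above have been replaced with values of your own. The sample file content is constructed; the property names are the ones documented here.

```python
import re

# Constructed sample user.properties content (not from the PTC scripts). Property
# names come from the tables on this page; values are made up, and two lines are
# deliberately wrong: one is unquoted and two reuse the documentation's example secrets.
SAMPLE_PROPERTIES = """\
global_pingFedHost='pingfed.yourorg.com'
global_pingFedAdminPort='9999'
global_pingFed_admin_certificate='pingfed_admin_ssl.crt'
create_sp_connection_baseUrl='https://thingworx.yourorg.com:8443'
create_sp_connection_entityId='https://thingworx.yourorg.com:8443/saml/metadata'
create_twx_sp_oauth_client_auth_secret_value='twx-sp-client_1234'
create_ldap_datastore_password=password
create_idp_saml2_connection_baseUrl='https://org.okta.com'
"""

LINE_RE = re.compile(r"^([A-Za-z0-9_]+)=(.*)$")
# https://<server fqdn>:<server port>; the port is optional (the ADFS and Okta examples omit it)
BASE_URL_RE = re.compile(r"^https://[A-Za-z0-9.-]+(:\d{1,5})?$")
# Secrets that appear as examples on this page; they must never be deployed as-is.
DOC_EXAMPLE_SECRETS = {"twx-sp-client_1234", "wnc-rp-client_1234",
                       "olm-rp-client_1234", "password"}


def parse_properties(text):
    """Map each property name to its raw right-hand side, quotes included."""
    props = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def lint_properties(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, raw in parse_properties(text).items():
        quoted = len(raw) >= 2 and raw[0] == raw[-1] == "'"
        if not quoted:
            findings.append(f"{name}: value must be enclosed in single quotes")
        value = raw[1:-1] if quoted else raw
        if name.endswith("_baseUrl") and not BASE_URL_RE.match(value):
            findings.append(f"{name}: expected https://<server fqdn>[:<server port>]")
        if name == "create_sp_connection_entityId" and not value.endswith("/saml/metadata"):
            findings.append(f"{name}: expected https://<server fqdn>:<server port>/saml/metadata")
        if name.endswith(("_auth_secret_value", "_password")) and value in DOC_EXAMPLE_SECRETS:
            findings.append(f"{name}: replace the documentation example secret with your own")
    return findings


if __name__ == "__main__":
    for finding in lint_properties(SAMPLE_PROPERTIES):
        print(finding)
```

Run it against the real file with lint_properties(open(path).read()); any non-empty result should be fixed before executing the automation scripts.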