Set User Properties
You must specify values of properties in the user.properties file according to your business requirements. This file is located in <PINGFEDERATE_SCRIPT_HOME>, the directory where you saved the automation scripts for the PingFederate configuration.
 |
Enclose the value of every property in single quotes.
|
The user.properties file contains settings for the following properties. Click the links to view the different properties, description, and example values.
Global user properties—Applicable to any IdP configuration
PingFederate connectivity
The following table describes the properties you must specify to configure connectivity with PingFederate and an example for each property.
Property | Description | Example | ||
|---|---|---|---|---|
global_pingFedHost | Specifies the fully qualified domain name on which PingFederate administrative console runs. The format of the property value is <server fqdn>. | global_pingFedHost='pingfed.yourorg.com' | ||
global_pingFedAdminPort | Specifies the port on which the PingFederate administrative console runs. The format of the property value is <server port>. | global_pingFedAdminPort='9999' | ||
global_pingFedIdpEntityId | Specifies the unique identifier for the security assertion markup language 2.0 (SAML 2.0) entity that represents PingFederate. | global_pingFedIdpEntityId='ptc-pingfed' | ||
global_pingFed_admin_certificate | Specifies the file name of the secure sockets layer certificate (SSL certificate) file trusted by automation scripts while making admin API calls. Specifying a value for this property is optional but recommended because using the certificate enables the secure SSL communication between PingFederate and scripts.
| global_pingFed_admin_certificate='pingfed_admin_ssl.crt' |
SSL certificates for the Application Layer (SAML encryption and signing)
The following table describes the properties you must specify to configure SSL certificates for the application layer (SAML encryption and signing) and an example for each property. For more information, see “Manage digital signing certificates and decryption keys” in the PingFederate documentation.
Property | Description | Example |
|---|---|---|
create_pingfed_signing_cert_organization | Specifies the organization or company name creating the certificate. | create_pingfed_signing_cert_organization='ptc' |
create_pingfed_signing_cert_organizationUnit | Specifies the specific unit within the organization. | create_pingfed_signing_cert_organizationUnit='ent-sso' |
create_pingfed_signing_cert_city | Specifies the city or other primary location where the company operates. | create_pingfed_signing_cert_city='Blaine' |
create_pingfed_signing_cert_state | Specifies the state or other political unit encompassing the location. | create_pingfed_signing_cert_state='MN' |
create_pingfed_signing_cert_country | Specifies the code of the country where the company is based. The country code is represented by a two-letter code. | create_pingfed_signing_cert_country='US' |
create_pingfed_signing_cert_validDays | Specifies the time during which the certificate is valid. | create_pingfed_signing_cert_validDays='36500' |
Service provider connection
The following table describes the properties you must specify to configure connectivity with the service provider and an example for each property. For more information, see “Manage SP connections” in the PingFederate documentation.
Property | Description | Example |
|---|---|---|
create_sp_connection_baseUrl | Specifies the base URL that hosts the server for your service provider. The format of the property value is: https://<server fqdn>:<server port>. | create_sp_connection_baseUrl='https://thingworx.yourorg.com:8443' where <Service_provider> could be ThingWorx, Windchill RV&S, or Windchill |
create_sp_connection_input_sign_verif_cert | Specifies the file name of the certificate used for verifying the digital signature for the incoming SAML token. | create_sp_connection_input_sign_verif_cert='twx_sp_signing.crt' where <name specific to sp> could be twx, ilm, or wnc. |
create_sp_connection_entityId | Specifies the unique identity for your service provider. Property value for your service provider should be https://<server fqdn>:<server port>/saml/metadata | This example is specific to Windchill RV&S. create_sp_connection_entityId='https://integrity.yourorg.com:8443/saml/metadata' |
OAuth client connections with ThingWorx as the service provider
The following table describes the properties you must specify to configure OAuth client connections with ThingWorx as the service provider and an example for each property. For more information, see “Configure an OAuth client” in the PingFederate documentation.
Property | Description | Example |
|---|---|---|
create_twx_sp_oauth_client_description | Specifies the description of what the client application does. This description appears when the user is prompted for authorization. | create_twx_sp_oauth_client_description='Thingworx service provider OAuth client.' |
create_twx_sp_oauth_client_auth_secret_value | Specifies the OAuth client secret. | create_twx_sp_oauth_client_auth_secret_value='twx-sp-client_1234' |
create_twx_sp_oauth_client_redirectURI | Specifies the URI to which the OAuth authorization server may redirect the resource owner's user agent after authorization is obtained. The format of the property value is: https://<server fqdn>:<server port>/Thingworx/oauth2_ authorization_ code_redirect. | create_twx_sp_oauth_client_redirectURI='https://thingworx.yourorg.com:8443/ Thingworx/oauth2_ authorization_ code_redirect' |
OAuth client connections with Windchill as the resource server
The following table describes the properties you must specify to configure OAuth client connections with Windchill as the resource server and an example for each property. For more information, see “Configure an OAuth client” in the PingFederate documentation.
Property | Description | Example |
|---|---|---|
create_wnc_oauth_client_description | Specifies the description of what the client application does. This description appears when a user is prompted for authorization. | create_wnc_rp_oauth_client_description='Windchill resource server OAuth client.' |
create_wnc_oauth_client_auth_secret_value | Specifies the OAuth client secret. | create_wnc_rp_oauth_client_auth_secret_value='wnc-rp-client_1234' |
OAuth client connections with Windchill RV&S as the resource server
The following table describes the properties you must specify to configure OAuth client connections with Windchill RV&S as the resource server and an example for each property. For more information, see “Configure an OAuth client” in the PingFederate documentation.
Property | Description | Example |
|---|---|---|
create_ilm_oauth_client_description | Specifies the description of what the client application does. This description appears when the user is prompted for authorization. | create_ilm_rp_oauth_client_description='IntegrityLifecycle Manager resource server OAuth client.' |
create_ilm_oauth_client_auth_secret_value | Specifies the OAuth client secret. | create_ilm_rp_oauth_client_auth_secret_value='olm-rp-client_1234' |
Scope management
The following table describes the properties you must specify to register scopes in PingFederate and an example for each property. For more information, see “Scopes” in the PingFederate documentation.
Property | Description | Example |
|---|---|---|
create_oauth_default_scope_description | Specifies the description of the permissions implied when no scope values are indicated or in addition to any values. This description displays when the user is prompted for authorization. | create_oauth_default_scope_description='Default Scope' |
create_oauth_twx_scope | Specifies the scopes for ThingWorx as the service provider. | create_oauth_twx_scope='THINGWORX' |
create_oauth_twx_read_scope_description | Specifies the description of the scope value for ThingWorx. This description appears when the user is prompted for authorization. | create_oauth_twx_scope_description='Thingworx Scope' |
create_oauth_wnc_read_scope | Specifies the scopes for Windchill as the resource server. | create_oauth_wnc_read_scope='WINDCHILL' |
create_oauth_wnc_read_scope_description | Specifies the description of the scope value for Windchill. This description appears when the user is prompted for authorization. | create_oauth_wnc_scope_description='Windchill Scope' |
create_oauth_ilm_scope | Specifies the scopes for Windchill RV&S as the service provider. | create_oauth_ilm_ scope='INTEGRITY_ READ' |
create_oauth_ilm_ read_scope_ description | Specifies the description of the scope value for Windchill RV&S. This description appears when the user is prompted for authorization. | create_oauth_ilm_ scope_ description= 'Integrity LM Scope' |
PingFederate-specific user properties—Applicable when you configure PindFederate as the IdP
Data store
You are required to configure a data store only when you select PingFederate as the IdP.
The following table describes the properties you must specify to configure a lightweight directory access protocol directory server (LDAP directory server) as the data store and an example for each property. This data store is used with the LDAP password credential validator to validate user credentials by PingFederate for authenticating users. For more information, see “Manage data stores” in the PingFederate documentation.
Property | Description | Example |
|---|---|---|
create_ldap_datastore_hostname | Specifies the domain name system name (DNS name) or internet protocol address (IP address) of the data store that can include a port number. The format of the property value is: <ldap fqdn>:<ldap port>. | create_ldap_datastore_hostname='windchillDS.ptc.com:389' OR create_ldap_ datastore_ hostname= 'integrityLDAP.ptc.com:389' |
create_ldap_datastore_userDN | Specifies the user name required to access the data store. | create_ldap_datastore_userDN='cn=Manager' |
create_ldap_datastore_password | Specifies the password required to access the data store. | create_ldap_datastore_password='password' |
LDAP password credential validator
The configuration of a LDAP Password Credential Validator is required only when you select PingFederate as the IdP.
The following table describes the properties you must specify to configure LDAP password credential validator and an example for each property. For more information, see “Manage password credential validators” in the PingFederate documentation.
Property | Description | Example |
|---|---|---|
create_ldap_pcv_searchBase | Specifies the location in the LDAP directory server from which the search begins. | create_ldap_pcv_searchBase='cn=Windchill_11.0,o=ptc' OR create_ldap_pcv_searchBase='cn=IntegrityOU,o=ptc' |
create_ldap_pcv_searchFilter | Specifies the LDAP query to locate a user record. | create_ldap_pcv_searchFilter='uid=$<username>' |
create_ldap_pcv_scopeOfSearch | Specifies the level of search to be performed in the search base. | create_ldap_pcv_scopeOfSearch='Subtree' |
IdP adapter
You are required to configure an IdP adapter only when you select PingFederate as the IdP.
The following table describes the properties you must specify to configure an IdP adapter for PingFederate and an example for each property. For more information, see “Manage IdP adapters” in the PingFederate documentation.
Property | Description | Example |
|---|---|---|
create_idp_adapter_attributeSource_id | Specifies the unique identifier of the attribute source, a specific data store or directory locations containing information that may be needed for the IdP adapter contract or the token authorization workflow. | create_idp_adapter_attributeSource_id='uid' |
create_idp_adapter_attributeSource_description | Specifies the description of the attribute source. | create_idp_adapter_attributeSource_description='uid' |
create_idp_adapter_attributeSource_baseDn | Specifies the base domain name of the attribute source. | create_idp_adapter_attributeSource_baseDn='cn=Windchill_11.0,o=ptc' where <name> could be Windchill, IntegrityOU, and so on. |
create_idp_adapter_attributeSource_SearchScope | Specifies the scope of the search. The valid values are Subtree, One level, andBase. | create_idp_adapter_attributeSource_SearchScope='SUBTREE' |
create_idp_adapter_attributeSource_SearchFilter | Specifies the search filter to use for the search. | create_idp_adapter_attributeSource_SearchFilter='uid=$<username>' |
ADFS-specific user properties—Applicable when you configure ADFS as the IdP
IdP connections for ADFS
The following table describes the properties you must specify to configure IdP connections for ADFS and an example for each property.
Property | Description | Example |
|---|---|---|
create_idp_adfs_connection_entityId | Specifies the entity identifier that is required to configure ADFS as the identity provider. | create_idp_adfs_connection_entityId=‘http://adfs.org.io/adfs/services/trust’ |
create_idp_adfs_connection_baseUrl | Specifies the base URL that hosts the server for your identity provider. The format of the property value is: https://<server fqdn>:<server port> | create_idp_adfs_connection_baseUrl =‘https://adfs.org.io’ (Specifying a default port is not required.) |
create_idp_adfs_connection_input_sign_verif_cert | Specifies the filename of the certificate that is used to verify the digital signature for the incoming SAML token. | create_idp_adfs_connection_input_sign_verif_cert =’adfs_idp_signing.crt’ |
Generic SAML-specific user properties—Applicable when you configure any generic SAML 2.0 IdP
IdP connections for generic SAML 2.0
The following table describes the properties you must specify to configure IdP connections for a generic SAML 2.0 IdP and an example for each property.
Property | Description | Example |
|---|---|---|
create_idp_saml2_connection_entityId | Specifies the entity identifier that is required to configure the identity provider. | create_idp_saml2_connection_entityId= 'http://www.okta.com/exk15nb0a9fkh36Aq2p7' |
create_idp_saml2_connection_baseUrl | Specifies the base URL that hosts the server for your identity provider. The format of the property value is: https://<server fqdn>:<server port> | create_idp_saml2_connection_baseUrl='https://org.okta.com' (Specifying a default port is not required.) |
create_idp_saml2_connection_input_sign_ verif_cert | Specifies the file name of the certificate that is used to verify the digital signature for the incoming SAML token. | create_idp_saml2_connection_input_sign_verif_cert= 'saml2_idp_signing.crt' |
create_idp_saml2_connection_assertion_ consumer_service_url | Specifies the URL for the hypertext transfer protocol resource (HTTP resource) that processes the SAML protocol messages. This URL returns a cookie that represents the information that is extracted from the message. | create_idp_saml2_connection_assertion_consumer_service_url= '/app/org399352_pingfed_1/exk15nb0a9fkh36Aq2p7/sso/saml' |
create_idp_saml2_attr_uid | Specifies the name of the attribute contract, an extended attribute in the SAML assertion that it will send as an IdP to the service provider, where the service provider could be ThingWorx, Windchill, or PingFederate. | create_idp_saml2_attr_uid='uid' |
create_idp_saml2_attr_group | Specifies the group of the attribute contract, an extended attribute in the SAML assertion that it will send as an IdP to the service provider, where the service provider could be ThingWorx, Windchill, or PingFederate. If a group attribute is not available from the IdP or if you do not want to map it, you may remove this property from the user.properties file. | create_idp_saml2_attr_group='group' |
create_idp_saml2_attr_email | Specifies the e-mail address of the attribute contract, an extended attribute in the SAML assertion that it will send as an IdP to the service provider, where the service provider could be ThingWorx, Windchill, or PingFederate. If an e-mail attribute is not available from the IdP or if you do not want to map it, you may remove this property from the user.properties file. | create_idp_saml2_attr_email='emailaddress' |