Example: Windchill SSO Implementation with PingFederate as Broker
This example provides detailed steps on how to configure an environment that has Windchill PDMLink and Shibboleth SP configured for single sign-on with PingFederate as the Central Auth Server (CAS) and Active Directory Federation Services (ADFS) as the Identity Provider (IdP).
The following table lists each role in this example and the application that fills it:
Service Provider: Windchill PDMLink + Shibboleth SP
Central Auth Server: PingFederate
Identity Provider: ADFS
Resource Provider: Windchill
The following diagram displays the configuration discussed in this example.
Part A: Prerequisites 
1. Ensure that Windchill is set up. For more information, see the appropriate Windchill Help Center.
2. Set up and configure ADFS, and make sure that it issues the following attributes (claims) for the users who will sign in, and that its federation metadata file is available:
uid
email
group
Metadata file (FederationMetadata.xml, downloaded in Part B, Step 3)
Part B: Configure Authentication for ADFS Manually 
Step 1: Create the PingFederate global SSL certificate
1. Log in to the PingFederate administrative console as an administrator and go to Security > SSL Server Certificates.
2. Click Create New to create the global SSL certificate, and do the following:
a. In the Common Name field, provide the FQDN of the PingFederate machine.
b. Provide other details on the page, and click Next.
c. Click Done, and click Save.
d. Click SSL Server Certificates.
e. For the SSL certificate that you created, in the Select Action list, select Activate Default for Runtime Server, and then select Activate Default for Admin Console. Click Save.
This SSL certificate is now the default for the Admin console and the Runtime Server. A certificate created with Create New is self-signed, so every client that connects to PingFederate over TLS (browsers, and the Shibboleth SP on the Windchill host) must be configured to trust it explicitly; for a production deployment, replace it with a certificate issued by a CA that those clients already trust.
3. For the localhost certificate, do the following:
a. In the Select Action list, select Deactivate for Runtime Server, and then select Deactivate for Admin Console.
b. Delete the localhost certificate, and click Save.
Step 2: Create the Service Provider contract
1. In PingFederate, navigate to the Identity Provider page, and go to Authentication Policies > Policy Contract.
2. Click Create New Contracts, and do the following:
a. On the Contract Info tab, enter a contract name, for example, SPContract, and click Next.
b. Under Contract Attributes, to extend the contract for the following attributes, click Add for each attribute:
uid
email
group
By default, the subject attribute is present.
c. Click Next, and on the Summary page, click Done.
d. On the Authentication Policy Contracts page, click Save.
Step 3: Download the ADFS FederationMetadata.xml file
1. In a browser on your ADFS machine, enter the following URL to download the Federation Metadata file:
https://ADFS_Host.ADFS_Domain/FederationMetadata/2007-06/FederationMetadata.xml
2. Copy the downloaded file to the PingFederate machine. Download the file directly from the ADFS server over HTTPS rather than accepting a copy passed along by other means: the signing certificate in this file is what PingFederate will trust for every assertion that ADFS sends.
Step 4: Create the PingFederate IdP connection
A) Specify general information to create an IdP connection
1. In PingFederate, go to Service Provider > IdP Connections, and click Create New.
2. On the Connection Type tab, select the BROWSER SSO Profiles check box, and click Next.
3. On the Connection Options tab, select the BROWSER SSO check box and the OAUTH ATTRIBUTE MAPPING check box, and click Next.
4. On the Import Metadata tab, select File, and click Choose File to browse to the FederationMetadata.xml file, and click Next.
5. On the Metadata Summary tab, click Next.
6. The General Info tab is prepopulated with data. You can change the CONNECTION NAME, if you want. Verify the rest of the information, and click Next.
7. On the Browser SSO tab, click Configure Browser SSO. The Browser SSO page opens, where you need to specify the settings for single sign-on for your browser.
B) Configure Browser SSO settings
1. On the SAML Profiles tab on the Browser SSO page, select the following options, click Next:
IDP-INITIATED SSO
SP-INITIATED SSO
2. On the User-Session Creation tab, click Configure User-Session Creation. The User-Session Creation page opens, where you need to specify the settings to configure user creation.
C) Configure User-Session Creation settings
1. On the Identity Mapping tab, accept the default settings, and click Next.
2. On the Attribute Contract tab, verify the auto-filled attributes, and click Next.
3. On the Target Session Mapping tab, click Map New Authentication Policy. The Authentication Policy Mapping page opens, where you need to specify the settings for authentication policy mapping.
D) Configure Authentication Policy Mapping settings
1. In the Authentication Policy Contract list, select the contract that you created in Part B—Step 2, that is, SPContract. Verify that all attributes are displayed, and click Next.
2. On the Attribute Retrieval tab, accept the default settings, and click Next.
3. On the Contract Fulfillment tab, for each attribute of the policy contract (email, group, subject, and uid), do the following:
In the Source list, select Assertion.
In the Value list, select the ADFS attribute that carries the corresponding value.
Click Next.
4. On the Issuance Criteria tab, click Next.
5. Review the information on the Summary tab. If the information is correct, click Done. The User-Session Creation page opens, where you need to review the configuration settings for user session creation.
E) Review User-Session Creation configuration settings
1. The Target Session Mapping tab on the User-Session Creation page displays the information that you selected while mapping a new authentication policy. Click Next.
2. Review the information on the Summary tab. If the information is correct, click Done. The Browser SSO page opens.
3. The User-Session Creation tab on the Browser SSO page displays the information that you entered while configuring user-session creation. Click Next.
4. On the OAuth Attribute Mapping tab, select Map Directly Into Persistent Grant, and select Configure OAuth Attribute Mapping, and then do the following:
a. On the Data Store tab, click Next.
b. On the Contract Fulfillment tab, for USER_KEY and USER_NAME, select Assertion in the Source list and the name attribute sent by ADFS in the Value list, and click Next.
c. On the Issuance Criteria tab, click Next.
5. Review the information on the Summary tab. If the information is correct, click Done. Click Next on the OAuth Attribute Mapping Configuration page.
6. On the Protocol Settings tab, click Configure Protocol Settings. The Protocol Settings page opens, where you need to specify the protocol settings.
F) Configure and review Protocol settings
1. On the SSO Service URLs tab, click Next.
2. On the Allowable SAML Bindings tab, do the following, and click Next:
a. Select the following check boxes:
POST
REDIRECT
b. Clear the following check boxes:
ARTIFACT
SOAP
3. Skip the settings on the Overrides tab, and click Next.
4. On the Signature Policy tab, click SPECIFY ADDITIONAL SIGNATURE REQUIREMENTS, select the two check boxes under it, and click Next.
5. On the Encryption Policy tab, click ALLOW ENCRYPTED SAML ASSERTIONS AND SLO MESSAGES, select the THE ENTIRE ASSERTION check box, and click Next.
6. Review the information on the Summary tab. If the information is correct, click Done. The Browser SSO page opens.
7. The Protocol Settings tab on the Browser SSO page displays the information that you selected while configuring protocol settings. Click Next.
8. Review the information on the Summary tab. If the information is correct, click Done. The IdP Connection page opens.
9. On the Browser SSO tab of the IdP Connection page, click Next.
10. On the Credentials tab, click Configure Credentials. The Credentials page opens, where you need to specify the settings to configure credentials.
G) Configure credentials
1. On the Digital Signature Settings tab, click Manage Certificates.
2. To create a signing certificate, click Create New, provide the following values, and click Next:
COMMON NAME
ORGANIZATION
COUNTRY
VALIDITY (DAYS): 365
KEY ALGORITHM: RSA
KEY SIZE (BITS): 2048
SIGNATURE ALGORITHM: RSA SHA256
3. Review the information on the Summary tab. If the information is correct, click Done, click Save.
4. On the Digital Signature Settings tab, for the SIGNING CERTIFICATE that you created, select the INCLUDE THE CERTIFICATE IN THE SIGNATURE <KEYINFO> ELEMENT check box, and click Next.
This is the application layer certificate used for digitally signing the SAML requests (AuthnRequests) that PingFederate sends to the IdP.
5. On the Signature Verification Settings Tab, click Manage Signature Verification Settings.
a. On the Trust Model tab, select UNANCHORED, and click Next.
b. On the Signature Verification Certificate, verify that the IdP Signing Certificate is displayed, and click Next.
This is the application layer certificate used to verify the signature on messages from the IdP to PingFederate. It was imported automatically when you imported the FederationMetadata.xml file from ADFS. Because the trust model is unanchored, PingFederate trusts this exact certificate rather than a certificate authority: when ADFS rolls over its token-signing certificate (automatic certificate rollover is enabled by default in ADFS), import the new certificate or the updated metadata here, or signature verification of ADFS assertions will fail.
c. Review the information on the Summary tab. If the information is correct, click Done.
d. On the Signature Verification Settings tab, click Next.
e. On the Select Decryption Keys tab, select the PingFederate certificate, and click Next.
f. Review the information on the Summary tab. If the information is correct, click Done.
g. On the Credentials page, click Next.
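Step 3 above has you download FederationMetadata.xml and copy it to the PingFederate machine, and step G.5.b has you confirm that the IdP signing certificate PingFederate imported from it is the one shown. The following script, added here as an example and not part of the PTC documentation or of PingFederate, inspects an IdP metadata file offline: it prints the entityID, the SingleSignOnService endpoint for each SAML binding, and the SHA-256 fingerprint of each signing and encryption certificate, so these can be compared with what the Metadata Summary and Signature Verification Certificate tabs display. The embedded sample metadata is constructed (the host adfs.example.test, the entityID and the certificate bodies are placeholders, not real ADFS output); run it against a real file with the file path as the first argument.

```python
"""Inspect an ADFS FederationMetadata.xml before (or after) importing it into PingFederate.

Extracts the entityID, the SAML 2.0 SingleSignOnService endpoint per binding, and the
SHA-256 fingerprint of each signing/encryption certificate, so the values PingFederate shows
on the Metadata Summary and Signature Verification Certificate tabs can be compared against
the file that was actually downloaded from the ADFS server.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample, not real ADFS output. The X509Certificate bodies are arbitrary
# base64 text so the fingerprints are reproducible offline; real metadata carries DER
# certificates and is usually signed by ADFS itself.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        U0lHTklORy1DRVJULUJZVEVT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        RU5DUllQVElPTi1DRVJULUJZVEVT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(b64_cert):
    """SHA-256 over the DER bytes, upper-case hex, the form a console shows for a certificate."""
    der = base64.b64decode("".join(b64_cert.split()))  # drop the line breaks inside the element
    return hashlib.sha256(der).hexdigest().upper()


def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file does not describe a SAML IdP")
    keys = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # no 'use' attribute means usable for both
        for cert in kd.findall(".//ds:X509Certificate", NS):
            keys.setdefault(use, []).append(fingerprint(cert.text or ""))
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST, HTTP-Redirect
        sso[binding] = svc.get("Location")
    return {
        "entity_id": root.get("entityID"),
        "metadata_signed": root.find("ds:Signature", NS) is not None,
        "keys": keys,
        "sso": sso,
    }


def check_idp_metadata(meta, required=("HTTP-POST", "HTTP-Redirect")):
    """Problems that would make this metadata unsafe or unusable for the connection above,
    which allows only the POST and Redirect bindings and relies on the IdP signing key."""
    problems = []
    if not (meta["keys"].get("signing") or meta["keys"].get("signing+encryption")):
        problems.append("no signing certificate: assertions from the IdP cannot be verified")
    for binding in required:
        if binding not in meta["sso"]:
            problems.append(f"no SingleSignOnService for {binding}")
    for binding, location in meta["sso"].items():
        if not (location or "").lower().startswith("https://"):
            problems.append(f"{binding} endpoint is not HTTPS: {location}")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    meta = parse_idp_metadata(text)
    print("entityID:", meta["entity_id"], "(signed)" if meta["metadata_signed"] else "(NOT signed)")
    for use, fps in meta["keys"].items():
        for fp in fps:
            print(f"{use:>20}: SHA-256 {fp}")
    for binding, location in meta["sso"].items():
        print(f"{binding:>20}: {location}")
    for problem in check_idp_metadata(meta):
        print("PROBLEM:", problem)
```

If the signing fingerprint printed for the real file does not match the certificate on the Signature Verification Certificate tab, the connection is trusting a different key than the one ADFS currently publishes, which is the situation the unanchored trust model leaves you to catch yourself.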
H) Activate the IdP connection
On the Activation & Summary page, ensure that the SSO Application Endpoint is activated, and click Save.
The IdP connection is now created and activated.
I) Verify the IdP connection
Click the IdP connection that you created, copy the SSO Application Endpoint URL, and open it in a browser. Verify that PingFederate redirects the browser to ADFS; that redirect is what this check confirms. At this stage the page that ADFS returns includes an error message (the screenshot is not reproduced here).
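Once ADFS starts posting responses back to PingFederate, a browser SAML tracer is the quickest way to see what ADFS actually sent. The following script, an added example that is not part of the PTC documentation or of PingFederate, audits a captured SAML 2.0 Response against the policy configured in Part B, Step 4 F (signed messages, encrypted assertion) and against the checks any SAML consumer makes (Destination, Issuer, InResponseTo, Audience, bearer Recipient, validity windows). It does not verify XML signatures or decrypt anything; PingFederate does that with the certificates configured under Credentials. The embedded response is constructed: the hosts pf.example.test and adfs.example.test, the /sp/ACS.saml2 path, both entity IDs and the signature values are placeholders assumed for this example.

```python
"""Structural audit of a captured SAML 2.0 Response against the protocol settings chosen
for the IdP connection (signed Response and Assertion, encrypted assertion) and the
Destination, Issuer, Audience, bearer and validity-window checks every SAML consumer makes.
Signatures are not verified and nothing is decrypted; PingFederate does that."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a signed, clear-text Response as ADFS would POST to the PingFederate
# ACS. Signature values are placeholders; the host names, the /sp/ACS.saml2 path and both
# entity IDs are assumptions made for this example.
ACS_URL = "https://pf.example.test:9031/sp/ACS.saml2"
IDP_ENTITY_ID = "http://adfs.example.test/adfs/services/trust"
SP_ENTITY_ID = "pf.example.test"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z"
    Destination="{ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>jdoe@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req1"
            NotOnOrAfter="2024-01-15T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def sample_clock(hour, minute):
    """A 'now' on the sample's date, so the window checks can be exercised offline."""
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)

def audit_response(xml_text, *, now, acs_url=ACS_URL, idp_entity_id=IDP_ENTITY_ID,
                   sp_entity_id=SP_ENTITY_ID, request_id="_req1",
                   require_encrypted=True, skew=timedelta(minutes=5)):
    # Returns the list of policy violations; an empty list means every check passed.
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    if resp.get("Destination") != acs_url:
        problems.append(f"Destination {resp.get('Destination')!r} is not the ACS URL")
    if resp.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Issuer is not the expected IdP entityID")
    if request_id and resp.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the outstanding AuthnRequest")
    if resp.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if resp.find("saml:EncryptedAssertion", NS) is not None:
        return problems  # nothing more can be inspected without the SP decryption key
    if require_encrypted:
        problems.append("assertion is clear text but the policy requires the entire assertion encrypted")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion or EncryptedAssertion present"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    cond = assertion.find("saml:Conditions", NS)
    audiences = [] if cond is None else [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include the SP entityID")
    # Validity windows, with an allowance for clock skew between ADFS and PingFederate.
    if cond is not None and cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        problems.append("assertion is not yet valid (Conditions/NotBefore)")
    if cond is not None and cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion has expired (Conditions/NotOnOrAfter)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return problems + ["bearer SubjectConfirmationData is missing"]
    if scd.get("Recipient") != acs_url:
        problems.append("bearer Recipient is not the ACS URL")
    if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation has expired (SubjectConfirmationData/NotOnOrAfter)")
    return problems
```

Run with require_encrypted=True, the sample is flagged because its assertion is in clear text, which is exactly what the encryption policy from step F.5 tells PingFederate to reject; with the encryption requirement relaxed the sample passes at 10:02 and fails at 10:10, when the five-minute bearer confirmation window has closed even though the assertion's own Conditions are still valid. A response that fails only on timing points at clock skew between the ADFS and PingFederate hosts rather than at a configuration error.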
Part E: Set up Shibboleth SP and PingFederate 
To enable SAML capabilities for Windchill using Shibboleth Service Provider 2.6.0, complete the procedure in the following section of the Windchill Help Center: Security Assertion Markup Language (SAML) Authentication. Follow the instructions in these sections of the same Windchill Help Center page:
Troubleshooting and Debugging the Shibboleth Service Provider
Restarting the Shibboleth Service Provider and PTC HTTP Servers
Part F: Set up a JNDI LDAP Entry 
To configure a JNDI adapter, complete the procedure in the following section of the Windchill Help Center: JNDI Adapter LDAP Entry.
Part G: Additional Configuration 
If your Windchill workflow requires the use of eSignature, some additional configuration is necessary to deploy SSO. For more information, see the following sections of the Windchill Help Center:
For additional considerations, see the Client Compatibility section of the Windchill Help Center: