Example: Integrate Certificate-based Authentication with PingFederate
This example provides detailed steps on how to enhance an SSO environment in which ThingWorx is configured for single sign-on with PingFederate as the Central Auth Server (CAS) and Identity Provider (IdP) and Windchill DS as the Data Store, by adding certificate-based authentication (CBA). Once configured, users can log into ThingWorx using either their credentials or their certificate.
For detailed PingFederate documentation, refer to Configuring an X.509 Certificate IdP Adapter.
Part A: Prerequisites
Step 1: Generate certificates
When you set up certificate-based authentication, you configure PingFederate so that the certificate used for authenticating the user can be validated against the Certificate Authority (CA) certificate stored in PingFederate. If you do not have a CA and a user certificate, you can generate a self-signed CA certificate and use it in PingFederate. To generate the CA key and certificate and a client certificate signed by that CA, use the following commands:
1. openssl genrsa -out ptc-sso-ca.key 4096
2. openssl req -x509 -new -nodes -key ptc-sso-ca.key -days 3650 -out ptc-sso-ca.pem
3. openssl genrsa -out ptc-sso-jsmith.key 2048
4. openssl req -new -key ptc-sso-jsmith.key -out ptc-sso-jsmith.csr
5. Create a v3.ext file:
extendedKeyUsage=clientAuth
keyUsage = digitalSignature
6. openssl x509 -req -in ptc-sso-jsmith.csr -CA ptc-sso-ca.pem -CAkey ptc-sso-ca.key -CAcreateserial -out ptc-sso-jsmith.pem -days 1024 -sha256 -extfile <path to v3.ext file>
7. openssl pkcs12 -export -out ptc-sso-jsmith.pfx -inkey ptc-sso-jsmith.key -in ptc-sso-jsmith.pem
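As an added example (not PTC's or Ping Identity's own code), the following script carries out Step 1 non-interactively in a scratch directory and then runs the checks a practitioner would want before trusting the CA in PingFederate: that the client certificate chains to the CA, that it carries the clientAuth extended key usage, and which subject CN the X.509 adapter will substitute into the Part B LDAP filter uid=${CN}. The subject names and the script name cba-check.sh are assumptions.

```shell
#!/bin/sh
# Added example, not PTC's code. Runs Part A, Step 1 without prompts, then checks the
# chain, the clientAuth EKU, and the CN that feeds the LDAP filter uid=${CN}.
# Subject names are constructed for the example. Usage: sh cba-check.sh run
set -eu

# gen_chain DIR CN: CA key + self-signed CA cert, then a client cert for CN signed by it.
gen_chain() {
  dir=$1; cn=$2
  openssl genrsa -out "$dir/ptc-sso-ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ptc-sso-ca.key" -days 3650 \
    -subj "/O=PTC Example/CN=ptc-sso-ca" -out "$dir/ptc-sso-ca.pem" 2>/dev/null
  openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$cn.key" -subj "/O=PTC Example/CN=$cn" \
    -out "$dir/$cn.csr" 2>/dev/null
  # Same v3.ext as the page: limits the certificate to client authentication.
  printf 'extendedKeyUsage=clientAuth\nkeyUsage = digitalSignature\n' > "$dir/v3.ext"
  openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ptc-sso-ca.pem" \
    -CAkey "$dir/ptc-sso-ca.key" -CAcreateserial -out "$dir/$cn.pem" \
    -days 1024 -sha256 -extfile "$dir/v3.ext" 2>/dev/null
}

# verify_chain CAFILE CERT: "ok" only if CERT chains to CAFILE. A certificate issued by
# any other CA (even one whose subject DN is identical) prints "fail".
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# has_client_auth CERT: "ok" only if the extended key usage includes clientAuth.
has_client_auth() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
       | grep -q 'TLS Web Client Authentication'; then echo ok; else echo fail; fi
}

# subject_cn CERT: the CN that PingFederate exposes as the adapter's CN attribute.
subject_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# ldap_filter CERT: the search filter from Part B, step 8f, with ${CN} filled in.
ldap_filter() {
  printf 'uid=%s' "$(subject_cn "$1")"
}

if [ "${1:-}" = run ]; then
  d=$(mktemp -d); gen_chain "$d" ptc-sso-jsmith
  echo "chain: $(verify_chain "$d/ptc-sso-ca.pem" "$d/ptc-sso-jsmith.pem")"
  echo "filter: $(ldap_filter "$d/ptc-sso-jsmith.pem")"
fi
```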
Step 2: Add CA certificate to PingFederate
To use the X.509 token, PingFederate requires a secondary SSL port. To set a secondary SSL port, edit the <pf-install>/pingfederate/bin/run.properties file by changing the value of pf.secondary.https.port to a valid port number. (For this example, we will configure it as 9032.)
Step 3: Add a trusted CA certificate
1. Navigate to > > .
2. Select your CA authority certificate file (pem file).
3. On the Summary window, review your configuration, amend as needed, and click Save.
Step 4: Store the user certificate in your browser
Now, import the user certificate (pfx file) into your browser.
Part B: Create the X509 Certificate IDP Adapter
This adapter will be used to authenticate users based on their certificates.
1. Log in to PingFederate as an Administrator. Navigate to > > > . Click Create New Instance.
2. Enter Instance Name and Instance ID. Set the type to X.509 Certificate IdP Adapter 1.3.1. Click Next.
3. Enter the Client Auth Port specified for pf.secondary.https.port (9032). For Client Hostname, enter the FQDN of the PingFederate system.
4. Check the Match Issuer DN in Client X.509 certificate and click Show Advanced Fields.
5. Set Authentication Context with Policy OID and select the Include Subject Alternative Name (SAN) option. Click Next.
6. In the Extended Contract tab, use the Add button to enter userPrincipalName and CN and click Next.
7. In the Adapter Attributes tab, set the Pseudonym option for the userPrincipalName attribute and click Next.
8. In the Adapter Contract Mapping tab, you can configure additional attributes from a data store and Issuance Criteria. The Issuance Criteria validate that the user exists in LDAP, using the information taken from the certificate.
Note: It is mandatory to set Issuance Criteria for CBA in ThingWorx.
a. Click Configure Adapter Contract.
b. In Adapter Contract Mapping, click ADD Attribute Source.
c. Set LDAP as the Attribute Source Id and Attribute Source Description. In the Active Data Store, select your WindchillDS data store and click Next.
d. In LDAP Directory Search, provide the following parameters:
i. Base DN = cn=Windchill_11.1,o=ptc
ii. Search Scope = Subtree
iii. Add the following user attributes: uid, CN and Subject DN
e. Click Next.
f. In LDAP FILTER, set the following filter: uid=${CN}. Click Next and Done.
g. In Adapter Contract Fulfillment, set the userPrincipalName source to LDAP with uid value. Set all other contract sources to Adapter. Click Next.
h. In Issuance Criteria, click Show Advanced Criteria.
i. Add the following Expression: #this.get("ds.LDAP.uid").hasValue(#this.get("CN").getValue())
ii. Provide an Error Result, e.g. “User was not found”.
iii. Click ADD.
9. Click Next and Save.
Part C: Add Certificate Adapter to the SP Connection
1. Log in to PingFederate as an Administrator. Navigate to > > . Select your connection name.
2. Click > .
3. In the Adapter Instance tab, select the adapter name you created in Part B. Click Next.
4. Map the various attributes to adapter values or dynamic text values.
5. Click Next and Save.