Set Up ThingWorx Navigate with Single Sign-On
On the screens for Single Sign-On (SSO), we’ll enter the information for the Windchill server and for connecting to PingFederate.
Before You Begin
Make sure your system meets the following prerequisites before you set up SSO authentication:
• You have configured ThingWorx Foundation using SSL.
• You have imported the Windchill SSL certificate (Certificate Chain) and the PingFederate SSL certificate into the Java TrustStore (cacerts/jssecacerts) file of Apache Tomcat.
| PingFederate is the only supported central auth server (CAS) for ThingWorx Navigate. Take a moment to go over some background on PingFederate. We also recommend reading the PTC Identity and Access Management Help Center before you begin. |
Enter Windchill Server Information
First, let’s connect to Windchill. We recommend configuring Windchill for SSL.
1. Enter your Windchill server URL:
◦ To connect to a single Windchill server—Make sure the URL follows the format [http or https]://[windchill-host]:[windchill-port]/[windchill-web-app]
◦ For cluster Windchill environments—Enter the URL of the load balancing router. For example, [https]://[LB-host]:[port]/[windchill-web-app]
2. Provide the settings for your Authorization Server Scope—The name of the scope that is registered in PingFederate. For example, SCOPE NAME = WINDCHILL.
3. Click Next or Forward.
If you entered a http URL in Windchill server URL, skip to the “ThingWorx Foundation Information” section.
Provide Your TrustStore Information for ThingWorx
Before you provide the information on this screen, create a ThingWorx TrustStore file using the Java keytool utility, and then import the Windchill SSL certificate into the TrustStore file.
The topic
Create KeyStore and TrustStore Files for ThingWorx Navigate has instructions for generating TrustStore files using the
keytool.
Now that you have the TrustStore file prepared, provide the information on the SSO: TrustStore information for ThingWorx screen:
1. Next to
TrustStore file, click
, and then browse to your TrustStore file. Make sure the file is in JKS (
*.jks) format.
2. Click Open.
3. Next to Password, enter the password for the TrustStore file.
4. Click Next or Forward.
Provide Your Access Token Database Information
On this screen, enter the access token information for your database. The location, port, user name, and database name appear automatically according to your installation settings.
• IP Address or Host Name
• Port
• Username
• Password
• Database Name
Click Next or Forward.
Enter the PingFederate Server Information
1. Enter this information for PingFederate:
◦ Host name—Enter the fully qualified host name for the PingFederate server, such as <hostname.domain.com>.
◦ Runtime Port—Provide the PingFederate runtime port. The default is 9031.
2. Click Next or Forward.
Provide Identity Provider (IDP) and Service Provider (SP) Information
On this screen, provide information from PingFederate. Check your input carefully. These values are not validated and you won’t get an error if the information is incorrect.
1. Provide the IDP metadata information for PingFederate:
◦ IDP metadata file (*.xml file)—Click
, and then browse to the IDP metadata file from
PingFederate. For example,
sso-idp-metadata.xml.
◦ SAML Assertion UserName AttributeName—Accept the default, uid, or enter a new attribute name.
2. Enter the information for the ThingWorx Service Provider connection:
◦ Metadata Entity ID—Enter the value for metadataEntityId. This is the ThingWorx Service Provider connection ID that you provided when you configured the Service Provider connection in PingFederate.
3. Click Next or Forward.
SSO Key Manager Settings
Before you enter the information on this screen, prepare the correct Keystore file and Key Pair:
| This is the ThingWorx signing certificate. It is an application layer certificate, and it does not have to be the same as your ThingWorx host name. For example, ThingWorx. |
2. Import the PingFederate signing certificate into the SSO Keystore file you created in Step 1.
These resources may be helpful:
Now that you have the correct files and certificates, you can enter the information on the SSO Key Manager Settings screen:
1. Provide your SSO Keystore information:
◦ SSO Keystore file (.jks file)—Click
, and then browse to the JKS (
*.jks) file.
◦ SSO Keystore password—Enter the password you defined above, when you created the Keystore file.
2. Enter the ThingWorx Key Pair information that you defined above.
◦ SSO Key Pair Alias Name
◦ SSO Key Pair password
3. Click Next or Forward.
Authorization Server Settings
PingFederate serves as your Authorization server.
1. Provide the settings for your PingFederate server:
◦ Authorization Server ID—Choose a value to provide for the AuthorizationServerId1 variable, such as PingFed1. This value is used to configure the connection settings for an Integration Connector or media entity.
◦ ThingWorx OAuth Client ID—The OAuth client ID to identify the ThingWorx application to PingFederate.
◦ ThingWorx OAuth Client Secret—The client secret mentioned in PingFederate.
◦ Client Authentication Scheme—The default is form.
2. Accept the default, Encrypt OAuth refresh tokens before they are persisted to the database, to secure the tokens before they are persisted to the database. We recommend this setting.
3. Click Next or Forward.
Summary: Configuration Settings
Review the configuration settings. When you’re ready, click Configure.
Success!
ThingWorx Navigate is configured with single sign-on. Select the programs to open:
• Open ThingWorx Navigate
• Open ThingWorx Composer
Then, click Close. You are redirected to the Identity Provider login page. Use your IdP credentials to log in.
| If configuration fails, select the Open the log file check box and review the log file for details on what went wrong. |
Next Steps
1. Grant approval on additional screen
An additional grants approval screen is displayed. Users are also required to grant approval on this screen to access
ThingWorx Navigate. For more information, see the
Configuring the Central Auth Server topic in the PTC Identity and Access Management Help Center.
2. Execute the BuildMetaDataCache service
1. In ThingWorx Composer, search for the PTC.WCAdapter thing, and then open it. The General Information page opens.
2. Click Services.
3. For
BuildMetaDataCache, click
. The
Execute Service: BuildMetaDataCache window opens.
4. For > , enter the following:
{
"data": [
{
"adapter": {
"instanceName": "windchill",
"thingName": "PTC.WCAdapter"
}
}
]
}
5. Click Execute.
Your ThingWorx Navigate is installed and licensed, and the basic configuration is complete.