Set Up ThingWorx Navigate with Single Sign-on
On the screens for Single Sign-on (SSO), we’ll enter the information for the Windchill server and for connecting to PingFederate.
Before You Begin
Make sure your system meets the following prerequisites before you set up SSO authentication:
You have configured ThingWorx Foundation using SSL.
You have imported the Windchill SSL certificate (Certificate Chain) and the PingFederate SSL certificate into the Java TrustStore (cacerts/jssecacerts) file of Apache Tomcat.
You have created TrustStore and KeyStore files. The topic Create KeyStore and TrustStore Files for ThingWorx Navigate has instructions for generating these files.
Take a moment to go over some background on PingFederate. We also recommend reading the PTC Identity and Access Management Help Center before you begin.
Enter Windchill Server Information
First, let’s connect to Windchill. We recommend configuring Windchill for SSL.
1. Enter your Windchill server URL:
To connect to a single Windchill server—Make sure the URL follows the format [http or https]://[windchill-host]:[windchill-port]/[windchill-web-app]
For cluster Windchill environments—Enter the URL of the load balancing router. For example, [https]://[LB-host]:[port]/[windchill-web-app]
In Configure ThingWorx Navigate with a Clustered Windchill Environment, see the sections on Single Sign-on environments.
To connect to multiple Windchill systems—For now, connect to a single server. Then, after you complete the initial configuration, follow the manual steps in Configure ThingWorx Navigate to Connect to Multiple Windchill Systems.
2. Provide the settings for your Authorization Server Scope—The name of the scope that is registered in PingFederate. For example, SCOPE NAME = WINDCHILL.
3. Click Next or Forward.
If you entered an http URL for Windchill server URL, the TrustStore screen does not apply; skip to the “Enter Your ThingWorx Foundation Information” section.
Provide Your TrustStore Information for ThingWorx
Before you provide the information on this screen, create a ThingWorx TrustStore file using the Java keytool utility, and then import the Windchill SSL certificate into the TrustStore file.
The topic Create KeyStore and TrustStore Files for ThingWorx Navigate has instructions for generating TrustStore files using the keytool.
Now that you have the TrustStore file prepared, provide the information on the SSO: TrustStore information for ThingWorx screen:
1. Next to TrustStore file, click Fetch file, and then browse to your TrustStore file. Make sure the file is in JKS (*.jks) format.
2. Click Open.
3. Next to Password, enter the password for the TrustStore file.
4. Click Next or Forward.
Enter Your ThingWorx Foundation Information
* This step is only applicable if you are installing ThingWorx Navigate 9.0.0.
Enter your ThingWorx Foundation installation location and then provide the following ThingWorx Foundation Administrator credentials:
Username
Password
Provide Your Access Token Database Information
On this screen, enter the access token information for your database. The location, port, user name, and database name appear automatically according to your installation settings.
IP Address or Host Name
Port
Database Name
Username
Password
Enter the PingFederate Server Information
1. Enter this information for PingFederate:
Host name—Enter the fully qualified host name for the PingFederate server, such as <hostname.domain.com>.
Runtime Port—Provide the PingFederate runtime port. The default is 9031.
2. Click Next or Forward.
Provide Identity Provider (IDP) and Service Provider (SP) Information
On this screen, provide information from PingFederate. Check your input carefully. These values are not validated and you won’t get an error if the information is incorrect.
1. Provide the IDP metadata information for PingFederate:
IDP metadata file (*.xml file)—Click Fetch file, and then browse to the IDP metadata file from PingFederate. For example, sso-idp-metadata.xml.
SAML Assertion UserName AttributeName—Accept the default, uid, or enter a new attribute name.
2. Enter the information for the ThingWorx Service Provider connection:
Metadata Entity ID—Enter the value for metadataEntityId. This is the ThingWorx Service Provider connection ID that you provided when you configured the Service Provider connection in PingFederate.
3. Click Next or Forward.
SSO Key Manager Settings
Before you enter the information on this screen, prepare the correct Keystore file and Key Pair:
1. Create an SSO Keystore file using the Java keytool utility. Create a Key Pair using the keytool commands mentioned in Create KeyStore and TrustStore Files for ThingWorx Navigate.
* This is the ThingWorx signing certificate. It is an application layer certificate, so its name does not have to match your ThingWorx host name. For example, ThingWorx.
2. Import the PingFederate signing certificate into the SSO Keystore file you created in Step 1.
These resources may be helpful:
The topic Import Certificates to Keystore File in the ThingWorx Help Center
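The keytool work that the TrustStore section and steps 1 and 2 above describe (a TrustStore holding the Windchill certificate; an SSO Keystore holding the ThingWorx signing key pair plus the PingFederate signing certificate), as an added POSIX shell example that is not PTC's script: it assumes keytool from the JDK that runs Tomcat is on PATH, that you hold PEM or DER copies of the certificates, and that passwords arrive in environment variables; every file name and the distinguished name are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not PTC's script). Assumes: keytool from the JDK that runs
# Tomcat is on PATH; PEM or DER copies of the Windchill certificate chain and
# the PingFederate signing certificate exist at the placeholder paths below;
# store and key passwords arrive through environment variables.
set -eu

WINDCHILL_CERT="${WINDCHILL_CERT:-windchill-chain.pem}"     # placeholder path
PINGFED_CERT="${PINGFED_CERT:-pingfederate-signing.pem}"    # placeholder path
TRUSTSTORE="${TRUSTSTORE:-thingworx-truststore.jks}"        # placeholder path
SSO_KEYSTORE="${SSO_KEYSTORE:-thingworx-sso-keystore.jks}"  # placeholder path
KEYPAIR_ALIAS="${KEYPAIR_ALIAS:-ThingWorx}"                 # the page's example alias
KEYPAIR_DN="${KEYPAIR_DN:-CN=ThingWorx SSO signing,O=Example}"  # placeholder DN

# TrustStore for ThingWorx: trusted certificates only, no private key.
# -noprompt suppresses the "Trust this certificate?" question, so verify the
# certificate fingerprint out of band before running this.
# Usage: create_truststore STORE STOREPASS CERTFILE ALIAS
create_truststore() {
  keytool -importcert -noprompt -trustcacerts \
    -alias "$4" -file "$3" \
    -keystore "$1" -storetype JKS -storepass "$2"
}

# SSO Keystore: step 1 generates the ThingWorx signing key pair (the entry whose
# alias and key password go on the SSO Key Manager Settings screen); step 2
# imports the PingFederate signing certificate into the same file.
# Usage: create_sso_keystore STORE STOREPASS KEYPASS ALIAS DN IDP_CERTFILE
create_sso_keystore() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 730 \
    -alias "$4" -dname "$5" \
    -keystore "$1" -storetype JKS -storepass "$2" -keypass "$3"
  keytool -importcert -noprompt -trustcacerts \
    -alias pingfederate -file "$6" \
    -keystore "$1" -storetype JKS -storepass "$2"
}

# Pre-flight check before filling in the installer screens: prints
# PrivateKeyEntry or trustedCertEntry for the alias, or nothing if the alias
# or the store password is wrong (a mistake here is otherwise found only when
# SSO login fails later).
# Usage: keystore_entry_type STORE STOREPASS ALIAS
keystore_entry_type() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | awk '/PrivateKeyEntry/ { print "PrivateKeyEntry"; exit }
           /trustedCertEntry/ { print "trustedCertEntry"; exit }'
}

# Build both stores only when invoked as:  sh sso-keystores.sh run
if [ "${1:-}" = "run" ]; then
  : "${TRUSTSTORE_PASS:?set TRUSTSTORE_PASS}"
  : "${SSO_KEYSTORE_PASS:?set SSO_KEYSTORE_PASS}"
  : "${SSO_KEYPAIR_PASS:?set SSO_KEYPAIR_PASS}"
  create_truststore "$TRUSTSTORE" "$TRUSTSTORE_PASS" "$WINDCHILL_CERT" windchill
  create_sso_keystore "$SSO_KEYSTORE" "$SSO_KEYSTORE_PASS" "$SSO_KEYPAIR_PASS" \
    "$KEYPAIR_ALIAS" "$KEYPAIR_DN" "$PINGFED_CERT"
  echo "TrustStore windchill entry: $(keystore_entry_type "$TRUSTSTORE" "$TRUSTSTORE_PASS" windchill)"
  echo "SSO Keystore $KEYPAIR_ALIAS entry: $(keystore_entry_type "$SSO_KEYSTORE" "$SSO_KEYSTORE_PASS" "$KEYPAIR_ALIAS")"
fi
```

The values you type on the installer screens map directly onto the arguments: the TrustStore file and password to the SSO: TrustStore information for ThingWorx screen, and the SSO Keystore file, store password, key pair alias and key password to the SSO Key Manager Settings screen. Because the installer does not validate these values, running keystore_entry_type for each alias first confirms that the alias exists, that the password opens the store, and that the ThingWorx alias is a PrivateKeyEntry rather than a certificate-only entry.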
Now that you have the correct files and certificates, you can enter the information on the SSO Key Manager Settings screen:
1. Provide your SSO Keystore information:
SSO Keystore file (.jks file)—Click Fetch file, and then browse to the JKS (*.jks) file.
SSO Keystore password—Enter the password you defined above, when you created the Keystore file.
2. Enter the ThingWorx Key Pair information that you defined above.
SSO Key Pair Alias Name
SSO Key Pair password
3. Click Next or Forward.
Authorization Server Settings
PingFederate serves as your Authorization server.
1. Provide the settings for your PingFederate server:
Authorization Server ID—Choose a value to provide for the AuthorizationServerId1 variable, such as PingFed1. This value is used to configure the connection settings for an Integration Connector or media entity.
ThingWorx OAuth Client ID—The OAuth client ID to identify the ThingWorx application to PingFederate.
ThingWorx OAuth Client Secret—The client secret mentioned in PingFederate.
Client Authentication Scheme—The default is form.
2. Leave the default, Encrypt OAuth refresh tokens before they are persisted to the database, selected so that the refresh tokens are protected before they are written to the database. We recommend this setting.
3. Click Next or Forward.
Summary: Configuration Settings
Review the configuration settings. When you’re ready, click Configure.
Success!
ThingWorx Navigate is configured with Single Sign-on. Select the programs to open:
Open ThingWorx Navigate
Open ThingWorx Composer
Then, click Close. You are redirected to the Identity Provider login page. Use your IdP credentials to log in.
* If configuration fails, select the Open the log file check box and review the log file for details on what went wrong.
Next Steps
Your ThingWorx Navigate is installed and licensed, and the basic configuration is complete. The next required step is to grant permission to non-administrative users. Follow the steps in Modify ThingWorx Permissions: Users and Groups.
You can also move on to the optional configurations, such as these: