Registering a Non-interactive Client with Windchill through WRS
This topic describes the steps required to register a non-interactive client that integrates with Windchill through Windchill REST Services (WRS) using OAuth 2.0. When the client credential grant type is implemented with PingFederate to authorize access to the resources and authenticate the resource owners, the OAuth client is the service provider, PingFederate is the CAS, and the Windchill server is the resource server. Because the LDAP protocol is replaced with the OAuth protocol, Windchill is required to use OAuth/token-based authentication to invoke APIs.
Pre-Requisites
All subsections here assume that the Central Authorization Server (CAS), Windchill, and the client application have been configured for OAuth. Windchill must be configured as a Resource Server using OAuth. The OAuth Client must be registered as a Service Provider.
Windchill User for Client Credentials Grant Type
The Windchill principal used with the client credential grant type is a machine identity intended to represent a non-interactive client machine used to integrate with Windchill. It represents a non-human identity and must be defined in LDAP like any other user. However, this user should be used only for integration purposes. The process to associate the client credential in PingFederate to an identity in Windchill is explained below.
Use of the machine identity must be controlled to ensure it is managed securely. The identity, client ID, and secret should be managed by the Windchill administrator and should not be shared. A machine identity is not expected to complete certain actions in Windchill, and the following restrictions apply:
No direct login to Windchill application with this identity account.
No password should be set in LDAP. Credentials are managed through SSO.
No UI activity or operation should be performed by this identity.
ESignature or workflow tasks providing human approval or confirmation should never be assigned to this identity.
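The following Python example is added here and is not part of the PTC documentation or PTC's code. It builds the client credentials token request that a non-interactive client sends to the CAS, validates the token response, and builds the bearer-token request sent to Windchill. The function names, environment variable names, and endpoint URLs are assumptions; use the values from your own PingFederate and Windchill configuration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

def build_token_request(token_url, client_id, client_secret, scope=None):
    """Client credentials grant (RFC 6749 section 4.4): no user, no browser."""
    if not token_url.lower().startswith("https://"):
        raise ValueError("token endpoint must use HTTPS; the secret is sent to it")
    # RFC 6749 section 2.3.1: form-encode id and secret, then HTTP Basic.
    pair = ":".join(urllib.parse.quote(v, safe="") for v in (client_id, client_secret))
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {"Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(token_url, headers=headers,
                                  data=urllib.parse.urlencode(form).encode())

def parse_token_response(body, now=None):
    """Return (access_token, expiry as epoch seconds) or raise on anything else."""
    doc = json.loads(body)
    if "error" in doc:
        raise PermissionError("CAS rejected the client: " + str(doc["error"]))
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    now = time.time() if now is None else now
    # Renew 30 s early so a request is never sent with a token about to expire.
    return doc["access_token"], now + int(doc.get("expires_in", 0)) - 30

def build_api_request(resource_url, access_token):
    """Request to the resource server carrying only the bearer token."""
    if not resource_url.lower().startswith("https://"):
        raise ValueError("bearer tokens must only travel over HTTPS")
    return urllib.request.Request(
        resource_url, headers={"Authorization": "Bearer " + access_token})

if __name__ == "__main__":
    import os
    # Assumed variable names; the secret comes from the environment, not source.
    env = os.environ
    req = build_token_request(env["CAS_TOKEN_URL"], env["WRS_CLIENT_ID"],
                              env["WRS_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        token, expires_at = parse_token_response(resp.read())
    api = build_api_request(env["WRS_RESOURCE_URL"], token)
    with urllib.request.urlopen(api, timeout=10) as r:
        print(r.status)
```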
Opening Service Request
To open a service request to create a Windchill user for the client credential grant type implementation, see Opening a Service Request.