E-signature Validation for SSO with OIDC
The following topic is relevant to the following users:
Your site uses electronic signatures as part of its workflow process. For more information, see Electronic Signature Setup.
You want to require users to provide credentials before submitting their electronic signature.
Your site provides authentication through a single sign-on (SSO) configuration and Identity Provider (IdP).
* 
PTC recommends setting a second authentication policy, that is multi-factor authentication, when using the e-signature functionality in an SSO configuration and using certificate based authentication (CAC/PKI). Due to the browser caching the certificate, the required reauthentication cannot be forced. Therefore, a second authentication policy such as multi-factor authentication may be required to ensure the reauthentication is presented to the user.
* 
The following instructions assume that you have already configured basic SSO configuration for Windchill. For more information, see Open ID Connection Authentication Support.
Configuring E-signature with Open ID Connect
Follow the steps below for the configuration:
* 
For Microsoft Entra ID, you are required to add auth_time claim in Application registration as ID token type.
In PingFederate, the auth_time claim is defined by default and cannot be removed from the token. This can break the Windchill e-signature functionality.
2. Configure these URLs at the IDP for the e-signature application.
https://<Host:Port>/<WebAppName>/reauthsecure/SSOReAuthentication.jsp?buttonId=workflowEsignCompleteButton.
https://<Host:Port>/<WebAppName>/reauthsecure/SSOReAuthentication.jsp
3. Add these properties in wt.properties through site.xconf:
Property
Description
Example
wt.jwt.oidc.esign.providerURL
Open Id configuration on IDP. It is the path for openid-configuration present in IDP.
For PingFederate: https://host_name:9031/.well-known/openid-configuration
For Microsoft Entra ID: https://login.microsoftonline.com/..well-known/openid-configuration
wt.jwt.oidc.esign.clientId
Client id from IDP
wt.jwt.oidc.esign.clientSecrets
Client Secrets from IDP. You are required to store in Windchill keystore and use default value encrypted.esign.clientSecrets. Check Manage esign secrets section.
wt.jwt.oidc.esign.scope
Scope define in IDP, default is “openid”
openid
wt.jwt.oidc.esign.audience
Specifies the value to use for audience validation.
wt.org.electronicIdentification.class
wt.workflow.engine.SSOConfiguredSignatureEngine
wt.jwt.oauth2.token.userAttrName
Specifies the attribute from IDP, auth token to use as Windchill username.
wt.auth.sso.type
Value should be OIDC
wt.auth.oidc.validation.jwt.tokentype
Value should be ID_TOKEN
wt.jwt.oauth2.token.kidUrl
For Microsoft Entra ID, set the value as https://login.microsoftonline.com/<tenant_id>/discovery/v2.0/keys.
For PingFederate, set the value as https://hostname:9031/pf/JWKS.
wt.jwt.oauth2.token.tokenIssuer
Token issuer at IDP
PingFederate: the value is https://hostname:9031
Microsoft Entra ID: The value is https://sts.windows.net//<tenant_id>/
wt.jwt.id.token.extraClaimsToBeValidated
The value can be one or multiple values from these: iss, aud, exp, sub, typ. This takes the list of default mandatory claims as the value. This property is used to validate the extra claims from JWT token such as, iat and nbf.
For PingFederate JWT, this property is not required.
wt.jwt.oauth2.token.authtime.tolerance
Validating auth_time claim coming in the token for re-authentication. It should be expired after this tolerance time.
Default:10. Value is in second.
Manage E-signature Secrets
* 
Ensure that the encryption is configured to manage the secret.
To configure and manage e-signature secrets in Windchill key store, run this command:
ant -f <WT_HOME>/bin/adminTools/sip/EncryptPasswords.xml addValueToKeyStore -DpropertyName=esign.clientSecrets -Dpassword=<esign_ clientSecrets >
# esign_ clientSecrets: should be defined in IDP for Esign App and set in Windchill
Was this helpful?