Windchill can participate in a single sign-on (SSO) as a resource server to client applications that support the OAuth protocol. When configuring a non-interactive client that uses a machine identity, the Client Credentials grant flow is recommended. This topic describes the manual steps for configuring the OAuth Client Credential grant type to be used for secure access to Windchill as a resource server through Windchill Rest Services.

All subsections here assume that both the Central Authorization Server (CAS), Windchill, and the client application have been configured for OAuth 2.0. Windchill must be configured as a Resource Server using OAuth. The Oauth Client must be registered as a Service Provider.

A common client registration application should be supported by IdP. This application validates and verifies the access token for all clients that are configured with client credentials and authorization code grant type. The registered client must allow both grant types, it is required to configure authorization code grant type to support ThingWorx Navigate. The user attribute defined should be same for all clients that are configured for Client Credentials and Authorization grant type. The clients that are configured for client credentials are required to use Service Principal name as user attribute. The clients that are configured with Authorization Grant type should use Username as user attribute. This user attribute should be available as claim in access token.

Follow the steps below in PingFederate for the client registration in CAS(PingFederate):

The client web application server will need to exchange the authorization code to obtain an OAuth access token. This is done by making a POST request to the authorization server’s token endpoint. The request body contains the previously obtained authorization code. Note that the request body must have the application/x-www-form-urlencoded content type.