OpenID Connect Authentication Support
OpenID Connect (OIDC) is available as an additional authentication option for Windchill products. OIDC implements a standard authentication protocol based on OAuth 2.0. When choosing to configure OIDC:
• You must choose either SAML or OIDC for authentication; you cannot select both. This is a configurable option.
• OIDC can be configured with SSO authorization servers that support OAuth 2.0, for example PingFederate and Entra ID. For specific single sign-on (SSO) reference architectures, refer to the PTC IAM Help Center.
OIDC Mechanism
OIDC is an identity layer built on top of the OAuth 2.0 framework. It is a token-based SSO solution. Instead of users providing credentials directly to the Windchill application, tokens are used to complete the authentication process. Credentials are managed by the Identity Provider (IdP). For more information, refer to the OIDC standard documentation.
Prerequisites for OIDC Configuration with Windchill
The following prerequisites must be met before starting the OIDC configuration:
• The IdP must be configured with the required client_id, client secret, and callback/redirect URLs for the authentication application.
OIDC Configurations with Windchill
Make sure not to edit other configuration settings in the 30-app-Windchill-Auth1.conf file.
1. Append the following text to the end of LD_LIBRARY_PATH in the file <Apache_Home>/envvars (Linux only):
":<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/lib_curl/usr/lib64:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/jansson/usr/lib64:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/cjose/usr/lib64:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/hiredis"
For example:
if test "x$LD_LIBRARY_PATH" != "x" ; then
    LD_LIBRARY_PATH="/opt/ptc/server/HTTPServer/openssl/lib:/opt/ptc/server/HTTPServer/openldap/lib:/opt/ptc/server/HTTPServer/pcre/lib:/opt/ptc/server/HTTPServer/nghttp2/lib:/opt/ptc/server/HTTPServer/lib:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/lib_curl/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/jansson/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/cjose/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/hiredis:$LD_LIBRARY_PATH"
else
    LD_LIBRARY_PATH="/opt/ptc/server/HTTPServer/openssl/lib:/opt/ptc/server/HTTPServer/openldap/lib:/opt/ptc/server/HTTPServer/pcre/lib:/opt/ptc/server/HTTPServer/nghttp2/lib:/opt/ptc/server/HTTPServer/lib:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/lib_curl/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/jansson/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/cjose/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/hiredis"
fi
export LD_LIBRARY_PATH
2. Copy <APACHE_HOME>/conf/conf.d/30-app-Windchill-Auth.conf into the same directory, <APACHE_HOME>/conf/conf.d, and rename the copy to 30-app-Windchill-Auth1.conf.
3. Remove the authentication provider information from the copied file 30-app-Windchill-Auth1.conf:
<AuthnProviderAlias>
AuthLDAPURL " "
AuthLDAPBindPassword " "
</AuthnProviderAlias>
4. Remove the following authenticated resources:
<LocationMatch ^/+Windchill/+(;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
<LocationMatch ^/+Windchill/+infoengine/+verifyCredentials.html(;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
<LocationMatch ^/+Windchill/+servlet/+CAPATTimeLineFeed(;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
5. Add the following text at the beginning of the 30-app-Windchill-Auth1.conf file.
# Location of mod_auth_openidc.so
# Linux
LoadModule auth_openidc_module <Apache_Home>/mod_oidc_Linux<OS_Version>/mod_auth_openidc/usr/lib64/httpd/modules/mod_auth_openidc.so
# OS_Version: 8 or 9, based on the OS version
# Windows
LoadModule auth_openidc_module modules/mod_auth_openidc.so
# Metadata URL of OIDC configuration
OIDCProviderMetadataURL "<OIDCProviderMetadataURL>"
# Client identifier used in calls to the statically configured OpenID Connect Provider.
OIDCClientID "<client_id>"
# Client secret used in calls to the statically configured OpenID Connect Provider.
OIDCClientSecret "<client_secret>"
# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
OIDCScope "<scope>"
# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
OIDCRemoteUserClaim "<OIDCRemoteUserClaim>"
# Set a password for crypto purposes
OIDCCryptoPassphrase "random string"
# Define the way in which the claims and tokens are passed to the application environment:
OIDCPassClaimsAs "environment"
#The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served.
OIDCRedirectURI "<OIDC redirect URL>"
# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs). This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
OIDCPreservePost "on"
# Defines the action to be taken when an unauthenticated request is made.
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# To disable auto-detection of XML HTTP request altogether and unconditionally return "auth"
# for all clients
OIDCUnAuthAction auth true
# Require a valid SSL server certificate when communicating with the OP. Default "On".
# Setting this to "off" disables certificate verification of the connection to the OP and must only be used in test environments; keep it "on" in production.
OIDCSSLValidateServer "off"
# Authenticated resources
<LocationMatch ^/+<WebAppName>/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
# <WebAppName>: the web app name you provided at install time (default: Windchill)
An example of the OIDC configuration:
#Overall OIDC config
LoadModule auth_openidc_module modules/mod_auth_openidc.so
#Metadata URL of OIDC configuration
OIDCProviderMetadataURL "https://login.microsoftonline.com/tenantid/.well-known/openid-configuration"
#Client identifier used in calls to the statically configured OpenID Connect Provider.
OIDCClientID "testoidclient"
#Client secret used in calls to the statically configured OpenID Connect Provider.
OIDCClientSecret "testoidclient123"
#Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
OIDCScope "openid"
#The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
OIDCRemoteUserClaim "unique_name"
#Extra parameters that will be sent along with the Authorization Request.
#Set a password for crypto purposes
OIDCCryptoPassphrase "oidccryptopassphrase21122"
#Define the way in which the claims and tokens are passed to the application environment:
OIDCPassClaimsAs "environment"
#The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served.
OIDCRedirectURI "https://hostname:port/Windchill/app/redirectURI"
#Overall Delegate OAuth configuration config
#The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
OIDCOAuthVerifyJwksUri "https://login.microsoftonline.com/common/discovery/keys"
#Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs).
#This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
OIDCPreservePost "on"
#Defines the action to be taken when an unauthenticated request is made.
#"auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
#To disable auto-detection of XML HTTP request altogether and unconditionally return "auth"
#for all clients
OIDCUnAuthAction auth true
#OIDC authenticated resources
<LocationMatch ^/Windchill/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
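To check that a copied 30-app-Windchill-Auth1.conf reflects steps 3 to 5 above, here is an added Python audit script; it is an example written for this page, not PTC's or mod_auth_openidc's own code. It parses the Apache directives and flags leftover LDAP Basic-auth blocks, unfilled placeholders, OIDCSSLValidateServer set to off, and a redirect URI that is not covered by the openid-connect LocationMatch; the sample configuration and its host name are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a 30-app-Windchill-Auth1.conf after the steps above (hypothetical values).
SAMPLE_CONF = """\
OIDCProviderMetadataURL "https://login.microsoftonline.com/tenantid/.well-known/openid-configuration"
OIDCClientID "testoidclient"
OIDCClientSecret "testoidclient123"
OIDCCryptoPassphrase "random string"
OIDCRedirectURI "https://wc.example.com/Windchill/app/redirectURI"
OIDCSSLValidateServer "off"
<LocationMatch ^/+Windchill/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
"""

DIRECTIVE = re.compile(r"^(\w+)\s+(.*?)$")  # "Name value"; other <...> tags do not match

def parse_conf(conf):
    """Split the file into top-level directives and <LocationMatch> blocks (keys lowercased)."""
    directives, blocks, current = {}, [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<locationmatch"):
            current = {"regex": line[len("<LocationMatch"):-1].strip(), "body": {}}
            blocks.append(current)
        elif line.lower() == "</locationmatch>":
            current = None
        elif m := DIRECTIVE.match(line):
            (current["body"] if current else directives)[m.group(1).lower()] = m.group(2).strip('"')
    return directives, blocks

def audit(conf):
    """Return findings against what steps 3-5 above expect; an empty list means the file is clean."""
    d, blocks = parse_conf(conf)
    findings = []
    if re.search(r"<authnprovideralias|authbasicprovider\s+windchill-ldap", conf, re.I):
        findings.append("LDAP basic-auth provider still present: steps 3 and 4 were not completed")
    for name in ("oidcprovidermetadataurl", "oidcclientid", "oidcclientsecret", "oidcredirecturi", "oidccryptopassphrase"):
        if name not in d or d[name].startswith("<") or d[name] == "random string":
            findings.append(f"{name}: missing or still the template placeholder")
    if d.get("oidcsslvalidateserver", "on").lower() == "off":
        findings.append("OIDCSSLValidateServer off: the OP's TLS certificate is not verified (test use only)")
    path = urlparse(d.get("oidcredirecturi", "")).path
    if not any(b["body"].get("authtype") == "openid-connect" and re.match(b["regex"], path) for b in blocks):
        findings.append("OIDCRedirectURI path is not covered by an openid-connect LocationMatch")
    return findings
```

Run audit() on the real file contents after editing; the sample above yields two findings (the unchanged passphrase placeholder and server validation switched off).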