E-signature Validation for SSO with OIDC
The following topic is relevant to the following users:
• Your site uses electronic signatures as part of its workflow process. For more information, see Electronic Signature Setup.
• You want to require users to provide credentials before submitting their electronic signature.
• Your site provides authentication through a single sign-on (SSO) configuration and Identity Provider (IdP).
 |
PTC recommends setting a second authentication policy, that is multi-factor authentication, when using the e-signature functionality in an SSO configuration and using certificate based authentication (CAC/PKI). Due to the browser caching the certificate, the required reauthentication cannot be forced. Therefore, a second authentication policy such as multi-factor authentication may be required to ensure the reauthentication is presented to the user.
|
 |
The following instructions assume that you have already configured basic SSO configuration for Windchill. For more information, see Open ID Connection Authentication Support.
|
Configuring E-signature with Open ID Connect
Follow the steps below for the configuration:
|
|
For Microsoft Entra ID, you are required to add auth_time claim in Application registration as ID token type.
In PingFederate, the auth_time claim is defined by default and cannot be removed from the token. This can break the Windchill e-signature functionality.
|
2. Configure these URLs at the IDP for the e-signature application.
◦ https://<Host:Port>/<WebAppName>/reauthsecure/SSOReAuthentication.jsp?buttonId=workflowEsignCompleteButton.
◦ https://<Host:Port>/<WebAppName>/reauthsecure/SSOReAuthentication.jsp
3. Add these properties in wt.properties through site.xconf:
|
Property
|
Description
|
Example
|
|---|---|---|
|
wt.jwt.oidc.esign.providerURL
|
Open Id configuration on IDP. It is the path for openid-configuration present in IDP.
|
For PingFederate: https://host_name:9031/.well-known/openid-configuration
For Microsoft Entra ID: https://login.microsoftonline.com/..well-known/openid-configuration
|
|
wt.jwt.oidc.esign.clientId
|
Client id from IDP
|
|
|
wt.jwt.oidc.esign.clientSecrets
|
Client Secrets from IDP. You are required to store in Windchill keystore and use default value encrypted.esign.clientSecrets. Check Manage esign secrets section.
|
|
|
wt.jwt.oidc.esign.scope
|
Scope define in IDP, default is “openid”
|
openid
|
|
wt.jwt.oidc.esign.audience
|
Specifies the value to use for audience validation.
|
|
|
wt.org.electronicIdentification.class
|
wt.workflow.engine.SSOConfiguredSignatureEngine
|
|
|
wt.jwt.oauth2.token.userAttrName
|
Specifies the attribute from IDP, auth token to use as Windchill username.
|
|
|
wt.auth.sso.type
|
Value should be OIDC
|
|
|
wt.auth.oidc.validation.jwt.tokentype
|
Value should be ID_TOKEN
|
|
|
wt.jwt.oauth2.token.kidUrl
|
For Microsoft Entra ID, set the value as https://login.microsoftonline.com/<tenant_id>/discovery/v2.0/keys.
For PingFederate, set the value as https://hostname:9031/pf/JWKS.
|
|
|
wt.jwt.oauth2.token.tokenIssuer
|
Token issuer at IDP
|
PingFederate: the value is https://hostname:9031
Microsoft Entra ID: The value is https://sts.windows.net//<tenant_id>/
|
|
wt.jwt.id.token.extraClaimsToBeValidated
|
The value can be one or multiple values from these: iss, aud, exp, sub, typ. This takes the list of default mandatory claims as the value. This property is used to validate the extra claims from JWT token such as, iat and nbf.
For PingFederate JWT, this property is not required.
|
|
|
wt.jwt.oauth2.token.authtime.tolerance
|
Validating auth_time claim coming in the token for re-authentication. It should be expired after this tolerance time.
|
Default:10. Value is in second.
|
Manage E-signature Secrets
|
|
Ensure that the encryption is configured to manage the secret.
|
To configure and manage e-signature secrets in Windchill key store, run this command:
ant -f <WT_HOME>/bin/adminTools/sip/EncryptPasswords.xml addValueToKeyStore -DpropertyName=esign.clientSecrets -Dpassword=<esign_ clientSecrets >
# esign_ clientSecrets: should be defined in IDP for Esign App and set in Windchill
# esign_ clientSecrets: should be defined in IDP for Esign App and set in Windchill