OpenID Connect Authentication Support
OpenID Connect (OIDC) is another authentication option available for Windchill products. OIDC implements a standard authentication protocol based on OAuth 2.0. When choosing to configure OIDC:
• You must select either SAML or OIDC for authentication; both cannot be selected at the same time. This option is configurable.
• OIDC can be configured with an SSO authorization server that supports OAuth 2.0, such as PingFederate and Entra ID. For specific SSO reference architectures, see the PTC IAM Help Center.
OIDC Mechanism
OIDC is an identity layer built on top of the OAuth 2.0 framework. It is a token-based SSO solution. Users complete the authentication process with tokens, without providing their login credentials directly to the Windchill application. The credentials are held by the identity provider (IdP). For details, see the OIDC standard documentation.
Prerequisites for OIDC Configuration with Windchill
Before starting the OIDC configuration, the following prerequisite must be met:
• The IdP should be configured for the authentication application with the required client_id, secret, and callback/redirect URL.
OIDC Configuration with Windchill
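The mechanism and prerequisite above describe what the Apache module does with the client_id, secret and redirect URL registered at the IdP. The following is an added example in Python, not PTC's or mod_auth_openidc's code: it models the relying-party side of the authorization-code flow (authorization request built from provider metadata, state check on the callback, ID token claim validation, mapping of the configured claim to REMOTE_USER). Signature verification against jwks_uri is assumed to be done by the module and is not implemented; the provider metadata, hostnames, client_id, redirect URL and claim values are constructed assumptions.

```python
"""Relying-party side of the OIDC authorization-code flow (added example).

Not PTC's or mod_auth_openidc's code. Models what the Apache module does with
the registered client_id / redirect URL / scope: build the authorization
request, check state on the callback, validate ID token claims and map the
configured claim (OIDCRemoteUserClaim) to REMOTE_USER. Signature verification
against jwks_uri is assumed done elsewhere (stdlib only). All values constructed.
"""
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the document served at OIDCProviderMetadataURL.
PROVIDER_METADATA = {
    "issuer": "https://idp.example.test/tenant",
    "authorization_endpoint": "https://idp.example.test/tenant/oauth2/authorize",
    "jwks_uri": "https://idp.example.test/tenant/discovery/keys",
}
# Constructed values corresponding to OIDCClientID, OIDCRedirectURI, OIDCScope, OIDCRemoteUserClaim.
CLIENT_ID = "testoidclient"
REDIRECT_URI = "https://windchill.example.test/Windchill/app/redirectUI"
SCOPE = "openid"
REMOTE_USER_CLAIM = "unique_name"
CLOCK_SKEW = 60  # seconds of tolerance for exp/iat


class OidcError(Exception):
    """Raised when the request must be rejected (user is sent back to the IdP)."""


def build_auth_request(metadata, state, nonce):
    """URL the browser is redirected to when OIDCUnAuthAction is 'auth'."""
    if "openid" not in SCOPE.split():
        raise OidcError("scope must contain 'openid' or no ID token is issued")
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": SCOPE, "state": state, "nonce": nonce}
    return metadata["authorization_endpoint"] + "?" + urlencode(params)


def check_callback(callback_url, expected_state):
    """Accept the redirect back to OIDCRedirectURI only if it hits the registered
    path and carries the state bound to this browser session; return the code."""
    got, want = urlparse(callback_url), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise OidcError("callback did not arrive at the registered redirect_uri")
    qs = parse_qs(got.query)
    if qs.get("state", [None])[0] != expected_state:
        raise OidcError("state mismatch: cross-site or replayed callback")
    if "error" in qs:
        raise OidcError("provider returned error: " + qs["error"][0])
    if "code" not in qs:
        raise OidcError("callback carries no authorization code")
    return qs["code"][0]


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def validate_id_token(id_token, metadata, expected_nonce, now=None):
    """Apply the ID token checks OpenID Connect Core requires of the relying party
    and return the value that becomes REMOTE_USER."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, _signature = id_token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise OidcError("malformed ID token")
    if str(header.get("alg", "none")).lower() == "none":
        raise OidcError("unsigned token rejected")
    if claims.get("iss") != metadata["issuer"]:
        raise OidcError("issuer does not match the provider metadata")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise OidcError("token was not issued for this client_id")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise OidcError("several audiences but azp is not this client")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise OidcError("token has expired")
    if claims.get("iat", now) > now + CLOCK_SKEW:
        raise OidcError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise OidcError("nonce mismatch: token replayed from another login")
    user = claims.get(REMOTE_USER_CLAIM)
    if not user:
        raise OidcError(f"claim '{REMOTE_USER_CLAIM}' missing; REMOTE_USER cannot be set")
    return user


def make_test_token(claims, alg="RS256"):
    """Constructed token for local claim-check testing; the signature segment is a
    placeholder, so it would never pass real signature verification."""
    return _b64url_encode({"alg": alg, "typ": "JWT"}) + "." + _b64url_encode(claims) + ".sig"


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_auth_request(PROVIDER_METADATA, state, nonce))
    code = check_callback(f"{REDIRECT_URI}?code=abc&state={state}", state)
    now = 1_700_000_000
    token = make_test_token({"iss": PROVIDER_METADATA["issuer"], "aud": CLIENT_ID, "exp": now + 300,
                             "iat": now, "nonce": nonce, "unique_name": "jdoe@example.test"})
    print("code:", code, "REMOTE_USER:", validate_id_token(token, PROVIDER_METADATA, nonce, now=now))
```

The state and nonce are generated per browser session and must be stored server-side (the module keeps them in its encrypted session, which is why OIDCCryptoPassphrase matters); the callback is accepted only at the exact registered redirect path, which is also why OIDCRedirectURI must sit under the protected LocationMatch but serve no real content.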
Note: Do not edit any other configuration settings in the 30-app-Windchill-Auth1.conf file.
1. Append the following text to LD_LIBRARY_PATH at the end of the <Apache_Home>/envvars file (Linux only).
:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/lib_curl/usr/lib64:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/jansson/usr/lib64:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/cjose/usr/lib64:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/hiredis
For example:
if test "x$LD_LIBRARY_PATH" != "x" ; then
    LD_LIBRARY_PATH="/opt/ptc/server/HTTPServer/openssl/lib:/opt/ptc/server/HTTPServer/openldap/lib:/opt/ptc/server/HTTPServer/pcre/lib:/opt/ptc/server/HTTPServer/nghttp2/lib:/opt/ptc/server/HTTPServer/lib:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/lib_curl/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/jansson/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/cjose/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/hiredis:$LD_LIBRARY_PATH"
else
    LD_LIBRARY_PATH="/opt/ptc/server/HTTPServer/openssl/lib:/opt/ptc/server/HTTPServer/openldap/lib:/opt/ptc/server/HTTPServer/pcre/lib:/opt/ptc/server/HTTPServer/nghttp2/lib:/opt/ptc/server/HTTPServer/lib:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/lib_curl/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/jansson/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/cjose/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/hiredis"
fi
export LD_LIBRARY_PATH
2. Copy <APACHE_HOME>/conf/conf.d/30-app-Windchill-Auth.conf and rename the copy to 30-app-Windchill-Auth1.conf; the copy must be placed in <APACHE_HOME>/conf/conf.d.
3. Remove the authentication provider information from the copied file 30-app-Windchill-Auth1.conf, as shown in the following example:
4. Remove the authenticated resources, as shown in the following example:
5. Add the following text at the beginning of the 30-app-Windchill-Auth1.conf file.
# Location of mod_auth_openidc.so (keep only the LoadModule line for your platform)
# Linux: OS_Version should be 8 or 9, matching the OS version
LoadModule auth_openidc_module <Apache_Home>/mod_oidc_Linux<OS_Version>/mod_auth_openidc/usr/lib64/httpd/modules/mod_auth_openidc.so
# Windows
LoadModule auth_openidc_module modules/mod_auth_openidc.so
# Metadata URL of OIDC configuration
OIDCProviderMetadataURL "<OIDCProviderMetadataURL>"
# Client identifier used in calls to the statically configured OpenID Connect Provider.
OIDCClientID "<client_id>"
# Client secret used in calls to the statically configured OpenID Connect Provider.
OIDCClientSecret "<client_secret>"
# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
OIDCScope "<scope>"
# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
OIDCRemoteUserClaim "<OIDCRemoteUserClaim>"
# Set a password for crypto purposes
OIDCCryptoPassphrase "random string"
# Define the way in which the claims and tokens are passed to the application environment:
OIDCPassClaimsAs "environment"
#The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served.
OIDCRedirectURI "<OIDC redirect URL>"
# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs). This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
OIDCPreservePost "on"
# Defines the action to be taken when an unauthenticated request is made.
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# To disable auto-detection of XML HTTP request altogether and unconditionally return "auth"
# for all clients
OIDCUnAuthAction auth true
# Require a valid SSL server certificate when communicating with the OP. Default "On".
# "off" disables certificate verification for the metadata, key and token endpoints; use it only in isolated test setups.
OIDCSSLValidateServer "off"
# Authenticated resources
<LocationMatch ^/+<WebAppName>/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
# "<WebAppName>": the web application name you provided at install time. Default: Windchill
An example of the OIDC configuration follows:
#Overall OIDC config
LoadModule auth_openidc_module modules/mod_auth_openidc.so
#Metadata URL of OIDC configuration
OIDCProviderMetadataURL "https://login.microsoftonline.com/tenantid/.well-known/openid-configuration"
#Client identifier used in calls to the statically configured OpenID Connect Provider.
OIDCClientID "testoidclient"
#Client secret used in calls to the statically configured OpenID Connect Provider.
OIDCClientSecret "testoidclient123"
#Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
OIDCScope "openid"
#The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
OIDCRemoteUserClaim "unique_name"
#Extra parameters that will be sent along with the Authorization Request.
#Set a password for crypto purposes
OIDCCryptoPassphrase "oidccryptopassphrase21122"
#Define the way in which the claims and tokens are passed to the application environment:
OIDCPassClaimsAs "environment"
#The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served.
OIDCRedirectURI "https://hostname:port/Windchill/app/redirectUI"
#Overall Delegate OAuth configuration config
#The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
OIDCOAuthVerifyJwksUri "https://login.microsoftonline.com/common/discovery/keys"
#Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs).
#This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
OIDCPreservePost "on"
#Defines the action to be taken when an unauthenticated request is made.
#"auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
#To disable auto-detection of XML HTTP request altogether and unconditionally return "auth"
#for all clients
OIDCUnAuthAction auth true
#OIDC authenticated resources
<LocationMatch ^/Windchill/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
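To check the result of steps 1 to 5 before restarting Apache, the following is an added example in Python, not PTC's or mod_auth_openidc's tooling: a small linter that parses a fragment like 30-app-Windchill-Auth1.conf and reports directives that are missing, still hold template placeholders, disable TLS validation, use a non-https URL, lack the openid scope, keep the template crypto passphrase, or leave the redirect URI outside the protected LocationMatch. The embedded SAMPLE_CONF is constructed; its hostnames and secrets are placeholders.

```python
"""Lint an Apache mod_auth_openidc fragment such as 30-app-Windchill-Auth1.conf.

Added example, not PTC's or mod_auth_openidc's tooling. It parses the directives
used on this page and reports what would stop the module working or weaken it.
SAMPLE_CONF is constructed; hostnames and secrets are placeholders.
"""
import re
from urllib.parse import urlparse

REQUIRED = ("LoadModule", "OIDCProviderMetadataURL", "OIDCClientID", "OIDCClientSecret",
            "OIDCRedirectURI", "OIDCCryptoPassphrase", "OIDCRemoteUserClaim")
HTTPS_ONLY = ("OIDCProviderMetadataURL", "OIDCRedirectURI", "OIDCOAuthVerifyJwksUri")
DIRECTIVE_RE = re.compile(r"^(\w+)\s+(.*)$")

# Constructed sample in the shape of the page's example (placeholder host and secrets).
SAMPLE_CONF = """
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCProviderMetadataURL "https://idp.example.test/tenant/.well-known/openid-configuration"
OIDCClientID "testoidclient"
OIDCClientSecret "testoidclient123"
OIDCScope "openid"
OIDCRemoteUserClaim "unique_name"
OIDCCryptoPassphrase "random string"
OIDCPassClaimsAs "environment"
OIDCRedirectURI "https://windchill.example.test/Windchill/app/redirectUI"
OIDCPreservePost "on"
OIDCUnAuthAction auth true
OIDCSSLValidateServer "off"
<LocationMatch ^/Windchill/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
"""


def parse_conf(text):
    """Split the fragment into top-level directives (lower-cased name -> list of
    values, since Apache matches directive names case-insensitively) and
    <LocationMatch> blocks (regex pattern plus the directives inside)."""
    directives, locations, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<locationmatch"):
            pattern = line[len("<LocationMatch"):].strip().rstrip(">").strip()
            current = {"pattern": pattern, "body": {}}
        elif low.startswith("</locationmatch"):
            locations.append(current)
            current = None
        else:
            m = DIRECTIVE_RE.match(line)
            if m:
                name, value = m.group(1).lower(), m.group(2).strip().strip('"')
                if current is None:
                    directives.setdefault(name, []).append(value)
                else:
                    current["body"][name] = value
    return directives, locations


def lint(text):
    """Return a list of findings; an empty list means nothing to flag."""
    directives, locations = parse_conf(text)
    get = lambda n: (directives.get(n.lower()) or [None])[-1]  # last value wins, as in Apache
    findings = []
    for name in REQUIRED:
        if get(name) is None:
            findings.append(f"{name} is missing")
    for name, values in directives.items():
        if any(re.search(r"<[^>]*>", v) for v in values):
            findings.append(f"{name} still holds a template placeholder")
    if (get("OIDCSSLValidateServer") or "on").lower() == "off":
        findings.append("OIDCSSLValidateServer off: the provider's TLS certificate is not verified, "
                        "so metadata, signing keys and tokens can be tampered with in transit")
    for name in HTTPS_ONLY:
        value = get(name)
        if value and not value.lower().startswith("https://"):
            findings.append(f"{name} is not an https URL")
    scope = get("OIDCScope")
    if scope is not None and "openid" not in scope.split():
        findings.append("OIDCScope does not include 'openid'; no ID token will be issued")
    passphrase = get("OIDCCryptoPassphrase")
    if passphrase and (passphrase == "random string" or len(passphrase) < 16):
        findings.append("OIDCCryptoPassphrase is the template text or shorter than 16 characters")
    if not locations:
        findings.append("no <LocationMatch> block protects the web application")
    for loc in locations:
        body = loc["body"]
        if body.get("authtype", "").lower() != "openid-connect" or body.get("require") != "valid-user":
            findings.append(f"<LocationMatch {loc['pattern']}> lacks AuthType openid-connect / Require valid-user")
    redirect = get("OIDCRedirectURI")
    if redirect and locations and not any(re.match(l["pattern"], urlparse(redirect).path) for l in locations):
        findings.append("OIDCRedirectURI path is outside every protected <LocationMatch>; "
                        "the module will not see the callback")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print("-", finding)
```

Run against the sample it reports the two weak settings carried over from the template (OIDCSSLValidateServer off and the literal "random string" passphrase); once those are replaced and the file is free of <...> placeholders the list is empty. The redirect-path check mirrors the comment on OIDCRedirectURI: the callback must land on a path the module protects, or the authentication never completes.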