Support for OpenID Connect Authentication
OpenID Connect (OIDC) is a further authentication option available for Windchill products. OIDC implements a standard authentication protocol built on OAuth 2.0. When choosing to configure OIDC:
You must choose either SAML or OIDC for authentication; the two cannot be used together. This option is configurable.
OIDC can be configured with any SSO authorization server that supports OAuth 2.0, for example PingFederate or Entra ID. For information on specific single sign-on (SSO) reference architectures, see the PTC IAM Help Center.
OIDC Mechanism
OIDC is an identity layer built on top of the OAuth 2.0 framework. It is a token-based SSO solution: the user completes the authentication process with a token and never supplies login credentials directly to the Windchill application. The login credentials are held by the identity provider (IdP). For details, see the OIDC standard documentation.
Prerequisites for OIDC Configuration with Windchill
Before starting the OIDC configuration, the following prerequisites must be in place:
The IdP must be configured for the authenticating application, together with the required client ID, client secret and callback (redirect) URL. Add the callback or redirect URL at the IdP as follows:
https://<hostname>:<port>/<webapp>/app/redirectURL
OIDC Configuration with Windchill
Note: Do not edit any other configuration settings in the 30-app-Windchill-Auth1.conf file.
1. Append the following text to LD_LIBRARY_PATH at the end of the <Apache_Home>/envvars file (Linux only).
":<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/lib_curl/usr/lib64:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/jansson/usr/lib64:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/cjose/usr/lib64:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/hiredis"
Note: OS_VERSION is the operating system version in use, 8 or 9.
For example:
if test "x$LD_LIBRARY_PATH" != "x" ; then LD_LIBRARY_PATH="/opt/ptc/server/HTTPServer/openssl/lib:/opt/ptc/server/HTTPServer/openldap/lib:/opt/ptc/server/HTTPServer/pcre/lib:/opt/ptc/server/HTTPServer/nghttp2/lib:/opt/ptc/server/HTTPServer/lib:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/lib_curl/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/jansson/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/cjose/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/hiredis:$LD_LIBRARY_PATH"
else LD_LIBRARY_PATH="/opt/ptc/server/HTTPServer/openssl/lib:/opt/ptc/server/HTTPServer/openldap/lib:/opt/ptc/server/HTTPServer/pcre/lib:/opt/ptc/server/HTTPServer/nghttp2/lib:/opt/ptc/server/HTTPServer/lib:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/lib_curl/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/jansson/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/cjose/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/hiredis"
fi
export LD_LIBRARY_PATH
2. Copy <APACHE_HOME>/conf/conf.d/30-app-Windchill-Auth.conf and rename the copy to 30-app-Windchill-Auth1.conf; the copy must remain in <APACHE_HOME>/conf/conf.d.
3. Remove the authentication provider information from the copied 30-app-Windchill-Auth1.conf file:
<AuthnProviderAlias>
AuthLDAPURL " "
AuthLDAPBindPassword " "
</AuthnProviderAlias>
4. Remove the following authenticated resources:
<LocationMatch ^/+Windchill/+(;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
<LocationMatch ^/+Windchill/+infoengine/+verifyCredentials.html (;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
<LocationMatch ^/+Windchill/+servlet/+CAPATTimeLineFeed (;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
5. Add the following text at the beginning of the 30-app-Windchill-Auth1.conf file.
# Location of mod_auth_openidc.so. Keep only the LoadModule line for your platform.
# Linux: OS_Version is 8 or 9, depending on the OS version
LoadModule auth_openidc_module <Apache_Home>/mod_oidc_Linux<OS_Version>/mod_auth_openidc/usr/lib64/httpd/modules/mod_auth_openidc.so
# Windows
LoadModule auth_openidc_module modules/mod_auth_openidc.so
# Metadata URL of OIDC configuration
OIDCProviderMetadataURL "<OIDCProviderMetadataURL>"
# Client identifier used in calls to the statically configured OpenID Connect Provider.
OIDCClientID "<client_id>"
# Client secret used in calls to the statically configured OpenID Connect Provider.
OIDCClientSecret "<client_secret>"
# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
OIDCScope "<scope>"
# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
OIDCRemoteUserClaim "<OIDCRemoteUserClaim>"
# Passphrase used by the module to encrypt its session state and cookies; use a long random value
OIDCCryptoPassphrase "random string"
# Define the way in which the claims and tokens are passed to the application environment:
OIDCPassClaimsAs "environment"
#The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
OIDCOAuthVerifyJwksUri <JWKs URL from IdP>
#The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served.
OIDCRedirectURI "<OIDC redirect URL>"
# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs). This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
OIDCPreservePost "on"
OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' \
|| ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' && %{HTTP:Sec-Fetch-Mode} != 'no-cors' ) \
|| ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'document' && %{HTTP:Sec-Fetch-Dest} != 'empty' )"
# Turns off TLS certificate verification of the OIDC provider (metadata and token endpoints)
OIDCSSLValidateServer "off"
# Authenticated resources
<LocationMatch ^/+<WebAppName>/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
<Location /<WebAppName>/ptc1/csrfNonce>
OIDCUnAuthAction 401 true
</Location>
# <WebAppName>: the web app name you provided at install time (default: Windchill)
An example OIDC configuration follows:
#Overall OIDC config
LoadModule auth_openidc_module modules/mod_auth_openidc.so
#Metadata URL of OIDC configuration
OIDCProviderMetadataURL "https://login.microsoftonline.com/<tenant_id>/.well-known/openid-configuration"
#Client identifier used in calls to the statically configured OpenID Connect Provider.
OIDCClientID "testoidclient"
#Client secret used in calls to the statically configured OpenID Connect Provider.
OIDCClientSecret "testoidclient123"
#Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
OIDCScope "openid"
#The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
OIDCRemoteUserClaim "unique_name"
#Set a password for crypto purposes
OIDCCryptoPassphrase "oidccryptopassphrase21122"
#Define the way in which the claims and tokens are passed to the application environment:
OIDCPassClaimsAs "environment"
#The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served.
OIDCRedirectURI "https://hostname:port/Windchill/app/redirectURI"
#Overall Delegate OAuth configuration config
#The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
OIDCOAuthVerifyJwksUri "https://login.microsoftonline.com/common/discovery/keys"
#Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs).
#This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
OIDCPreservePost "on"
OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' \
|| ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' && %{HTTP:Sec-Fetch-Mode} != 'no-cors' ) \
|| ( -n %{HTTP:Sec-Fetch-Dest} && %{HTTP:Sec-Fetch-Dest} != 'document' && %{HTTP:Sec-Fetch-Dest} != 'empty' )"

#OIDC authenticated resources
<LocationMatch ^/Windchill/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
<Location /Windchill/ptc1/csrfNonce>
OIDCUnAuthAction 401 true
</Location>
Cluster Configuration with OIDC SSO
To enable a cluster configuration with OIDC SSO, configure the following properties in the 30-app-Windchill-Auth1.conf file:
OIDCCacheType file
OIDCCacheDir <shared location accessible to all nodes>
To support the different cache types, follow these recommendations:
The default is shared memory (shm), which is recommended for standalone installations.
For cluster setups, the file, redis or memcache cache types are recommended. For details, see the mod_auth_openidc documentation.
Note: The memcache and redis cache types are recommended. PTC has validated the file cache type; you may configure any secure cache configuration.
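As an added check that is not part of the PTC documentation or product: a short Python linter for a 30-app-Windchill-Auth1.conf fragment. It confirms the directives from the template above are present, and flags template placeholders left in place, the template crypto passphrase, OIDCSSLValidateServer off, and, for a cluster, the per-node shm cache discussed in the cluster section. The sample config is constructed; idp.example.test and windchill.example.test are invented hostnames.

```python
# Added example, not PTC code; SAMPLE is a constructed 30-app-Windchill-Auth1.conf fragment.
import shlex

REQUIRED = ("OIDCProviderMetadataURL", "OIDCClientID", "OIDCClientSecret",
            "OIDCRedirectURI", "OIDCCryptoPassphrase", "OIDCRemoteUserClaim")

def parse_directives(text):
    """Top-level directives as {lowercase name: (name, args)}; joins backslash continuations."""
    out, depth = {}, 0
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):              # <Location...> opens a block, </...> closes it
            depth += -1 if line.startswith("</") else 1
        elif depth == 0:                      # httpd keeps the first occurrence; so do we
            name, rest = (line.split(None, 1) + [""])[:2]
            out.setdefault(name.lower(), (name, shlex.split(rest)))
    return out

def first(d, name):
    entry = d.get(name.lower())               # first argument of a directive, None if absent
    return entry[1][0] if entry and entry[1] else None

def audit(text, cluster=False):
    """Findings a reviewer would raise before enabling the file; [] means clean."""
    d = parse_directives(text)
    f = [f"missing {n}" for n in REQUIRED if n.lower() not in d]
    for name, args in d.values():             # "<client_id>"-style template values
        if args and args[0].startswith("<") and args[0].endswith(">"):
            f.append(f"{name}: template placeholder {args[0]} left in place")
    if first(d, "OIDCCryptoPassphrase") in ("", "random string"):
        f.append("OIDCCryptoPassphrase: replace the template text with a long random secret")
    if (first(d, "OIDCSSLValidateServer") or "on").lower() == "off":
        f.append("OIDCSSLValidateServer off: the provider's TLS certificate is not verified")
    if cluster and (first(d, "OIDCCacheType") or "shm").lower() == "shm":
        f.append("OIDCCacheType shm is per-node only; a cluster needs file, redis or memcache")
    return f

SAMPLE = '''OIDCProviderMetadataURL "https://idp.example.test/.well-known/openid-configuration"
OIDCClientID "<client_id>"
OIDCClientSecret "s3cret"
OIDCRedirectURI "https://windchill.example.test/Windchill/app/redirectURI"
OIDCCryptoPassphrase "random string"
OIDCSSLValidateServer "off"
OIDCUnAuthAction 401 "%{HTTP:X-Requested-With} == 'XMLHttpRequest' \\
|| ( -n %{HTTP:Sec-Fetch-Mode} && %{HTTP:Sec-Fetch-Mode} != 'navigate' )"
<LocationMatch ^/+Windchill/+(;.*)?>
Require valid-user
</LocationMatch>'''
```

Running audit(SAMPLE, cluster=True) reports the missing OIDCRemoteUserClaim, the unfilled client ID placeholder, the template passphrase, the disabled certificate check and the shm cache.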