OpenID Connect 認証のサポート
Windchill 製品では、追加の認証オプションとして OpenID Connect (OIDC) を使用できます。OIDC は、OAuth 2.0 に基づいて標準認証プロトコルを実装します。OIDC を設定する場合:
• 認証には SAML または OIDC のどちらかを選択する必要があり、両方を選択することはできません。これはコンフィギュレーション可能なオプションです。
• OIDC は、PingFederateや Entra ID などの OAuth 2.0 をサポートする SSO 認証サーバーで設定できます。特定のシングルサインオン (SSO) 参照アーキテクチャについては、PTC IAM ヘルプセンターを参照してください。
OIDC メカニズム
OIDC は、OAuth 2.0 フレームワークの上に構築されたアイデンティティレイヤーです。これはトークンベースの SSO ソリューションです。ユーザーが Windchill アプリケーションに資格証明を直接提供する代わりに、トークンを使用して認証プロセスを完了します。資格証明は ID プロバイダ (IdP) によって管理されます。詳細については、OIDC の標準のドキュメンテーションを参照してください。
Windchill での OIDC コンフィギュレーションの必要条件
OIDC のコンフィギュレーションを開始する前に、次の必要条件が満たされている必要があります。
• IDP は、認証アプリケーションに必要な client_id、シークレット、コールバック/リダイレクト URL を使用して設定する必要があります。
Windchill での OIDC コンフィギュレーション
 |
30-app-Windchill-Auth1.conf ファイルのほかのコンフィギュレーション設定を編集しないでください。
|
1. <Apache_ホーム>/envvars ファイルの末尾にある LD_LIBRARY_PATH に以下のテキストを追加します (Linux のみ)。
“:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/lib_curl/usr?lib64\:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/jansson/usr/lib64\:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/cjose/usr/lib64\:<APACHE_HOME>/mod_oidc_Linux<OS_VERSION>/hiredis”
次に例を示します。
if test "x$LD_LIBRARY_PATH" != "x" ; then LD_LIBRARY_PATH="/opt/ptc/server/HTTPServer/openssl/lib:/opt/ptc/server/HTTPServer/openldap/lib:/opt/ptc/server/HTTPServer/pcre/lib:/opt/ptc/server/HTTPServer/nghttp2/lib:/opt/ptc/server/HTTPServer/lib:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/lib_curl/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/jansson/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/cjose/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/hiredis:$LD_LIBRARY_PATH"
else LD_LIBRARY_PATH="/opt/ptc/server/HTTPServer/openssl/lib:/opt/ptc/server/HTTPServer/openldap/lib:/opt/ptc/server/HTTPServer/pcre/lib:/opt/ptc/server/HTTPServer/nghttp2/lib:/opt/ptc/server/HTTPServer/lib:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/lib_curl/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/jansson/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/cjose/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/hiredis"
fi
export LD_LIBRARY_PATH
else LD_LIBRARY_PATH="/opt/ptc/server/HTTPServer/openssl/lib:/opt/ptc/server/HTTPServer/openldap/lib:/opt/ptc/server/HTTPServer/pcre/lib:/opt/ptc/server/HTTPServer/nghttp2/lib:/opt/ptc/server/HTTPServer/lib:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/lib_curl/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/jansson/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/cjose/usr/lib64:/opt/ptc/server/HTTPServer/mod_oidc_Linux8/hiredis"
fi
export LD_LIBRARY_PATH
2. <APACHE_HOME>/conf/conf.d/30-app-Windchill-Auth.conf をコピーして、名前を 30-app-Windchill-Auth1.conf に変更します。コピーした場所は <APACHE_HOME>/conf/conf.d でなければなりません。
3. コピーしたファイル 30-app-Windchill-Auth1.conf から認証プロバイダ情報を除去します。
<AuthnProviderAlias>
AuthLDAPURL " "
AuthLDAPBindPassword " "
</AuthnProviderAlias>
AuthLDAPURL " "
AuthLDAPBindPassword " "
</AuthnProviderAlias>
4. 以下の認証済みリソースを除去します。
<LocationMatch ^/+Windchill/+(;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
<LocationMatch ^/+Windchill/+infoengine/+verifyCredentials.html (;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
<LocationMatch ^/+Windchill/+servlet/+CAPATTimeLineFeed (;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
<LocationMatch ^/+Windchill/+infoengine/+verifyCredentials.html (;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
<LocationMatch ^/+Windchill/+servlet/+CAPATTimeLineFeed (;.*)?>
AuthName "Windchill"
AuthType "Basic"
AuthBasicProvider Windchill-LDAP
Require valid-user
</LocationMatch>
5. 30-app-Windchill-Auth1.conf ファイルの先頭に以下のテキストを追加します。
# Location of mod_auth_openidc.so
LoadModule auth_openidc_module
<Apache_Home>/mod_oidc_Linux<OS_Version>/mod_auth_openidc/usr/lib64/httpd/modules/mod_auth_openidc.so
OS_Version: should be 8/9 based on the OS version
#Windows
LoadModule auth_openidc_module modules/mod_auth_openidc.so
# Metadata URL of OIDC configuration
OIDCProviderMetadataURL "<OIDCProviderMetadataURL>"
# Client identifier used in calls to the statically configured OpenID Connect Provider.
OIDCClientID "<client_id>"
# Client secret used in calls to the statically configured OpenID Connect Provider.
OIDCClientSecret "<client_secret>"
# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
OIDCScope "<scope>"
# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
OIDCRemoteUserClaim "<OIDCRemoteUserCLaim>"
# Set a password for crypto purposes
OIDCCryptoPassphrase "random string"
# Define the way in which the claims and tokens are passed to the application environment:
OIDCPassClaimsAs "environment"
#The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served.
OIDCRedirectURI "<OIDC redirect URL>"
# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs). This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
OIDCPreservePost "on"
# Defines the action to be taken when an unauthenticated request is made.
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# To disable auto-detection of XML HTTP request altogether and unconditionally return "auth"
# for all clients
OIDCUnAuthAction auth true
# Require a valid SSL server certificate when communicating with the OP. Default “On”
OIDCSSLValidateServer "off"
# Authenticated resources
<LocationMatch ^/+<WebAppName>/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
#“<WebAppName>”: it should be web app name that you provided at install time. Ex. Default: Windchill
LoadModule auth_openidc_module
<Apache_Home>/mod_oidc_Linux<OS_Version>/mod_auth_openidc/usr/lib64/httpd/modules/mod_auth_openidc.so
OS_Version: should be 8/9 based on the OS version
#Windows
LoadModule auth_openidc_module modules/mod_auth_openidc.so
# Metadata URL of OIDC configuration
OIDCProviderMetadataURL "<OIDCProviderMetadataURL>"
# Client identifier used in calls to the statically configured OpenID Connect Provider.
OIDCClientID "<client_id>"
# Client secret used in calls to the statically configured OpenID Connect Provider.
OIDCClientSecret "<client_secret>"
# Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
OIDCScope "<scope>"
# The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
OIDCRemoteUserClaim "<OIDCRemoteUserCLaim>"
# Set a password for crypto purposes
OIDCCryptoPassphrase "random string"
# Define the way in which the claims and tokens are passed to the application environment:
OIDCPassClaimsAs "environment"
#The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served.
OIDCRedirectURI "<OIDC redirect URL>"
# Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs). This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
OIDCPreservePost "on"
# Defines the action to be taken when an unauthenticated request is made.
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# To disable auto-detection of XML HTTP request altogether and unconditionally return "auth"
# for all clients
OIDCUnAuthAction auth true
# Require a valid SSL server certificate when communicating with the OP. Default “On”
OIDCSSLValidateServer "off"
# Authenticated resources
<LocationMatch ^/+<WebAppName>/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
#“<WebAppName>”: it should be web app name that you provided at install time. Ex. Default: Windchill
OIDC コンフィギュレーションの例を次に示します。
#Overall OIDC config
LoadModule auth_openidc_module modules/mod_auth_openidc.so
#Metadata URL of OIDC configuration
OIDCProviderMetadataURL "https://loqin.microsoftonline.com/tentntid/.well-known/openid-confiquration"
#Client identifier used in calls to the statically configured OpenID Connect Provider.
OIDCClientID "testoidclient"
#Client secret used in calls to the statically configured OpenID Connect Provider.
OIDCClientsecret "testoidclient123"
#Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
OIDCScope "openid"
#The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
OIDCRemoteUserClaim "unique_name"
#Extra parameters that will be sent along with the Authorization Request.
#Set a password for crypto purposes
OIDCCryptoPassphrase "oidccryptopassphrase21122"
#Define the way in which the claims and tokens are passed to the application environment:
OIDCPassClaimsAs "environment"
#The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served.
OIDCRedirectURI "https://hostname:port/Windchill/app/redirectURI"
#Overall Delegate OAuth configuration config
#The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
OIDCOAuthVerifyJwksUri "https://loqin.microsoftonline.com/common/di3covery/keys"
#Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs).
#This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
OIDCPreservePost "on"
#Defines the action to be taken when an unauthenticated request is made.
#"auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
#To disable auto-detection of XML HTTP request altogether and unconditionally return "auth"
#for all clients
OIDCUnAuthAction auth true
#OIDC authenticated resources
<LocationMatch ^/Windchill/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
LoadModule auth_openidc_module modules/mod_auth_openidc.so
#Metadata URL of OIDC configuration
OIDCProviderMetadataURL "https://loqin.microsoftonline.com/tentntid/.well-known/openid-confiquration"
#Client identifier used in calls to the statically configured OpenID Connect Provider.
OIDCClientID "testoidclient"
#Client secret used in calls to the statically configured OpenID Connect Provider.
OIDCClientsecret "testoidclient123"
#Define the OpenID Connect scope that is requested from the OP (eg. "openid email profile").
OIDCScope "openid"
#The claim that is used when setting the REMOTE_USER variable on OpenID Connect protected paths.
OIDCRemoteUserClaim "unique_name"
#Extra parameters that will be sent along with the Authorization Request.
#Set a password for crypto purposes
OIDCCryptoPassphrase "oidccryptopassphrase21122"
#Define the way in which the claims and tokens are passed to the application environment:
OIDCPassClaimsAs "environment"
#The redirect_uri for this OpenID Connect client; this is a vanity URL that must ONLY point to a path on your server protected by this module but it must NOT point to any actual content that needs to be served.
OIDCRedirectURI "https://hostname:port/Windchill/app/redirectURI"
#Overall Delegate OAuth configuration config
#The JWKs URL on which the Authorization Server publishes the keys used to sign its JWT access tokens.
OIDCOAuthVerifyJwksUri "https://loqin.microsoftonline.com/common/di3covery/keys"
#Indicates whether POST data will be preserved across authentication requests (and discovery in case of multiple OPs).
#This is designed to prevent data loss when a session timeout occurs in a (long) user filled HTML form.
OIDCPreservePost "on"
#Defines the action to be taken when an unauthenticated request is made.
#"auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
#To disable auto-detection of XML HTTP request altogether and unconditionally return "auth"
#for all clients
OIDCUnAuthAction auth true
#OIDC authenticated resources
<LocationMatch ^/Windchill/+(;.*)?>
AuthType openid-connect
Require valid-user
</LocationMatch>
OIDC SSO を使用したクラスタコンフィギュレーション
OIDC SSO を使用してクラスタコンフィギュレーションを有効にするには、30-app-Windchill-Auth1.conf ファイルで以下のプロパティを設定します。
• OIDCCacheType ファイル
• OIDCCacheDir <すべてのノードからアクセス可能な共有場所>
別のキャッシュタイプをサポートするには、ここに記載されている推奨事項に従います。
• shared memory concept (shm) が既成で使用され、スタンドアロンインストールではこれを使用することが推奨されます。
• クラスタ設定には file キャッシュタイプ、redis キャッシュタイプ、または memcache キャッシュタイプを使用することをお勧めします。詳細については、「mod_auth_openidc」を参照してください。
|
|
memcache キャッシュタイプまたは redis キャッシュタイプを使用することをお勧めします。PTC はファイルキャッシュタイプを確認しているので、任意の安全なキャッシュコンフィギュレーションを設定できます。
|