Establish a Central Authorization Server
Windchill can be configured for delegated authorization using the OAuth 2.0 protocol, which is an industry standard for authorization. In this scenario,
Windchill acts as a resource provider and ThingWorx acts as a service provider, which is the application the user is actively using and makes a request for data from
Windchill on behalf of the user.
Windchill is configured to grant access to protected resources when requests for data from ThingWorx contain the correct access tokens and scopes.
Windchill verifies the authenticity of access tokens with the CAS, which manages the trust relationship between applications participating in the SSO federation. For up to date information on supported SSO use cases between PTC products, refer to the
PTC Product Platform Single Sign-on Guide.
The following procedure outlines the steps for configuring an OAuth client and registering scopes in PingFederate and configuring Windchill for OAuth authorization.
This procedure assumes that you have already installed and configured PingFederate according to the requirements of your enterprise’s SSO federation. For example, it assumes that you have configured PingFederate to redirect service provider user login requests to the LDAP or ADFS that is the identity provider in your SSO federation. A license for PingFederate is available to Windchill customers at no additional cost and a supported version of the software is available from the PTC software download website. For PingFederate installation and configuration instructions, refer to that product’s documentation and customer support. The PingFederate configuration instructions included here are limited to establishing a connection between Windchill and PingFederate.
This procedure also assumes that you have enabled SSO in ThingWorx so that it can act as service provider. Completing this procedure only enables Windchill to participate in an SSO federation as a resource provider. For delegated authorization to be useful, you must configure other applications within your SSO federation to use OAuth access tokens when requesting data from Windchill. Refer to the ThingWorx documentation for instructions for enabling SSO and configuring it as a service provider.
1. Create an OAuth Client in PingFederate that Windchill will connect to when verifying access tokens.
a. On the OAuth Settings page, locate the Clients section and click Create New
b. Enter a Client ID. Make note of this value, it will be needed when configuring the Windchill securityContext.properties file.
c. Select Client Secret and enter a client secret value. Make note of this value, it will be needed when configuring the Windchill securityContext.properties file.
d. In the Name field, enter a descriptive value. This is displayed in the PingFederate Clients list.
e. Enter a Description
f. In the Allow Grants Types section, select Access Token Validation (Client is a Resource Server)
g. In the Persistent Grants Expiration section, select Use Global Setting
h. In the Refresh Token Rolling Policy section, select Use Global Setting
2. Register a scope in PingFederate. Scopes are string values that you register in the CAS, service provider, and resource provider. When the service provider requests data from the resource provider, it must attach the scope name to the access token
a. On the OAuth Settings page, click Scope Management.
b. In the Scope Value field, type WINDCHILL_READ and in Scope Description, type Permission to read Windchill data, then click Add.
Windchill only supports defining and using one scope. In testing, the value WINDCHILL_READ was used. Spaces cannot be used in scope names because Windchill uses spaces to delimit scope names.
3. Enable OAuth in
Windchill by configuring the
WindchillsecurityContext.xml and
Web.xml files. Full instructions for completing these edits are detailed in
Configure OAuth Delegated Authorization.