Setting Re-authentication of e-Signature
The purpose of the re-authentication of e-Signature feature is to provide a mechanism to perform e-Signature approval from outside Windchill. Before approving an e-Signature activity, you are required to reauthenticate yourself at the Windchill side.
Use the following instructions to set up the configurations required for authentication:
1. Perform the following to configure SSO:
Note: These configurations are required in addition to the configurations for enabling SSO for Windchill. PTC recommends taking a backup of each file that is modified in this configuration.
To understand the configurations applied to enable SSO, see the help center section Single Sign-on Authentication, or the section Single Sign-on Authentication in the Windchill Installation and Configuration Guide — Update Existing Installation.
a. Configure Apache by adding the following entries in the specified *.conf files:
a. In {WT_HOME}/HTTPServer/conf/conf.d/00-1mod_shib.conf, after the <Location /reauthsecure> section:
<LocationMatch ^/+Windchill/TokenGenerator?>
  AuthType shibboleth
  ShibRequestSetting applicationId jwt
  # mod_jk doesn't pass environment, so useHeaders is required
  ShibUseHeaders on
  require shib-session
</LocationMatch>
b. In {WT_HOME}/HTTPServer/conf/conf.d/30-app-Windchill-1Auth.conf, after the <LocationMatch ^/+Windchill/reauthsecure?> section:
<LocationMatch ^/+Windchill/TokenGenerator?>
  AuthType shibboleth
  ShibRequestSetting applicationId jwt
  # mod_jk doesn't pass environment, so useHeaders is required
  ShibUseHeaders on
  require shib-session
</LocationMatch>
b. Configure Shibboleth2 as described below:
a. Provide the SP connection name that was created on the PingFederate site as the entityID in the configuration below. Add the following section inside the <ApplicationDefaults> section:
<ApplicationOverride id="jwt" entityID="PTC-QA-Jaguar-B77"
    REMOTE_USER="uid eppn persistent-id targeted-id"
    cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
  <Sessions lifetime="5" timeout="5" checkAddress="false"
      relayState="ss:mem" handlerURL="/TokenGenerator/Shibboleth.sso"
      maxTimeSinceAuthn="2" handlerSSL="false" cookieProps="https"
      redirectLimit="exact" postData="ss:mem"
      postExpire="true" postLimit="512000" postTemplate="postTemplate.html">

    <SSO entityID="DEVOPS-844-UPGRADE" discoveryProtocol="SAMLDS"
        discoveryURL="https://ds.example.org/DS/WAYF" forceAuthn="true"
        postArtifact="true" template="bindingTemplate.html"
        outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
      SAML2 SAML1
    </SSO>
    <!-- SAML and local-only logout. -->
    <Logout>SAML2 Local</Logout>
    <!-- Extension service that generates "approximate" metadata
         based on SP configuration. -->
    <Handler type="MetadataGenerator" Location="/Metadata"
        signing="false"/>

    <!-- Status reporting service. -->
    <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
    <!-- Session diagnostic service. -->
    <Handler type="Session" Location="/Session"
        showAttributeValues="true"/>
    <!-- JSON feed of discovery information. -->
    <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
  </Sessions>
</ApplicationOverride>
b. Add the following attributes to the <Sessions> section:
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
    checkAddress="false" handlerSSL="false"
    cookieProps="https" redirectLimit="exact" postData="ss:mem"
    postExpire="true" postLimit="512000"
    postTemplate="postTemplate.html">
c. Add the following entry in the <Host> section:
<Host name="sp.example.org">
  <Path name="secure" authType="shibboleth"
      requireSession="true"/>
  <Path name="reauthsecure" authType="shibboleth"
      requireSession="true" forceAuthn="true"
      applicationId="reauthsecure" />
  <Path name="TokenGenerator" authType="Shibboleth"
      requireSession="true" forceAuthn="true" applicationId="jwt" />
</Host>
d. Replace the content of postTemplate.html with the following code:
<html>
  <head>
  </head>
  <body onload="submit();">
    <script language="Javascript">
      function submit() {
        document.forms[0].submit();
      }
    </script>
    <noscript>
      <p>A form submission to this site was interrupted by the login
      process.
      If you would like to complete it now, submit this form.</p>
    </noscript>

    <form method="POST" action="<shibmlp action/>">
      <shibmlpfor PostedData>
        <input type="hidden" name="<shibmlp $name/>" value="<shibmlp $value/>"/>
      </shibmlpfor>
    </form>
  </body>
</html>
c. Configure PingFederate for JWT token generation:
a. Log in to PingFederate.
b. Click SP Connection > Browser SSO > Configure Browser SSO > Protocol Settings > Configure Protocol Settings.
c. Click Assertion Consumer Service URL.
d. Select Binding as POST and EndPoint URL as /TokenGenerator/Shibboleth.sso/SAML2/POST.
e. Click Add, Save, and Done.
2. Configure the site.xconf file by specifying the URL of the external application such as ThingWorx or ThingWorx Navigate in the wt.idp.allowlisturls property.
3. Restart the Shibboleth daemon, Apache, and the Windchill server for the configurations to take effect.
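The following check is an added example, not PTC or Shibboleth code. It parses a shibboleth2.xml document and reports whether the jwt application override and the TokenGenerator path carry the forced re-authentication settings from the Shibboleth2 step above. The sample document is constructed from the values on this page; the function names, the SPConfig namespace, and the https://sp.example.org/shibboleth entityID are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed shibboleth2.xml carrying the attribute values from the steps above.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
 <RequestMapper type="Native"><RequestMap><Host name="sp.example.org">
  <Path name="TokenGenerator" requireSession="true" forceAuthn="true" applicationId="jwt"/>
 </Host></RequestMap></RequestMapper>
 <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
  <ApplicationOverride id="jwt" entityID="PTC-QA-Jaguar-B77">
   <Sessions lifetime="5" timeout="5" maxTimeSinceAuthn="2" handlerURL="/TokenGenerator/Shibboleth.sso">
    <SSO entityID="DEVOPS-844-UPGRADE" forceAuthn="true">SAML2 SAML1</SSO>
   </Sessions>
  </ApplicationOverride>
 </ApplicationDefaults>
</SPConfig>"""
TRUE = {"true", "1"}  # both xs:boolean spellings of "true"

def _find(parent, tag, **attrs):
    """First element under parent with this local tag name (namespace ignored)."""
    for el in parent.iter():
        if el.tag.rsplit("}", 1)[-1] == tag and all(el.get(k) == v for k, v in attrs.items()):
            return el
    return None

def check_reauth(xml_text, app_id="jwt", path="TokenGenerator"):
    """Return findings; an empty list means the settings from the steps are present."""
    root = ET.fromstring(xml_text)
    override = _find(root, "ApplicationOverride", id=app_id)
    if override is None:
        return [f"missing ApplicationOverride id={app_id}"]
    findings = []
    sessions, sso = _find(override, "Sessions"), _find(override, "SSO")
    if sessions is None or sessions.get("handlerURL") != f"/{path}/Shibboleth.sso":
        findings.append("override Sessions handlerURL is not under the token path")
    if sessions is None or not (sessions.get("maxTimeSinceAuthn") or "").isdigit():
        findings.append("override Sessions lacks maxTimeSinceAuthn")
    if sso is None or sso.get("forceAuthn") not in TRUE:
        findings.append("override SSO does not force re-authentication")
    mapped = _find(root, "Path", name=path)
    if mapped is None:
        return findings + [f"no Path name={path} in the request map"]
    if mapped.get("requireSession") not in TRUE or mapped.get("forceAuthn") not in TRUE:
        findings.append("Path must set requireSession and forceAuthn")
    if mapped.get("applicationId") != app_id:
        findings.append(f"Path is not bound to applicationId={app_id}")
    return findings

if __name__ == "__main__":
    print(check_reauth(SAMPLE) or "re-authentication settings present")
```

Running it against the edited file before the restart in step 3 catches an override that was pasted outside <ApplicationDefaults> or a path that still maps to the default application.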