Setting Re-authentication of e-Signature
The purpose of re-authentication of e-Signature feature is to provide a mechanism to perform e-Signature approval from outside Windchill. Before approving an e-Signature activity, you are required to re-authenticate yourself at Windchill side.
Use the following instructions to set up configurations required for authentication:
1. Perform the following to configure SSO:
|
These configurations are required in addition to the configurations for enabling SSO for Windchill. PTC recommends taking backup of each file that is modified in this configuration.
|
To understand the configurations applied to enable SSO, see the section Single Sign-on Authentication in the Windchill Installation and Configuration Guide - Update Existing Installation (Guide d'installation et de configuration de Windchill - Mise à jour d'une installation existante).
a. Configure apache by adding following entries in the specified *.conf files:
a. In {WT_HOME}/HTTPServer/conf/conf.d/00-1mod_shib.conf after the <Location/reauthsecure> section:
Alias /Windchill/TokenGenerator/ "/TokenGenerator/Shibboleth.sso/Login"
<Location /TokenGenerator>
AuthType shibboleth
ShibRequestSetting applicationId jwt
require shib-session
</Location>
b. In {WT_HOME}/HTTPServer/conf/conf.d/30-app-Windchill-1Auth.conf after the <LocationMatch ^/+Windchill/reauthsecure?> section:
<LocationMatch ^/+Windchill/TokenGenerator?>
AuthType shibboleth
ShibRequestSetting applicationId jwt
ShibUseHeaders on # mod_jk doesn't pass environment, so useHeaders is required
require shib-session
</LocationMatch>
b. Configure Shibboleth SP sas described below:
a. Navigate to <SHIBBOLETH_INSTALL_DIRECTORY>/etc/shibboleth/shibboleth2.xml. Provide the SP connection name that was created on PingFederate site as entityID in configuration below. Add the following section inside <ApplicationDefaults> section:
<ApplicationOverride id="jwt" entityID="SP CONNECTION NAME"
REMOTE_USER="uid eppn persistent-id targeted-id"
cipherSuites="ECDHE+AESGCM:ECDHE:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SHA:!SSLv2">
<Sessions lifetime="5" timeout="5" checkAddress="false"
relayState="ss:mem" handlerURL="/TokenGenerator/Shibboleth.sso"
maxTimeSinceAuthn="2" handlerSSL="false" cookieProps="https"
redirectLimit="exact" postData="ss:mem"
postExpire="true" postLimit="512000" postTemplate="postTemplate.html">
<SSO entityID="IDP CONNECTION NAME" discoveryProtocol="SAMLDS"
discoveryURL="https://ds.example.org/DS/WAYF" forceAuthn="true"
postArtifact="true" template="bindingTemplate.html"
outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
SAML2 SAML1
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata
based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata"
signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session"
showAttributeValues="true"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
</ApplicationOverride>
b. Add the following attributes to <Sessions> section:
postData="ss:mem" postExpire="true" postLimit="512000" postTemplate="postTemplate.html"
For example:
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="false"
cookieProps="https" redirectLimit="exact" postData="ss:mem"
postExpire="true" postLimit="512000"
postTemplate="postTemplate.html">
c. Add the following entry in the <HOST> section:
<Path name="TokenGenerator" authType="Shibboleth" requireSession="true" forceAuthn="true" applicationId="jwt" />
For example:
<Host name="sp.example.org">
<Path name="secure" authType="shibboleth"
requireSession="true"/>
<Path name="reauthsecure" authType="shibboleth"
requireSession="true" forceAuthn="true"
applicationId="reauthsecure" />
<Path name="TokenGenerator" authType="Shibboleth"
requireSession="true" forceAuthn="true" applicationId="jwt" />
</Host>
d. Update existing postTemplate.html with the following code at <SHIBBOLETH_INSTALL_DIRECTORY>/shibboleth-sp/etc/shibboleth/postTemplate.html location:
<html>
<head>
</head>
<body onload="submit();">
<script language="Javascript">
function submit() {
document.forms[0].submit();
}
</script>
<noscript>
<p>A form submission to this site was interrupted by the login
process.
If you would like to complete it now, submit this form.</p>
</noscript>
<form method="POST" action="<shibmlp action/>">
<shibmlpfor PostedData>
<input type="hidden" name="<shibmlp $name/>" value="<shibmlp
$value/>"/>
</shibmlpfor>
</form>
</body>
</html>
c. Configure PingFederate for JWT token generation:
a. Login to PingFederate.
b. Click > > > > .
c. Click Assertion consumer Service URL.
d. Select Binding as POST and EndPoint URL as "/TokenGenerator/Shibboleth.sso/SAML2/POST.
e. Click Add,Save and Done.
d. Configure Azure Active Directory for JWT token generation:
a. Create a new Enterprise Application in Microsoft Azure portal.
b. Browse to > > .
c. Click Edit under Basic SAML Configuration section.
d. Add below link in the Reply URL:
https://<hostname:port>/TokenGenerator/Shibboleth.sso/SAML2/POST
e. Click Ok.
2. Configure the site.xconf file by specifying the URL of the external application such as ThingWorx or ThingWorx Navigate in the wt.idp.allowlisturls property.
3. Restart Shibboleth daemon, Apache, and the Windchill server for the configurations to take effect.