Install and Configure Shibboleth
Install and configure Shibboleth Service Provider 2.6.0 to enable SAML capabilities for Windchill Risk and Reliability. For more information, refer to the Shibboleth installation documentation at https://wiki.shibboleth.net/confluence/display/SHIB2.
To install Shibboleth, complete the following steps:
1. Download Shibboleth from the link given below:
For example, shibboleth-sp-2.6.0.1-win64.msi.
2. To start the installation, double-click the .msi file.
3. In the Shibboleth Service Provider Setup window, on the Configure Shibboleth panel, retain the default installation path.
4. Select the Install ISAPI modules into IIS check box.
5. In the IIS Script Extension field, enter .sso and click Next.
6. After the installation is complete, you may need to restart your computer.
To configure Shibboleth, complete the following steps:
1. Navigate to <shibboleth_install_directory>\opt\shibboleth-sp\etc\shibboleth and open the shibboleth2.xml file in a text editor.
2. Update the shibboleth2.xml file with the following details:
a. Enter the Windchill Risk and Reliability server name that is configured with your Windchill environment. Provide the following values in the Site id, Host name, and Path name attributes:
<InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="1" name="wqs_server_name"/>
    </ISAPI>
</InProcess>
<RequestMapper type="Native">
    <RequestMap>
        <!-- For example, host1 -->
        <Host name="WQS_host_name">
            <Path name="<WQS_Install_Path>"
                authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>
b. Specify the entityID and REMOTE_USER attributes in the ApplicationDefaults tag. For the cipherSuites attribute, retain the default value:
<ApplicationDefaults entityID="http://<host_name>/WindchillRiskandReliability 12.0"
    REMOTE_USER="uid"
    cipherSuites="<default_value>">
    <!-- Child elements of ApplicationDefaults are unchanged. -->
</ApplicationDefaults>
c. Add the entityID of PingFederate to the SSO tag. This SSO entityID is set while setting up PingFederate for the first time. You can also obtain this entityID from the metadata.xml file exported from PingFederate for the specific SP connection.
<Sessions lifetime="28000" timeout="3600" relayState="ss:mem"
    checkAddress="false" handlerSSL="false" cookieProps="http">
    <!-- Here, aaa-bbb-ccc is the entity ID of PingFederate. -->
    <SSO entityID="aaa-bbb-ccc"
        discoveryProtocol="SAMLDS"
        discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2 SAML1
    </SSO>
    <!-- Remaining child elements of Sessions are unchanged. -->
</Sessions>
Retain the default values for the discoveryProtocol and discoveryURL attributes. These values are pulled from the shibboleth2.xml file.
Note: Follow steps 2d through 2f after you have created the SP connection for IdP configuration and exported the metadata file (IdP metadata.xml). Rename this metadata file appropriately. For example, you can rename the metadata file for IdP configuration in WQS to WQS_idp_metadata.xml.
d. Download the IdP metadata.xml file from PingFederate.
e. Copy the metadata.xml to the shibboleth directory located at:
<shibboleth_install_directory>\opt\shibboleth-sp\etc\shibboleth.
f. Specify the name of the metadata XML file in the shibboleth2.xml file as shown below:
<MetadataProvider type="XML" file="WQS_idp_metadata.xml"/>
3. Save the changes and close the shibboleth2.xml file.
4. Open the attribute-map.xml file located at <shibboleth_install_directory>\opt\shibboleth-sp\etc\shibboleth. Add a mapping for the attribute specific to your setup. For example, we have used UID.
<Attribute name="uid" id="uid"/>
5. Save the changes and close the attribute-map.xml file.
6. Download the Shibboleth metadata.xml file from http://<localhost>/Shibboleth.sso/Metadata.
Note: If you are not able to access this link, restart the Shibboleth service and try to access the URL again. This metadata file is used while setting up the SP connection for Windchill Risk and Reliability in PingFederate.
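To check the shibboleth2.xml edits from step 2 before restarting the service, the following Python script is an added example (not part of the PTC or Shibboleth documentation) that reports any of those settings that are missing or still hold a sample value. It also reports handlerSSL="false" and cookieProps="http", the values shown in step 2c, because they leave the SSO handlers and the session cookie usable over plain HTTP. The function name audit_shibboleth2, the finding texts, and the sample host and path values are assumptions made for this example.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the values shown on this page.
SAMPLE = """<SPConfig>
<InProcess><ISAPI><Site id="1" name="host1"/></ISAPI></InProcess>
<RequestMapper type="Native"><RequestMap><Host name="host1">
<Path name="wqs" authType="shibboleth" requireSession="true"/>
</Host></RequestMap></RequestMapper>
<ApplicationDefaults entityID="http://host1/wqs" REMOTE_USER="uid">
<Sessions handlerSSL="false" cookieProps="http">
<SSO entityID="aaa-bbb-ccc">SAML2 SAML1</SSO></Sessions>
<MetadataProvider type="XML" file="WQS_idp_metadata.xml"/>
</ApplicationDefaults></SPConfig>"""

def audit_shibboleth2(xml_text, config_dir=None):
    """Return findings for the shibboleth2.xml settings edited in step 2."""
    elems = {}  # local element name -> elements, so an xmlns does not matter
    for el in ET.fromstring(xml_text).iter():
        elems.setdefault(el.tag.rsplit("}", 1)[-1], []).append(el)

    def attr(tag, name):
        return elems[tag][0].get(name) if tag in elems else None

    findings = []
    if not attr("Site", "name"):
        findings.append("ISAPI Site: name is not set")
    for p in elems.get("Path", []):
        if p.get("authType") != "shibboleth" or p.get("requireSession") != "true":
            findings.append("Path %s: no Shibboleth session required" % p.get("name"))
    if not attr("ApplicationDefaults", "entityID"):
        findings.append("ApplicationDefaults: entityID is not set")
    if "uid" not in (attr("ApplicationDefaults", "REMOTE_USER") or "").split():
        findings.append("ApplicationDefaults: REMOTE_USER does not list uid")
    if attr("SSO", "entityID") in (None, "", "aaa-bbb-ccc"):
        findings.append("SSO: entityID is still the sample value or missing")
    # handlerSSL="false" lets the SSO handlers answer over plain HTTP.
    if attr("Sessions", "handlerSSL") in ("false", "0"):
        findings.append("Sessions: handlerSSL is false")
    # cookieProps="http" issues the session cookie without the Secure flag.
    cookie = attr("Sessions", "cookieProps") or ""
    if cookie != "https" and "secure" not in cookie.lower():
        findings.append("Sessions: session cookie is not marked Secure")
    meta = attr("MetadataProvider", "file")
    if not meta:
        findings.append("MetadataProvider: no metadata file is configured")
    elif config_dir and not os.path.isfile(os.path.join(config_dir, meta)):
        findings.append("MetadataProvider: %s not found in %s" % (meta, config_dir))
    return findings
```

Pass the contents of shibboleth2.xml as xml_text and the etc\shibboleth directory as config_dir so that the metadata file copied in step 2e is also checked; replace any <placeholder> values first, since they are not valid inside XML attributes.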