Install and Configure Shibboleth
Install and configure the Shibboleth Service Provider (SP) to enable SAML authentication for Windchill Risk and Reliability. For more information, refer to the Shibboleth SP installation documentation at https://shibboleth.atlassian.net/wiki/spaces/SP3/overview.
Prerequisites
Shibboleth Service Provider version: 3.4.1.3
Installation
To install Shibboleth, complete the following steps:
1. Download the Shibboleth Service Provider installer for Windows, for example, shibboleth-sp-3.4.1.3-win64.msi.
2. To start the installation, double-click the .msi file.
3. In the Shibboleth Service Provider Setup window, on the Configure Shibboleth panel, retain the default installation path.
4. Select the Configure IIS Support option.
5. After the installation is complete, you may need to restart your computer.
Configuration
To configure Shibboleth, complete the following steps:
1. Navigate to <shibboleth_install_directory>\opt\shibboleth-sp\etc\shibboleth and open the shibboleth2.xml file in a text editor.
2. Update the shibboleth2.xml file with the following details (use straight double quotes in all attribute values; curly quotes copied from a document make the file unparseable):
a. Enter the name of the Windchill Risk and Reliability server configured in your Windchill environment in the Site name and Host name attributes. The Site id must be the numeric ID of the IIS site that hosts Windchill Risk and Reliability (1 is the ID of Default Web Site). The Path name is the URL path of the Windchill Risk and Reliability application under that site, not a file-system path:
<InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="1" name="wrr_server_name"/>
    </ISAPI>
</InProcess>
<RequestMapper type="Native">
    <RequestMap>
        <Host name="WQS_host_name"> <!-- for example, host1 -->
            <Path name="<WRR_Install_Path>" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>
b. Set the entityID and REMOTE_USER attributes on the ApplicationDefaults tag. Retain the default value of the cipherSuites attribute; note that attribute names are case-sensitive, so it must be spelled cipherSuites:
<ApplicationDefaults entityID="<host_name_WRR12>"
                     REMOTE_USER="uid"
                     cipherSuites="<default_value>">
    <!-- Sessions, Errors, MetadataProvider and the other child elements follow -->
</ApplicationDefaults>
c. Add the PingFederate entityID to the SSO tag. This is the entityID that was set when PingFederate was set up for the first time; you can also read it from the metadata.xml file exported from PingFederate for the specific SP connection.
* Shibboleth SP 3.3 and later ship with handlerSSL="true" and cookieProps="https" in the Sessions tag. If Windchill Risk and Reliability is served over plain HTTP, change these to handlerSSL="false" and cookieProps="http"; otherwise the SP redirects its handler URLs to HTTPS and the session cookie, which is marked Secure, is never returned by the browser. If the site is served over HTTPS, retain the defaults, because the relaxed values allow the session cookie to travel over an unencrypted connection.
<Sessions lifetime="28000" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="false" cookieProps="http">
    <SSO entityID="aaa-bbb-ccc"
         discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2 SAML1
    </SSO>
(Here, aaa-bbb-ccc is the entityID of PingFederate.)
Retain the default values of the discoveryProtocol and discoveryURL attributes as they appear in the shipped shibboleth2.xml file. Because entityID is set on the SSO tag, the SP always sends the user to PingFederate and does not perform discovery, so these two attributes are not used.
* Perform steps 2d to 2f after you have created the SP connection for the IdP configuration and exported the IdP metadata file (metadata.xml). Rename the file appropriately; for example, rename the IdP metadata file used for the Windchill Risk and Reliability configuration to WRR_idp_metadata.xml.
* In Shibboleth SP 3.3 and later, the metadata file is given in the path attribute of the MetadataProvider tag; earlier versions used the file attribute. Example: <MetadataProvider type="XML" path="WRR_idp_metadata.xml"/>
d. Download the IdP metadata.xml file from PingFederate.
e. Copy the metadata.xml to the shibboleth directory located at:
<shibboleth_install_directory>\opt\shibboleth-sp\etc\shibboleth.
f. Specify the name of the metadata XML file in the shibboleth2.xml file as shown below:
<MetadataProvider type="XML" path="WRR_idp_metadata.xml"/>
3. Save the changes and close the shibboleth2.xml file.
4. Open the attribute-map.xml file located at <shibboleth_install_directory>\opt\shibboleth-sp\etc\shibboleth. Add a mapping for the attribute used in your setup; this example uses uid. The name attribute must match the attribute name exactly as PingFederate sends it in the assertion, and the id attribute is the name under which the SP exposes the value to the application (as the HTTP_UID header in step 6):
<Attribute name="uid" id="uid"/>
5. Save the changes and close the attribute-map.xml file.
6. To turn on SAML authentication in Windchill Risk and Reliability, open the appsettings.config file in both the desktop and web folders and add the following line:
<add key="SAMLUserSearchOrder" value="Username=AUTH_USER;Fullname=HTTP_UID;Emailaddress=HTTP_UID;Company=HTTP_UID;Phonenumber=HTTP_UID;EmployeeID=HTTP_UID;"/>
7. On the Windchill Risk and Reliability server, download the Shibboleth SP metadata.xml file from http://localhost/Shibboleth.sso/Metadata.
* If you cannot access this link, restart the Shibboleth service and try the URL again. This metadata file is used when setting up the SP connection for Windchill Risk and Reliability in PingFederate.
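The following PowerShell script is an added example, not code from PTC or from the Shibboleth project. It checks the edits made in the configuration steps above before the Shibboleth service is restarted: that both XML files are well-formed and free of curly quotes, that the ISAPI Site id matches the IIS site ID, that entityID, REMOTE_USER and the case-sensitive cipherSuites attribute are set on ApplicationDefaults, that handlerSSL and cookieProps agree with whether the IIS site has an HTTPS binding, that the MetadataProvider uses path and points at an existing file, that attribute-map.xml maps the uid attribute, and finally that the SP publishes metadata with the configured entityID. It assumes the default installation root C:\opt\shibboleth-sp, the Windows service name shibd_Default, and an IIS site named Default Web Site; adjust the parameters for your environment.

```powershell
# Added example: validate the shibboleth2.xml / attribute-map.xml edits for the
# Windchill Risk and Reliability SP. Assumed defaults: C:\opt\shibboleth-sp,
# IIS site "Default Web Site", service shibd_Default, attribute id "uid".
param(
    [string]$ShibRoot = 'C:\opt\shibboleth-sp',
    [string]$IisSite  = 'Default Web Site',
    [string]$AttrId   = 'uid'
)

$etc  = Join-Path $ShibRoot 'etc\shibboleth'
$conf = Join-Path $etc 'shibboleth2.xml'
$amap = Join-Path $etc 'attribute-map.xml'
$fail = 0
function Fail($msg) { Write-Host "FAIL: $msg" -ForegroundColor Red; $script:fail++ }
function Ok($msg)   { Write-Host "ok:   $msg" }

# 1. Both files must parse; curly quotes pasted from a document are the usual cause of failure.
$raw = Get-Content $conf -Raw
if ($raw -match '[\u201C\u201D\u2018\u2019]') { Fail 'shibboleth2.xml contains curly quotes; replace them with straight "' }
try { [xml]$cfg = $raw } catch { Fail "shibboleth2.xml is not well-formed: $($_.Exception.Message)"; exit 1 }
try { [xml]$map = Get-Content $amap -Raw } catch { Fail "attribute-map.xml is not well-formed: $($_.Exception.Message)"; exit 1 }

# shibboleth2.xml uses a default namespace, so XPath queries need a prefix bound to it.
$ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
$ns.AddNamespace('c', 'urn:mace:shibboleth:3.0:native:sp:config')

# 2. The ISAPI <Site id> must be the numeric ID of the IIS site that hosts WRR.
Import-Module WebAdministration
$siteId = (Get-Website -Name $IisSite).Id
$site = $cfg.SelectSingleNode('//c:InProcess/c:ISAPI/c:Site', $ns)
if (-not $site) { Fail 'no <Site> element under <InProcess>/<ISAPI>' }
elseif ($site.id -ne "$siteId") { Fail "<Site id=`"$($site.id)`"> but IIS site '$IisSite' has id $siteId" }
else { Ok "<Site id=`"$siteId`" name=`"$($site.name)`">" }

# 3. ApplicationDefaults: entityID set, REMOTE_USER names our attribute, cipherSuites spelled correctly.
$app = $cfg.SelectSingleNode('//c:ApplicationDefaults', $ns)
if (-not $app.entityID -or $app.entityID -like '*example.org*') { Fail 'ApplicationDefaults entityID is unset or still the sample value' }
else { Ok "entityID=$($app.entityID)" }
if (($app.REMOTE_USER -split '\s+') -notcontains $AttrId) { Fail "REMOTE_USER='$($app.REMOTE_USER)' does not include '$AttrId'" }
if ($app.HasAttribute('ciphersuites')) { Fail 'the attribute is named cipherSuites (case-sensitive); "ciphersuites" is silently ignored' }

# 4. Sessions/SSO: PingFederate entityID set; handler and cookie settings must match how IIS serves the site.
$sess = $cfg.SelectSingleNode('//c:ApplicationDefaults/c:Sessions', $ns)
$sso  = $sess.SelectSingleNode('c:SSO', $ns)
if (-not $sso.entityID -or $sso.entityID -like '*example.org*') { Fail 'SSO entityID is not set to the PingFederate entityID' }
$hasHttps = [bool](Get-WebBinding -Name $IisSite | Where-Object protocol -eq 'https')
if ($hasHttps -and ($sess.handlerSSL -eq 'false' -or $sess.cookieProps -eq 'http')) {
    Fail "site has an https binding but handlerSSL=$($sess.handlerSSL) cookieProps=$($sess.cookieProps); keep the 3.3+ defaults (true/https)"
}
if (-not $hasHttps -and $sess.cookieProps -eq 'https') { Fail 'cookieProps=https but the site has no https binding; the session cookie would never be sent' }

# 5. MetadataProvider must use path= (SP 3.3+) and reference a file present in etc\shibboleth.
foreach ($mp in $cfg.SelectNodes('//c:MetadataProvider[@type="XML"]', $ns)) {
    if ($mp.HasAttribute('file')) { Fail 'MetadataProvider uses file=...; SP 3.3+ expects path=...' }
    elseif (-not (Test-Path (Join-Path $etc $mp.path))) { Fail "MetadataProvider path '$($mp.path)' not found in $etc" }
    else { Ok "IdP metadata $($mp.path) present" }
}

# 6. attribute-map.xml must map the attribute to the id that WRR reads as the HTTP_UID header.
$ns2 = New-Object System.Xml.XmlNamespaceManager($map.NameTable)
$ns2.AddNamespace('a', 'urn:mace:shibboleth:2.0:attribute-map')
if (-not $map.SelectSingleNode("//a:Attribute[@id='$AttrId']", $ns2)) { Fail "attribute-map.xml has no <Attribute id=`"$AttrId`">" }

# 7. Let shibd parse the complete configuration, then confirm the SP publishes metadata with our entityID.
& (Join-Path $ShibRoot 'sbin\shibd.exe') -check
if ($LASTEXITCODE -ne 0) { Fail 'shibd -check rejected the configuration' }
if ($fail -eq 0) {
    Restart-Service shibd_Default
    $md = Invoke-WebRequest -UseBasicParsing 'http://localhost/Shibboleth.sso/Metadata'
    if (([xml]$md.Content).EntityDescriptor.entityID -eq $app.entityID) { Ok 'SP metadata published with the configured entityID' }
    else { Fail 'published metadata entityID does not match ApplicationDefaults' }
}
exit $fail
```

Run the script from an elevated PowerShell prompt on the Windchill Risk and Reliability server after completing step 5; a non-zero exit code means at least one check failed and the reported item should be corrected before the metadata is imported into PingFederate.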