HyperMesh Windchill Authentication Using Shibboleth
Outlines the configuration steps for HyperMesh and Windchill under Shibboleth SSO. You will learn to do the ECP (Enhanced Client or Proxy) configuration, which in turn allows HyperMesh to communicate with Windchill through the SSO layer. ECP is the SAML profile for clients that are not web browsers, such as:
- Desktop applications
- Server-side code running in a web application
- Just about anything else that is not a browser
For more information, visit https://www.shibboleth.net/ or https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP.
Prerequisites
- Amazon Corretto (Version 8)
- Apache Tomcat (Version 9)
- Shibboleth Identity Provider (Version 3.4.6)
- Shibboleth Service Provider (Version 3.0.4)
Service Provider Configuration
In the Service Provider's shibboleth2.xml, the settings that matter for ECP are ECP="true" on the SSO element and the PAOS AssertionConsumerService at /SAML2/ECP (index 4). The ApplicationDefaults and Sessions elements that enclose these handlers are omitted from the excerpt below.
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">
    <SSO entityID="https://wcidp.prog.altair.com/idp/profile/SAML2/SOAP/ECP"
         discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF" ECP="true">
      SAML2
    </SSO>
    <!-- SAML and local-only logout. -->
    <Logout>SAML2 Local</Logout>
    <!-- Administrative logout. -->
    <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
    <md:AssertionConsumerService Location="/SAML2/POST" index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
    <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    <md:AssertionConsumerService Location="/SAML/POST" index="5"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
    <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
Next, restart the Shibboleth service (Shibboleth Daemon (Default)) and the PTC Windchill Apache service.
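The ECP exchange that the SSO element and the PAOS endpoint above enable is easiest to see from the client's side. The following Python is an added example, not code from Altair, PTC or the Shibboleth project: it builds the HTTP headers an ECP client such as HyperMesh sends to the Windchill SP, unwraps the PAOS envelope the SP answers with, and performs the check the ECP profile requires before an IdP response is relayed back to the SP, namely that the IdP's ecp:Response header names the same AssertionConsumerServiceURL the SP asked for in its paos:Request. The SOAP envelopes are constructed samples; the hostnames windchill.example.invalid and other-sp.example.invalid and the ID values are placeholders, not values from this deployment.

```python
"""Client-side handling of the SAML 2.0 ECP (PAOS) exchange; added example."""
from typing import Optional
import xml.etree.ElementTree as ET

# Namespaces used by the ECP profile (SOAP 1.1, PAOS, ECP, SAML 2.0).
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
SP_ACS = "https://windchill.example.invalid/Shibboleth.sso/SAML2/ECP"  # placeholder

# Constructed sample: what an ECP-enabled SP returns to a client that advertised PAOS.
SP_PAOS_REQUEST = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:paos="{NS['paos']}"
    xmlns:ecp="{NS['ecp']}" xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <S:Header>
    <paos:Request S:mustUnderstand="1" S:actor="{SOAP_NEXT}"
        responseConsumerURL="{SP_ACS}" service="{NS['ecp']}"/>
    <ecp:Request S:mustUnderstand="1" S:actor="{SOAP_NEXT}">
      <saml:Issuer>https://windchill.example.invalid/shibboleth</saml:Issuer>
    </ecp:Request>
    <ecp:RelayState S:mustUnderstand="1" S:actor="{SOAP_NEXT}">ss:mem:constructed</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest ID="_req-constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        AssertionConsumerServiceURL="{SP_ACS}">
      <saml:Issuer>https://windchill.example.invalid/shibboleth</saml:Issuer>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>"""

# Constructed sample: the IdP's SOAP answer to the forwarded AuthnRequest.
IDP_ECP_RESPONSE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:ecp="{NS['ecp']}" xmlns:samlp="{NS['samlp']}">
  <S:Header>
    <ecp:Response S:mustUnderstand="1" S:actor="{SOAP_NEXT}" AssertionConsumerServiceURL="{SP_ACS}"/>
  </S:Header>
  <S:Body>
    <samlp:Response ID="_resp-constructed-1" InResponseTo="_req-constructed-1" Version="2.0"
        IssueInstant="2024-01-01T00:00:01Z" Destination="{SP_ACS}">
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    </samlp:Response>
  </S:Body>
</S:Envelope>"""


def ecp_request_headers() -> dict:
    """Headers that make the SP answer with a PAOS envelope instead of a browser login redirect."""
    return {
        "Accept": "text/html; application/vnd.paos+xml",
        "PAOS": f'ver="{NS["paos"]}";"{NS["ecp"]}"',
    }


def parse_sp_paos_request(envelope_xml: str) -> dict:
    """Pull out of the SP's PAOS request what the client needs to remember and forward."""
    root = ET.fromstring(envelope_xml)
    paos_req = root.find("S:Header/paos:Request", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not an ECP/PAOS request envelope")
    return {
        "response_consumer_url": paos_req.get("responseConsumerURL"),
        "authn_request_id": authn.get("ID"),
        "relay_state": root.findtext("S:Header/ecp:RelayState", None, NS),
        # Only the AuthnRequest body goes to the IdP; the PAOS/ECP headers are for the client.
        "authn_request_xml": ET.tostring(authn, encoding="unicode"),
    }


def idp_response_is_for(envelope_xml: str, expected_consumer_url: str) -> bool:
    """Mandatory ECP client check: the IdP's ecp:Response must name exactly the
    responseConsumerURL the SP gave us. On a mismatch the client must not relay
    the assertion (it sends the SP a SOAP fault instead), so an assertion can
    never be steered to an endpoint the SP did not ask for."""
    ecp_resp = ET.fromstring(envelope_xml).find("S:Header/ecp:Response", NS)
    if ecp_resp is None:
        return False
    return ecp_resp.get("AssertionConsumerServiceURL") == expected_consumer_url


def build_sp_relay(idp_envelope_xml: str, relay_state: Optional[str]) -> str:
    """Repackage the IdP's samlp:Response for the SP's PAOS endpoint: drop the
    IdP's SOAP headers, keep the body, and restore RelayState if the SP sent one."""
    saml_response = ET.fromstring(idp_envelope_xml).find("S:Body/samlp:Response", NS)
    if saml_response is None:
        raise ValueError("IdP envelope carries no samlp:Response")
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    env = ET.Element(f"{{{NS['S']}}}Envelope")
    if relay_state is not None:
        hdr = ET.SubElement(env, f"{{{NS['S']}}}Header")
        rs = ET.SubElement(hdr, f"{{{NS['ecp']}}}RelayState",
                           {f"{{{NS['S']}}}mustUnderstand": "1", f"{{{NS['S']}}}actor": SOAP_NEXT})
        rs.text = relay_state
    ET.SubElement(env, f"{{{NS['S']}}}Body").append(saml_response)
    return ET.tostring(env, encoding="unicode")


def ecp_round_trip(sp_envelope_xml: str, idp_envelope_xml: str) -> Optional[str]:
    """Client flow after the IdP has authenticated the user: the envelope to POST
    to the SP's /SAML2/ECP endpoint, or None when the consumer-URL check fails."""
    req = parse_sp_paos_request(sp_envelope_xml)
    if not idp_response_is_for(idp_envelope_xml, req["response_consumer_url"]):
        return None
    return build_sp_relay(idp_envelope_xml, req["relay_state"])
```

In a live deployment the client sends ecp_request_headers() with its first request to the protected Windchill resource, forwards authn_request_xml (wrapped in a plain SOAP envelope) with the user's credentials to the IdP's /idp/profile/SAML2/SOAP/ECP endpoint, and POSTs the result of ecp_round_trip() to the SP with Content-Type application/vnd.paos+xml; signature and audience validation of the assertion itself remains the SP's job.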
IDP Configuration
In the Identity Provider's conf/relying-party.xml, make sure SAML2.ECP appears in the profileConfigurations of both relying-party beans; it is what lets the IdP answer the SP's AuthnRequest over the SOAP ECP endpoint.
<bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!-- <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" /> -->
            <bean parent="Shibboleth.SSO" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <!-- <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" /> -->
            <bean parent="SAML2.SSO" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
            <ref bean="Liberty.SSOS" />
        </list>
    </property>
</bean>