Introduction
PTC recommends that client applications communicate with PTC Windchill via its REST API, the Windchill REST Services (WRS). WRS supports both Basic Authentication with Windchill username and password and OAuth2 using a variety of Grant flows. This is especially true if Windchill is configured for SSO with SAML2 using Ping Federate IdP. Refer to the following link for using WRS with OAuthhttps://support.ptc.com/help/windchill_rest_services/r2.2/en/index.html#page/windchill_rest_services/oauth_for_wrs.html.
This document is a high-level overview for configuring PTC Windchill for delegated OAuth with Ping Federate such that applications can use WRS - it is not a substitute for PTC literature.
Part 1 - Install and Configure Ping Federate as the IdP for Windchill
docker compose up a PingFederate instance - which is available at Docker Hub
set the Server Base URL in PingFederate to be the intended corporate-internal FQDN for the PingFederate service
Create an IdP Adapter in PingFederate
Create an LDAP Data Source in PingFederate
Create an OAuth Client App in PingFederate, named “rs_client”
Configure the OAuth Token Manager for the rs_client OAuth Client App
Configure an OAuth Setting Scope Management Scope of “WINDCHILL” in PingFederate
Configure Access Token Mappings
Configure IdP Adapter Grant Mapping
Before doing anything more, use Postman (or equivalent REST client or cURL) to verify that it can request and receive OAuth tokens after doing user MFA Authorization-Code Grant flow with the new (or existing) PingFederate OAuth client.
Part 2 - Configure Windchill and Ping Federate for Windchill OAuth
See the Explanation of PTC’s Windchill Authentication Architecture, below.
See Configure OAuth Delegated Authorization in Tomcat Windchill
Be advised that PTC formally states that all authentication choices are “customer optional” and are not formally supported.
This is complex and beyond the scope of Syndeia - however if your team is at a loss of adequate SMEs, our team has done this several times and we can advise your available staff - we do not recommend leaving this complex task to generalists.
The two files that you will edit on your Windchill server are
<Windchill>\codebase\WEB-INF\security\config\securityContext.properties
<Windchill>\codebase\WEB-INF\web.xml
Part 3 - Configure Windchill OAuth Client in Ping Federate for Device Code Auth Grant Flow
Assuming that Windchill already has Ping Federate as its IdP:
Configure the “Oauth Client” in Ping Federate for Windchill with the additional “OAuth / Device Code Auth Grant Flow”
The least necessary change is just “ALLOWED GRANT TYPE :: Device Authorization Grant (YES)”
See the “Allowed Grant Types” figure below.
However, IF an org has not yet configured Windchill for OAuth (with PingFederate), then the org should have their Windchill Team configure their Windchill service for delegated access control through PingFederate (See Part 2)
Note: The “Device Code" OAuth grant type is based on specific users and not on just a known single specific application-client to enforce the user-specific permissions and access controls as they connect to Windchill from the same specific application-client (“Syndeia”).
Be informed that a Device Code Grant Flow has been chosen both for its high user “user ability” and for cybersecurity controls - it is the only Grant Flow which supports both users using web browsers and scripts making API calls while assuring that all such service requests are traced directly to the specific user making those requests and not to a single “application” identity or to a “digital service account”.
We can advise your cybersecurity staff in understanding the necessities here.
Part 4 - Configure Syndeia Cloud Windchill Service
Configure the Syndeia Cloud windchill-impl application
Alter its conf/application.conf according to the expansion region below this list
cd /opt/icx/syndeia-cloud-current && sudo vi application.conf
Restart the Syndeia Windchill microservice
sudo systemctl restart sc-windchill
Restart the Syndeia Web Gateway microservice
sudo systemctl restart sc-webgateway
Contact Intercax.com/help if your team needs assistance in editing any configuration files for specific microservices