Appendix G1 - Configuring Windchill for OAuth with Ping Federate
Introduction
PTC recommends that client applications communicate with PTC Windchill via its REST API, the Windchill REST Services (WRS). WRS supports both Basic Authentication with Windchill username and password and OAuth2 using a variety of Grant flows. This is especially true if Windchill is configured for SSO with SAML2 using Ping Federate IdP. Refer to the following link for using WRS with OAuthPTC Help Center.
This document is a high-level overview for configuring PTC Windchill for delegated OAuth with Ping Federate such that applications can use WRS - it is not a substitute for PTC literature.
The instructions that follow assume that the IdP is Ping Federate. This assumption is made because Ping Federate is the only IdP for which PTC provides installation guidance.
Part 1 - Install and Configure Ping Federate as the IdP for Windchill
docker compose up
a PingFederate instance - which is available at Docker Hubset the Server Base URL in PingFederate to be the intended corporate-internal FQDN for the PingFederate service
Create an IdP Adapter in PingFederate
Create an LDAP Data Source in PingFederate
Create an OAuth Client App in PingFederate, named
rs_client
Configure the OAuth Token Manager for the rs_client OAuth Client App
Configure an OAuth Setting Scope Management Scope of
WINDCHILL
in PingFederateConfigure Access Token Mappings
Configure IdP Adapter Grant Mapping
Before doing anything more, use Postman (or equivalent REST client or cURL) to verify that it can request and receive OAuth tokens after doing user MFA Authorization-Code Grant flow with the new (or existing) PingFederate OAuth client.
Part 2 - Configure Windchill and Ping Federate for Windchill OAuth
See the Explanation of PTC’s Windchill Authentication Architecture, below.
See Configure OAuth Delegated Authorization in Tomcat Windchill
Be advised that PTC formally states that all authentication choices are “customer optional” and are not formally supported.
This is complex and beyond the scope of Syndeia - however if your team is at a loss of adequate SMEs, our team has done this several times and we can advise your available staff - we do not recommend leaving this complex task to generalists.
The two files that you will edit on your Windchill server are
<Windchill>\codebase\WEB-INF\security\config\securityContext.properties
<Windchill>\codebase\WEB-INF\web.xml
Part 3 - Configure Windchill OAuth Client in Ping Federate for Device Code Auth Grant Flow
Assuming that Windchill already has Ping Federate as its IdP:
Configure the “Oauth Client” in Ping Federate for Windchill with the additional “OAuth / Device Code Auth Grant Flow”
The least necessary change is just “ALLOWED GRANT TYPE :: Device Authorization Grant (YES)”
See the “Allowed Grant Types” figure below.
However, IF an org has not yet configured Windchill for OAuth (with PingFederate), then the org should have their Windchill Team configure their Windchill service for delegated access control through PingFederate (See Part 2)
Note: The “Device Code" OAuth grant type is based on specific users and not on just a known single specific application-client to enforce the user-specific permissions and access controls as they connect to Windchill from the same specific application-client (“Syndeia”).
Intercax selected a Device Code Grant Flow for its industry support, for high user “user ability”, and for cybersecurity controls - it is the only Grant Flow which offers authentication for both users using web browsers and for scripts making API calls while assuring that all such service requests are traced directly to the specific user making those requests and not to a single “application” identity or to some “digital service account”.
We can advise your cybersecurity staff in understanding the necessities here.
Part 4 - Configure Syndeia Cloud Windchill Service
Step 1: Configure the Syndeia Cloud windchill-impl application
Log into the Syndeia Service
ssh MySyndeiaServer.company.com
Alter its Windchill conf/application.conf according to the example file in the expansion region below
cd /opt/icx/syndeia-cloud-current/windchill-impl-*/conf && sudo vi application.conf
(see file below, edit, then exit vi with
:wq
)
Step 2: Restart the Syndeia Windchill & Web-gateway microservices
After you have configured Windchill and Ping Federate and after you have configured Syndeia’s windchill microservice for OAuth, you likely will want to add a Windchill Repository instance using the Syndeia Web Dashboard. Read Adding a Windchill Repository using OAuth for that guide.
Contact Intercax.com/help if your team needs assistance in editing any configuration files for specific microservices