topic Re: Windchill Basic authentication and SSO together in Windchill

Windchill Basic authentication and SSO together

tchao — Fri, 25 Aug 2023 11:59:02 GMT

Has anyone set your WC environment to have some users using Basic Authentication and some users using SSO?

There is a PTC KB article said it is doable, but it did not provide the steps.

Has anyone done ever done with this kind of configuration?

Re: Windchill Basic authentication and SSO together

jbailey — Fri, 25 Aug 2023 14:50:58 GMT

It can be done... What is the use case?

Do you have a SAML IdP in your organization already (either internal or third party)?

Re: Windchill Basic authentication and SSO together

HelesicPetr — Fri, 25 Aug 2023 14:49:15 GMT

Hi @tchao

It is configurable on a HTTP Server (apache) side so I would contact Apache support for that.

in another word> I know it is possible but I've never needed it:D

PetrH

Re: Windchill Basic authentication and SSO together

jbailey — Fri, 25 Aug 2023 14:50:17 GMT

It can be done with PTC provided tools as well (PingFederate). I have an entirely SAML authentication policy that allows admins to use secondary accounts for separation of duties.

Re: Windchill Basic authentication and SSO together

HelesicPetr — Fri, 25 Aug 2023 14:51:30 GMT

Hi @jbailey

I have one use case.

Users use SSO from client computers and administrator use basic login from Server side not from client computer.

PetrH

Re: Windchill Basic authentication and SSO together

jbailey — Fri, 25 Aug 2023 14:53:08 GMT

Why would administrators need to use basic login?

Re: Windchill Basic authentication and SSO together

HelesicPetr — Fri, 25 Aug 2023 15:06:45 GMT

@jbailey

Because it is demilitarization zone where is not available connection to a server provided the SSO 😄 for example IBM WebSEAL

PetrH

Re: Windchill Basic authentication and SSO together

tchao — Fri, 25 Aug 2023 15:47:11 GMT

Yes. We are changing our SSO from ADFS to PingOne with MFA.

Our user cases are like this:

- Regular users will be with PingID + MFA

- Services integration will use Basic authentication (such as middleware and Engineering to Order Configurator tool, etc).

In the second item above works well with LDAP connection, but we are getting authentication fail with LDAPS connection and PTC is not able to provide a solid case where were the root cause of this denial....

Any implementation steps high level are very much appreciated!

Re: Windchill Basic authentication and SSO together

tchao — Fri, 25 Aug 2023 15:50:01 GMT

In our case, the access with Basic authentication are also internal and we don't have DMZ in our case.

Re: Windchill Basic authentication and SSO together

jbailey — Fri, 25 Aug 2023 15:50:53 GMT

So with Ping they should be able to set up an auth flow that directs users to the appropriate authentication method.

What is the error you see when LDAPs fails? if there is anything with PKIX in the error then it is an issue with certificate trust (the LDAP server certificate is not in the offending keystore).

Re: Windchill Basic authentication and SSO together

jbailey — Fri, 25 Aug 2023 15:52:45 GMT

Also, I would recommend at some point to consider Oauth for your integration authentications. I know some tools may not support that, however that is a much more secure method.

Re: Windchill Basic authentication and SSO together

jbailey — Fri, 25 Aug 2023 15:57:36 GMT

Also, from the machine that is trying to connect to your DS via ldaps.... The windchill server will have openssl on it... in a command prompt you can run the following command and see what it returns (should come back with a server cert in pem format along with connection info)

openssl s_client -connect <ldap server fqdn like: myAD.mycorp.com>:636

Re: Windchill Basic authentication and SSO together

tchao — Fri, 25 Aug 2023 16:34:42 GMT

Try the openssl command, but the command ends there after hitting enter.

It seems that it is being blocked somewhere, but our firewall and NetScaler set it to pass through. Not sure if PTC cloud allows this....

Re: Windchill Basic authentication and SSO together

tchao — Fri, 25 Aug 2023 16:38:48 GMT

After a while, the openssl got this back:

socket: Bad file descriptor
connect:errno=9

Re: Windchill Basic authentication and SSO together

jbailey — Fri, 25 Aug 2023 16:39:35 GMT

This sounds like the problem. When a user attempts to authenticate, apache (or IIS) sends the username/password to LDAP for verification... which means that your Windchill web server (and the application portion) needs to have outbound access to the Active Directory (or other LDAP v3 DS), and the server where the AD/DS resides needs to have inbound access from the Web/App server. You could potentially have two firewall issues here... inbound and outbound on both sides.

Re: Windchill Basic authentication and SSO together

tchao — Fri, 25 Aug 2023 16:40:32 GMT

Not for administrators. All users is getting connection with LDAPS OK, but the middleware failed for unknown reasons.

Re: Windchill Basic authentication and SSO together

jbailey — Fri, 25 Aug 2023 16:42:58 GMT

So for your middleware... any LDAP certs need to be imported in the middleware keystores as well. Did you try running the openssl command from your server that the middleware is on?

Re: Windchill Basic authentication and SSO together

tchao — Fri, 25 Aug 2023 17:10:39 GMT

I thought they should have because this is all internal. But it is worth a try to ask the middleware admin.

Re: Windchill Basic authentication and SSO together

jbailey — Fri, 25 Aug 2023 17:12:32 GMT

Also what errors are showing up in the logs for the middleware?

Re: Windchill Basic authentication and SSO together

tchao — Fri, 25 Aug 2023 17:12:34 GMT

They are all traffic inside the corp network. I am assuming they should not be any issue, but it is worthy to check it again to make sure.

Thanks,