We are looking into implementing SSO for our customer.
Initially we wanted to go with the simpler implementation using Shibboleth as SP and Microsoft Entra as IP.
What other solutions would there be, and what would be the complexity level of their implementation?
We did a simple implementation with Shibboleth and without pingFederate as in scenario 2 using the basic steps from PTC:
What version of Windchill do they have? That might make a difference.
We have Windchill PDM Link 13.0.2.4. At the moment we went with the simple PTC supported solution with Shibboleth and Microsoft Entra.
It seems to work fine during testing. We would need just to manage the Windchill users like wcadmin or other accounts created.
Hi,
Are you using ProjectLink with external users? How did you configure your workers for SSO, as TrustedHost is not supported by PTC? If you can give some insight, that will be great.
Best Regards
PR
Hi @plmcore
It is an apache issue.
In the Apache configuration you have to configure Apache to use basic authentication for the incoming requests based on some rule, for example server IP.
PetrH
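One way to express the rule PetrH describes in Apache 2.4, as an added example that is not from the thread, from PTC or from the Shibboleth project: requests arriving from the worker host's address get HTTP Basic against a dedicated credential file, everything else must carry a Shibboleth session. The address 10.0.0.5, the htpasswd path and the realm name are placeholders; it assumes mod_shib, mod_auth_basic and mod_authn_file are loaded and that the Shibboleth SP itself is already configured.

```apache
# Added example (not from the thread or from PTC): split authentication by
# client address inside one <Location>. 10.0.0.5 and the htpasswd path are
# placeholders; mod_shib, mod_auth_basic and mod_authn_file must be loaded.
<Location /Windchill>
    # -R matches the client IP (or a CIDR subnet) of the current request
    <If "-R '10.0.0.5'">
        # Worker host only: Basic auth against a separate credential file
        AuthType Basic
        AuthName "Windchill worker"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/conf/worker.htpasswd
        Require valid-user
    </If>
    <Else>
        # Browsers and everything else: require a Shibboleth (SAML) session
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Else>
</Location>
```

Basic sends the credentials base64-encoded on every request, so this only belongs on an HTTPS-only virtual host, and the `-R` match is a source-address check, so the worker should sit on a network segment where that address cannot be spoofed by other clients. Keeping the worker account in its own `AuthUserFile` means it can be rotated or revoked without touching the SSO path.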
Hi,
Could you please clarify with a little more detail. We have ProjectLink external users and they don't have any AD entry. We would like to enable SSO across Windchill and ThingWorx including the worker. We do not want to use basic authentication as it is a risk.
Do you use Entra? From my understanding, if you do, you may need to have a federation with the external users' Entra.
If you are using a local AD instance with no Entra, you would have to have an IdP that does an ID-first flow (you may have seen this with Google, where you first provide your email so Google knows your domain, to send you to your domain to authenticate first). So your local users would be sent to authenticate based on your AD, and external users would be sent to an auth source based on some attribute on the user.
CS372501 is no longer customer visible (not sure why) but it described a way to allow Basic login in conjunction with SSO. I tried it and it worked but broke Navigate so I dropped it. I ended up just creating accounts in Microsoft for wcadmin and the others to use SSO. If you use private browsing mode, you can manually login as those accounts.
Agreed on this.
Hi,
ProjectLink users are external users and will join using email ID and they don't have any corporate AD entries. So we are not able to configure with corporate AD. As of now we are creating them as Windchill-specific LDAP local users. So SSO will not work for them.
If the version of Windchill is 13.0.2 or newer, I would consider OIDC vs SAML if using Entra, especially if they are looking to add OAuth down the road to other tools. If you are using SAML with Entra and need OAuth down the road - you need two Entra entities, one for SAML and one for OAuth. If you use the OIDC apache module (Included 13.0.2.x+) Entra will only need one entity for Windchill. It is a little detail, but minimizes the number of items a customer needs to manage in their Entra IdP. Configuration is straightforward and well documented (I implemented this as a customer before I joined PTC with ease). Additionally, it removes the need to install / maintain / secure additional software (Shibboleth).
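The single-entity OIDC setup described above, as an added example that is not from the thread or from PTC. It assumes the "OIDC apache module" referred to is mod_auth_openidc, which acts as the relying party in front of Windchill with Microsoft Entra as the OpenID Provider; one Entra app registration (one client ID) covers the browser login, and the same registration can later issue OAuth tokens. Tenant ID, client ID, client secret, passphrase and hostname are placeholders.

```apache
# Added example (not from the thread or from PTC): mod_auth_openidc as the
# OIDC relying party for Windchill, using one Entra app registration.
# TENANT_ID, CLIENT_ID, CLIENT_SECRET, the passphrase and the hostname are
# placeholders to be replaced with the values from your own Entra tenant.

# Entra v2.0 discovery document: endpoints and signing keys are fetched from here
OIDCProviderMetadataURL https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration
OIDCClientID CLIENT_ID_PLACEHOLDER
OIDCClientSecret CLIENT_SECRET_PLACEHOLDER

# Must be registered as a redirect URI on the Entra app; the module handles
# this path itself, so it only needs to lie inside the protected location
OIDCRedirectURI https://windchill.example.com/Windchill/redirect_uri
# Used to encrypt the module's session cookie and cache
OIDCCryptoPassphrase CHANGE_ME_PLACEHOLDER
OIDCScope "openid profile email"
# Claim that becomes REMOTE_USER; pick the one that matches the user ID
# attribute in the LDAP that Windchill uses
OIDCRemoteUserClaim preferred_username

<Location /Windchill>
    AuthType openid-connect
    Require valid-user
</Location>
```

Because the Authorization Code flow, token validation and session handling all live in the module, there is no separate SP daemon to patch or monitor, which is the operational point made above. Rotate the client secret in Entra and in `OIDCClientSecret` together, and keep `OIDCCryptoPassphrase` out of version control.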
