HyperMesh Windchill Authentication Using Shibboleth

Outlines the configuration steps for setting up HyperMesh and Windchill with Shibboleth SSO. You will learn to do the ECP (Enhanced Client or Proxy) configuration, which in turn allows HyperMesh to communicate with Windchill through the SSO layer.

ECP is a SAML acronym that stands for Enhanced Client or Proxy. The name is historical; the basic point of an enhanced client is that it is not a browser. The ECP profile is an adaptation of the SAML profile used for Browser SSO with the parts that were designed around the limitations of a browser removed. Thus, it is the profile of SAML authentication designed for clients other than browsers, such as:
  • Desktop applications
  • Server-side code running in a web application
  • Just about anything else that is not a browser

For more information, visit https://www.shibboleth.net/ or https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP.

Prerequisites

Windchill installation configured with Shibboleth SSO with:
  • Amazon Corretto (Version 8)
  • Apache Tomcat (Version 9)
  • Shibboleth Identity Provider (Version 3.4.6)
  • Shibboleth Service Provider (Version 3.0.4)

Service Provider Configuration

In the Service Provider directory (C:\opt\shibboleth-sp\etc\shibboleth), edit the shibboleth2.xml file. At the beginning of the file, you need to add the md namespace so that the md:AssertionConsumerService elements can be added:
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">
Further down in the file, you will need to add the ECP attribute to the SSO element, setting it to “true”, and then add the additional AssertionConsumerService entries below it.
<SSO entityID="https://wcidp.prog.altair.com/idp/profile/SAML2/SOAP/ECP"
    discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF" ECP="true">
    SAML2
</SSO>

<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>

<!-- Administrative logout. -->
<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

<md:AssertionConsumerService Location="/SAML2/POST" index="1"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
<md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<md:AssertionConsumerService Location="/SAML2/ECP" index="4"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
<md:AssertionConsumerService Location="/SAML/POST" index="5"
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
<md:AssertionConsumerService Location="/SAML/Artifact" index="6"
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

Next, restart the Shibboleth service (Shibboleth Daemon (Default)) and the PTC Windchill Apache service.
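As an added check (not part of the original guide or of Shibboleth's own tooling), the following Python script parses a shibboleth2.xml and verifies the three ECP edits described above: the md namespace is declared, ECP="true" is set on the SSO element, and an AssertionConsumerService with the PAOS binding exists. The embedded sample XML and its entity IDs are constructed placeholders, not the page's file.

```python
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:3.0:native:sp:config"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Constructed sample (not the page's file): a trimmed shibboleth2.xml carrying the
# three edits this guide makes for ECP. Entity IDs are placeholders.
SAMPLE_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600">
      <SSO entityID="https://idp.example.org/idp/shibboleth" ECP="true">SAML2</SSO>
      <md:AssertionConsumerService Location="/SAML2/POST" index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""


def check_ecp_config(xml_text):
    """Return (ok, problems); problems lists each ECP prerequisite that is missing."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A forgotten xmlns:md declaration surfaces here as an "unbound prefix" error.
        return False, ["shibboleth2.xml does not parse: %s" % exc]
    problems = []
    sso = root.find(".//{%s}SSO" % SP_NS)
    if sso is None:
        problems.append("no <SSO> element found")
    else:
        if sso.get("ECP", "").lower() != "true":
            problems.append('<SSO> is missing ECP="true"')
        if "SAML2" not in (sso.text or "").split():
            problems.append("<SSO> does not list SAML2 as a protocol")
    acs = root.findall(".//{%s}AssertionConsumerService" % MD_NS)
    if not any(a.get("Binding") == PAOS for a in acs):
        problems.append("no md:AssertionConsumerService with the PAOS binding")
    indexes = [a.get("index") for a in acs]
    if len(indexes) != len(set(indexes)):
        problems.append("duplicate AssertionConsumerService index values")
    return not problems, problems


if __name__ == "__main__":
    ok, problems = check_ecp_config(SAMPLE_XML)
    print("OK" if ok else "\n".join(problems))
```

To check a real deployment, read C:\opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml into a string and pass it to check_ecp_config before restarting the daemon.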

IDP Configuration

In the Identity Provider directory (C:\opt\shibboleth-idp\conf), edit the relying-party.xml file.
Note: This step may be unnecessary; however, it should be innocuous if added.
Make a change to the shibboleth.UnverifiedRelyingParty bean to add the following references:
<bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
Make a change to the shibboleth.DefaultRelyingParty bean to disable the Attribute Release form.
Note: This step may be unnecessary and should be tested without it first. It disables the Attribute Release page that appears during the standard login process, so you may want to keep that page active, or you may already have it disabled.
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
<!--      <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />      -->
            <bean parent="Shibboleth.SSO" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
<!--      <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />      -->
            <bean parent="SAML2.SSO" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
            <ref bean="Liberty.SSOS" />
        </list>
    </property>
</bean>