bypass Teamcenter SSO login window

Hello Team,

I want to bypass the Teamcenter SSO login window with OS credentials for the users, which are also managed in LDAP.

Has anyone done it before? Please suggest.

5 REPLIES

Re: bypass Teamcenter SSO login window

This can get a little complicated depending on your use-case...

If you just need to run command line utilities as a non-AD user then you can copy tc_profilevars.bat to tc_profilevars_nosso.bat and comment out the three SSO lines. Then in the script, you set TC_ROOT and TC_DATA as normal but call %TC_DATA%\tc_profilevars_nosso.bat before running your utility. Simple.

If you intend to launch a 4tier Rich Client then you'll have to create tc_profilevars_nosso.bat and install a second server manager that calls tc_profilevars_nosso.bat and a separate web tier that points to the server manager and rich client that points to the correct web tier. Complicated.

Randy Ellsworth, Teamcenter Architect, Applied CAx, LLC
NX 11 | SW 2016 | Creo 4 | TcUA 11.4
Evaluating: AW 3.4

Re: bypass Teamcenter SSO login window

Hi @RandyEllsworth, thanks for the reply.

I think I want to use the second option, which is complicated, because what I need is that when I click on the TC 4T Rich Client there should be no login page; instead TC should log in with the current OS user credentials.

Here I have a question: do I need to have a TC user already for every OS user present in the domain?

Or can I create that at run time once I validate the credentials (from LDAP), in case of unavailability of that user in TC?

I haven't used SSO before so I am curious to know how it really works!

The status of what I have now is:

1. Normal Server Manager & normal TC.war deployed on Tomcat,

2. SSO Server Manager, SSO Login Service, Identity Service & SSO tc.war file deployed on Wildfly

3. When Rich Client & Thin Client are opened, the SSO page opens to fill in the credentials.

Re: bypass Teamcenter SSO login window

Oh, you don't want to bypass SSO (which requires a separate path non-SSO tc_profilevars.bat)?

You want to use SSO but bypass the login by supplying the OS user credentials. In that case, you want to use Kerberos authentication. The login screen will pop up but then Kerberos auto logs in using the OS name. The Teamcenter User name must match the OS user name in LDAP. Be careful of case in LDAP, Windows doesn't care but Kerberos/Teamcenter (Java) does. Yes, you will need to create the (Person/User/Group Member) Teamcenter account yourself before the user can login.

The normal GTAC docs for installing Kerberos will have you deploy JBoss (WildFly) but the supported version of JBoss is old. Latest versions of JBoss (WildFly) do not work (I tried). Instead, deploy the latest version of Tomcat, which is supported and provides more recent security fixes. You'll need IIS and the ISAPI Redirector to point to Tomcat on the server and you'll need to install TCCS (shared not personal) on the client. You will still need INSWEB to compile the war files deployed to Tomcat until Deployment Center takes over compiling.

Randy Ellsworth, Teamcenter Architect, Applied CAx, LLC
NX 11 | SW 2016 | Creo 4 | TcUA 11.4
Evaluating: AW 3.4
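
Added example, not part of the reply above or of any Siemens tooling: a pre-flight check for the case-sensitivity point, comparing OS/LDAP logon names with Teamcenter user IDs before Kerberos is switched on. Both lists are constructed sample data; how you export the real lists from your directory and from Teamcenter is left as an assumption.

```python
from collections import defaultdict

# Constructed sample data (hypothetical accounts, not from the thread).
LDAP_NAMES = ["jsmith", "MGarcia", "akhan", "lchen"]
TC_USER_IDS = ["jsmith", "mgarcia", "lchen", "LChen", "infodba"]


def audit_user_ids(ldap_names, tc_user_ids):
    """Compare LDAP/OS logon names with Teamcenter user IDs.

    Returns a dict with four lists:
      ok            - names present on both sides with identical case
      case_mismatch - (ldap_name, tc_id) pairs equal only when case is ignored
      missing_in_tc - LDAP names with no Teamcenter user at all
      ambiguous     - (ldap_name, [tc_ids]) where several Teamcenter IDs
                      differ from each other only by case
    """
    # Index Teamcenter IDs by their case-folded form.
    tc_by_fold = defaultdict(list)
    for tc_id in tc_user_ids:
        tc_by_fold[tc_id.casefold()].append(tc_id)

    report = {"ok": [], "case_mismatch": [], "missing_in_tc": [], "ambiguous": []}
    for name in ldap_names:
        candidates = tc_by_fold.get(name.casefold(), [])
        if not candidates:
            # Account must be created in Teamcenter before the user can log in.
            report["missing_in_tc"].append(name)
        elif len(candidates) > 1:
            # Two Teamcenter users collide once case is ignored: resolve by hand.
            report["ambiguous"].append((name, sorted(candidates)))
        elif candidates[0] == name:
            report["ok"].append(name)
        else:
            # Windows would accept this logon name; a case-sensitive match would not.
            report["case_mismatch"].append((name, candidates[0]))
    return report


if __name__ == "__main__":
    for category, entries in audit_user_ids(LDAP_NAMES, TC_USER_IDS).items():
        print(f"{category}: {entries}")
```
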

Re: bypass Teamcenter SSO login window

Yes @RandyEllsworth, you are right, I want to use SSO but bypass the login window.

I am going through the Siemens docs but things are not that clear to me, because I still haven't gone through all of them.

When I am using Kerberos authentication, do I still need the Identity Service, which authenticates credentials from LDAP?

Because the doc says:

Kerberos offers users the advantage of zero sign-on. Because you are already logged on to the operating system, you use your operating system identity to get into Teamcenter. Another advantage of using Kerberos is there is no password sent across the network. Thus, Kerberos provides a security advantage. Kerberos is only supported on Windows and its use with Teamcenter is optional.

Which means I will need only the Login Service and no need of the Identity Service. The OS user is already logged in, so his credentials are already authenticated and he is allowed to log in with the help of Kerberos.

Am I right?

Re: bypass Teamcenter SSO login window

No, you still need both the login service (ls.war) and identity service (id.war). The advantage of Kerberos is zero-signon as you stated, using the OS user name to authenticate against LDAP and obtain a token (uses TCCS), the OS user name and token are then used to login to Teamcenter (still see the login screen [background image] until TcRAC starts).

It's a pain to get set up correctly and to debug but the benefits once it's working are nice.

Randy Ellsworth, Teamcenter Architect, Applied CAx, LLC
NX 11 | SW 2016 | Creo 4 | TcUA 11.4
Evaluating: AW 3.4