
Azure AD and Thingworx SSO configuration

Velkumar
17-Peridot


Hi,

 

I'm trying to integrate Azure AD for SSO. I have configured Thingworx platform-settings.json and sso-settings.json as in the documentation. When I start Thingworx I get the following error:

 

2020-03-02 09:25:55.868+0000 [L: DEBUG] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: verja] [S: ] [P: ] [T: http-nio-80-exec-18] executing request for URI: /Thingworx/Logs/SecurityLog/Services/GetLogLevel
2020-03-02 09:27:44.935+0000 [L: INFO] [O: S.c.t.s.a.s.SSOBootstrapper] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] ThingworxSSOBootstrapper context initializing...
2020-03-02 09:27:44.982+0000 [L: INFO] [O: S.c.t.s.a.s.SSOBootstrapper] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] ThingworxSSOContextLoaderListener created ...
2020-03-02 09:27:44.982+0000 [L: INFO] [O: S.c.t.s.a.s.SSOBootstrapper] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] ThingworxSSOContextLoaderListener context initializing...
2020-03-02 09:27:45.170+0000 [L: INFO] [O: S.c.t.s.a.s.SSOSettingsFile] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] The config file - sso-settings.json location is: /ThingworxPlatform\ssoSecurityConfig
2020-03-02 09:27:45.201+0000 [L: INFO] [O: S.c.t.s.a.s.SSOSettingsFile] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] The config file - sso-settings.json location is: /ThingworxPlatform\ssoSecurityConfig
2020-03-02 09:27:45.201+0000 [L: INFO] [O: S.c.t.s.a.s.SSOSettingsFile] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] The config file - sso-settings.json location is: /ThingworxPlatform\ssoSecurityConfig
2020-03-02 09:27:45.357+0000 [L: INFO] [O: S.c.t.s.a.s.SSOResourceServer] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] The resourceServerSettings.json file was loaded succesfully.
2020-03-02 09:27:45.373+0000 [L: INFO] [O: S.c.t.s.a.s.SSOResourceServer] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] Thingworx configured with global scopes of THINGWORX
2020-03-02 09:27:46.639+0000 [L: INFO] [O: S.c.t.s.a.s.SSOContext] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] SSOContext created...
2020-03-02 09:27:47.795+0000 [L: INFO] [O: o.s.s.c.SecurityNamespaceHandler] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] Spring Security 'config' module version is 5.2.1.RELEASE
2020-03-02 09:27:51.951+0000 [L: ERROR] [O: S.c.t.s.a.s.SSOSettings] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] [ Failed to get SSO Setting [table=SCIMAccessTokenServicesSettings, setting=authScimOAuthClientId] ][ JSONObject["SCIMAccessTokenServicesSettings"] not found. ]
2020-03-02 09:27:51.951+0000 [L: ERROR] [O: S.c.t.s.a.s.SSOSCIMClientAwareOAuth2AuthenticationManager] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] Failed to get instance of SSOSettings class
2020-03-02 09:27:51.982+0000 [L: ERROR] [O: S.c.t.s.a.s.SSOSettings] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] [ Failed to get SSO Setting [table=SCIMAccessTokenServicesSettings, setting=clientId] ][ JSONObject["SCIMAccessTokenServicesSettings"] not found. ]
2020-03-02 09:27:52.092+0000 [L: INFO] [O: o.s.s.w.DefaultSecurityFilterChain] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] Creating filter chain: Ant [pattern='/rp/SCIMProvider/**'], [org.springframework.security.web.context.SecurityContextPersistenceFilter@4c091f6, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@2a05a8e8, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@379a1011, com.thingworx.security.authentication.sso.ThingworxSSOAuthenticatorFilter@6f559ce]
2020-03-02 09:27:52.248+0000 [L: INFO] [O: o.s.s.w.DefaultSecurityFilterChain] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] Creating filter chain: Ant [pattern='/rp/**'], [org.springframework.security.web.context.SecurityContextPersistenceFilter@4c091f6, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@ff143e6, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@379a1011, com.thingworx.security.authentication.sso.ThingworxSSOAuthenticatorFilter@6f559ce]
2020-03-02 09:27:52.576+0000 [L: ERROR] [O: o.s.s.s.k.JKSKeyManager] [I: ] [U: SuperUser] [S: ] [P: ] [T: localhost-startStop-1] Error initializing key store
2020-03-02 09:27:52.701+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ???] [S: ] [P: ] [T: localhost-startStop-1] Could not load session timeout from database, using default: null
2020-03-02 09:27:52.811+0000 [L: INFO] [O: S.c.t.s.s.SCIMProvider] [I: ] [U: ???] [S: ] [P: ] [T: localhost-startStop-1] Initializing SCIMProvider servlet...
2020-03-02 09:27:52.811+0000 [L: ERROR] [O: S.c.t.s.s.SCIMProvider] [I: ] [U: ???] [S: ] [P: ] [T: localhost-startStop-1] SCIMProvider initialization failure.  Thingworx Server is not running
2020-03-02 09:27:54.248+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationUtilities] [I: ] [U: ] [S: ] [P: ] [T: http-nio-80-exec-3] null
2020-03-02 09:27:54.248+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [P: ] [T: http-nio-80-exec-3] Could not handle request
2020-03-02 09:27:54.279+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-3] errorMessage: [Unauthorized], statusCode: [401]
2020-03-02 09:28:07.295+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationUtilities] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-3] null

 

 

Could anyone help me to fix this issue?

 

/VR

 

1 ACCEPTED SOLUTION


Hi,

 

Are you also using PingFederate?

The error is related to the keystore; could you check if you have such a file?

 

Thank you,

Raluca Edu


7 REPLIES 7


Hi @raluca_edu ,

 

Yes, I have created and placed the keystore file in the mentioned location.

 

Regards,

Velkumar R

Hi,

 

Could you attach sso-settings.json (remove any credentials first) and pingfederate/logs?

 

Thanks,

Raluca Edu

Hi @raluca_edu 

 

Thanks for the response.

 

PFA the log files & json file.

 

Is there any specific method to create and verify the keystore file? I created the keystore using a command from online.

 

/VR

Velkumar
17-Peridot
(To:Velkumar)

Hi @raluca_edu 

 

I have solved the key issue; it was due to a tampered keystore file.

 

Now I'm facing a new error:

 

2020-03-10 12:08:26.895+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: SuperUser] [S: ] [P: ] [T: http-nio-80-exec-8] [ Failed to utilize the SSO component for authentication ][ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:08:26.895+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: SuperUser] [S: ] [P: ] [T: http-nio-80-exec-8] Could not handle request
2020-03-10 12:08:26.910+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: SuperUser] [S: ] [P: ] [T: http-nio-80-exec-6] [ Failed to utilize the SSO component for authentication ][ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:08:26.910+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: SuperUser] [S: ] [P: ] [T: http-nio-80-exec-6] Could not handle request
2020-03-10 12:08:26.910+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-5] [ Failed to utilize the SSO component for authentication ][ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:08:26.910+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-5] Could not handle request
2020-03-10 12:08:26.910+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-5] errorMessage: [Unauthorized], statusCode: [401]
2020-03-10 12:08:26.910+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-8] errorMessage: [Unauthorized], statusCode: [401]
2020-03-10 12:08:26.910+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-5] [ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:08:26.910+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-8] [ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:08:26.910+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-6] errorMessage: [Unauthorized], statusCode: [401]
2020-03-10 12:08:26.910+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-6] [ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:13:26.786+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-6] [ Failed to utilize the SSO component for authentication ][ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:13:26.786+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-6] Could not handle request
2020-03-10 12:13:26.786+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-6] errorMessage: [Unauthorized], statusCode: [401]
2020-03-10 12:13:26.786+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-6] [ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:13:26.786+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [P: ] [T: http-nio-80-exec-7] [ Failed to utilize the SSO component for authentication ][ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:13:26.786+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [P: ] [T: http-nio-80-exec-7] Could not handle request
2020-03-10 12:13:26.786+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [P: ] [T: http-nio-80-exec-9] [ Failed to utilize the SSO component for authentication ][ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:13:26.786+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-7] errorMessage: [Unauthorized], statusCode: [401]
2020-03-10 12:13:26.786+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-7] [ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:13:26.786+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [P: ] [T: http-nio-80-exec-9] Could not handle request
2020-03-10 12:13:26.802+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-9] errorMessage: [Unauthorized], statusCode: [401]
2020-03-10 12:13:26.802+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-9] [ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:15:54.801+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-1] [ Failed to utilize the SSO component for authentication ][ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]
2020-03-10 12:15:54.801+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-1] Could not handle request
2020-03-10 12:15:54.801+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-1] errorMessage: [Unauthorized], statusCode: [401]
2020-03-10 12:15:54.801+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ???] [S: ] [P: ] [T: http-nio-80-exec-1] [ org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP ][ No IDP was configured, please update included metadata with at least one IDP ]

 

Could you please help me to solve this issue?

 

/VR

Hi,

 

Follow this article: https://www.ptc.com/en/support/article/CS275630

 

Please add a full path for idpMetadataFilePath in sso-config.json

 

Hope it helps,

Raluca Edu
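
A check for the "No IDP was configured" error and the idpMetadataFilePath advice above, as an added example that is not part of the original thread or PTC's code: it reads idpMetadataFilePath from the SSO settings JSON, confirms it is a full path to an existing file, and confirms the metadata contains an EntityDescriptor with an IDPSSODescriptor role. The sample files, the entityID and the "BasicSettings" section name used in the demo are constructed assumptions.

```python
import json
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

def find_key(node, key):
    """Depth-first search for `key`, so no section layout is assumed."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        node = list(node.values())
    children = node if isinstance(node, list) else []
    return next((v for v in (find_key(c, key) for c in children) if v is not None), None)

def check_idp_metadata(settings_path):
    """Return a list of problems; an empty list means an IdP entity was found."""
    settings = json.loads(Path(settings_path).read_text(encoding="utf-8"))
    md_path = find_key(settings, "idpMetadataFilePath")
    if not md_path:
        return ["idpMetadataFilePath is not set"]
    problems = []
    if not Path(md_path).is_absolute():
        problems.append("idpMetadataFilePath is not a full path: " + md_path)
    if not Path(md_path).is_file():
        return problems + ["metadata file not found: " + md_path]
    try:
        root = ET.parse(md_path).getroot()
    except ET.ParseError as exc:
        return problems + ["metadata is not well-formed XML: %s" % exc]
    if not any(e.find(MD + "IDPSSODescriptor") is not None
               for e in root.iter(MD + "EntityDescriptor")):
        problems.append("no EntityDescriptor with an IDPSSODescriptor (no IdP)")
    return problems

def demo():
    """Constructed samples: SP-only metadata versus metadata with an IdP role."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, role in (("sp_only", "SPSSODescriptor"), ("with_idp", "IDPSSODescriptor")):
            md = Path(tmp, name + ".xml")
            md.write_text('<EntityDescriptor xmlns="%s" entityID="urn:example:idp">'
                          '<%s/></EntityDescriptor>' % (MD[1:-1], role), encoding="utf-8")
            cfg = Path(tmp, name + ".json")
            # "BasicSettings" is an assumed section name; the search ignores it.
            cfg.write_text(json.dumps({"BasicSettings": {"idpMetadataFilePath": str(md)}}))
            results[name] = check_idp_metadata(cfg)
    return results
```

Run `check_idp_metadata` on the server that hosts the platform, so the path is resolved on the same filesystem the platform reads it from.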

Hi @raluca_edu 

 

I have exported the XML and placed it in the folder as in the article; I'm still facing the issue.

 


 

/VR
