cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Need to share some code when posting a question or reply? Make sure to use the "Insert code sample" menu option. Learn more! X

Mapping for AD Users based on Group ID over Group Name

Go to solution
Frowne
10-Marble
10-Marble
‎Apr 11, 2024 08:32 AM
‎Apr 11, 2024 08:32 AM

Mapping for AD Users based on Group ID over Group Name

Good day everyone,

 

Today we changed the name of a group in our Active Directory and as a consequence we locked all users relying on that group out of the system for a while until we figured out where the problem is coming from - apparently, the connection between AD & Thingworx is based on the AD Group's name rather than its unique SID. For organisations where names can change frequently, this is quite the issue - is there any way around this currently?

 

Kind regards,

Martin

0 Kudos
Notify Moderator
ACCEPTED SOLUTION

Accepted Solutions
TonyZhang
15-Moonstone
15-Moonstone
(To:Frowne)
‎Dec 04, 2024 02:40 AM
‎Dec 04, 2024 02:40 AM

Hi @Frowne 

I think it is possible to map ThingWorx Group to AD Group by specifying attributes other than the common name.

Simply change the Group Attribute Name in AD configuration in ThingWorx.

For example:

I want to use E-mail attribute as the identifier for AD security group and never change this value

Then in ThingWorx AD configuration, set the Group Attribute Name to mail

In GroupMappings, specify the mail value of the Security Group instead of the common name.

 

Thanks,

Tony

View solution in original post

Notify Moderator
10 REPLIES 10
nmutter
16-Pearl
16-Pearl
(To:Frowne)
‎Apr 11, 2024 11:24 AM
‎Apr 11, 2024 11:24 AM

You need to configure your AD to send the "group-id" as claim instead of the "display name". Then in TWX you need change the mapping to use the ids to TWX groups (in the ThingworxSSOAuthenticator).

What kind of AD are you using? AAD?

0 Kudos
Notify Moderator
Frowne
10-Marble
10-Marble
(To:nmutter)
‎Apr 12, 2024 03:52 AM
‎Apr 12, 2024 03:52 AM

We're only synching to Azure, we're using an in-house one with Windows Domain Controller. Generally, I do believe it's set up properly from our side specifically, I'm just wondering about how to properly implement it on Thingworx' side of things.

 

I'm assuming you are talking about the ThingworxSSOAuthenticator's "Identity Provider Group Name"? 

0 Kudos
Notify Moderator
nmutter
16-Pearl
16-Pearl
(To:Frowne)
‎Apr 12, 2024 04:05 AM
‎Apr 12, 2024 04:05 AM

Yes, I was referring this section. But I assumed that you are already using this section to map your "ad group name" to twx groups. From what I understand you don't do that? So most likely I have misinterpreted your setup (I thought some Single Sign-on setup is in place).

Notify Moderator
Frowne
10-Marble
10-Marble
(To:nmutter)
‎Apr 12, 2024 04:26 AM
‎Apr 12, 2024 04:26 AM

Not exactly - we have a project with a Thingworx Directory Service which has the group mappings from the Active Directory to Thingworx Groups - the problem is that the mapping and search functionality there only lets you select the AD Groups by name so that's when everything broke once the name was changed internally

0 Kudos
Notify Moderator
nmutter
16-Pearl
16-Pearl
(To:Frowne)
‎Apr 12, 2024 05:16 AM
‎Apr 12, 2024 05:16 AM

I see. I have no experience with this one. In the docs I only found

https://support.ptc.com/help/thingworx/platform/r9/en/index.html#page/ThingWorx/Help/Composer/Security/DirectoryServicesAuthentication/ActiveDirectoryGroupsDynamicLogin.html# the parameter "Group Attribute Name" which defaults to "cn" (common name) which twx will use for mapping. Not sure if you could change this to something else which identifies the group by id?

From my google search it does not seem that the AD-group contains some id https://stackoverflow.com/a/33961313 

 

Notify Moderator
pjahn
16-Pearl
16-Pearl
(To:nmutter)
‎Apr 16, 2024 05:13 AM
‎Apr 16, 2024 05:13 AM

There are attributes for groups in Active Directory for groups that  have unique values: objectSid, objectGUID

pjahn_0-1713258771277.png

It would be a great improvement to configure the mapping to those attributes instead of the group name.

Notify Moderator
Frowne
10-Marble
10-Marble
(To:pjahn)
‎Apr 16, 2024 05:59 AM
‎Apr 16, 2024 05:59 AM

Indeed - and how to do that using a Thingworx DirectoryService is why I created this topic. Sadly, in the group mappings it seems like you can only add mappings via common name. 

 

MS_10929021_0-1713261574756.png

 

0 Kudos
Notify Moderator
TonyZhang
15-Moonstone
15-Moonstone
(To:Frowne)
‎Dec 04, 2024 02:40 AM
‎Dec 04, 2024 02:40 AM

Hi @Frowne 

I think it is possible to map ThingWorx Group to AD Group by specifying attributes other than the common name.

Simply change the Group Attribute Name in AD configuration in ThingWorx.

For example:

I want to use E-mail attribute as the identifier for AD security group and never change this value

Then in ThingWorx AD configuration, set the Group Attribute Name to mail

In GroupMappings, specify the mail value of the Security Group instead of the common name.

 

Thanks,

Tony
Notify Moderator
Frowne
10-Marble
10-Marble
(To:TonyZhang)
‎Dec 04, 2024 03:17 AM
‎Dec 04, 2024 03:17 AM

That's definitely a workaround but not at all what I was looking for - e-mail addresses could also feasibly change, I want to use the unique identifier, no other arbitrary properties that could be subject to change potentially.

 

I'm still interested in a potential solution here, but we've instead used a work-around on our end, creating a new AD group whose name is never going to change and putting the previous one inside it. 

0 Kudos
Notify Moderator
pjahn
16-Pearl
16-Pearl
(To:Frowne)
‎Dec 04, 2024 03:36 AM
‎Dec 04, 2024 03:36 AM

But this is still a possibly correct approach: You could also use the ObjectGUID. It never changes.

Notify Moderator
Announcements


Contact Community Management
Top Tags