
Mapping for AD Users based on Group ID over Group Name

MS_10929021
4-Participant


Good day everyone,


Today we changed the name of a group in our Active Directory and as a consequence we locked all users relying on that group out of the system for a while until we figured out where the problem is coming from - apparently, the connection between AD & Thingworx is based on the AD Group's name rather than its unique SID. For organisations where names can change frequently, this is quite the issue - is there any way around this currently?


Kind regards,

Martin

nmutter
14-Alexandrite
(To:MS_10929021)

You need to configure your AD to send the "group-id" as a claim instead of the "display name". Then in TWX you need to change the mapping to use the IDs for the TWX groups (in the ThingworxSSOAuthenticator).

What kind of AD are you using? AAD?

MS_10929021
4-Participant
(To:nmutter)

We're only synching to Azure, we're using an in-house one with Windows Domain Controller. Generally, I do believe it's set up properly from our side specifically, I'm just wondering about how to properly implement it on Thingworx' side of things.


I'm assuming you are talking about the ThingworxSSOAuthenticator's "Identity Provider Group Name"? 

nmutter
14-Alexandrite
(To:MS_10929021)

Yes, I was referring to this section. But I assumed that you are already using this section to map your "AD group name" to TWX groups. From what I understand you don't do that? So most likely I have misinterpreted your setup (I thought some single sign-on setup is in place).

MS_10929021
4-Participant
(To:nmutter)

Not exactly - we have a project with a ThingWorx Directory Service which has the group mappings from the Active Directory to ThingWorx groups. The problem is that the mapping and search functionality there only lets you select the AD groups by name, so that's when everything broke once the name was changed internally.

nmutter
14-Alexandrite
(To:MS_10929021)

I see. I have no experience with this one. In the docs I only found https://support.ptc.com/help/thingworx/platform/r9/en/index.html#page/ThingWorx/Help/Composer/Security/DirectoryServicesAuthentication/ActiveDirectoryGroupsDynamicLogin.html# the parameter "Group Attribute Name", which defaults to "cn" (common name) and which TWX will use for mapping. Not sure if you could change this to something else which identifies the group by ID?

From my Google search it does not seem that the AD group contains some ID: https://stackoverflow.com/a/33961313


pjahn
16-Pearl
(To:nmutter)

There are attributes for groups in Active Directory that have unique values: objectSid, objectGUID


It would be a great improvement to configure the mapping to those attributes instead of the group name.
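Added example (not code from PTC, ThingWorx or any poster in this thread) illustrating the point made in this reply and in the earlier one about "Group Attribute Name" defaulting to "cn": a mapping keyed on the group's common name silently stops matching after a rename, while one keyed on objectSid (or objectGUID) survives, because AD never changes those. The directory, user, SID and GUID below are constructed stand-ins for a domain controller; the resolve function is a hypothetical model of "look up each group the user is a member of, read one attribute, match it against the platform's mapping table", not the real ThingWorx Directory Service code. One practical detail it also shows: over LDAP, objectSid comes back as a binary blob, so anything keyed on it needs the S-1-5-... decoder.

```python
"""Simulate AD-group -> platform-group mapping keyed by cn versus objectSid.

Everything here is constructed sample data; nothing talks to a real domain
controller, and the resolve step is a hypothetical model of a directory
service's group mapping, not ThingWorx's own implementation.
"""
import struct
import uuid
from dataclasses import dataclass
from typing import Dict, List, Tuple


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary objectSid (as returned over LDAP) into 'S-1-5-...' form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x 4-byte
    little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here only to build sample data."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


@dataclass
class AdGroup:
    dn: str
    cn: str
    object_sid: bytes    # binary objectSid, immutable for the group's lifetime
    object_guid: bytes   # 16-byte objectGUID in AD's little-endian layout


@dataclass
class AdUser:
    sam: str
    member_of: List[str]  # group DNs; AD rewrites these itself on a rename


class FakeDirectory:
    """Minimal stand-in for the LDAP directory a platform would query."""

    def __init__(self, groups: List[AdGroup], users: List[AdUser]) -> None:
        self.groups = {g.dn: g for g in groups}
        self.users = {u.sam: u for u in users}

    def group_attribute(self, group: AdGroup, attr: str) -> str:
        """Return the configured 'group attribute' as a comparable string."""
        if attr == "cn":
            return group.cn
        if attr == "objectSid":
            return sid_bytes_to_string(group.object_sid)
        if attr == "objectGUID":
            return str(uuid.UUID(bytes_le=group.object_guid))
        raise KeyError(attr)

    def rename_group(self, old_dn: str, new_cn: str) -> None:
        """Model an AD rename: cn and DN change, SID and GUID do not."""
        g = self.groups.pop(old_dn)
        new_dn = "CN=%s,%s" % (new_cn, old_dn.split(",", 1)[1])
        g.cn, g.dn = new_cn, new_dn
        self.groups[new_dn] = g
        for u in self.users.values():
            u.member_of = [new_dn if dn == old_dn else dn for dn in u.member_of]


def resolve_platform_groups(directory: FakeDirectory, sam: str,
                            mapping: Dict[str, str], attr: str) -> List[str]:
    """Hypothetical mapping step: mapping = {<attr value on AD group>: platform group}."""
    user = directory.users[sam]
    resolved = []
    for dn in user.member_of:
        key = directory.group_attribute(directory.groups[dn], attr)
        if key in mapping:
            resolved.append(mapping[key])
    return resolved


def demo() -> Tuple[Tuple[List[str], List[str]], Tuple[List[str], List[str]]]:
    """Return ((cn_before, sid_before), (cn_after, sid_after)) around a rename."""
    # Constructed identifiers; a real domain SID and GUID look similar but differ.
    sid = sid_string_to_bytes("S-1-5-21-1111111111-2222222222-3333333333-1105")
    guid = uuid.UUID("7d3f8c2a-4b1e-4f6a-9c0d-0123456789ab").bytes_le
    old_dn = "CN=TWX-Operators,OU=Groups,DC=example,DC=local"
    ops = AdGroup(old_dn, "TWX-Operators", sid, guid)
    d = FakeDirectory([ops], [AdUser("alice", [old_dn])])

    by_cn = {"TWX-Operators": "Operators"}               # what a cn-based mapping stores
    by_sid = {sid_bytes_to_string(sid): "Operators"}     # what a SID-based one would store

    before = (resolve_platform_groups(d, "alice", by_cn, "cn"),
              resolve_platform_groups(d, "alice", by_sid, "objectSid"))
    d.rename_group(old_dn, "Plant-Operators")            # the event from the original post
    after = (resolve_platform_groups(d, "alice", by_cn, "cn"),
             resolve_platform_groups(d, "alice", by_sid, "objectSid"))
    return before, after


if __name__ == "__main__":
    print(demo())
```

After the rename the cn-keyed lookup returns no platform groups for the user (the lock-out described in the opening post), whereas the objectSid-keyed lookup is unaffected. The same holds for objectGUID via the `uuid.UUID(bytes_le=...)` branch.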

MS_10929021
4-Participant
(To:pjahn)

Indeed - and how to do that using a Thingworx DirectoryService is why I created this topic. Sadly, in the group mappings it seems like you can only add mappings via common name. 
