cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community email notifications are disrupted. While we are working to resolve, please check on your favorite boards regularly to keep up with your conversations and new topics.

SSO Authenticator - ThingworxSSOAuthenticator - TWX 9.4

Go to solution
LuisCabello
12-Amethyst
12-Amethyst
‎Nov 17, 2023 06:31 AM
‎Nov 17, 2023 06:31 AM

SSO Authenticator - ThingworxSSOAuthenticator - TWX 9.4

Hello community,

 

we are trying to do SSO in thingworx without using external resources just with the thingworx core.  So the users must to access to one external app loggin and when they logging must to be logged in thingworx and shows the specific TWX mashup.

 

One of the ways that we try is by the ThingworxSSOAuthenticator, but we are not able to put enable this authenticator. 

 

1. What changes in the machine where thingworx is installed we must to do to be able to put enable or just to do SSO? For example modify the platform-settings.json or any other file...

2. What we must to consider to create in thingworx or to do for use this SSO aunthenticator by default?

3. ThingworxSSOAunthenticator is just for Pingfederate? If the answers is yes, the alternative is to create an extension and the question 1 I need to have an answer please.

 

Thank you in advance,

Luis.

0 Kudos
Notify Moderator
1 ACCEPTED SOLUTION

Accepted Solutions
nmutter
14-Alexandrite
14-Alexandrite
(To:LuisCabello)
‎Nov 20, 2023 04:28 PM
‎Nov 20, 2023 04:28 PM

How does the user authenticate in your main App? If you don't use a supported IdP (or protocol which the supported ones use SAML2) which ThingWorx supports my ideas would be:

- Use AppKey in the embedded mashup. Appkey may be generic appkey used by all users, or the backend of your main app requests one in TWX for the currently logged in user (with small lifetime, would be more secure). Note: AppKey in URL is deprecated as stated in linked article (we still use it as there is no (cheap) alternative for us)

- Create custom authenticator which can make use of your existing login details of the main app https://support.ptc.com/help/thingworx/platform/r9/en/#page/ThingWorx/Help/Composer/Security/Authenticators/AuthenticatorSampleExtensionConfiguration.html 

 

FYI there is also this page for embedding TWX mashups in other pages https://support.ptc.com/help/thingworx/platform/r9/en/index.html#page/ThingWorx/Help/Composer/Security/AllowingEmbeddedMashupsiniFrames.html (wont help you with the login issue).

View solution in original post

Notify Moderator
5 REPLIES 5
nmutter
14-Alexandrite
14-Alexandrite
(To:LuisCabello)
‎Nov 17, 2023 06:10 PM
‎Nov 17, 2023 06:10 PM

Hey,

checkout the docs here: https://www.ptc.com/en/support/Thingworx-IAM/Thingworx-IAM-main/GettingStartedSSO/SSOStandardUseCases to see which TWX version you are using and then which IdP you need. If e.g. TWX 9.2+ with AzureAD you can directly connect it to TWX and follow the linked instructions (https://support.ptc.com/help/identity_and_access_management/en/#page/iam/AzureADasCASandIdP.html

 

Hope these links help you!

0 Kudos
Notify Moderator
LuisCabello
12-Amethyst
12-Amethyst
(To:nmutter)
‎Nov 20, 2023 04:18 AM
‎Nov 20, 2023 04:18 AM

Hello @nmutter ,

 

thank you for your reply. The use case that we want to cover is the next:

 

LC_9552411_0-1700471779163.png

We have a main app and one module of the app is going to be managed by one thingworx mashup. So, we dont want to use a IdP as Azure,

the idea is when the user log in to the main app, must to be logged also in twx to access to the concrete mashup (module).

 

Any idea about how to do this?

 

Thank you in advance,

Luis.

0 Kudos
Notify Moderator
nmutter
14-Alexandrite
14-Alexandrite
(To:LuisCabello)
‎Nov 20, 2023 04:28 PM
‎Nov 20, 2023 04:28 PM

How does the user authenticate in your main App? If you don't use a supported IdP (or protocol which the supported ones use SAML2) which ThingWorx supports my ideas would be:

- Use AppKey in the embedded mashup. Appkey may be generic appkey used by all users, or the backend of your main app requests one in TWX for the currently logged in user (with small lifetime, would be more secure). Note: AppKey in URL is deprecated as stated in linked article (we still use it as there is no (cheap) alternative for us)

- Create custom authenticator which can make use of your existing login details of the main app https://support.ptc.com/help/thingworx/platform/r9/en/#page/ThingWorx/Help/Composer/Security/Authenticators/AuthenticatorSampleExtensionConfiguration.html 

 

FYI there is also this page for embedding TWX mashups in other pages https://support.ptc.com/help/thingworx/platform/r9/en/index.html#page/ThingWorx/Help/Composer/Security/AllowingEmbeddedMashupsiniFrames.html (wont help you with the login issue).

Notify Moderator
LuisCabello
12-Amethyst
12-Amethyst
(To:nmutter)
‎Nov 21, 2023 03:48 AM
‎Nov 21, 2023 03:48 AM

Hello @nmutter ,

 

Thank you for the answer. The main app use keycloak (https://www.keycloak.org/) and it supports SALM2. So, by a default installation of TWX

Can we use SALM2 to authenticate or we must to build a extension for that?

 

Maybe the alternative of the Appkey can be a option. 

 

Thank you in advance,

Luis.

 

0 Kudos
Notify Moderator
nmutter
14-Alexandrite
14-Alexandrite
(To:LuisCabello)
‎Nov 21, 2023 04:47 AM
‎Nov 21, 2023 04:47 AM

So I remember some community post (I did not find it for now) where it basically said: ThingWorx with direct AzureAD connection is supported (as you see in the docs). And this setup uses SAML2 protocol. So in theory if your other IdP also uses SAML2 you should be able to connect your IdP as well to ThingWorx. This will not be officially supported, has no support from PTC - but as the protocol is a standard it should basically work.

 

My thinking regarding this, if you use the same IdP for MainApp + TWX, if SSO works, you should also be getting logged in TWX if you are logged in in the main app (not sure how well this works with embedded mashups).

As stated, this might work but is not officially supported. Not sure how many resources you have to do a PoC of this setup and if you want to take the risk to use an not officially supported setup. If you want I figure you just follow the setup instructions with AzureAD but do the AzureAD parts in your own IdP.

 

0 Kudos
Notify Moderator
Top Tags