Hello community,
we are trying to do SSO in ThingWorx without using external resources, just with the ThingWorx core. So the users must access an external app login, and when they log in they must also be logged in to ThingWorx and be shown the specific TWX mashup.
One of the ways we tried is the ThingworxSSOAuthenticator, but we are not able to enable this authenticator.
1. What changes must we make on the machine where ThingWorx is installed to be able to enable it, or just to do SSO? For example, modify platform-settings.json or any other file...
2. What must we consider creating in ThingWorx, or doing, to use this SSO authenticator by default?
3. Is ThingworxSSOAuthenticator just for PingFederate? If the answer is yes, the alternative is to create an extension, and then I need an answer to question 1, please.
Thank you in advance,
Luis.
Hey,
check out the docs here: https://www.ptc.com/en/support/Thingworx-IAM/Thingworx-IAM-main/GettingStartedSSO/SSOStandardUseCases to see which TWX version you are using and then which IdP you need. If, e.g., TWX 9.2+ with AzureAD, you can directly connect it to TWX and follow the linked instructions (https://support.ptc.com/help/identity_and_access_management/en/#page/iam/AzureADasCASandIdP.html).
Hope these links help you!
Hello @nmutter ,
thank you for your reply. The use case that we want to cover is the following:
We have a main app, and one module of the app is going to be managed by one ThingWorx mashup. So we don't want to use an IdP such as Azure;
the idea is that when the user logs in to the main app, they must also be logged in to TWX to access the specific mashup (module).
Any idea about how to do this?
Thank you in advance,
Luis.
How does the user authenticate in your main app? If you don't use a supported IdP (or a protocol which the supported ones use, i.e. SAML2) that ThingWorx supports, my ideas would be:
- Use an AppKey in the embedded mashup. The AppKey may be a generic AppKey used by all users, or the backend of your main app requests one in TWX for the currently logged-in user (with a short lifetime, which would be more secure). Note: AppKey in the URL is deprecated, as stated in the linked article (we still use it as there is no (cheap) alternative for us).
- Create a custom authenticator which can make use of your existing login details of the main app: https://support.ptc.com/help/thingworx/platform/r9/en/#page/ThingWorx/Help/Composer/Security/Authenticators/AuthenticatorSampleExtensionConfiguration.html
FYI, there is also this page for embedding TWX mashups in other pages: https://support.ptc.com/help/thingworx/platform/r9/en/index.html#page/ThingWorx/Help/Composer/Security/AllowingEmbeddedMashupsiniFrames.html (won't help you with the login issue).
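The custom-authenticator option above, worked through as an added example (this is not code from the thread, from PTC, or from the linked sample; it was written for this page). The main app's backend mints a short-lived, single-use HMAC-signed handoff token for the user who just logged in, and a ThingWorx extension validates it and maps the request to an existing ThingWorx user. The extension class and the three overridden methods follow the names used in the linked "Authenticator Sample Extension" page (`CustomAuthenticator`, `matchesAuthRequest`, `authenticate`, `issueAuthenticationChallenge`, `setCredentials`), but they are assumptions to be checked against the Extension SDK version you build with; the header name `X-MainApp-Token`, the token layout, the 60-second lifetime and the placeholder secret are this example's own choices.

```java
// Added example, not PTC's or the thread's code. ThingWorx SDK class/method names are assumed
// from the sample-extension docs; verify them against your Extension SDK before building.
package com.example.twx.auth;

import com.thingworx.security.authentication.AuthenticatorException;
import com.thingworx.security.authentication.CustomAuthenticator;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MainAppHandoffAuthenticator extends CustomAuthenticator {

    private static final String TOKEN_HEADER = "X-MainApp-Token"; // assumed header name, chosen for this example
    private static final long MAX_AGE_SECONDS = 60;                // handoff tokens are one-shot, so keep them short
    // Placeholder secret for the example only: in a deployment load it from a secret store, never hard-code it.
    private static final byte[] SHARED_SECRET =
            "replace-with-32-random-bytes-from-a-secret-store".getBytes(StandardCharsets.UTF_8);
    // Nonces already consumed, so a captured token cannot be replayed within its lifetime.
    private static final Map<String, Long> SEEN_NONCES = new ConcurrentHashMap<>();

    // Token layout (main app -> ThingWorx):
    //   base64url(username|expiryEpochSeconds|nonce) "." base64url(HMAC-SHA256(payload))
    @Override
    public boolean matchesAuthRequest(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticatorException {
        return request.getHeader(TOKEN_HEADER) != null;
    }

    @Override
    public void authenticate(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticatorException {
        String username = verifyAndExtractUser(request.getHeader(TOKEN_HEADER), System.currentTimeMillis() / 1000);
        if (username == null) {
            throw new AuthenticatorException("Invalid, expired or replayed main-app handoff token");
        }
        // The ThingWorx user must already exist; this only says which user the request runs as.
        setCredentials(username);
    }

    @Override
    public void issueAuthenticationChallenge(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticatorException {
        // No interactive challenge: the main app is responsible for logging the user in first.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Returns the username if the token is authentic, unexpired and unused; otherwise null. */
    static String verifyAndExtractUser(String token, long nowSeconds) {
        if (token == null) return null;
        int dot = token.lastIndexOf('.');
        if (dot <= 0) return null;
        Base64.Decoder dec = Base64.getUrlDecoder();
        byte[] payload, mac;
        try {
            payload = dec.decode(token.substring(0, dot));
            mac = dec.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // not base64url
        }
        // Check the MAC before parsing anything, with a constant-time comparison.
        if (!MessageDigest.isEqual(hmac(payload), mac)) return null;
        String[] parts = new String(payload, StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 3 || parts[0].isEmpty() || parts[2].isEmpty()) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        // Reject expired tokens and tokens minted with a longer lifetime than policy allows.
        if (expiry < nowSeconds || expiry - nowSeconds > MAX_AGE_SECONDS) return null;
        SEEN_NONCES.entrySet().removeIf(e -> e.getValue() < nowSeconds); // drop nonces that can no longer replay
        if (SEEN_NONCES.putIfAbsent(parts[2], expiry) != null) return null; // replay
        return parts[0];
    }

    /** Minting side; lives in the main app's backend and is shown here only so the format is unambiguous. */
    static String mint(String username, long expiryEpochSeconds, String nonce) {
        byte[] payload = (username + "|" + expiryEpochSeconds + "|" + nonce).getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(hmac(payload));
    }

    private static byte[] hmac(byte[] data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(SHARED_SECRET, "HmacSHA256"));
            return m.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Two practical caveats. A mashup loaded in an iframe cannot add a request header, so in this design the main app's frontend first makes a request to ThingWorx carrying the header (for example a fetch with credentials) and only then loads the iframe; whether the iframe then rides on the resulting ThingWorx session depends on your session and cookie settings, so test that explicitly. Putting the token in the URL instead would reintroduce exactly the leakage problem that made the AppKey-in-URL approach deprecated. Also, the minting backend must use a nonce with enough entropy (e.g. 16 random bytes) and usernames must not contain `|`, or the payload parsing above becomes ambiguous.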
Hello @nmutter ,
Thank you for the answer. The main app uses Keycloak (https://www.keycloak.org/) and it supports SAML2. So, with a default installation of TWX,
can we use SAML2 to authenticate, or must we build an extension for that?
Maybe the AppKey alternative can be an option.
Thank you in advance,
Luis.
So I remember some community post (I did not find it for now) where it basically said: ThingWorx with a direct AzureAD connection is supported (as you see in the docs). And this setup uses the SAML2 protocol. So in theory, if your other IdP also uses SAML2, you should be able to connect your IdP to ThingWorx as well. This will not be officially supported and has no support from PTC, but as the protocol is a standard it should basically work.
My thinking regarding this: if you use the same IdP for the main app + TWX, and if SSO works, you should also get logged in to TWX if you are logged in to the main app (not sure how well this works with embedded mashups).
As stated, this might work but is not officially supported. Not sure how many resources you have to do a PoC of this setup and if you want to take the risk of using a not officially supported setup. If you want, I figure you just follow the setup instructions for AzureAD but do the AzureAD parts in your own IdP.