Hi,
I configured TWX SSO using Okta as IdP.
All configurations I believe are correct; I can even log in to TWX with SSO, I can open Composer and view mashups. But even though I've given SSOAdmins and SSOUsers (my group mappings in SSO) runtime permission for Things, to view, run services, subscribe, etc.
When I log in through SSO I can't execute any service or do anything more. It's like the user gets in, but it does not get added to the UserGroups defined.
I've also given the UserGroups permissions on PlatformSubsystem, EntityServices.
Is there some kind of different way to grant permissions to SSO users?
I even tested creating a user and adding this user to my UserGroups, and at runtime everything runs fine, I can execute services and whatnot.
I believe the issue is happening when logging in: the logged-in SSO user is not getting added to the respective UserGroup mappings.
Thanks!
EDIT: The customer didn't set up the groups in AD properly, so that's why I wasn't getting added to the respective groups. He configured them correctly and then I was able to log in and the correct permissions were granted.
@Mukul thanks for the response. Okay, so as far as I know the AD group is mapped correctly to the ThingWorx user group in the SSO Authenticator.
The customer sent me the below group being the one mapped on the AD/Okta.
Can it be that my user is not in that referenced group in AD? But wouldn't that block me from logging in? Or would it log in but just not get added?
Also, I've given runtime permissions to SSOUsers as well. When signing in through SSO, shouldn't my user be put in that default user group automatically?
There is no different or special way to grant permissions to users who log in using SSO in ThingWorx. As you log in, the AD user will be created (if user creation is enabled) in ThingWorx and you can grant permissions to that user. I am not sure about your exact issue, but as you said, the issue is that your user is not getting mapped to the desired user group in ThingWorx. Did you correctly map your AD user group to the ThingWorx user group in the SSO authenticator? If yes, then I would also assume that your AD user group is also coming in the SAML response from the IdP. If either of the previous conditions is not met, your user will not be mapped into the mentioned user group. If that's the case and you have granted permissions to the user group, it will not work for those users (as there is no user mapped in that user group).
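The two conditions in the reply above (the group must be mapped in the authenticator, and the group must actually arrive in the SAML assertion) can be checked separately. The following is an added example, not ThingWorx or Okta code: it assumes Okta sends the user's AD groups in a SAML attribute named "groups" and uses a constructed assertion and a hypothetical mapping table to show which half of the chain is missing.

```python
# Added example (not ThingWorx code): simulate how an SSO authenticator turns
# the group attribute of a SAML assertion into application user groups.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical authenticator configuration: IdP/AD group -> ThingWorx user group.
GROUP_MAPPING = {
    "TWX-Admins": "SSOAdmins",
    "TWX-Users": "SSOUsers",
}

# Constructed assertion: the IdP includes the user's groups in a "groups" attribute.
ASSERTION_WITH_GROUPS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>TWX-Users</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion with no group attribute: login still succeeds because the
# subject is present, but nothing can be mapped, which matches the symptom in the question.
ASSERTION_WITHOUT_GROUPS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""


def groups_from_assertion(xml_text, attribute_name="groups"):
    """Return the group values the IdP sent, or [] if the attribute is absent."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def resolve_user_groups(xml_text, mapping=GROUP_MAPPING):
    """Apply the authenticator mapping; report what mapped, what did not, and whether nothing arrived."""
    idp_groups = groups_from_assertion(xml_text)
    mapped = sorted({mapping[g] for g in idp_groups if g in mapping})
    unmapped = sorted(g for g in idp_groups if g not in mapping)
    return {"mapped": mapped, "unmapped": unmapped, "no_group_attribute": not idp_groups}
```

An empty "mapped" list with "no_group_attribute" set points at the IdP side (the group is not in the assertion); a non-empty "unmapped" list points at the authenticator configuration.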
Hello CaShimiz, would you be able to share a copy of your sso-settings.json file? I'm working with a customer now and trying to help them get TWX Integrated with OKTA for SSO. The customer is on TWX version 8.4.x. Currently we are able to have a new user Provisioned upon logging in through OKTA but are not able to have the users directed into their defined Home Mashup. All users are currently sent to ...../Thingworx/Runtime/index.html
Thanks, Andy (amonk@ptc.com)
Hi Andy, I just sent my sso-settings.json to your email.
Have you set a home mashup on the ThingworxSSOAuthenticator entity? I found that if so, it automatically sets that one as the default for users that connect through SSO.