
SSO doesn't work with Pingfederate/Thingworx


Hi,

I have some problems with configuring SSO. I did all the steps in this document https://support.ptc.com/WCMS/files/172779/en/PTC_Single_Sign_on_Architecture_and_Configuration_Overv... . I am not sure about Scope; I did as in the guide, WINDCHIILL_READ. Is it right? At the moment I can log in to ThingWorx through SSO, but after I make changes in ptc-windchill-integration-connector and ptc-windchill-integration-connector-proxy I get this error:


Selection_057.png

In the Security log I found these errors:

2018-01-20 18:33:13.521+0300 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ Failed to utilize the SSO component for authentication ][ The requested scope(s) must be blank or a subset of the provided scopes. ]

2018-01-20 18:33:13.522+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] Could not handle request

2018-01-20 18:33:13.524+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] errorMessage: [Unauthorized], statusCode: [401]

2018-01-20 18:33:13.524+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ The requested scope(s) must be blank or a subset of the provided scopes. ]

My sso-settings.json:

{
  "BasicSettings": {
    "clientBaseUrl": "https://ecsc00a00f1d.epam.com:443/Thingworx",
    "idpMetadataFilePath": "/ThingworxPlatform/ssoSecurityConfig/sso-idp-metadata.xml",
    "metadataEntityId": "https://ecsc00a00f1d.epam.com/Thingworx",
    "metadataEntityBaseUrl": "https://ecsc00a00f1d.epam.com/Thingworx",
    "webSSOProfileConsumerResponseSkew": 300,
    "webSSOProfileConsumerReleaseDOM": true,
    "webSSOProfileResponseSkew": 300,
    "samlAssertionMaxAuthenticationAge": 7200,
    "samlAssertionUserNameAttributeName": "uid"
  },
  "AccessTokenPersistenceSettings": {
    "dbType": "postgres",
    "driverClassName": "org.postgresql.Driver",
    "url": "jdbc:postgresql://localhost:5432/thingworx",
    "username": "twadmin",
    "password": "pass",
    "encryptTokenInDatabase": "false"
  },
  "KeyManagerSettings": {
    "keyStoreFilePath": "/ThingworxPlatform/ssoSecurityConfig/keystore.jks",
    "keyStoreStorePass": "pass",
    "keyStoreKey": "tomcat8.5",
    "keyStoreKeyPass": "pass"
  },
  "AuthorizationServersSettings": {
    "PingFed1": {
      "clientId": "twx_oauth_conn",
      "clientSecret": "secret",
      "authorizeUri": "https://ecsc00a00f1e.epam.com:9031/as/authorization.oauth2",
      "tokenUri": "https://ecsc00a00f1e.epam.com:9031/as/token.oauth2",
      "clientAuthScheme": "form"
    }
  }
}



Re: SSO doesn't work with Pingfederate/Thingworx

Hi Iryna,

Seems like the SCOPE is not defined in the correct way. We need to mention the same SCOPE in PingFederate and in ThingWorx.

I'd suggest you create a case with Support Services. A case can be logged with TS here.

BR,

Harsh Selarka

Re: SSO doesn't work with Pingfederate/Thingworx

Any success on this? I am also facing the same issue.

Security log is saying:

2018-02-09 14:15:13.865+0000 [L: DEBUG] [O: o.s.s.w.c.SecurityContextPersistenceFilter] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] SecurityContextHolder now cleared, as request processing completed

2018-02-09 14:15:13.868+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Failed to utilize the SSO component for authentication ][ Error requesting access token. ][ 401 Unauthorized ]

2018-02-09 14:15:13.868+0000 [L: DEBUG] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] authentication status: [false]

2018-02-09 14:15:13.868+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] Could not handle request

2018-02-09 14:15:13.875+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] errorMessage: [Unauthorized], statusCode: [401]

2018-02-09 14:15:13.875+0000 [L: DEBUG] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] ssoException exists: [true], recoverable: [false]

2018-02-09 14:15:13.875+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Error requesting access token. ][ 401 Unauthorized ]
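
Added example (not part of any post in this thread, and not PTC or Ping Identity code): a small Python triage that parses the security-log layout quoted above and separates the two failures reported here, the scope mismatch and the rejected token request. The category names and the hints are assumptions of this example; the sample lines are copied from the posts.

```python
import re

# Line layout as it appears in the logs quoted in this thread:
# <date> <time> [L: LEVEL] [O: logger] [I: ] [U: ] [S: ] [T: thread] message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[L: (?P<level>\w+)\] \[O: (?P<origin>[^\]]+)\] "
    r"\[I: [^\]]*\] \[U: [^\]]*\] \[S: [^\]]*\] \[T: (?P<thread>[^\]]+)\] (?P<msg>.*)$")

# (category, text to look for in a bracketed reason, what to check). Hints are
# general OAuth guidance assumed by this example, not vendor documentation.
RULES = [
    ("scope_mismatch", "must be blank or a subset of the provided scopes",
     "compare requested scope names with the scopes defined in PingFederate"),
    ("token_request_rejected", "Error requesting access token",
     "check clientId, clientSecret and clientAuthScheme against the OAuth client"),
]

def triage(log_text):
    """Return one finding per (thread, category), keeping the first occurrence."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] != "ERROR":
            continue
        reasons = re.findall(r"\[ (.*?) \]", m["msg"])  # "[ reason ][ reason ]"
        for category, needle, hint in RULES:
            if any(needle in r for r in reasons):
                findings.setdefault((m["thread"], category), {
                    "first_seen": m["ts"], "category": category,
                    "origin": m["origin"], "detail": reasons[-1], "hint": hint})
    return list(findings.values())

# Lines copied from the two posts above (not new data).
SAMPLE = """\
2018-01-20 18:33:13.521+0300 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ Failed to utilize the SSO component for authentication ][ The requested scope(s) must be blank or a subset of the provided scopes. ]
2018-01-20 18:33:13.522+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] Could not handle request
2018-01-20 18:33:13.524+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ The requested scope(s) must be blank or a subset of the provided scopes. ]
2018-02-09 14:15:13.868+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Failed to utilize the SSO component for authentication ][ Error requesting access token. ][ 401 Unauthorized ]
2018-02-09 14:15:13.868+0000 [L: DEBUG] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] authentication status: [false]
2018-02-09 14:15:13.875+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Error requesting access token. ][ 401 Unauthorized ]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["first_seen"], f["category"], "-", f["detail"], "->", f["hint"])
```

Repeated reasons from the authenticator and the exception handler on the same thread collapse into one finding, so each failed login is reported once.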