cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Did you get called away in the middle of writing a post? Don't worry you can find your unfinished post later in the Drafts section of your profile page. X

User Provisioning Exclusion List

Go to solution
TanmeyTWX
17-Peridot
17-Peridot
‎Nov 30, 2022 08:20 AM
‎Nov 30, 2022 08:20 AM

User Provisioning Exclusion List

Hi Experts,

 

I have Azure AD integrated with Thingworx using ThingworxSSOAuthenticator and I have added Administrator and one thingworx created local user in the exclusion list. But having SSO Authenticator enabled, Administrator/Other user doesn't login.

 

I am using Thingworx 9.3.

Labels:
0 Kudos
Notify Moderator
1 ACCEPTED SOLUTION

Accepted Solutions
nmutter
14-Alexandrite
14-Alexandrite
(To:TanmeyTWX)
‎Dec 02, 2022 12:20 PM
‎Dec 02, 2022 12:20 PM

To answer your previous questions

- Do I need to create 'Administrator' user in AD also? -> you can do that if you want to login with user "Administrator". For this see the link I shared from PTC in my previous comment. But this is very complicated and not needed. As you can just make your own user <TanmeyTWX> (which has a valid login at AzureAD) a administrator by putting him in the "Administratros" group.

- Do I need to bypass microsoft AD authentication in case of Composer or Excluded users? How? -> Not possible, only SSO will work (or AppKey)

 

To clear up some things:

- If you activate SSO you cannot login with a username+password defined of a Thingworx user. You can ONLY login via SSO. From SSO the username is taken and mapped to a thingworx user (with the same username).

- Any user who should have access to the Composer or Admin permissions needs to be in the correct UserGroups (e.g. "Administrators") which grant these permissions.

- Putting users in the "Excluded list" only says that thingworx will not change their user or the groups he belongs to. Still the login is done via SSO.

- If SSO is active as a user you can only login via SSO - no other way. So the user to login with needs to be in the correct UserGroups to have the needed permissions in ThingWorx.

 

Maybe this makes it more clear? Maybe there is also another link missing...

View solution in original post

0 Kudos
Notify Moderator
7 REPLIES 7
nmutter
14-Alexandrite
14-Alexandrite
(To:TanmeyTWX)
‎Dec 01, 2022 12:46 PM
‎Dec 01, 2022 12:46 PM

I'm not clear what your issue is. Can you elaborate?

 

Putting users in the list u specified will just say, if these users login they will not be modified in any way. Being on that list will not prevent them from login.  If login is not working there is a different issue. What error do these users get?

0 Kudos
Notify Moderator
TanmeyTWX
17-Peridot
17-Peridot
(To:nmutter)
‎Dec 02, 2022 01:08 AM
‎Dec 02, 2022 01:08 AM

Here are the details.

 

1. I have 2 users in use. One is thingworx default 'Administrator' user and other is Azure AD authenticated user 'JohnFernandez'.

2. I have added 'Administrator' in the SSO provisioning user exclusion list.

3. Enabled SSO and restarted Apache.

4. Trying to Form login (https://myApp.dpm.com/Thingworx/FormLogin/myApp.Org) with 'JohnFernandez' user, it navigates to microsoft login and getting redirected to thingworx and finally logged-in.

5. Now trying to Composer login with 'Administrator' user but this also getting navigated to microsoft login for authentication instead of direct login into the composer. Why?

Do I need to create 'Administrator' user in AD also?

Do I need to bypass microsoft AD authentication in case of Composer or Excluded users? How?

 

Note: above form login url is just for reference.

 

0 Kudos
Notify Moderator
nmutter
14-Alexandrite
14-Alexandrite
(To:TanmeyTWX)
‎Dec 02, 2022 04:07 AM
‎Dec 02, 2022 04:07 AM

I see. If you have SSO activated you can only login via SSO. Also the Administrator user has to do it with SSO. Besides SSO you can only use AppKeys to authenticate.

 

PTC also "recommends" to create the "Administrator" entity in your IdP: https://support.ptc.com/help/thingworx/platform/r9/en/index.html#page/ThingWorx/Help/Composer/Security/SSO/CreateThingWorxAdministratorAliasInIdP.html# but I never do that. I just put my own user in the "Administrators" group and put him on User Exclusion List.

 

As an example: If John should be a Administrator you would need to put "JohnFernandez" user in the "Administrators" group manually and put him in the "ExclusionList". So the user, when he logs in via SSO will not be modified - and stay in the "Administrators" group. You can also have automatic group mappings - if configured - mapping AzureAD groups to Thingworx groups.

 

Additional: Having SSO activated, the FormLogin page has no real functionality anymore as you will always authenticate with user+password at AzureAD - and also reset the password there. I always give the users the link to the target entry-mashup instead (of the FormLogin).

 

Hope that helps. Let me know

0 Kudos
Notify Moderator
TanmeyTWX
17-Peridot
17-Peridot
(To:nmutter)
‎Dec 02, 2022 05:51 AM
‎Dec 02, 2022 05:51 AM

Hi,

 

Thanks for the reply.

I am not using FormLogin as such. I mentioned it just for reference to explain the flow. URL directly jumps to Microsoft authentication only.

Regarding excluded user, I want 'Administrator' to login Composer even SSO enabled. But whenever I try to hit Composer login (//Thingworx/Composer) it redirects to microsoft authentication login always and which takes only email username(Administrator@abc.com), which actually doesn't exist in AD. 

0 Kudos
Notify Moderator
nmutter
14-Alexandrite
14-Alexandrite
(To:TanmeyTWX)
‎Dec 02, 2022 06:21 AM
‎Dec 02, 2022 06:21 AM

As mentioned you cannot login without SSO. You need to configure an existing account from your AD to be Administrator (/ to have Administrator permissions).

0 Kudos
Notify Moderator
TanmeyTWX
17-Peridot
17-Peridot
(To:nmutter)
‎Dec 02, 2022 08:23 AM
‎Dec 02, 2022 08:23 AM

I don't get it. Could you please let me know some high level steps to do so. What changes/additions I have to do in Azure AD and what to be done in TWX side?

 

0 Kudos
Notify Moderator
nmutter
14-Alexandrite
14-Alexandrite
(To:TanmeyTWX)
‎Dec 02, 2022 12:20 PM
‎Dec 02, 2022 12:20 PM

To answer your previous questions

- Do I need to create 'Administrator' user in AD also? -> you can do that if you want to login with user "Administrator". For this see the link I shared from PTC in my previous comment. But this is very complicated and not needed. As you can just make your own user <TanmeyTWX> (which has a valid login at AzureAD) a administrator by putting him in the "Administratros" group.

- Do I need to bypass microsoft AD authentication in case of Composer or Excluded users? How? -> Not possible, only SSO will work (or AppKey)

 

To clear up some things:

- If you activate SSO you cannot login with a username+password defined of a Thingworx user. You can ONLY login via SSO. From SSO the username is taken and mapped to a thingworx user (with the same username).

- Any user who should have access to the Composer or Admin permissions needs to be in the correct UserGroups (e.g. "Administrators") which grant these permissions.

- Putting users in the "Excluded list" only says that thingworx will not change their user or the groups he belongs to. Still the login is done via SSO.

- If SSO is active as a user you can only login via SSO - no other way. So the user to login with needs to be in the correct UserGroups to have the needed permissions in ThingWorx.

 

Maybe this makes it more clear? Maybe there is also another link missing...

0 Kudos
Notify Moderator
Top Tags