User Provisioning Exclusion List

TanmeyTWX
17-Peridot

User Provisioning Exclusion List

Hi Experts,

 

I have Azure AD integrated with ThingWorx using ThingworxSSOAuthenticator, and I have added Administrator and one ThingWorx-created local user to the exclusion list. But with the SSO Authenticator enabled, Administrator and the other user can't log in.

 

I am using Thingworx 9.3.

1 ACCEPTED SOLUTION
nmutter
14-Alexandrite
(To:TanmeyTWX)

To answer your previous questions

- Do I need to create 'Administrator' user in AD also? -> You can do that if you want to log in with user "Administrator". For this see the link I shared from PTC in my previous comment. But this is very complicated and not needed, as you can just make your own user <TanmeyTWX> (which has a valid login at Azure AD) an administrator by putting him in the "Administrators" group.

- Do I need to bypass Microsoft AD authentication in case of Composer or excluded users? How? -> Not possible, only SSO will work (or AppKey).

 

To clear up some things:

- If you activate SSO you cannot log in with a username+password defined for a ThingWorx user. You can ONLY log in via SSO. From SSO the username is taken and mapped to a ThingWorx user (with the same username).

- Any user who should have access to the Composer or Admin permissions needs to be in the correct UserGroups (e.g. "Administrators") which grant these permissions.

- Putting users in the "Excluded list" only says that ThingWorx will not change their user or the groups they belong to. The login is still done via SSO.

- If SSO is active, as a user you can only log in via SSO - no other way. So the user to log in with needs to be in the correct UserGroups to have the needed permissions in ThingWorx.

 

Maybe this makes it more clear? Maybe there is also another link missing...


7 REPLIES
nmutter
14-Alexandrite
(To:TanmeyTWX)

I'm not clear what your issue is. Can you elaborate?

 

Putting users in the list you specified will just say that if these users log in they will not be modified in any way. Being on that list will not prevent them from logging in. If login is not working there is a different issue. What error do these users get?

TanmeyTWX
17-Peridot
(To:nmutter)

Here are the details.

 

1. I have 2 users in use. One is thingworx default 'Administrator' user and other is Azure AD authenticated user 'JohnFernandez'.

2. I have added 'Administrator' in the SSO provisioning user exclusion list.

3. Enabled SSO and restarted Apache.

4. Trying to Form login (https://myApp.dpm.com/Thingworx/FormLogin/myApp.Org) with the 'JohnFernandez' user, it navigates to the Microsoft login, gets redirected to ThingWorx and is finally logged in.

5. Now trying to log in to Composer with the 'Administrator' user, but this also gets navigated to the Microsoft login for authentication instead of logging directly into Composer. Why?

Do I need to create 'Administrator' user in AD also?

Do I need to bypass Microsoft AD authentication in case of Composer or excluded users? How?

 

Note: the above form login URL is just for reference.

 

nmutter
14-Alexandrite
(To:TanmeyTWX)

I see. If you have SSO activated you can only log in via SSO. The Administrator user also has to do it with SSO. Besides SSO you can only use AppKeys to authenticate.

 

PTC also "recommends" creating the "Administrator" entity in your IdP: https://support.ptc.com/help/thingworx/platform/r9/en/index.html#page/ThingWorx/Help/Composer/Security/SSO/CreateThingWorxAdministratorAliasInIdP.html# but I never do that. I just put my own user in the "Administrators" group and put him on the User Exclusion List.

 

As an example: if John should be an Administrator you would need to put the "JohnFernandez" user in the "Administrators" group manually and put him in the "ExclusionList". So the user, when he logs in via SSO, will not be modified - and stays in the "Administrators" group. You can also have automatic group mappings - if configured - mapping Azure AD groups to ThingWorx groups.

 

Additional: with SSO activated, the FormLogin page has no real functionality anymore, as you will always authenticate with user+password at Azure AD - and also reset the password there. I always give the users the link to the target entry mashup instead (of the FormLogin).

 

Hope that helps. Let me know.

TanmeyTWX
17-Peridot
(To:nmutter)

Hi,

 

Thanks for the reply.

I am not using FormLogin as such. I mentioned it just for reference to explain the flow. The URL directly jumps to Microsoft authentication only.

Regarding the excluded user, I want 'Administrator' to log in to Composer even with SSO enabled. But whenever I try to hit the Composer login (//Thingworx/Composer) it always redirects to the Microsoft authentication login, which takes only an email username (Administrator@abc.com), which actually doesn't exist in AD.

nmutter
14-Alexandrite
(To:TanmeyTWX)

As mentioned, you cannot log in without SSO. You need to configure an existing account from your AD to be Administrator (/ to have Administrator permissions).

TanmeyTWX
17-Peridot
(To:nmutter)

I don't get it. Could you please let me know some high-level steps to do so? What changes/additions do I have to make in Azure AD and what needs to be done on the TWX side?

 
