cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Want the oppurtunity to discuss enhancements to PTC products? Join a working group! X

Using appKey with SSO (further assistance needed)

SL_10617171
4-Participant

Using appKey with SSO (further assistance needed)

Hi!

We currently have our TW server configured for SSO via pingFederate.  That part works great.  I now want to use some android tablets to access TW mashups on the LAN which bypass SSO.

 

I have done the following:

1. created an appKey and can set an expiry and userID to it.

2. Checked the boxes in the platform system settings to "Allow Request Method Switch" and "Allow Application Key As URL Parameter"

3. Added ApplicationKeySettings: enabled=true to the sso-settings.json file

4. Opened an URL on the android tablets in this format: "https://<ThingWorxServer>:<ThingWorxPort>/Thingworx/Mashups/<MashupName>?appKey=<AppKey>&x-thingworx-session=true"

 

I am still getting directed to the SSO SAML sign-in page.

 

I can't seem to find any other documentation on how to use the appKey approach and SSO at the same time.  Does anyone have any other insights?

 

We are on version 9.3.8

 

Thanks!

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
VVM_4
4-Participant
(To:SL_10617171)

Hi @SL_10617171 ,

 

Most of the Thingworx Authenticators are system objects. When you browse for authenticators, make sure to click on the filter icon and select "Show System Objects" checkbox.

Screenshot 2023-05-25 093058.png

 

You will find the "ThingworxApplicationKeyAuthenticator" or "ThingworxAppKeyAuthenticator".

Check if the "Enabled" checkbox is selected. If not, then you will have to enable it.

Since this is a system object, this will not be editable and you cannot change the priority or any property.

What you will have to do is, click on it and navigate to services tab. Once there, search "enable" in the services search box. You should find "EnableAuthenticator".

Screenshot 2023-05-25 093729.png

Execute the service and voila, the "ThingworxApplicationKeyAuthenticator" should be enabled now.

 

You will also need to go to the "ThingworxSSOAuthenticator", edit it and change the priority to 250. Since, this is not a system object, editing it and changing priority or enable/disable is straight forward.

 

View solution in original post

8 REPLIES 8
VVM_4
4-Participant
(To:SL_10617171)

Hi @SL_10617171 ,

 

If all the settings are in place as mentioned in the sso configuration guide and help settings then it may be a case where the App Key Authenticator is disabled.

You can reference the TwxSSOAuthenticator help page. Pasting an extract snapshot here:

Screenshot 2023-05-24 181417.png

 

Enable the "ThingworxApplicationKeyAuthenticator". And also try to keep the priority on this as a smaller integer as compared to the SSO Authenticator.

Example:

Priority for ThingworxApplicationKeyAuthenticator - 200

Priority for ThingworxSSOAuthenticator - 250

 

The lower the number, the higher the priority.

 

Hope this helps.

SL_10617171
4-Participant
(To:VVM_4)

Hi @VVM_4 ,

I appreciate the insight, and I totally understand the concept of setting metric priority of these two authentication methods.  That's great information!

 

I am very new to an existing small TW team, so there is a lot that I am trying to figure out. SSO was already setup on TW at my location, so I have no experience in configuring the different authenticators TW provides out of the box. 

 

Anyway, after I read your explanation, and links to the documents, I am still a little unclear of what auth methods should be included out of the box.  If you look at the screenshot below, here are the authenticators that are installed (notice the missing ThingworxApplicationKeyAuthenticator?  Is this something that I need to create from scratch somehow, or if TW supports ThingworxApplicationKeyAuthenticator stock, do I just need to add it in somewhere?  I tried looking some more stuff up, but I was only able to find how to create/compile custom authentication methods.

 

Appreciate any further help you can provide!

 

SL_10617171_0-1685019366542.png

 

@SL_10617171  

 

Adding to @VVM_4  point 

 

Open 'ThingworxSSOAuthenticator' and set priority to 250

 

Velkumar_3-1685021914097.png

 

You can click on 'Show System Objects' to see the default authenticators

Velkumar_4-1685022007162.png

 

By default 'ThingworxApplicationKeyAuthenticator' priority is set to 200, so ThingworxSSOAuthenticator should be higher than AppKey authenticator.

 

/VR

 

 

 

 

 

 

 

 

VVM_4
4-Participant
(To:SL_10617171)

Hi @SL_10617171 ,

 

Most of the Thingworx Authenticators are system objects. When you browse for authenticators, make sure to click on the filter icon and select "Show System Objects" checkbox.

Screenshot 2023-05-25 093058.png

 

You will find the "ThingworxApplicationKeyAuthenticator" or "ThingworxAppKeyAuthenticator".

Check if the "Enabled" checkbox is selected. If not, then you will have to enable it.

Since this is a system object, this will not be editable and you cannot change the priority or any property.

What you will have to do is, click on it and navigate to services tab. Once there, search "enable" in the services search box. You should find "EnableAuthenticator".

Screenshot 2023-05-25 093729.png

Execute the service and voila, the "ThingworxApplicationKeyAuthenticator" should be enabled now.

 

You will also need to go to the "ThingworxSSOAuthenticator", edit it and change the priority to 250. Since, this is not a system object, editing it and changing priority or enable/disable is straight forward.

 

SL_10617171
4-Participant
(To:VVM_4)

@Velkumar @VVM_4 

Thanks all for the assistance, it now works as I need it to!  I had figured out (once it would not let me click the enabled box) that I needed to run that service.

 

I appreciate you both pointing me to the right direction on this one!

Hi @SL_10617171 

 

You should be able to access Mashup using AppKey with SSO enabled. 

 

Check whether Allow Application Key as URL Parameter is enabled in Platform Subsytem

 

Velkumar_0-1685020009080.png

 

 

Please refer to this article for more information - Article - CS227935 - Accessing Mashups using Application Key (appKey) Authentication in ThingWorx (ptc.com)

 

/VR

 

SL_10617171
4-Participant
(To:Velkumar)

hi @Velkumar ,

Yep, it sure is:

SL_10617171_0-1685020553400.png

 

@SL_10617171 

 

Platform Subsystem configuration looks good.

 

Try to use 2nd URL format and also check appKey expiry date.

 

Velkumar_0-1685021073537.png

 

I have a Thingworx instance with SSO enabled, I'm also to access Mashup using 1st URL format. (Thingworx Version : 9.3.1 )

 

/VR

 

 

Top Tags