Hi,
I have some problems configuring SSO. I did all the steps in this document: https://support.ptc.com/WCMS/files/172779/en/PTC_Single_Sign_on_Architecture_and_Configuration_Overview_Guide.pdf . I am not sure about Scope; I did as in the guide, WINDCHIILL_READ. Is it right? At the moment I can log in to ThingWorx through SSO, but after I make changes in ptc-windchill-integration-connector and ptc-windchill-integration-connector-proxy I get this error.
In the security log I found these errors:
2018-01-20 18:33:13.521+0300 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ Failed to utilize the SSO component for authentication ][ The requested scope(s) must be blank or a subset of the provided scopes. ]
2018-01-20 18:33:13.522+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] Could not handle request
2018-01-20 18:33:13.524+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] errorMessage: [Unauthorized], statusCode: [401]
2018-01-20 18:33:13.524+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ The requested scope(s) must be blank or a subset of the provided scopes. ]
My sso-settings.json:
{
    "BasicSettings": {
        "clientBaseUrl": "https://ecsc00a00f1d.epam.com:443/Thingworx",
        "idpMetadataFilePath": "/ThingworxPlatform/ssoSecurityConfig/sso-idp-metadata.xml",
        "metadataEntityId": "https://ecsc00a00f1d.epam.com/Thingworx",
        "metadataEntityBaseUrl": "https://ecsc00a00f1d.epam.com/Thingworx",
        "webSSOProfileConsumerResponseSkew": 300,
        "webSSOProfileConsumerReleaseDOM": true,
        "webSSOProfileResponseSkew": 300,
        "samlAssertionMaxAuthenticationAge": 7200,
        "samlAssertionUserNameAttributeName": "uid"
    },
    "AccessTokenPersistenceSettings": {
        "dbType": "postgres",
        "driverClassName": "org.postgresql.Driver",
        "url": "jdbc:postgresql://localhost:5432/thingworx",
        "username": "twadmin",
        "password": "pass",
        "encryptTokenInDatabase": "false"
    },
    "KeyManagerSettings": {
        "keyStoreFilePath": "/ThingworxPlatform/ssoSecurityConfig/keystore.jks",
        "keyStoreStorePass": "pass",
        "keyStoreKey": "tomcat8.5",
        "keyStoreKeyPass": "pass"
    },
    "AuthorizationServersSettings": {
        "PingFed1": {
            "clientId": "twx_oauth_conn",
            "clientSecret": "secret",
            "authorizeUri": "https://ecsc00a00f1e.epam.com:9031/as/authorization.oauth2",
            "tokenUri": "https://ecsc00a00f1e.epam.com:9031/as/token.oauth2",
            "clientAuthScheme": "form"
        }
    }
}
Hi Iryna,
It seems the SCOPE is not defined in the correct way. We need to use the same SCOPE in PingFederate and in ThingWorx.
I'd suggest you create a case with Support Services. A case can be logged with TS here.
BR,
Harsh Selarka
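To make the rule in that error message concrete, here is an added example (not from the thread, PTC or PingFederate) that applies it to a constructed token response: the scope ThingWorx asks for must be blank or a subset of what the authorization server reports back in the `scope` field of its token response (RFC 6749, section 3.3: scope values are space-separated and case-sensitive). The sample response, the scope strings and the hint wording are assumptions made for illustration; the near-match hint is only a typo heuristic, not something the ThingWorx authenticator does.

```python
import difflib
import json

# Constructed sample token response (not captured from PingFederate). An
# authorization server may report the scopes it actually granted here.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "example-opaque-token",
    "token_type": "Bearer",
    "expires_in": 7199,
    "scope": "WINDCHILL_READ openid",
})


def parse_scope(scope):
    """Split an RFC 6749 scope string into a set; blank means 'no scope'."""
    if not scope:
        return set()
    return {s for s in scope.split(" ") if s}


def granted_scopes(token_response_json):
    """Scopes the authorization server says it granted."""
    body = json.loads(token_response_json)
    return parse_scope(body.get("scope"))


def scope_check(requested, token_response_json):
    """Apply the authenticator's rule: requested must be blank or a subset of granted.

    Returns (ok, findings). findings is a list of human-readable hints, one per
    requested scope that the server did not grant.
    """
    granted = granted_scopes(token_response_json)
    missing = sorted(parse_scope(requested) - granted)
    findings = []
    for scope in missing:
        # Heuristic only: a granted scope that differs by a character or two is
        # usually a spelling or case slip on one side of the configuration.
        close = difflib.get_close_matches(scope, sorted(granted), n=1, cutoff=0.9)
        if close:
            findings.append(
                f"{scope!r} was not granted; did you mean {close[0]!r}? "
                "(scope values are case-sensitive)"
            )
        else:
            findings.append(
                f"{scope!r} was not granted by the authorization server; "
                "either grant it to the OAuth client in PingFederate or drop it "
                "from the scope configured in ThingWorx"
            )
    return (not missing, findings)


if __name__ == "__main__":
    for requested in ("", "WINDCHILL_READ", "WINDCHIILL_READ", "WINDCHILL_WRITE"):
        ok, findings = scope_check(requested, SAMPLE_TOKEN_RESPONSE)
        print(f"requested={requested!r}: {'OK' if ok else 'REJECTED'}")
        for f in findings:
            print("   ", f)
```

Run it as is to see the three outcomes: a blank or matching request passes, a one-letter slip gets a "did you mean" hint, and a scope the server simply does not grant gets the configuration hint.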
Any success on this? I am also facing the same issue.
The security log is saying:
2018-02-09 14:15:13.865+0000 [L: DEBUG] [O: o.s.s.w.c.SecurityContextPersistenceFilter] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] SecurityContextHolder now cleared, as request processing completed
2018-02-09 14:15:13.868+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Failed to utilize the SSO component for authentication ][ Error requesting access token. ][ 401 Unauthorized ]
2018-02-09 14:15:13.868+0000 [L: DEBUG] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] authentication status: [false]
2018-02-09 14:15:13.868+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] Could not handle request
2018-02-09 14:15:13.875+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] errorMessage: [Unauthorized], statusCode: [401]
2018-02-09 14:15:13.875+0000 [L: DEBUG] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] ssoException exists: [true], recoverable: [false]
2018-02-09 14:15:13.875+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Error requesting access token. ][ 401 Unauthorized ]
I'm also facing the same issues; kindly provide your comments.
2019-11-14 07:39:43.292-0500 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] [ Failed to utilize the SSO component for authentication ][ Key for alias keystore not found ]
2019-11-14 07:39:43.293-0500 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] Could not handle request
2019-11-14 07:39:43.293-0500 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] errorMessage: [Unauthorized], statusCode: [401]
2019-11-14 07:39:43.293-0500 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] [ Key for alias keystore not found ]
Please check if keyAlias is defined correctly in <ThingworxNavigate>/tomcat/apache-tomcat-8.x.xx/conf/server.xml.
Also, make sure the hostnames for PingFederate, Windchill and ThingWorx in all configuration files and shortcut URLs use the Fully Qualified Domain Name (FQDN).
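The three posts above each show a different failure behind the same generic 401 from AuthenticationFilter, and the real reason is only in the bracketed message of the ThingworxSSOAuthenticator line. Here is an added example (not from PTC or the thread's authors) that parses that log format, maps each message to the cause and the settings the replies above point at, and also walks an sso-settings.json for hostnames that are not FQDNs. The log lines are constructed to mimic the ones posted here, the settings fragment is a trimmed, constructed variant of the one posted (with a deliberate short hostname), and the rule texts are assumptions summarising the thread's advice.

```python
import json
import re
from urllib.parse import urlparse

# Constructed log lines modelled on the ThingWorx security log format used in this
# thread; not captured from a live system.
SAMPLE_LOG = """\
2018-01-20 18:33:13.521+0300 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ Failed to utilize the SSO component for authentication ][ The requested scope(s) must be blank or a subset of the provided scopes. ]
2018-02-09 14:15:13.868+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Failed to utilize the SSO component for authentication ][ Error requesting access token. ][ 401 Unauthorized ]
2019-11-14 07:39:43.292-0500 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] [ Failed to utilize the SSO component for authentication ][ Key for alias keystore not found ]
2019-11-14 07:39:43.293-0500 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] Could not handle request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[L: (?P<level>\w+)\] \[O: (?P<origin>[^\]]*)\] "
    r"\[I: [^\]]*\] \[U: (?P<user>[^\]]*)\] \[S: [^\]]*\] \[T: (?P<thread>[^\]]*)\] "
    r"(?P<msg>.*)$"
)

# (substring of the bracketed message, short cause, what to compare) - the
# "check" texts summarise the replies in this thread and are assumptions.
RULES = [
    ("must be blank or a subset of the provided scopes", "scope mismatch",
     "the scope configured for the OAuth client in ThingWorx versus the scopes "
     "PingFederate grants to that client (same spelling and case on both sides)"),
    ("Error requesting access token", "token endpoint rejected the client",
     "clientId, clientSecret and clientAuthScheme in AuthorizationServersSettings "
     "versus the OAuth client in PingFederate; tokenUri should use the FQDN"),
    ("Key for alias", "keystore alias not found",
     "the alias named in KeyManagerSettings (keyStoreKey) versus the aliases actually "
     "in keystore.jks, and keyAlias in Tomcat's server.xml"),
]


def parse_line(line):
    """Split one security-log line into fields; the message may be a chain of [ ... ] parts."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = re.findall(r"\[ (.*?) \]", fields["msg"])
    fields["parts"] = parts if parts else [fields["msg"]]
    return fields


def classify(parsed):
    """Map a parsed ERROR line to a cause, or None when it is only the generic 401 noise."""
    for needle, cause, check in RULES:
        if any(needle in part for part in parsed["parts"]):
            return {"time": parsed["ts"], "thread": parsed["thread"], "cause": cause, "check": check}
    return None


def triage(log_text):
    """Return one finding per ERROR line that names a root cause, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed["level"] != "ERROR":
            continue
        finding = classify(parsed)
        if finding:
            findings.append(finding)
    return findings


# Constructed, trimmed variant of the sso-settings.json posted above; the short
# "thingworx" host is deliberate so the FQDN check has something to flag.
SAMPLE_SETTINGS = {
    "BasicSettings": {
        "clientBaseUrl": "https://thingworx:443/Thingworx",
        "metadataEntityId": "https://thingworx.example.com/Thingworx",
    },
    "AuthorizationServersSettings": {
        "PingFed1": {"tokenUri": "https://pingfed.example.com:9031/as/token.oauth2"},
    },
}

URL_KEYS = {"clientBaseUrl", "metadataEntityId", "metadataEntityBaseUrl", "authorizeUri", "tokenUri"}


def non_fqdn_hosts(settings, path=""):
    """Walk the settings tree and report URL fields whose host is not a FQDN."""
    bad = []
    for key, value in settings.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            bad.extend(non_fqdn_hosts(value, here))
        elif key in URL_KEYS and isinstance(value, str):
            host = urlparse(value).hostname or ""
            if "." not in host or host == "localhost" or host.replace(".", "").isdigit():
                bad.append((here, host))
    return bad


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
    print("non-FQDN hosts:", non_fqdn_hosts(SAMPLE_SETTINGS))
```

Point `triage` at the real security log (read the file into `log_text`) and it prints one finding per root-cause line while ignoring the AuthenticationFilter and AuthenticatorExceptionHandler repeats; `non_fqdn_hosts` takes the parsed sso-settings.json and flags short hostnames, `localhost` and bare IPs in the URL fields the FQDN advice covers.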
Hi @idastanka.
If one of the responses allowed you to resolve your issue, please mark the appropriate one as the Accepted Solution for the benefit of others with the same problem. If you are still having issues, please provide additional information.
Regards.
--Sharon