April 11, 2024
Solved

Mapping for AD Users based on Group ID over Group Name


Good day everyone,


Today we changed the name of a group in our Active Directory and as a consequence we locked all users relying on that group out of the system for a while until we figured out where the problem is coming from - apparently, the connection between AD & Thingworx is based on the AD Group's name rather than its unique SID. For organisations where names can change frequently, this is quite the issue - is there any way around this currently?


Kind regards,

Martin

Best answer by TonyZhang

Hi @Frowne

I think it is possible to map ThingWorx Group to AD Group by specifying attributes other than the common name.

Simply change the Group Attribute Name in AD configuration in ThingWorx.

For example:

I want to use the E-mail attribute as the identifier for the AD security group and never change this value.

Then, in the ThingWorx AD configuration, set the Group Attribute Name to mail.

In GroupMappings, specify the mail value of the Security Group instead of the common name.


Thanks,
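To make the failure mode in the question and the fix in the accepted answer concrete, here is an added Python simulation. It is not ThingWorx code and not something posted in this thread: the directory entries, user DN, SID, mail addresses and the `resolve_groups` model of how a configured Group Attribute Name plus GroupMappings would be evaluated are all constructed assumptions. It resolves one user's ThingWorx groups before and after the group's common name is changed, keyed once by `cn`, once by `mail` and once by `objectSid`.

```python
"""
Simulation of AD-group to ThingWorx-group resolution keyed by different AD
attributes. All directory data below is constructed sample data, and the
resolver is a hypothetical model of the configured
"Group Attribute Name" + "GroupMappings" behaviour, not ThingWorx's code.
"""
from dataclasses import dataclass


@dataclass
class AdGroup:
    """One AD security group with the attributes relevant to the mapping."""
    dn: str
    cn: str
    mail: str
    object_sid: str
    members: frozenset  # DNs of member users


# Attribute name an admin would configure -> field on AdGroup (assumed names).
GROUP_ATTRIBUTE_FIELDS = {"cn": "cn", "mail": "mail", "objectSid": "object_sid"}

USER_DN = "CN=mwagner,OU=Users,DC=example,DC=local"  # constructed user


def sample_directory():
    """Constructed AD snapshot: one group the user is in, one they are not."""
    return [
        AdGroup(
            dn="CN=TWX-Operators,OU=Groups,DC=example,DC=local",
            cn="TWX-Operators",
            mail="twx-operators@example.local",
            object_sid="S-1-5-21-1111-2222-3333-1105",  # constructed SID
            members=frozenset({USER_DN}),
        ),
        AdGroup(
            dn="CN=TWX-Admins,OU=Groups,DC=example,DC=local",
            cn="TWX-Admins",
            mail="twx-admins@example.local",
            object_sid="S-1-5-21-1111-2222-3333-1106",  # constructed SID
            members=frozenset(),
        ),
    ]


def resolve_groups(directory, user_dn, group_attribute_name, group_mappings):
    """Return the set of ThingWorx group names the user resolves to.

    group_attribute_name: AD attribute the mapping is keyed on
                          ("cn", "mail" or "objectSid").
    group_mappings:       {<value of that attribute>: <ThingWorx group name>}
    """
    field = GROUP_ATTRIBUTE_FIELDS[group_attribute_name]
    resolved = set()
    for group in directory:
        if user_dn not in group.members:
            continue
        key = getattr(group, field)
        if key in group_mappings:
            resolved.add(group_mappings[key])
    return resolved


def rename_group(directory, old_cn, new_cn):
    """Simulate renaming a group: cn and dn change, mail and objectSid do not."""
    for group in directory:
        if group.cn == old_cn:
            group.cn = new_cn
            group.dn = group.dn.replace(f"CN={old_cn},", f"CN={new_cn},", 1)


def rename_impact(group_attribute_name, group_mappings):
    """Resolve the user's groups before and after the rename from the thread."""
    directory = sample_directory()
    before = resolve_groups(directory, USER_DN, group_attribute_name, group_mappings)
    rename_group(directory, "TWX-Operators", "TWX-Ops")
    after = resolve_groups(directory, USER_DN, group_attribute_name, group_mappings)
    return {"before": before, "after": after, "locked_out": bool(before) and not after}


if __name__ == "__main__":
    for attr, mapping in [
        ("cn", {"TWX-Operators": "Operators"}),
        ("mail", {"twx-operators@example.local": "Operators"}),
        ("objectSid", {"S-1-5-21-1111-2222-3333-1105": "Operators"}),
    ]:
        print(attr, rename_impact(attr, mapping))
```

Keying on `cn` reproduces the lockout: the user still belongs to the group, but no mapping entry matches the new name, so the resolved set is empty. Keying on `mail` survives the rename only for as long as the group actually has a mail value and nobody edits it, since `mail` is optional on AD groups and just as editable as the name. `objectSid` is the attribute AD itself treats as the stable identity of the group (it changes only if the object is moved to another domain); whether ThingWorx accepts it as a Group Attribute Name is not established by this thread, so treat that third case as an assumption to verify against your own installation.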

1 reply

16-Pearl
April 11, 2024

You need to configure your AD to send the "group-id" as a claim instead of the "display name". Then in TWX you need to change the mapping to use the ids for TWX groups (in the ThingworxSSOAuthenticator).

What kind of AD are you using? AAD?

Frowne (Author)
April 12, 2024

We're only syncing to Azure; we're using an in-house one with a Windows Domain Controller. Generally, I do believe it's set up properly from our side specifically; I'm just wondering about how to properly implement it on ThingWorx's side of things.


I'm assuming you are talking about the ThingworxSSOAuthenticator's "Identity Provider Group Name"?

16-Pearl
April 12, 2024

Yes, I was referring to this section. But I assumed that you are already using this section to map your "AD group name" to TWX groups. From what I understand you don't do that? So most likely I have misinterpreted your setup (I thought some Single Sign-on setup was in place).