10-Marble
November 26, 2024
Solved

Thingworx 9.6.1 SSO issue


Hi, we use Thingworx 9.5.1 with SSO login and that works well; all parameters for the reverse proxy we implemented as in the CS: CS327279 - "Incoming SAML message is invalid" "Endpoint with message binding <Binding> and URL <URL> wasn't found in local metadata" is logged in the SecurityLog when authenticating to ThingWorx Platform with Single Sign-On (SSO) enabled


Now we upgraded our DTA to 9.6.1. With LDAP all works fine, but when we test with SSO the application returns the HOME URL as HTTP://Thingworx/Runtime/index.html?mashup=MSU.Mainmashup=MSU.Main and lands in a loop going to an https URL, whereas 9.5.1 returns the URL relative, like this: //Thingworx/Runtime/index.html?mashup=MSU.Main. Does anyone have an idea?

Best answer by TonyZhang

The support case is closed with the resolution article being https://www.ptc.com/en/support/article/CS434659

Seems to be a configuration issue when TWX is behind a reverse proxy (Nginx in this case).

@EM_10066743 You are welcome to add more details on the root cause and resolution if you would like. Thanks.


16-Pearl
November 28, 2024

Hi @EM_10066743,


Could you please elaborate on the issue you are facing? It'd be ideal if you could provide some screenshots to demonstrate the issue replication steps.

Also, could you please provide your sso-settings.json and idp metadata?

10-Marble
November 28, 2024

root@f24dce9dd7f4:/ThingworxPlatform/ssoSecurityConfig# cat sso-settings.json
{
  "BasicSettings": {
    "clientBaseUrl": "https://xxx.xxx.nl/Thingworx",
    "idpMetadataFilePath": "/ThingworxPlatform/ssoSecurityConfig/sso-idp-metadata.xml",
    "metadataEntityId": "xxx-Thingworx-xxx",
    "metadataEntityBaseUrl": "https://xxx.xxx.nl/Thingworx",
    "webSSOProfileConsumerResponseSkew": "300",
    "webSSOProfileConsumerReleaseDOM": "true",
    "webSSOProfileResponseSkew": "300",
    "retriggerOnScopesRemoval": "true",
    "samlAssertionUserNameAttributeName": "uid",
    "samlAssertionMaxAuthenticationAge": "77760000"
  },
  "ApplicationKeySettings": {
    "enabled": true
  },
  "SAMLContextProviderSettings": {
    "scheme": "HTTPS",
    "serverName": "xxx.xxx.nl",
    "serverPort": "443",
    "includeServerPortInRequestURL": "false",
    "contextPath": "/Thingworx"
  },
  "AccessTokenPersistenceSettings": {
    "dbType": "postgres",
    "driverClassName": "org.postgresql.Driver",
    "url": "jdbc:postgresql://postgresql:5432/thingworx",
    "username": "thingworx",
    "password": "xrowgniht",
    "encryptTokenInDatabase": "false",
    "keyczarKeyFolderPath": "/ThingworxPlatform/ssoSecurityConfig/symmetric/"
  },
  "KeyManagerSettings": {
    "keyStoreFilePath": "/ThingworxPlatform/ssoSecurityConfig/sso-keystore.jks",
    "keyStoreStorePass": "thingworx",
    "keyStoreKey": "thingworx",
    "keyStoreKeyPass": "thingworx"
  },
  "AuthorizationServersSettings": {
    "AzureSSO-1": {
      "clientId": "f2b1bfd4-61a6-4e5d-a10e-xxxx",
      "clientSecret": "8eb8Q~zZ6behnxxxx~fTLwWGpHLSv_xxx",
      "authorizeUri": "https://login.microsoftonline.com/339333e1-b5c5-410a-8b9e-xxx/oauth2/v2.0/authorize",
      "tokenUri": "https://login.microsoftonline.com/339333e1-b5c5-410a-8b9e-xxx/oauth2/v2.0/token",
      "clientAuthScheme": "form"
    }
  }
}
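The symptom in this thread (SSO hands back an http://Thingworx/... URL while the external address is https://xxx.xxx.nl/Thingworx) is the classic reverse-proxy mismatch: the SAML context provider builds endpoint URLs from SAMLContextProviderSettings, and if those do not reproduce the public base URL the local SP metadata and the post-login redirect end up pointing at the internal address. The following checker is an added example, not PTC's code or anything from the thread; it assumes only the key names visible in the posted sso-settings.json (clientBaseUrl, metadataEntityBaseUrl, scheme, serverName, serverPort, includeServerPortInRequestURL, contextPath) and reconstructs the base URL the way a servlet container would, then reports any disagreement with clientBaseUrl. The sample settings are constructed with placeholder values.

```python
"""Consistency check for a ThingWorx sso-settings.json behind a reverse proxy.

Added example (not PTC's code). Assumes the key layout shown in the thread;
everything else here is an assumption for illustration.
"""
import json
from urllib.parse import urlsplit

# Constructed sample mirroring the posted file's structure (placeholder values).
GOOD_SETTINGS_JSON = """
{
  "BasicSettings": {
    "clientBaseUrl": "https://xxx.xxx.nl/Thingworx",
    "metadataEntityBaseUrl": "https://xxx.xxx.nl/Thingworx"
  },
  "SAMLContextProviderSettings": {
    "scheme": "HTTPS",
    "serverName": "xxx.xxx.nl",
    "serverPort": "443",
    "includeServerPortInRequestURL": "false",
    "contextPath": "/Thingworx"
  }
}
"""

GOOD_SETTINGS = json.loads(GOOD_SETTINGS_JSON)

# Constructed "broken" variant: the context provider still describes the
# internal container address, which is what produces http://Thingworx/... URLs.
BAD_SETTINGS = json.loads(GOOD_SETTINGS_JSON)
BAD_SETTINGS["SAMLContextProviderSettings"].update(
    {"scheme": "HTTP", "serverName": "Thingworx", "serverPort": "80"}
)


def effective_base_url(ctx: dict) -> str:
    """Rebuild the base URL a servlet container would derive from the
    SAMLContextProviderSettings block (scheme://host[:port]/contextPath)."""
    scheme = ctx["scheme"].lower()
    host = ctx["serverName"]
    port = int(ctx["serverPort"])
    include_port = str(ctx.get("includeServerPortInRequestURL", "false")).lower() == "true"
    default_port = {"https": 443, "http": 80}.get(scheme)
    # The port is emitted when explicitly requested or when it is non-default.
    netloc = f"{host}:{port}" if include_port or port != default_port else host
    return f"{scheme}://{netloc}{ctx['contextPath']}"


def check_sso_settings(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means the three base URLs agree."""
    findings: list[str] = []
    basic = settings["BasicSettings"]
    ctx = settings["SAMLContextProviderSettings"]
    client = basic["clientBaseUrl"].rstrip("/")
    entity = basic["metadataEntityBaseUrl"].rstrip("/")
    effective = effective_base_url(ctx)

    if urlsplit(client).scheme != "https":
        findings.append(f"clientBaseUrl is not https: {client}")
    if ctx["scheme"].lower() != "https":
        findings.append(
            "SAMLContextProviderSettings.scheme is not HTTPS: SAML endpoints and "
            "the post-login redirect will be generated as http:// URLs"
        )
    if entity != client:
        findings.append(f"metadataEntityBaseUrl ({entity}) differs from clientBaseUrl ({client})")
    if effective != client:
        findings.append(
            f"URL rebuilt from SAMLContextProviderSettings ({effective}) differs from "
            f"clientBaseUrl ({client}); SP endpoints in the local metadata will not match "
            "the address the IdP posts the response back to"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(f"[{label}]", check_sso_settings(cfg) or "no findings")
```

Run it against a real file by replacing the embedded sample with `json.load(open(path))`; any finding on the last check is the one to fix before looking at the proxy headers, since the context provider, not the proxy, decides what URL the SP advertises.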

10-Marble
November 28, 2024

Hi Tony, thank you for your reply; here is some additional information.