1-Visitor

Question

SSO doesn't work with Pingfederate/Thingworx

Forum|Forum|8 years ago
January 22, 2018
3 replies
5287 views

Hi,

I have some problems with configuring SSO. I did all steps on this document https://support.ptc.com/WCMS/files/172779/en/PTC_Single_Sign_on_Architecture_and_Configuration_Overview_Guide.pdf . I not sure about Scope, i did as on guide WINDCHIILL_READ. Is it right? At the moment i can login to thingworx trough sso but after I do changes in ptc-windchill-integration-connector and ptc-windchill-integration-connector-proxy i get this error

In Security log i found these errors:

2018-01-20 18:33:13.521+0300 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ Failed to utilize the SSO component for authentication ][ The requested scope(s) must be blank or a subset of the provided scopes. ]

2018-01-20 18:33:13.522+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] Could not handle request

2018-01-20 18:33:13.524+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] errorMessage: [Unauthorized], statusCode: [401]

2018-01-20 18:33:13.524+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ The requested scope(s) must be blank or a subset of the provided scopes. ]

my sso-settings.json:

{

"BasicSettings": {

"clientBaseUrl": "https://ecsc00a00f1d.epam.com:443/Thingworx",

"idpMetadataFilePath": "/ThingworxPlatform/ssoSecurityConfig/sso-idp-metadata.xml",

"metadataEntityId": "https://ecsc00a00f1d.epam.com/Thingworx",

"metadataEntityBaseUrl": "https://ecsc00a00f1d.epam.com/Thingworx",

"webSSOProfileConsumerResponseSkew": 300,

"webSSOProfileConsumerReleaseDOM": true,

"webSSOProfileResponseSkew": 300,

"samlAssertionMaxAuthenticationAge": 7200,

"samlAssertionUserNameAttributeName": "uid"

},

"AccessTokenPersistenceSettings": {

"dbType": "postgres",

"driverClassName": "org.postgresql.Driver",

"url": "jdbc:postgresql://localhost:5432/thingworx",

"username": "twadmin",

"password": "pass",

"encryptTokenInDatabase": "false"

},

"KeyManagerSettings": {

"keyStoreFilePath": "/ThingworxPlatform/ssoSecurityConfig/keystore.jks",

"keyStoreStorePass": "pass",

"keyStoreKey": "tomcat8.5",

"keyStoreKeyPass": "pass"

},

"AuthorizationServersSettings": {

"PingFed1": {

"clientId": "twx_oauth_conn",

"clientSecret": "secret",

"authorizeUri": "https://ecsc00a00f1e.epam.com:9031/as/authorization.oauth2",

"tokenUri": "https://ecsc00a00f1e.epam.com:9031/as/token.oauth2",

"clientAuthScheme": "form"

}

H

hselarka

14-Alexandrite

Hi Iryna,

Seems like the SCOPE is not defined in correct way. We need to mention the same SCOPE in PingFederate and in Thingworx.

I'll suggest you to create a case with Support Services. A case can be logged with TS here

BR,

Harsh Selarka

R

rbhoraskar

14-Alexandrite

Any success on this, I am also facing the same issue

Security log is saying:

2018-02-09 14:15:13.865+0000 [L: DEBUG] [O: o.s.s.w.c.SecurityContextPersistenceFilter] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] SecurityContextHolder now cleared, as request processing completed

2018-02-09 14:15:13.868+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Failed to utilize the SSO component for authentication ][ Error requesting access token. ][ 401 Unauthorized ]

2018-02-09 14:15:13.868+0000 [L: DEBUG] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] authentication status: [false]

2018-02-09 14:15:13.868+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] Could not handle request

2018-02-09 14:15:13.875+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] errorMessage: [Unauthorized], statusCode: [401]

2018-02-09 14:15:13.875+0000 [L: DEBUG] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] ssoException exists: [true], recoverable: [false]

2018-02-09 14:15:13.875+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Error requesting access token. ][ 401 Unauthorized ]

K

karthik24

1-Visitor

i'm also facing same issues ,kindly provide your comments.

2019-11-14 07:39:43.292-0500 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] [ Failed to utilize the SSO component for authentication ][ Key for alias keystore not found ]
2019-11-14 07:39:43.293-0500 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] Could not handle request
2019-11-14 07:39:43.293-0500 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] errorMessage: [Unauthorized], statusCode: [401]
2019-11-14 07:39:43.293-0500 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] [ Key for alias keystore not found ]

A

Arshad

17-Peridot

Please check if keyAlias is defined correctly in <ThingworxNavigate>/tomcat/apache-tomcat-8.x.xx/conf/server.xml

Also, make sure the Hostname for PingFederate, Windchill and Thingworx in the all configuration files and shortcuts URLs also uses as Fully Qualified Host Name (FQDN) .

S

slangley

Community Manager

Hi @idastanka.

If one of the responses allowed you to resolve your issue, please mark the appropriate one as the Accepted Solution for the benefit of others with the same problem. If you are still having issues, please provide additional information.

Regards.

--Sharon

Sign up

Please use your PTC eSupport account.

Welcome to the PTC Community

Please use your PTC eSupport account.

Scanning file for viruses.

This file cannot be downloaded