ThingWorx Authentication Deployment
In this section, we review authentication solutions available to ThingWorx implementations.
The solutions include out-of-the-box authentication, authentication through corporate LDAP (Lightweight Directory Access Protocol) or Active Directory, and authentication through an SSO (Single Sign-On) configuration.
Components
• Directory Service - Maintains a company's list of users and their authentication and authorization credentials. Microsoft's Active Directory, OpenLDAP, and Apache Directory Server are common implementations of directory services.
• Central Authentication Server (CAS) - A third-party tool that manages the authentication of users across a federation to allow users to access data from multiple applications by signing in only once. PTC supports a configuration of PingFederate in this role.
PingFederate is a third-party product provided by PTC as part of its SSO solution. PingFederate acts as an authorization server that facilitates the exchange of SAML assertions and OAuth access tokens.
• Identity Provider (IdP) - A third-party tool that manages user identity data and supplies user information. An IdP can be a user-management system or an active directory that stores user names, passwords, and other credentials. The CAS references the IdP when authenticating a user.
• Service Provider - The application through which the protected information is requested. Typically this would be the ThingWorx server.
• Resource Server - The application where the protected information is maintained. This could be ThingWorx itself or another application like Windchill.
References
• Authenticators — Authentication mechanisms within ThingWorx.
• Directory Services Authentication — Configure ThingWorx to authenticate through a directory service.
• Single Sign-On Authentication — Configure ThingWorx to use SAML authentication and OAuth delegated authorization.
Basic Authentication Architecture
Basic Authentication for ThingWorx uses the standard HTTP Basic Authentication methodology implemented by the Tomcat Servlet Container.
From a deployment perspective, there are no additional requirements for hardware or software components. However, this is the least secure form of authentication supported.
List of Components | Number of Components |
|---|---|
ThingWorx Foundation Server | 1 |
Database | 1 |
Architecture for Authentication Through LDAP
Another common authentication deployment is to use a company's corporate LDAP server as the authentication source.
In this case, ThingWorx is configured to connect to the LDAP server for authorization and authentication tasks.
List of Components | Number of Components |
|---|---|
ThingWorx Foundation Server | 1 |
Database | 1 |
LDAP Server | 1 |
Architecture for SSO Authentication using PingFederate
ThingWorx 9.0 provides an integration with PingFederate, which can then be configured to provide a Single Sign-On authentication scheme across multiple software systems.
The following diagram describes a PingFederate system in high availability configuration:
List of Components | Number of Components |
|---|---|
ThingWorx Foundation Server | 1 |
ThingWorx Database | 1 |
PingFederate server | 1 |
Identity Provider service (IdP) | 1 |
Directory Server (LDAP) | 1 |