ThingWorx can be configured to provision user data using several methods, including SAML, SCIM, and a manual Active Directory configuration. The method for provisioning that you configure depends on the type of authentication that is enabled.

If you are using fixed authentication with Active Directory, configure user provisioning from the directory service. For more information, see Managing Users in Active Directory.

If you enabled Single Sign-On (SSO) authentication, SAML provisioning is automatically enabled. User attributes are retrieved through SAML assertions from the authorization server (PingFederate) that acts as the broker between ThingWorx and the identity provider. This is considered “just-in-time” provisioning, because user accounts are created (if they don’t already exist in ThingWorx) and updated when a user logs in to ThingWorx. User attributes are included in the SAML assertion used to authenticate. Work with the IdP administrator to understand the user, and to ensure that the user account in ThingWorx is updated at the time of the login event. Out of the box, ThingWorx only consumes the username attribute to create the user. Any additional attributes that you want consumed must be configured in the authorization server, so they are passed in the SAML assertion, and then mapped to the user extension properties.

Additional configurations are required to manage the provisioning settings used with this method.

In ThingWorx, SAML provisioning can only be used to create and update user accounts; it cannot delete.

SCIM is an automated method that synchronizes changes to user accounts in the identity provider to be pushed to the user accounts in ThingWorx. SCIM provisioning can be enabled to supplement the SAML provisioning settings configured with SSO authentication. SCIM provisioning can also be enabled, or it can be enabled independently of SSO authentication. Instead of the just-in-time updates to user accounts that occurs with SAML provisioning, SCIM automation means that changes to user accounts are auto-provisioned to ThingWorx based on changes to the user account in the identity provider.

To configure SCIM provisioning, refer to the following topics.

If you are using both SAML and SCIM provisioning, the configurations for both must be aligned, so they consume user attributes in a logical fashion. For example, confirm that ThingWorx and IdP groups are mapped the same way in the ThingworxSSOAuthenticator and the SCIM Subsystem. If a group that a user belongs to in the IdP is mapped to different ThingWorx groups in the SCIM Subsystem and the ThingworxSSOAuthenticator can be added to different ThingWorx groups when the user account is updated based on SCIM or SAML provisioning.

Refer to Create a Channel to the Data Store for a list of ThingWorx user extension properties that are mapped to SCIM 1.1 schema resource types. When configuring SAML provisioning in the ThingworxSSOAuthenticator, the User Extension Provision Names table maps user metadata values that are passed from SAML attributes to ThingWorx user extension properties. When using both SCIM and SAML provisioning, you must ensure for each of the user metadata values that are retrieved from the IdP, there is a corresponding SAML attribute mapping configured in the ThingworxSSOAuthenticator User Extension Provision Names table. If the user extension metadata is not mapped in the ThingworxSSOAuthenticator; when the user logs in and SAML provisioning occurs, that user extension value is cleared because no value for that user extension is retrieved from the SAML assertion.

To coordinate the provisioning of user extension attributes returned from SCIM and SAML provisioning, you must do the following: