Using SCIM with ThingWorx

ThingWorx Model Definition in Composer > Security > Provisioning > Using SCIM with ThingWorx

System for Cross-Domain Identity Management (SCIM) is a standardized, automated method to keep user identities synchronized across disparate data stores and systems.

By default, SCIM is not started and is disabled upon platform start-up. Its enable and started states are controlled by the platform-settings.json configuration.

SCIM Endpoints for user/group management require credentials with Administrator rights. SCIM Endpoints are only accessible when configured to be enabled and when SSO is enabled.

For more information, see http://www.simplecloud.info.

ThingWorx supports the following:

• SCIM 1.1

• Outbound provisioning

• Create, update, and delete users or groups

• Configure defaults for SCIM-provisioned users and groups

For example, consider the following scenario:

• The “Sally” SCIM object can contain any number of useful attributes (user name, email, phone number, etc.)

• If something changes (for example, Sally is promoted), SCIM can automatically update her ThingWorx user attributes accordingly. When Sally leaves the company, her ThingWorx user account is deleted or disabled when she is removed from the directory server.

Some user and group attributes may need additional configuration. This can be done when managing outbound provisioning from PingFederate. For more information, see the Ping Identity Knowledge Center: Specify custom SCIM attributes.

The metadata mapping between ThingWorx User Extension properties and SCIM Schema 1.1 is fixed. For more information, see Create a Channel to the Data Store.

Authentication

When SSO is enabled, ThingWorx requires OAuth tokens when provisioning through SCIM.

See the Ping Identity Knowledge Center for more information: Manage outbound provisioning options in a connection.

SCIM Prerequisites

1. Download and install PingFederate. For more information, see “PingFederate Software Download” in the PTC Single Sign-on Architecture and Configuration Overview Guide.

2. Configure SSO for ThingWorx:

◦ PTC Single Sign-on Architecture and Configuration Overview Guide

◦ Single Sign-on Authentication

SCIM Setup

Once the prerequisites are completed, perform the following steps:

1. Import the PingFederate SSL certificate to the JVM certificate store. Certificates are available from the PingFederate Administrative Console under Server Configuration > Certificate Management.

2. Enable Outbound Provisioning.

3. From the PingFederate Administrative Console:

a. Add the LDAP as a Data Store.

b. Configure a Password Credential Validator Instance.

c. Create a New OAuth Client for SCIM.

d. Define an SP Connection for SCIM.

e. Create a Channel to the Data Store.

4. Add SCIM settings to platform-settings.json and sso-settings.json: SCIM Platform Settings.

5. Configure the SCIM subsystem in ThingWorx: SCIM Subsystem.

Was this helpful?