SCIM Platform Settings

ThingWorx Model Definition in Composer > Security > Provisioning > Using SCIM with ThingWorx > SCIM Platform Settings

Set additional SCIM configuration options in the following files:

platform-settings.json (all users)

sso-settings.json (only users who have configured SSO)

For more information, see Platform Settings and Configure sso-settings.json File.

platform-settings.json

These settings interact with the SCIM subsystem.

"PlatformSettingsConfig": {
"SCIMSettings": {
"enableSCIM": "true",
"autoStart": "false",
"ignorePFTestConnections": "true"
}
}

autoStart	• true—The SCIM subsystem starts automatically after a ThingWorx reboot. • false—You must manually start the SCIM subsystem after a reboot.
enableSCIM	• true—The SCIM subsystem is enabled at run time within the ThingWorx web application. • false—The SCIM subsystem is disabled at run time within the ThingWorx web application.
ignorePFTestConnections	• true—The SCIM subsystem handles PingFederate testing connections. • false—The SCIM subsystem does not handle PingFederate testing connections. You will see wso2 exceptions in the Tomcat console or security log.

sso-settings.json

The values below are only examples. Your values will be different depending on your setup.

"SCIMAccessTokenServicesSettings": {
"authScimOAuthClientId": "SCIMClient"
"clientId": "SCIMClient",
"clientSecret": "ABC123_xyz",
"userAuthenticationConverterClassName": "com.ptc.eauth.identity.oauth2.rs.IntrospectionUserAuthenticationConverter",
"checkTokenEndpointUrl": "https://<PingFederate server>/as/introspect.oauth2"
}

authScimOAuthClientId

The OAuth client ID configured for SCIM.

(Use the value you provided in the CLIENT ID field in Create an OAuth Client for SCIM.)

clientId

The OAuth client ID configured in the CAS used for token services.

(Use the value you provided in the CLIENT ID field in Create an OAuth Client for SCIM.)

clientSecret

The value you provided in the CLIENT SECRET field in Create an OAuth Client for SCIM.

userAuthenticationConverterClassName

The Java class name that is used to convert the Spring Authentication to a local user name.

Currently, the only acceptable value is the following:

com.ptc.eauth.identity.oauth2.rs.IntrospectionUserAuthenticationConverter

This setting is optional. If it is not set, the IntrospectionUserAuthenticationConverter class will be used.

checkTokenEndpointUrl

The fully qualified URL pointing to the OAuth token introspection endpoint.

You can verify the endpoint from the PingFederate Administrative Console. Select OAuth Settings > Authorization Server > InfoOAuth Endpoints.

Was this helpful?