Create PingFederate Connections
In PingFederate, create client endpoints to which applications in your SSO solution connect when obtaining or verifying access tokens or authenticating users. It is recommended that you create a separate client for each role that an application will perform within your SSO solution. This allows you to fine-tune the settings within the client for that role.
For ThingWorx SSO, the following clients need to be created in PingFederate:
SP Connection for ThingWorx as a service provider
OAuth Client for ThingWorx as a service provider
For in-depth information about creating and configuring PingFederate connections, refer to PingFederate documentation or contact PingIdentity customer support. The following procedures contain settings that are required for ThingWorx SSO; however, additional settings may be required for the SSO solution for your enterprise.
SP Connection for ThingWorx as Service Provider
This connection is used for SAML authentication. ThingWorx directs user login requests to PingFederate.
1. On the IDP Configuration page, select SP Connections, and click Create New.
2. In the Connection Type section, select Browser SSO Profiles to specify the SAML 2.0 protocol.
3. In the Connection Options section, select Browser SSO.
4. In the General Info section, perform the following steps:
a. Set Partner’s Entity ID (Connection ID) to a unique value. Make note of this ID because you will use it when configuring the sso-settings.json file.
b. Provide a descriptive name for the Connection Name field. This is the name that is displayed in the SP Connection list.
c. Set Base URL to the URL where your web application (ThingWorx) service provider is hosted.
5. In the Protocol Settings section, set the Assertion Consumer Service URL Endpoint to URL:/Thingworx/saml/SSO.
6. In the Credentials section, set Digital Signature Settings to Selected Certificate.
7. In the Signature Verification section, add a certificate for:
Signature Verification Certificate: Selected Certificate
Signature Verification Certificate: Selected Encryption Certificate
Select XML Encryption Certificate: Selected Encryption Certificate
8. Confirm that the new service provider is active. View the SP Connection. A radio button indicator at the top of the Activation & Summary page should be set to Active.
9. Click Save.
PingFederate uses a mechanism called a policy contract to bridge connections between service providers and the identity provider that PingFederate relies on. You will need to create a policy contract for this SP Connection. When you do so, list any attributes that should be exchanged in the SAML assertions.
For more information, refer to the “Working with Third-Party Identity Providers” section of the PTC Single Sign-on Architecture and Configuration Overview guide.
OAuth Client for ThingWorx as Service Provider
The OAuth client is a connection point for PingFederate to provide access tokens to ThingWorx. ThingWorx uses these access tokens to request OAuth-protected resources from resource providers.
1. On the OAuth Settings page, select Clients, and click Create New.
2. In the Client ID field, enter a value. This is used as the value of the AuthorizationServersSettings.<AuthServerId>.clientId parameter when configuring the sso-settings.json file.
3. Select Client Secret and enter a client secret value. Note this value because it is used as the value of the AuthorizationServersSettings.<AuthServerId>.clientSecret parameter when configuring the sso-settings.json file.
4. In the Name field, enter a value. This is displayed in the PingFederate clients list.
5. In the Description field, enter a description.
6. In the Redirect URIs section, enter your ThingWorx server redirect URI. For example: http://<myserver>:<myport>/Thingworx/oauth2_authorization_code_redirect, where <myserver> is your ThingWorx server.
* If you have installed ThingWorx Flow on a ThingWorx Foundation instance that you are configuring for SSO, specify this value as https://<ThingWorx Flow Nginx host-name>:<ThingWorx Flow Nginx port-number>/Thingworx/oauth2_authorization_code_redirect.
7. In the Allow Grant Types section, select Refresh Token and Authorization Code.
8. In the Persistent Grants Expiration section, select Grants Do Not Expire.
9. In the Refresh Token Rolling Policy section, select Roll.
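The two procedures above produce values that must agree exactly between PingFederate and ThingWorx: the Assertion Consumer Service endpoint for the SP Connection and the redirect URI for the OAuth Client, plus the client ID and secret that go into sso-settings.json. The following script is an added example, not code from PTC or Ping Identity: it assembles the AuthorizationServersSettings fragment from the recorded values and checks that the endpoints registered in PingFederate match what ThingWorx will use, flagging any non-https endpoint. The nesting of AuthorizationServersSettings under <AuthServerId>, the function names and the sample hostnames are assumptions; the page only gives the dotted parameter names and the endpoint paths.

```python
import json
from urllib.parse import urlparse

# Endpoint paths taken from the procedures on this page.
ACS_PATH = "/Thingworx/saml/SSO"
REDIRECT_PATH = "/Thingworx/oauth2_authorization_code_redirect"
DEFAULT_PORTS = {"http": 80, "https": 443}


def build_auth_server_settings(auth_server_id, client_id, client_secret):
    """Fragment of sso-settings.json holding the OAuth client credentials.

    Assumption (not stated on the page): AuthorizationServersSettings is a JSON
    object keyed by <AuthServerId>, which is how the dotted parameter names
    AuthorizationServersSettings.<AuthServerId>.clientId / .clientSecret read.
    """
    if not client_id or not client_secret:
        raise ValueError("clientId and clientSecret must both be set")
    return {
        "AuthorizationServersSettings": {
            auth_server_id: {"clientId": client_id, "clientSecret": client_secret}
        }
    }


def _normalize(url):
    """Reduce a URL to (scheme, host, port, path) with default ports filled in."""
    p = urlparse(url)
    port = p.port or DEFAULT_PORTS.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port, p.path.rstrip("/"))


def check_endpoint(label, registered_in_pingfederate, expected):
    """Compare a URL entered in PingFederate with the one ThingWorx will use.

    Returns a list of findings (empty when everything agrees). Scheme, host,
    port and path must all match: a redirect URI that differs in any of them
    is rejected by the authorization server, and a registration that is looser
    than the real endpoint would deliver assertions or authorization codes to
    the wrong place.
    """
    findings = []
    registered = _normalize(registered_in_pingfederate)
    if registered != _normalize(expected):
        findings.append(f"{label}: PingFederate has {registered_in_pingfederate!r}, "
                        f"ThingWorx expects {expected!r}")
    if registered[0] != "https":
        findings.append(f"{label}: {registered_in_pingfederate!r} is not https; "
                        "SAML assertions or authorization codes would cross the network in clear")
    return findings


def validate(base_url, acs_url_in_pf, redirect_uri_in_pf):
    """Run both endpoint checks: SP Connection step 5 and OAuth Client step 6."""
    base = base_url.rstrip("/")
    return (check_endpoint("ACS URL", acs_url_in_pf, base + ACS_PATH)
            + check_endpoint("redirect URI", redirect_uri_in_pf, base + REDIRECT_PATH))


if __name__ == "__main__":
    # Constructed sample values; not real hosts or credentials.
    base = "https://thingworx.example.com:8443"
    for finding in validate(base, base + "/Thingworx/saml/SSO",
                            "http://thingworx.example.com:8443" + REDIRECT_PATH):
        print(finding)
    print(json.dumps(build_auth_server_settings(
        "PingFed", "thingworx-client", "<client-secret-placeholder>"), indent=2))
```

Run it with the Base URL from step 4c and the two URLs exactly as typed into PingFederate; an empty findings list means the SP Connection and OAuth Client agree with the ThingWorx endpoints, and the printed fragment can be merged into sso-settings.json under the <AuthServerId> you chose.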