SCIM Subsystem
The SCIM Subsystem manages user provisioning through SCIM. For more information, see Using SCIM with ThingWorx.
The following options appear on the Configuration page for the SCIM subsystem.
 |
When configuring the SCIM subsystem to create users and groups, the user count will be limited by the ThingWorx instance's license file.
Configuring a larger number of users than in the license file will result in errors. Instead, you should map SCIM users to concurrent license groups, not named licensed groups.
|
User Provisioning
|
Terminate User Sessions On Authenticator Change
|
If enabled, all active user sessions (both provisioned and not provisioned) will be terminated when the SCIM subsystem configuration is saved.
This does not apply to the users specified in the User Provisioning Exclusion List.
|
User Provisioning Exclusion List
Specify any users that should be excluded from provisioning.
 |
The ThingWorx Administrator, SuperUser, and System users are added to this list by default. If you attempt to remove these users, they will be automatically re-added upon refreshing the page.
|
User Defaults
|
|
When SSO is enabled and the SCIM subsystem started, user provisioning is handled by the SCIM subsystem (when a user is updated in the IdP) and the ThingworxSSOAuthenticator (when the user logs in).
• To ensure all users are created and modified through SCIM, deselect User Creation Enabled and User Modification Enabled on the ThingworxSSOAuthenticator Configuration page.
• If you are allowing user creation and modification through SSO, then you should ensure the settings below are the same as those configured in ThingworxSSOAuthenticator.
|
|
Description
|
The default description for provisioned users.
|
||
|
Project
|
The default project set for provisioned users.
|
||
|
Home Mashup
|
The default mashup that is displayed when a provisioned user logs in.
|
||
|
Mobile Mashup
|
The default mashup that is displayed when a provisioned user logs in from a mobile device.
|
||
|
Tags
|
The default tags that are applied to provisioned users.
|
Group Provisioning Exclusion List
Specify any groups that should be excluded from the Group Defaults configuration below.
|
|
The following ThingWorx groups are added to this list by default. If you attempt to remove these groups, they will be automatically re-added upon refreshing the page:
• Administrator
• Designers
• Developers
• Users
• SecurityAdministrators
• Guests
|
Group Defaults
|
Description
|
The default description for provisioned groups.
|
||
|
Project
|
The default project set for provisioned groups.
|
||
|
Tags
|
The default tags that are applied to provisioned groups.
|
Identity Provider Group Mappings
This table maps the IdP group name to the corresponding ThingWorx group name.
For example, you might want the provisioned group to have a different name in ThingWorx than is given in the IdP. Once you have mapped the names, any changes made to the group in the IdP is reflected in the mapped ThingWorx group.
|
|
The SSO authenticator does not create groups. Therefore, before the group can be used in the SSO authenticator login workflow, the ThingWorx group name should either be an existing group or a group that will be created by SCIM.
|