Security > Provisioning > Provisioning
  
Provisioning
ThingWorx can be configured to provision user data using several methods, including SAML, SCIM, and a manual Active Directory configuration. The method for provisioning that you configure depends on the type of authentication that is enabled.
Active Directory Provisioning
If you are using fixed authentication with Active Directory, configure user provisioning from the Directory Service. For more information, see Managing Users in Active Directory.
SAML Provisioning
If you enabled Single Sign-On (SSO) authentication, SAML provisioning is automatically enabled. User attributes are retrieved through SAML assertions from the authorization server (PingFederate) that acts as the broker between ThingWorx and the identity provider. This is considered “just-in-time” provisioning, because user accounts are created (if they don’t already exist in ThingWorx) and updated when a user logs in to ThingWorx. User attributes are included in the SAML assertion used to authenticate. Work with the IdP administrator to understand the user, and the user account in ThingWorx is updated at the time of the login event. Out of the box, ThingWorx only consumes the username attribute to create the user. Any additional attributes that you want consumed must be configured in the authorization server so they are passed in the SAML assertion, and then mapped to the user extension properties.
Additional configurations are required to manage the provisioning settings used with this method.
In PingFederate, you create a policy contract for the SP connection that ThingWorx uses to connect to PingFederate. The policy contract is where you map the attributes to be passed from the identity provider to ThingWorx. For more information, see Create PingFederate Connection.
In ThingWorx, configure the ThingworxSSOAuthenticator entity to specify settings for provisioning users and user attributes. For more information, see Single Sign-on Authenticator.
In ThingWorx, SAML provisioning can only be used to create and update user accounts; it cannot delete.
SCIM Provisioning
SCIM is an automated method that synchronizes changes to user accounts in the identity provider to be pushed to the user accounts in ThingWorx. SCIM provisioning can be enabled to supplement the SAML provisioning settings configured with SSO authentication, or it can be enabled independently of SSO authentication. Instead of the just-in-time updates to user accounts that occurs with SAML provisioning, SCIM automation means that changes to user accounts auto-provisioned to ThingWorx based on changes to the user account in the identity provider.
To configure SCIM provisioning, refer to the following topics.
SCIM
SCIM Subsystem
Using Both SCIM and SAML Provisioning
If you are using both SAML and SCIM provisioning, the configurations for both must be aligned so they consume user attributes in a logical fashion. For example, confirm that ThingWorx and IdP groups are mapped the same way in the ThingworxSSOAuthenticator and the SCIM Subsystem. If a group that a user belongs to in the IdP is mapped to different ThingWorx groups in the SCIM Subsystem and the ThingworxSSOAuthenticator, they could be added to different ThingWorx groups when the user account is updated based on SCIM or SAML provisioning.
Refer to Create a Channel to the Data Store for a list of ThingWorx user extension properties that are mapped to SCIM 1.1 schema resource types. When configuring SAML provisioning in the ThingworxSSOAuthenticator, the User Extension Provision Names table maps user metadata values that are passed from SAML attributes to ThingWorx user extension properties. When using both SCIM and SAML provisioning, you must ensure for each of the user metadata values that are retrieved from the IdP, there is a corresponding SAML attribute mapping configured in the ThingworxSSOAuthenticator User Extension Provision Names table. If the user extension metadata is not mapped in the ThingworxSSOAuthenticator; when the user logs in and SAML provisioning occurs, that user extension value is cleared because no value for that user extension is retrieved from the SAML assertion.
To coordinate the provisioning of user extension attributes returned from SCIM and SAML provisioning, you must do the following:
1. Work with the IdP administrator to understand what user metadata is returned for each SCIM 1.1 schema resource type listed in Create a Channel to the Data Store.
2. Coordinate with your PingFederate administrator to ensure that the same user metadata is mapped to SAML attributes that are included in the assertion returned to ThingWorx when a user logs in.
3. Configure the ThingworxSSOAuthenticator User Extension Provision Names table to map the appropriate SAML assertion value to the corresponding user extension properties that are provisioned from the corresponding SCIM schema resource type.