Using SCIM with ThingWorx
System for Cross-Domain Identity Management (SCIM) is a standardized, automated method to keep user identities synchronized across disparate data stores and systems.
By default, SCIM is disabled and is not started when the platform starts. Whether it is enabled and started is controlled by the platform-settings.json configuration.
The SCIM endpoints for user and group management require credentials with Administrator rights. They are reachable only when SCIM is enabled in the configuration and SSO is enabled.
For more information, see
ThingWorx supports the following:
SCIM 1.1
Outbound provisioning
Create, update, and delete users or groups
Configure defaults for SCIM-provisioned users and groups
For example, consider the following scenario:
The SCIM object for a user, say “Sally”, can carry any number of useful attributes (user name, email address, phone number, and so on).
If something changes (for example, Sally is promoted), SCIM automatically updates her ThingWorx user attributes to match. When Sally leaves the company and is removed from the directory server, her ThingWorx user account is deleted or disabled.
Some user and group attributes might need additional configuration. This can be done when managing outbound provisioning from PingFederate. For more information, see the Ping Identity Knowledge Center: Specify custom SCIM attributes
The metadata mapping between ThingWorx User Extension properties and SCIM Schema 1.1 is fixed. For more information, see Create a Channel to the Data Store.
When SSO is enabled, ThingWorx requires OAuth tokens when provisioning through SCIM.
See the Ping Identity Knowledge Center for more information: Manage outbound provisioning options in a connection.
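The lifecycle sketched in the Sally scenario, together with the Administrator-rights and OAuth-token requirements stated above, as an added example in Python that is not ThingWorx or PingFederate code: a small in-memory SCIM 1.1 provisioning target that rejects requests without a bearer token or without Administrator rights, accepts a SCIM 1.1 core-schema user, applies a promotion as a PATCH, disables the account with active=false, and finally deletes it. The token table, the Administrators group check and the mapping from SCIM attributes to the user record are assumptions made for the example, not the fixed ThingWorx mapping the page refers to.

```python
"""SCIM 1.1 user lifecycle against an in-memory stand-in for ThingWorx.
Added example, not ThingWorx or PingFederate code; the token table, the
Administrators group check and the attribute mapping are assumptions."""
from dataclasses import dataclass

SCIM_CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core schema URN

# Constructed stand-in for OAuth token introspection against PingFederate:
# token -> groups of the principal it was issued to.
TOKENS = {"tok-provisioner": ["Administrators"], "tok-sally": ["Users"]}

class ScimError(Exception):
    def __init__(self, status, detail):
        super().__init__(f"{status}: {detail}")
        self.status = status

@dataclass
class TwUser:
    """Hypothetical ThingWorx-side user record filled from SCIM attributes."""
    name: str
    email: str = ""
    title: str = ""
    enabled: bool = True

def _map_attributes(user, body):
    """Copy the SCIM 1.1 attributes this example understands onto the user."""
    if "userName" in body:
        user.name = body["userName"]
    if "title" in body:
        user.title = body["title"]
    if "active" in body:  # active=false is the 'disable' deprovisioning path
        user.enabled = bool(body["active"])
    if "emails" in body:
        emails = body["emails"] or []
        primary = [e["value"] for e in emails if e.get("primary")]
        user.email = primary[0] if primary else (emails[0]["value"] if emails else "")
    return user

class ScimTarget:
    def __init__(self):
        self.users = {}
        self._next_id = 1

    def _authorize(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            raise ScimError(401, "OAuth bearer token required")
        groups = TOKENS.get(auth[len("Bearer "):])
        if groups is None:
            raise ScimError(401, "unknown or expired token")
        if "Administrators" not in groups:
            raise ScimError(403, "Administrator rights required for SCIM endpoints")

    @staticmethod
    def _check_schema(body):
        if SCIM_CORE not in body.get("schemas", []):
            raise ScimError(400, "expected SCIM 1.1 core schema")

    def _get(self, uid):
        if uid not in self.users:
            raise ScimError(404, "no such user")
        return self.users[uid]

    def create(self, headers, body):
        self._authorize(headers)
        self._check_schema(body)
        if not body.get("userName"):
            raise ScimError(400, "userName is required")
        if any(u.name == body["userName"] for u in self.users.values()):
            raise ScimError(409, "userName already provisioned")
        uid, self._next_id = str(self._next_id), self._next_id + 1
        self.users[uid] = _map_attributes(TwUser(name=body["userName"]), body)
        return uid

    def patch(self, headers, uid, body):
        """SCIM 1.1 PATCH: attributes present in the body overwrite stored ones."""
        self._authorize(headers)
        self._check_schema(body)
        return _map_attributes(self._get(uid), body)

    def delete(self, headers, uid):
        self._authorize(headers)
        self._get(uid)
        del self.users[uid]

def run_scenario():
    """Sally joins, is promoted, is disabled, then removed; returns a trace."""
    target = ScimTarget()
    admin = {"Authorization": "Bearer tok-provisioner"}
    sally = {"schemas": [SCIM_CORE], "userName": "sally", "title": "Engineer",
             "emails": [{"value": "sally@example.com", "primary": True}]}
    trace = {}
    rejected = (("no_token", {}), ("non_admin", {"Authorization": "Bearer tok-sally"}))
    for label, headers in rejected:
        try:
            target.create(headers, sally)
        except ScimError as e:
            trace[label] = e.status
    uid = target.create(admin, sally)
    trace["created"] = (target.users[uid].title, target.users[uid].email)
    target.patch(admin, uid, {"schemas": [SCIM_CORE], "title": "Staff Engineer"})
    trace["promoted"] = target.users[uid].title
    target.patch(admin, uid, {"schemas": [SCIM_CORE], "active": False})
    trace["disabled"] = target.users[uid].enabled
    target.delete(admin, uid)
    trace["remaining"] = len(target.users)
    return trace

if __name__ == "__main__":
    print(run_scenario())
```

The ordering in `_authorize` is deliberate: a request is refused for a missing or unknown token before any SCIM body is parsed, and a valid token that does not carry Administrator rights is refused next, so an unprivileged but authenticated principal never reaches the provisioning logic. Disable and delete are both shown because the page leaves open which one the directory removal triggers; which path a real deployment takes is a PingFederate channel setting, not something this example decides.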
1. Download and install PingFederate. For more information, see “PingFederate Software Download” in the PTC Single Sign-on Architecture and Configuration Overview Guide.
2. Configure SSO for ThingWorx:
PTC Single Sign-on Architecture and Configuration Overview Guide
Single Sign-on Authentication
SCIM Setup
Once the prerequisites are completed, perform the following steps:
1. Import the PingFederate SSL certificate into the truststore of the JVM that runs ThingWorx, so that ThingWorx trusts the PingFederate server when it validates tokens. Certificates are available from the PingFederate Administrative Console under Server Configuration > Certificate Management.
2. Enable Outbound Provisioning
3. From the PingFederate Administrative Console:
a. Add the LDAP as a Data Store
b. Configure a Password Credential Validator Instance
c. Create a New OAuth Client for SCIM
d. Define an SP Connection for SCIM
e. Create a Channel to the Directory Service
4. Add SCIM settings to platform-settings.json and sso-settings.json: SCIM Platform Settings
5. Configure the SCIM subsystem in ThingWorx: SCIM Subsystem