Security > Single Sign-on Authentication > Create ThingWorx Administrator Alias in Identity Provider
  
Create ThingWorx Administrator Alias in Identity Provider
The PTC product platform architecture assumes that you have an identity provider (an enterprise directory service) to which PingFederate redirects requests for user authentication. Ping Federate does not access user data. The identity provider (IdP) sends a SAML assertion that states that the user is authenticated. Based on this validation, PingFederate then returns a SAML assertion to ThingWorx that states that the user has been authenticated.
The SAML assertion returned from the CAS or IdP to ThingWorx must be “Administrator”. If your IdP uses the user name “Administrator” for its own administrator login, complete the following steps:
1. Create an account in the IdP with a different user name (for example, twxadmin).
2. Create a SAML attribute mapping between that user name and the uid “Administrator”. You can map SAML attributes in the CAS (PingFederate) or the IdP that the CAS references while authenticating users.
This ensures that the SAML assertion that is sent to ThingWorx has the uid that ThingWorx requires.
3. On the login page, enter the alternate ThingWorx administrator user name.
This aliased ThingWorx administrator user cannot be used for delegated authorization. For information about creating user accounts and mapping attributes, refer to your IdP and PingFederate product documentation.
To use delegated authorization via an administrator user, complete the following steps:
1. Create the user locally in ThingWorx.
2. Add this user to the ThingWorx Administrator Group.
3. Add this user to the User Provisioning Exclusion list in ThingworxSSOAuthenticator.
For more information, see Configure ThingWorx for SSO.
4. Add this user to the federated IdP that the CAS references when authenticating user logins.
5. Use this user account whenever you need to test delegated authorization from an administrator account.