Single Sign-On and High Availability Configurations
ThingWorx supports single sign-on in high availability configurations; however, there are a few additional configuration complexities to consider.
1. For each ThingWorx high availability server, you need to configure PingFederate separately. Whether the servers are on the same physical machine using different ports or on different machines using the same port, all machines need to be configured in each of the PingFederate OAuth clients used. Additionally, one PingFederate Service Provider connection is required per server.
2. If more than one ThingWorx server exists on the same machine, each with a different configured port, use the THINGWORX_SSO_SETTINGS environment variable to set a specific ssoSecurityConfig directory for each server. Each directory needs its own sso-settings.json file in which clientBaseURL and metadataEntityBaseUrl contain the fully qualified domain name with the port of that server.
3. Any URLs that are used to access content within ThingWorx should be accessed through a VIP or proxy such as HAProxy. If HA failover occurs, the applications access the content through the proxy server machine on a specific port. That proxy is responsible for redirecting to other machines or ports in the HA architecture, depending on which machine is available.
Configure the parameters in the AccessTokenPersistenceSettings section of the sso-settings.json file to use the PostgreSQL server that is used for the HA environment, with all ThingWorx installations pointing to the same PostgreSQL server. On failover, the access tokens (grant approvals) can then carry over from one HA ThingWorx server to the secondary server.
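
The following added example (not PTC code) checks the per-server sso-settings.json files from step 2 and the shared AccessTokenPersistenceSettings requirement above before an HA rollout. The `BasicSettings` wrapper, the `url` field, the host names and the ports are assumptions made for the sample data; the two base-URL keys are located by name, case-insensitively, wherever they sit in the file.

```python
import json
from urllib.parse import urlsplit

URL_KEYS = ("clientbaseurl", "metadataentitybaseurl")  # matched case-insensitively

def find_values(obj, wanted, found=None):
    """Walk nested dicts and collect values whose lower-cased key is in wanted."""
    found = {} if found is None else found
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in wanted and isinstance(value, str):
                found[key.lower()] = value
            find_values(value, wanted, found)
    return found

def check_ha_sso(nodes):
    """nodes maps a node label to its parsed sso-settings.json; returns findings."""
    findings, owner, stores = [], {}, {}
    for name, cfg in nodes.items():
        urls = find_values(cfg, URL_KEYS)
        for key in URL_KEYS:
            parts = urlsplit(urls.get(key, ""))
            if not parts.hostname or "." not in parts.hostname or parts.port is None:
                findings.append(f"{name}: {key} needs an FQDN with an explicit port")
                continue
            endpoint = (key, parts.hostname, parts.port)
            if endpoint in owner:  # two servers would present the same base URL
                findings.append(f"{name}: {key} duplicates {owner[endpoint]}")
            owner[endpoint] = name
        # Canonical JSON, so key order does not affect the comparison.
        stores[name] = json.dumps(cfg.get("AccessTokenPersistenceSettings"), sort_keys=True)
    if "null" in stores.values() or len(set(stores.values())) > 1:
        findings.append("AccessTokenPersistenceSettings missing or different between nodes")
    return findings

# Constructed sample data: host names, ports and the "url" field are assumptions.
def node(port, db="jdbc:postgresql://pg-ha.example.com:5432/thingworx"):
    base = f"https://twx.example.com:{port}"
    return {"BasicSettings": {"clientBaseURL": base + "/Thingworx",
                              "metadataEntityBaseUrl": base + "/Thingworx"},
            "AccessTokenPersistenceSettings": {"url": db}}

GOOD = {"node-a": node(8443), "node-b": node(8444)}
BAD = {"node-a": node(8443),  # node-b reuses the port and uses a local database
       "node-b": node(8443, "jdbc:postgresql://localhost:5432/thingworx")}

if __name__ == "__main__":
    for label, cluster in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_ha_sso(cluster) or "ok")
```

In practice, build the `nodes` mapping by loading the sso-settings.json from each server's ssoSecurityConfig directory with `json.load`.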