Using PingFederate as a Central Auth Server
The PTC product platform SSO solution uses PingFederate, which acts as the Central Auth Server (CAS), to manage SSO-enabled products. As a result, a user can access data from their application and use it in their ThingWorx session.
In the ThingWorx SSO architecture, ThingWorx sends SAML requests for user authentication to the CAS, and the CAS redirects the authentication request to your enterprise identity provider (IdP), which ultimately verifies the authenticity of the user credentials. In this SAML transaction, the CAS does not handle user credentials. The IdP sends the CAS a SAML assertion stating that the user credentials are valid, and the CAS then sends an assertion to ThingWorx authorizing the user login.
The CAS is also used to manage the trust relationship between ThingWorx and resource providers that ThingWorx retrieves data from. The CAS generates access tokens that ThingWorx includes in requests for data from resource providers. Resource providers rely on the CAS to verify the authenticity of the access tokens. This scenario is called delegated authorization because the user is authorizing ThingWorx to obtain their data from a resource provider. The access tokens exchanged between ThingWorx, PingFederate, and other PTC products use the OAuth protocol.
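The resource-provider side of the delegated authorization described above, as an added example that is not PTC or PingFederate code. It assumes the resource provider checks each token with the CAS through OAuth 2.0 token introspection (RFC 7662), which this page does not specify, and it evaluates constructed responses instead of calling a live server; the client ID, scope, and user name are constructed.

```python
import time

def authorize(introspection, required_scope, expected_client, now=None):
    """Decide whether to serve a request, given the CAS's introspection
    response for the presented token. Returns (allowed, reason); fails closed."""
    now = time.time() if now is None else now
    if not isinstance(introspection, dict):
        return False, "malformed introspection response"
    # 'active' is the only required member; accept the boolean True only.
    if introspection.get("active") is not True:
        return False, "token inactive, revoked, or unknown to the CAS"
    # 'exp' is optional in RFC 7662; requiring it is a local policy choice.
    exp = introspection.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    # The token must have been issued to the client we trust (ThingWorx here).
    if introspection.get("client_id") != expected_client:
        return False, "token was not issued to the expected client"
    # Scopes are a space-separated list: compare whole entries, not substrings.
    scope = introspection.get("scope")
    granted = scope.split() if isinstance(scope, str) else []
    if required_scope not in granted:
        return False, "required scope not granted"
    user = introspection.get("username") or introspection.get("sub")
    if not user:
        return False, "no user bound to token"
    return True, f"serve data for {user}"

# Constructed introspection responses (not captured from a real CAS).
NOW = 1_700_000_000
GOOD = {"active": True, "client_id": "thingworx-example", "username": "alice",
        "scope": "example_read example_write", "exp": NOW + 300}
CASES = {
    "valid": GOOD,
    "revoked": {"active": False},
    "expired": {**GOOD, "exp": NOW - 1},
    "wrong client": {**GOOD, "client_id": "other-app"},
    "scope substring": {**GOOD, "scope": "example_read_all"},
    "string active": {**GOOD, "active": "true"},
}

def run_cases():
    return {name: authorize(resp, "example_read", "thingworx-example", NOW)
            for name, resp in CASES.items()}

if __name__ == "__main__":
    for name, (ok, why) in run_cases().items():
        print(f"{name:16} {'ALLOW' if ok else 'DENY '} {why}")
```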
For information about configuring PingFederate as a CAS in an SSO federation between PTC products, see the PTC Single Sign-on Architecture and Configuration Overview Guide. This guide also includes information about supported SSO use cases for PTC products, and directs administrators to the configuration instructions that are required to implement the use cases.
If you have an active maintenance agreement or a subscription license for ThingWorx, you can obtain a license for PingFederate from the PTC software download website. For installation instructions, refer to the PingFederate documentation. PTC customers using this PingFederate license should contact PTC Technical Support for support requests. If support calls are directed to PingIdentity Technical Support, then PTC customers should state that they obtained their license through PTC.