Welcome to the PTC Identity and Access Management Help Center
Single Sign-on Overview
SSO-Enabled PTC Products and Solutions
Supported SSO Protocols for PTC Products
Reference Architecture
Configuring the Central Auth Server
Examples of CAS Configurations
PingFederate as the Central Auth Server
Configuring the Central Auth Server – PingFederate
Installing PingFederate
Upgrading PingFederate
Configuring Security Rules
Configuring Authentication for Third-Party IdPs Manually (SAML)
Configure the SSL Certificate for PingFederate
Configure PingFederate to Redirect User Login Requests to your IdP
Create Service Provider Connections for PTC Products
Configure the SSL Certificate for Application Layer Encryption and Signing
Create OAuth Clients for PTC Products
Creating OAuth Client Connection for ThingWorx
Creating OAuth Client Connections for Windchill
Creating OAuth Client Connection for Windchill RV&S as Resource Server
Creating OAuth Client Connection for Arbortext Content Delivery
Configuring PingFederate as the Central Auth Server Automatically
Before you Run the Automation Scripts
Set User Properties
Review Default Properties
Run the Automation Scripts
Use the Generated Artifacts
Managing Scopes in Delegated Authorization
Register Scopes in the Central Auth Server
Registering Scopes in PTC Products
Examples of SSO Configurations
Example: PingFederate as the Identity Provider and Windchill DS as the Data Store
Example: Integrate Certificate-based Authentication with PingFederate
Example: Implementing SSO with PingFederate as the Central Auth Server, AD FS as the Identity Provider, SCIM as the User Provisioning Method, and Windchill as the Resource Server
Example: Windchill SSO Implementation with PingFederate as Broker
Microsoft Entra ID as the CAS and IdP for ThingWorx
Configuring the Central Auth Server – Microsoft Entra ID
Example: Microsoft Entra ID as Central Auth Server and Identity Provider
Configuring Authentication with Microsoft Entra ID (SAML or OIDC)
Authentication Prerequisites
Create or Invite Users in Microsoft Entra ID
Create an Administrator User
Create an Enterprise Application in Microsoft Entra ID
Configure User Assignment Properties in Microsoft Entra ID
Configure Certificate-based User Authentication in Microsoft Entra ID
Configure ThingWorx for SSO
Provisioning Additional User Properties into ThingWorx
Creating, Mapping, and Using Groups
Configuring Authorization with Microsoft Entra ID with ThingWorx as a Resource Server or a Different Application as a Resource Server
Authorization Prerequisites
Add a Redirect OAuth URL
Create a Secret Token for ThingWorx
Configure ThingWorx as a Resource Server
Configure ThingWorx to Integrate with Other Resource Servers
Update the ThingWorx platform-settings.json Configuration File (not required for ThingWorx application as Resource Server)
Configure ThingWorx to Work with the Resource Server
Validate Configuration and Grant Page
Microsoft Entra ID as the CAS and IdP for Windchill
Configuring the Central Auth Server – Microsoft Entra ID
Example: Microsoft Entra ID as Central Auth Server and Identity Provider
Configuring Authentication with Microsoft Entra ID
Authentication Prerequisites
Create or Invite Users in Microsoft Entra ID
Create an Administrator User
Create an Enterprise Application in Microsoft Entra ID
Configure User Assignment Properties in Microsoft Entra ID
Configuring Authorization with Microsoft Entra ID
Authorization Prerequisites
Add a Redirect OAuth URL
Create a Secret Token for Windchill
Add the Exposed Scope of the Resource Server to the API Permissions
Update the Windchill Configuration File
Validate Configuration and Grant Page
Azure AD B2C as the CAS for ThingWorx
Configuring the Central Auth Server – Azure AD B2C
Example: Azure AD B2C as the Central Auth Server
Configuring Authentication with Azure AD B2C (OIDC)
Create an Enterprise Application in Microsoft Entra ID
Configure Microsoft Entra ID IdP in Azure AD B2C
Configure User Flow in Azure AD B2C
Register an Application in Azure AD B2C
Configure ThingWorx for SSO
Creating, Mapping, and Using Groups
Configuring Authorization with Azure AD B2C with ThingWorx as a Resource Server
Authorization Prerequisites
Add a Redirect OAuth URI
Create a Secret Token for ThingWorx
Configure ThingWorx as a Resource Server
AD FS as the CAS and IdP for ThingWorx
Configuring the Central Auth Server – AD FS
Example: AD FS as Central Auth Server and Identity Provider
Configuring Authentication with AD FS (SAML)
Authentication Prerequisites
Create an Administrator User
Export the AD FS Signing Certificate
Add Relying Party Trusts
Create and Import the ThingWorx Signing Certificate
Add Attributes Mapping to the Relying Party Trust
Set up AD FS to Encrypt the Complete Message and Assertion
Configure ThingWorx for SSO
Provisioning Additional User Properties into ThingWorx
Mapping and Using Groups
Configuring Authorization with AD FS with ThingWorx as Resource Server or a Different Application than ThingWorx as a Resource Server
Authorization Prerequisites
Import the AD FS SSL Certificate
Configure a Client Application with ThingWorx as a Resource Server in AD FS Application Groups
Configure ThingWorx with a Resource Server in AD FS Application Groups when the Resource Server is an Application other than ThingWorx
Update the platform-settings.json ThingWorx Configuration File
Configure ThingWorx to Work with the Resource Server
Validate that ThingWorx is Working with the Configured Resource Server