Configure ThingWorx for SSO
1. Before beginning to configure ThingWorx for SSO, stop the ThingWorx server.
2. Perform the procedures outlined in Configure ThingWorx for Single Sign-On, in the ThingWorx Help Center, but make the following changes:
* 
This step is applicable to SAML authentication only. For OIDC authentication, proceed to step 3.
In Add the IdP Metadata File – Copy the sso-idp-metadata.xml file into the <ThingWorx Installation Folder>/ThingworxPlatform/ssoSecurityConfig folder. This file is the Federation Metadata XML certificate you downloaded and renamed during creation of the enterprise application in Microsoft Entra ID. For information about this certificate, see Create an Enterprise Application in Microsoft Entra ID and expand Step 3 – SAML Signing Certificate.
In Configure the sso–settings.json File – For the metadataEntityId value in the BasicSettings component, use the Indentifier (Entity ID) value entered during creation of the enterprise application in Microsoft Entra ID. For information about this entity ID, see Create an Enterprise Application in Microsoft Entra ID and expand Step 1 – Basic SAML Configuration.
3. Generate a JKS keystore file with the name sso-keystore.jks and save it in the ssoSecurityConfig folder. Generate a key pair and specify the common name of the certificate as ThingWorx. Note the following:
The key/name pair should be used where the keyStoreKey value is required.
The password that was set for the sso-keystore.jks file should be used where the keyStoreKeyPass value is required.
For more information about these values, see KeyManagerSettings section in Configure the sso–settings.json File in the ThingWorx Help Center.
4. Import the Microsoft Entra ID Signing certificate into sso-keystore.jks. This certificate is the Certificate (Raw) that you downloaded during creation of the enterprise application in Microsoft Entra ID. For information about this certificate, see Create an Enterprise Application in Microsoft Entra ID and expand Step 3 – SAML Signing Certificate.
* 
This step is applicable to SAML authentication only. For OIDC authentication, proceed to step 5.
5. Copy the updated sso-keystore.jks file to the <ThingWorx Installation Folder>/ThingworxPlatform/ssoSecurityConfig folder.
6. Start the ThingWorx server.
7. Verify that the Microsoft Entra ID authentication has been configured properly by using the appropriate credentials to log into ThingWorx Composer as the Administrator user.
Was this helpful?