If your application is configured with SSO, multi-factor authentication (MFA) can be configured through the Identity Provider (IdP), if the IdP supports MFA. PTC applications do not manage MFA; it is configured through the IdP.
| Term | Definition |
|---|---|
| Central Auth Server (CAS) | A third-party tool that manages authentication and authorization of users across an SSO federation. This allows users to access data from multiple resource servers through delegated authorization.<br>PTC supports the following Central Auth Servers:<br>• PingFederate<br>• Microsoft Entra ID<br>◦ For ThingWorx 9.2.0 and later, 9.1.4 and later, and 9.0.9 and later<br>◦ For ThingWorx Navigate 9.5.0 and later<br>◦ For Windchill 12.0.2.2 and later<br>• Azure AD B2C<br>◦ For ThingWorx 9.6.0 and later<br>• AD FS<br>◦ For ThingWorx 9.2.0 and later, 9.1.4 and later, and 9.0.9 and later |
| Open Authorization (OAuth) | OAuth is an industry standard that uses access tokens to allow an application to authenticate on behalf of a user to another application and retrieve data owned by the user.<br>The PTC SSO framework uses OAuth 2.0. |
| Security Assertion Markup Language (SAML) | SAML is an XML-based authentication industry standard that eliminates the need for application-specific passwords. SAML uses single-use, expiring, digital tokens to exchange authentication and authorization data between an identity provider and a service provider that have an established trust relationship.<br>The PTC SSO framework uses SAML 2.0. |
| OpenID Connect (OIDC) | OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end user and to obtain basic user profile information. OIDC uses JSON Web Tokens (JWTs), which you can obtain using flows conforming to the OAuth 2.0 specifications. |
| Access Token | An opaque string or JWT obtained from the authorization server that an application presents to another application to access resource owner data. |
| Federation | A network of software applications in an enterprise that have been configured to use a CAS to enable single sign-on. |
| Identity Provider (IdP) | A third-party tool that manages user identity data. The user management system or Active Directory stores user names, passwords, and other credentials. The CAS references the IdP when authenticating a user. |
| Resource Server (RS) | An application within the SSO federation that contains protected data. |
| Service Provider (SP) | A web server from which the user accesses information. It uses the SAML protocol to authenticate user logins within an SSO federation. An SP also requests access to protected data from an RS on behalf of an authenticated user. |
| Scope | String values that you register in the CAS, SP, and RS. Scopes provide additional access control for the resource owner's data that is available in the resource server. When an SP is granted approval for the scope associated with a protected resource, the data is made available to the SP only if it also supplies a valid access token. |
| User Agent | The web browser that the user (resource owner) uses to access information. The user agent acts on behalf of the user to make requests to an SP and the CAS. |
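The Access Token and Scope entries above describe the check a resource server performs before releasing data: the presented token must be valid and must carry the scope that was granted for that resource. The following Python is an added illustration, not PTC code; it assumes a JWT access token signed with HS256 and a shared secret (production resource servers verify the CAS's asymmetric signature instead) and a space-separated `scope` claim, and every name and value in it is constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the CAS issuing an HS256 JWT (illustration only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authorize(token: str, required_scope: str, secret: bytes, now=None):
    """Resource-server check: signature valid, not expired, required scope granted.

    Returns (allowed, reason). Every failure path denies access; the data is only
    released when all three conditions hold, as the Scope entry describes."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose a weaker algorithm
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:  # a missing exp is treated as already expired
        return False, "token expired"
    if required_scope not in claims.get("scope", "").split():
        return False, f"scope {required_scope} not granted"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not a real key
    tok = mint_token({"sub": "alice", "scope": "windchill.read", "exp": 2000}, secret)
    print(authorize(tok, "windchill.read", secret, now=1000))
    print(authorize(tok, "windchill.write", secret, now=1000))
```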