Single Sign-on Overview
Single sign-on (SSO) is a session and user authentication mechanism that allows you to use one set of credentials to access multiple applications across an enterprise, regardless of the platform, technology, or domain. Once you are logged in to an SSO-enabled application, you are automatically signed into every other application to which you have appropriate permissions. PTC recommends SSO as the method for authentication.
The SSO information process flow consists of an exchange of authentication and authorization data. Each of the components listed in the table below plays a role in one or both the exchanges:
|
Term
|
Definition
|
||
|---|---|---|---|
|
Central Auth Server (CAS)
|
A third-party tool that manages authentication and authorization of users across an SSO federation. This allows users to access data from multiple resource servers through delegated authorization.
PTC supports the following Central Auth Servers:
• PingFederate
• Microsoft Entra ID
◦ For ThingWorx versions, 9.2 and later, 9.1.4 and later, and 9.0.9 and later
◦ For Windchill 12.0.2.2 and later
• AD FS
◦ For ThingWorx versions, 9.2 and later, 9.1.4 and later, and 9.0.9 and later
|
||
|
Open Authorization (OAuth)
|
OAuth is an industry standard that uses access tokens to allow an application to authenticate on behalf of a user to another application and retrieve data owned by the user.
The PTC SSO framework uses OAuth 2.0.
|
||
|
Security Assertion Markup Language (SAML)
|
SAML is an XML-based authentication industry standard that eliminates the need to application-specific passwords. SAML uses single-use, expiring, digital tokens to exchange authentication and authorization data between an identity provider and a service provider that have an established trust relationship.
The PTC SSO framework uses SAML 2.0.
|
||
|
Access Token
|
Opaque string or JWT token obtained from the authorization server that an application presents to another application to access resource owner data.
|
||
|
Federation
|
A network of software applications in an enterprise that have been configured to use a CAS to enable single sign-on.
|
||
|
Identity Provider (IdP)
|
A third-party tool that manages user identity data. The user management system or active directory stores user names, passwords, and other credentials. The CAS references the IdP when authenticating a user.
|
||
|
Resource Server (RS)
|
An application within the SSO federation that contains protected data.
|
||
|
Service Provider (SP)
|
A web server from where the user accesses information. It uses the SAML protocol to authenticate user logins within an SSO federation. An SP also requests access to protected data from an RP on behalf of an authenticated user.
|
||
|
Scope
|
String values that you register in the CAS, SP, and RP. This provides additional access control for the resource owner’s data that is available in the resource server. When an SP is granted approval for the scope associated with the protected resource, then the data is made available to the SP only if it also supplies a valid access token.
|
||
|
User Agent
|
The web browser that the user (resource owner) engages to access information. The user agent acts on behalf of the user to make requests from an SP and the CAS.
|
