Set Up ThingWorx Navigate with Single Sign-On
On the screens for Single Sign-On (SSO), we’ll enter the information for the Windchill server and for connecting to PingFederate or Azure Active Directory (Azure AD).
Before You Begin
Make sure your system meets the following prerequisites before you set up SSO authentication:
• You have configured ThingWorx Foundation using SSL.
• You have imported the Windchill SSL certificate (Certificate Chain) and the PingFederate SSL certificate into the Java TrustStore (cacerts/jssecacerts) file of Apache Tomcat.
• You have created TrustStore and KeyStore files. The topic Create KeyStore and TrustStore Files for ThingWorx Navigate has instructions for generating these files.
 | PingFederate and Azure Active Directory (Azure AD) are the supported central auth servers (CAS) for ThingWorx Navigate. Take a moment to go over some background on PingFederate and Azure AD. We also recommend reading the PTC Identity and Access Management Help Center before you begin. |
Enter Windchill Server Information
First, let’s connect to Windchill. We recommend configuring Windchill for SSL.
1. Enter your Windchill server URL:
◦ To connect to a single Windchill server—Make sure the URL follows the format [http or https]://[windchill-host]:[windchill-port]/[windchill-web-app]
◦ For cluster Windchill environments—Enter the URL of the load balancing router. For example, [https]://[LB-host]:[port]/[windchill-web-app]
In Configure ThingWorx Navigate with a Clustered Windchill Environment, see the sections on Single Sign-on environments.
◦ To connect to multiple Windchill systems—For now, connect to a single server. Then, after you complete the initial configuration, follow the manual steps in Configure ThingWorx Navigate to Connect to Multiple Windchill
Systems.
2. Provide the settings for your Authorization Server Scope—The name of the scope that is registered in PingFederate or Azure AD. For example, SCOPE NAME = WINDCHILL.
3. Click Next or Forward.
If you entered a http URL in Windchill server URL, skip to the “ThingWorx Foundation Information” section.
Provide Your TrustStore Information for ThingWorx
Before you provide the information on this screen, create a ThingWorx TrustStore file using the Java keytool utility, and then import the Windchill SSL certificate into the TrustStore file.
The topic Create KeyStore and TrustStore Files for ThingWorx Navigate has instructions for generating TrustStore files using the keytool.
Now that you have the TrustStore file prepared, provide the information on the SSO: TrustStore information for ThingWorx screen:
1. Next to TrustStore file, click 
, and then browse to your TrustStore file. Make sure the file is in JKS (*.jks) format.
, and then browse to your TrustStore file. Make sure the file is in JKS (*.jks) format.2. Click Open.
3. Next to Password, enter the password for the TrustStore file.
4. Click Next or Forward.
Provide Your Access Token Database Information
On this screen, enter the access token information for your database. The location, port, user name, and database name appear automatically according to your installation settings.
• IP Address or Host Name
• Port
• Username
• Password
• Database Name
Click Next or Forward.
Select a Central Authentication Server
PingFederate and Azure Active Directory (Azure AD) are the supported central authentication servers (CAS) for ThingWorx Navigate. Take a moment to go over some background on the supported CAS. We also recommend reading the PTC Identity and Access Management Help Center and the Single Sign-on Authentication section from the ThingWorx Platform Help Center before you begin.
1. From the CAS list, select one of the following:
| | PingFederate is selected by default. |
◦ PingFederate
◦ Azure Active Directory (Azure AD)
2. Click Next or Forward.
Enter the Server Information for CAS
1. Enter this information for your selected CAS—PingFederate or Azure AD:
PingFederate | Azure AD |
|---|---|
• Host name—Enter the fully qualified host name for the PingFederate, such as <hostname.domain.com>. • Runtime Port—Provide the runtime port. The default port for the PingFederate server is 9031. | • Host name—Enter the fully qualified host name for the Azure AD server, such as <hostname.domain.com>. • Runtime Port—Provide the runtime port. The default port for the Azure AD server is 443. • Tenant ID—Provide the tenant ID. |
2. Click Next or Forward.
Provide Identity Provider (IDP) and Service Provider (SP) Information
On this screen, provide information from your selected CAS—PingFederate or Azure AD. Check your input carefully. These values are not validated and you won’t get an error if the information is incorrect.
1. Provide the IDP metadata information:
◦ IDP metadata file (*.xml file)—Click , and then browse to the IDP metadata file from your CAS. For example, sso-idp-metadata.xml.
, and then browse to the IDP metadata file from your CAS. For example, sso-idp-metadata.xml.◦ SAML Assertion UserName AttributeName—Accept the default, uid, or enter a new attribute name.
2. Enter the information for the ThingWorx Service Provider connection:
◦ Metadata Entity ID—Enter the value for metadataEntityId. This is the ThingWorx Service Provider connection ID that you provided when you configured the Service Provider connection in your CAS.
3. Click Next or Forward.
SSO Key Manager Settings
Before you enter the information on this screen, prepare the correct Keystore file and Key Pair:
1. Create an SSO Keystore file using the Java keytool utility. Create a Key Pair using the keytool commands mentioned in Create KeyStore and TrustStore Files for ThingWorx Navigate.
| | This is the ThingWorx signing certificate. It is an application layer certificate, and it does not have to be the same as your ThingWorx host name. For example, ThingWorx. |
2. Import your CAS signing certificate into the SSO Keystore file you created in Step 1.
These resources may be helpful:
• The topic Import Certificates to Keystore File in the ThingWorx Help Center
Now that you have the correct files and certificates, you can enter the information on the SSO Key Manager Settings screen:
1. Provide your SSO Keystore information:
◦ SSO Keystore file (.jks file)—Click , and then browse to the JKS (*.jks) file.
, and then browse to the JKS (*.jks) file.◦ SSO Keystore password—Enter the password you defined above, when you created the Keystore file.
2. Enter the ThingWorx Key Pair information that you defined above.
◦ SSO Key Pair Alias Name
◦ SSO Key Pair password
3. Click Next or Forward.
Authorization Server Settings
1. Provide the settings for your authorization server.
| | Refer to the Configure the sso-settings.json File topic from the ThingWorx Help Center for additional details. |
◦ Authorization Server ID—Choose a value to provide for the AuthorizationServerId1 variable, such as PingFed1 or AzureAD1. This value is used to configure the connection settings for an Integration Connector or media entity.
◦ ThingWorx OAuth Client ID—The OAuth client ID to identify the ThingWorx application to your CAS.
◦ ThingWorx OAuth Client Secret—The client secret mentioned in your CAS.
◦ Client Authentication Scheme—The default is form.
2. Accept the default, Encrypt OAuth refresh tokens before they are persisted to the database, to secure the tokens before they are persisted to the database. We recommend this setting.
3. Click Next or Forward.
Summary: Configuration Settings
Review the configuration settings. When you’re ready, click Configure.
Success!
ThingWorx Navigate is configured with single sign-on. Select the programs to open:
• Open ThingWorx Navigate
• Open ThingWorx Composer
Then, click Close. You are redirected to the Identity Provider login page. Use your IdP credentials to log in.
| | If configuration fails, select the Open the log file check box and review the log file for details on what went wrong. |
Next Steps
1. Grant approval on additional screen
An additional grants approval screen is displayed. Users are also required to grant approval on this screen to access ThingWorx Navigate.
For more information, see either of the following topics based on your selected CAS:
2. Execute the BuildMetaDataCache service
1. In ThingWorx Composer, search for the PTC.WCAdapter thing, and then open it. The General Information page opens.
2. Click Services.
3. For BuildMetaDataCache, click 
. The Execute Service: BuildMetaDataCache window opens.
. The Execute Service: BuildMetaDataCache window opens.4. For > , enter the following:
{
"data": [
{
"adapter": {
"instanceName": "windchill",
"thingName": "PTC.WCAdapter"
}
}
]
}
"data": [
{
"adapter": {
"instanceName": "windchill",
"thingName": "PTC.WCAdapter"
}
}
]
}
5. Click Execute.
Your ThingWorx Navigate is installed and licensed, and the basic configuration is complete.