Single Sign-On and High Availability Configurations
ThingWorx supports single sign-on (SSO) in high-availability (HA) configurations. However, the following additional configuration considerations are required.
Load balancer—All URLs used to access ThingWorx content should be routed through a virtual IP (VIP) or proxy, such as HAProxy. If an HA failover occurs, applications access content through the proxy server on a specific port. The proxy is responsible for redirecting to available machines or ports in the HA architecture.
Configure the proxy server to support sticky sessions, which ensure that a user’s session is consistently routed to the same server node during their interaction with ThingWorx.
PingFederate—The redirection URIs parameter of the OAuthClient must include the fully qualified domain name of the load balancer. Do not use the actual ThingWorx server URLs.
If the ThingWorx load balancer uses a self-signed certificate and SCIM is configured, import the load balancer’s SSL certificate into the PingFederate JDK cacerts file.
ThingWorx
• ssoSecurityConfig directory—You can configure this directory in one of two ways:
◦ Shared folder
▪ Must be shared across all nodes.
▪ Must have write permission for the Tomcat user.
◦ Local folders on each node
▪ Configure the folder on node 1 first.
▪ After completing the entire SSO configuration, start ThingWorx on this node.
▪ Copy the folder to other nodes.
If the configuration changes on one node (for example, a certificate update), apply the same changes to all other nodes.
• sso-settings.json file
◦ Ensure all resources referenced in the file (paths, URLs, and so on) are accessible from every node.
◦ The clientBaseURL and metadataEntityBaseUrl parameters must contain the fully qualified domain name of the load balancer.
◦ Configure the parameters in the AccessTokenPersistenceSettings to use the PostgreSQL server designated for the HA environment. All ThingWorx installations must point to the same PostgreSQL server.
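A check for the sso-settings.json requirements above, added here as an example and not ThingWorx’s own code: it verifies that clientBaseURL and metadataEntityBaseUrl carry the load balancer’s fully qualified domain name, that AccessTokenPersistenceSettings points at the PostgreSQL server designated for HA, and that every node’s settings match node 1. The "BasicSettings" nesting, the "jdbcUrl" key name and the hostnames are assumptions, which is why keys are looked up recursively rather than by fixed path.

```python
from urllib.parse import urlparse

# Constructed sso-settings.json content from two HA nodes. The "BasicSettings" nesting
# and the "jdbcUrl" key are assumptions; keys are looked up recursively for that reason.
NODE_SETTINGS = {
    "node1": {
        "BasicSettings": {"clientBaseURL": "https://twx.example.com:8443/Thingworx",
                          "metadataEntityBaseUrl": "https://twx.example.com:8443/Thingworx"},
        "AccessTokenPersistenceSettings": {
            "jdbcUrl": "jdbc:postgresql://pg-ha.example.com:5432/thingworx"}},
    "node2": {  # misconfigured: node-specific hostname and a local PostgreSQL
        "BasicSettings": {"clientBaseURL": "https://twx-node2.example.com:8443/Thingworx",
                          "metadataEntityBaseUrl": "https://twx.example.com:8443/Thingworx"},
        "AccessTokenPersistenceSettings": {
            "jdbcUrl": "jdbc:postgresql://localhost:5432/thingworx"}},
}

def find_key(obj, name):
    """Value stored under key `name` (case-insensitive) at any depth, or None."""
    for k, v in (obj.items() if isinstance(obj, dict) else ()):
        hit = v if k.lower() == name.lower() else find_key(v, name)
        if hit is not None:
            return hit
    return None

def hostname_of(url):
    """Hostname of an http(s) URL or a jdbc:postgresql URL; None if absent."""
    url = url if isinstance(url, str) else ""
    return urlparse(url[len("jdbc:"):] if url.startswith("jdbc:") else url).hostname

def check_node(settings, lb_fqdn, pg_host):
    """List the HA requirements that one node's sso-settings.json violates."""
    problems = []
    for key in ("clientBaseURL", "metadataEntityBaseUrl"):
        host = hostname_of(find_key(settings, key))
        if host != lb_fqdn:
            problems.append(f"{key}: host {host!r} is not the load balancer {lb_fqdn!r}")
    pg = hostname_of(find_key(find_key(settings, "AccessTokenPersistenceSettings") or {}, "jdbcUrl"))
    if pg != pg_host:
        problems.append(f"AccessTokenPersistenceSettings: PostgreSQL host {pg!r} is not {pg_host!r}")
    return problems

def check_cluster(nodes, lb_fqdn, pg_host):
    """Check every node and flag any whose settings differ from the first node's."""
    report = {name: check_node(cfg, lb_fqdn, pg_host) for name, cfg in nodes.items()}
    first = next(iter(nodes.values()))
    for name, cfg in nodes.items():
        if cfg != first:
            report[name].append("settings differ from the first node")
    return report
```

Run it against the real files by loading each node’s sso-settings.json with json.load into the NODE_SETTINGS mapping; an empty list per node means that node meets the requirements listed above.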