Single Sign-on Authentication
Single Sign-On (SSO) can be enabled in ThingWorx to allow mashups and applications built on the platform to participate in SSO scenarios involving other PTC products. ThingWorx supports high availability; for more information, see Single Sign-On and High Availability Configurations. ThingWorx supports the following protocols under the “Standard” IAM architecture constraints, and only for the documented examples:
For Authentication
SAML
OIDC (excluding PKCE support)
For Cross-domain Identity Management
SCIM (1.1, 2.0)
For authorization, the following OAuth 2 token flows are used:
OAuth 2.0 authorization code flow (excluding PKCE support)
OAuth 2.0 client credentials flow
Our “Standard” IAM architecture Central Auth Servers are:
PingFederate
Microsoft Entra ID—serves as both the Central Auth Server and the Identity Provider.
Azure AD B2C—serves as a Central Auth Server and may also serve as the Identity Provider.
AD FS—serves as both the Central Auth Server and the Identity Provider.
For more information about “Standard” IAM architectures, refer to PTC IAM policy.
This section describes the configuration steps for enabling SSO in ThingWorx. You may need to consult with other PTC product administrators and identity provider administrators in your organization to configure the other applications that participate in SSO.
For more information, see PTC IAM help center.
For support, see IAM support site.
Session Behavior and Logout in SSO Environments
When Single Sign-On (SSO) is enabled, ThingWorx relies on an external identity provider (IdP) to authenticate users. ThingWorx manages the application session, while the IdP manages the user’s authentication session.
Logging out of ThingWorx ends the ThingWorx application session only. The user’s IdP session is not terminated and remains active according to the IdP’s configuration and timeout policies.
As a result, if a user logs out of ThingWorx and then accesses ThingWorx again in the same browser session, the IdP may automatically re-authenticate the user without prompting for credentials. This behavior is expected in SSO environments and is controlled by the identity provider.
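The two-layer session behaviour described above, as an added example that is not ThingWorx or any identity provider's code: a constructed model of an IdP session under a timeout policy beside the application session, showing that application logout alone leaves a silent re-authentication path until the IdP session itself times out. The IdP, ServiceProvider and walk_through names, the cookie layout and the 3600-second lifetime are all assumptions.

```python
from dataclasses import dataclass, field
# Constructed model (not ThingWorx or IdP code): the IdP keeps its own authenticated
# session under a timeout policy; the app (SP) keeps only a session derived from it.

@dataclass
class IdP:
    session_lifetime: float                       # IdP timeout policy, in seconds
    sessions: dict = field(default_factory=dict)  # idp_cookie -> (user, created_at)

    def authenticate(self, browser, user, now):   # the credential prompt
        browser["idp_cookie"] = f"idp-{user}-{now}"
        self.sessions[browser["idp_cookie"]] = (user, now)

    def assertion_for(self, browser, now):        # -> (user, needs_prompt)
        cookie = browser.get("idp_cookie")
        if cookie in self.sessions and now - self.sessions[cookie][1] < self.session_lifetime:
            return self.sessions[cookie][0], False  # live IdP session: silent re-authentication
        return None, True

@dataclass
class ServiceProvider:
    idp: IdP
    sessions: dict = field(default_factory=dict)  # sp_cookie -> user

    def access(self, browser, now, credentials=None):  # -> (user, prompted)
        if browser.get("sp_cookie") in self.sessions:
            return self.sessions[browser["sp_cookie"]], False  # app session still valid
        user, prompted = self.idp.assertion_for(browser, now)
        if prompted:                              # IdP session missing or timed out
            if credentials is None:
                raise PermissionError("credentials required")
            user = credentials
            self.idp.authenticate(browser, user, now)
        browser["sp_cookie"] = f"sp-{user}-{now}"
        self.sessions[browser["sp_cookie"]] = user
        return user, prompted

    def logout(self, browser):                    # app logout: IdP session is untouched
        self.sessions.pop(browser.pop("sp_cookie", None), None)

def walk_through(idp_lifetime=3600):
    """Login, app logout, re-access inside the IdP lifetime (silent), then after it (prompted)."""
    sp, browser = ServiceProvider(IdP(session_lifetime=idp_lifetime)), {}
    first = sp.access(browser, now=0, credentials="alice")
    sp.logout(browser)
    second = sp.access(browser, now=60)           # no prompt: IdP session still live
    sp.logout(browser)
    third = sp.access(browser, now=idp_lifetime + 1, credentials="alice")
    return first[1], second[1], third[1]          # -> (True, False, True)
```

Only the IdP's own timeout (or a logout performed at the IdP) closes the silent path; the application logout never touches the idp_cookie.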
SSO Capabilities Supported for PingFederate
SAML authentication
OAuth delegated authorization with ThingWorx as a Service Provider
ThingWorx as a Resource Server
SSO Capabilities Supported for Microsoft Entra ID
SAML/OIDC authentication
OAuth delegated authorization with ThingWorx as a Service Provider
ThingWorx as a Resource Server
SSO Capabilities Supported for Azure AD B2C
OIDC authentication
OAuth delegated authorization with ThingWorx as a Service Provider
ThingWorx as a Resource Server
SSO Capabilities Supported for AD FS
SAML authentication
OAuth delegated authorization with ThingWorx as a Service Provider
ThingWorx as a Resource Server
SSO Capabilities Supported for Atlas IAM server
OIDC authentication
If ThingWorx is configured with PTC Atlas IAM server, there is no need for configuration. ThingWorx is configured in PTC Cloud only for Windchill+ customers.