|
When ThingWorx is configured to work with the Atlas IAM CAS server (for example, for Windchill+ customers), there is no prerequisite. You can use the authenticator immediately. The Atlas IAM CAS server is already configured.
|
User Creation Enabled
|
Select to allow user accounts to be created in ThingWorx based on credentials retrieved from the authorization server. If a user attempts to log in to ThingWorx, but a ThingWorx user account has not been created, then this setting allows the creation of the ThingWorx user account based on the user data stored in the identity provider.
|
User Modification Enabled
|
Select to allow the modification of user accounts that exist in ThingWorx. This is important because it allows accounts to be updated during login events that follow the initial login in which the user was created, so that the ThingWorx user data stays synchronized with the user account data in the identity provider.
|
All Credential Attributes Must be Provisioned
|
If enabled, all of the credential attributes returned by the Identity Provider must be consumed (applied to the user). If any are not consumed, then the user is not created/updated and the login fails.
This option is not selected by default.
|
Terminate User Sessions On Authenticator Change
|
If enabled, all active sessions for provisioned users will be terminated when the ThingWorx SSO Authenticator configuration is saved.
This does not apply to the users specified in the User Provisioning Exclusion List.
This option is not selected by default.
|
|
The following users are added to this list by default. If you attempt to remove these users, they are automatically re-added when the page is refreshed.
• ThingWorx Administrator
• SuperUser
• System user
|
Description
|
Enter a description you want to use for users that are provisioned. For example, you may wish to note that a user account has been created through auto-provisioning.
|
Mashup
|
Specify the default Home Mashup that provisioned users will see upon login.
|
Mobile Mashup
|
Specify the default Mobile Mashup that provisioned users will see upon login.
|
Tags
|
Specify the default tags to apply to provisioned users. This list of tags will override any existing tags for user accounts that already exist and are being updated.
|
Description
|
Enter an attribute key that corresponds to the attribute value that should be applied as the description.
|
Home Mashup
|
Enter an attribute key that corresponds to the attribute value that should be used to determine the home mashup.
|
Mobile Mashup
|
Enter an attribute key that corresponds to the attribute value that should be used to determine the mobile mashup.
|
Tags
|
Enter an attribute key that corresponds to the attribute value that should be used to determine what tags are applied to the user.
|
Groups
|
Enter an attribute key that corresponds to the attribute value that should be used to determine the ThingWorx groups to which the provisioned user is added.
The Groups field must be filled with the SAML Response claim that provides the user's groups.
This claim can be taken from the /ThingworxPlatform/ssoSecurityConfig/sso-idp-metadata.xml file.
|
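When filling in the Groups field, it helps to list the attribute names that the IdP advertises. The following Python sketch is an added example, not PTC code: it parses a constructed stand-in for sso-idp-metadata.xml, lists the `saml:Attribute` names, and flags likely group claims with a keyword heuristic. The sample XML, the function names and the keyword hints are assumptions, and not every IdP lists its attributes in metadata.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample standing in for sso-idp-metadata.xml (not a real IdP export).
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.test/sso">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Attribute Name="uid"/>
    <saml:Attribute Name="email" FriendlyName="mail"/>
    <saml:Attribute Name="memberOf" FriendlyName="groups"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def advertised_claims(metadata: bytes):
    """Return (Name, FriendlyName) for each attribute the IdP metadata lists."""
    # Treat metadata as untrusted input: refuse DTDs so that entity
    # declarations never reach the standard-library parser.
    if b"<!DOCTYPE" in metadata or b"<!ENTITY" in metadata:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(metadata)
    claims = []
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for attr in idp.findall(f"{{{SAML_NS}}}Attribute"):
            claims.append((attr.get("Name"), attr.get("FriendlyName")))
    return claims


def group_claim_candidates(claims):
    """Heuristic (assumption): names that look like group-membership claims."""
    hints = ("group", "member", "role")
    return [name for name, friendly in claims
            if any(h in f"{name} {friendly or ''}".lower() for h in hints)]


if __name__ == "__main__":
    found = advertised_claims(SAMPLE_METADATA)
    for name, friendly in found:
        print(f"{name}  (friendly name: {friendly})")
    print("Candidates for the Groups field:", group_claim_candidates(found))
```

Confirm the chosen claim against an actual SAML response before saving the authenticator, because the metadata only advertises names and does not guarantee that the IdP sends them.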
Property Name
|
Identifies the user extension property.
|
Default Value
|
Allows you to specify a value that will be applied to the property by default when a user account is provisioned.
|
Identity Provider Attribute
|
Allows you to specify a custom attribute that is returned in the SAML assertion. The value of the returned attribute will be applied as the property value. If this field is defined, it overrides the setting in Default Value.
|
|
If you are also using SCIM provisioning, then you should use this table to ensure that there is a SAML assertion for any user extension attribute values that are returned from the authorization server or IdP through a SCIM schema attribute. For more information, see Provisioning.
|
| User State in AS or IdP | User State in ThingWorx Prior to Login | ThingworxSSOAuthenticator Options | User State in ThingWorx After Login |
|---|---|---|---|
| Does not exist | Does not exist | Any configuration | • Does not exist<br>• Cannot be used to log in |
| Does not exist | • Exists (manually created by ThingWorx Administrator)<br>• [Primary] Password was set and resides in ThingWorx | • User Provisioning Creation Enabled<br>• User Provisioning Modification Enabled<br>• [Primary] Listed in User Provisioning Exclusion List | • Exists<br>• Is not modified<br>• Cannot be used to log in |
| Does not exist | • Exists (manually created by ThingWorx Administrator)<br>• [Primary] Password was not set or does not reside in ThingWorx | • User Provisioning Creation Enabled<br>• User Provisioning Modification Enabled<br>• [Primary] Listed in User Provisioning Exclusion List | • Exists<br>• Is not modified<br>• Cannot be used to log in |
| Does not exist | Exists (manually created by ThingWorx Administrator) | • User Provisioning Creation Enabled<br>• User Provisioning Modification Enabled<br>• [Primary] Not listed in User Provisioning Exclusion List | • Exists<br>• Is not modified<br>• Cannot be used to log in |
| • Exists<br>• [Primary] Disabled | Does not exist | • User Provisioning Creation Enabled<br>• User Provisioning Modification Enabled<br>• Not listed in User Provisioning Exclusion List | • Does not exist<br>• Cannot be used to log in |
| • Exists<br>• [Primary] Locked | Does not exist | • User Provisioning Creation Enabled<br>• User Provisioning Modification Enabled<br>• Not listed in User Provisioning Exclusion List | • Does not exist<br>• Cannot be used to log in |
| Exists | Does not exist | • [Primary] User Provisioning Creation Disabled<br>• User Provisioning Modification Enabled<br>• Not listed in User Provisioning Exclusion List | • Does not exist<br>• Cannot be used to log in |
| Exists | Does not exist | • [Primary] User Provisioning Creation Enabled<br>• User Provisioning Modification Enabled<br>• [Primary] Not listed in User Provisioning Exclusion List | • Exists (created)<br>• Added as a member to mapped Groups<br>• Default user settings added<br>• Can be used to log in |
| Exists | Exists | • User Provisioning Creation Enabled<br>• [Primary] User Provisioning Modification Enabled<br>• [Primary] Not listed in User Provisioning Exclusion List<br>• [Primary] User default settings configured | • User is modified<br>• Added/removed as a member to mapped Groups<br>• Default user settings added<br>• Can be used to log in |
| Exists | Exists | • User Provisioning Creation Enabled<br>• [Primary] User Provisioning Modification Enabled<br>• [Primary] Listed in User Provisioning Exclusion List<br>• [Primary] User default settings configured | • User is not modified<br>• Can be used to log in |
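
The ten rows above reduce to three rules, which makes it easier to predict the effect of a settings change before saving it. The following Python model is an added example, not ThingWorx code. The state labels and names are assumptions, as are the two combinations the table does not list: an excluded user with no ThingWorx account is treated as not created, and an existing user with modification disabled is treated as unmodified but able to log in.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    exists_after: bool   # ThingWorx account exists after the login attempt
    modified: bool       # an existing account was updated from IdP data
    can_log_in: bool     # the SSO login succeeds


def provisioning_outcome(idp_state, exists_in_thingworx, creation_enabled,
                         modification_enabled, in_exclusion_list):
    """Model of the table above.

    idp_state is one of 'absent', 'disabled', 'locked', 'active'
    (labels chosen for this sketch, not ThingWorx values).
    """
    if idp_state != "active":
        # Rows 1-6: without a usable IdP identity nothing is created or
        # changed, and the login fails whatever the authenticator options are.
        return Outcome(exists_in_thingworx, False, False)
    if not exists_in_thingworx:
        # Rows 7-8: the first login creates the account only when creation
        # is enabled. Exclusion-list handling here is an assumption.
        created = creation_enabled and not in_exclusion_list
        return Outcome(created, False, created)
    # Rows 9-10: an existing account can log in; it is updated only when
    # modification is enabled and the user is not in the exclusion list.
    modified = modification_enabled and not in_exclusion_list
    return Outcome(True, modified, True)


if __name__ == "__main__":
    # Row 10: user exists on both sides but is in the exclusion list.
    print(provisioning_outcome("active", True, True, True, True))
```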