|
Ensure that you edit the value of every parameter as per your requirement. Your implementation might vary depending on several factors, such as where ThingWorx is hosted, the security policies of your organization, and the CAS for your federation. Use the information in the following tables as guidance to set values of different parameters.
|
Parameter
|
Description
|
Value
|
||
---|---|---|---|---|
clientBaseUrl
|
Specifies the URL of the ThingWorx server instance.
Set this to the fully qualified domain name (FQDN) of the ThingWorx server.
If you have configured ThingWorx to operate in a High Availability (HA) environment, then specify the host and port of the load balancer.
|
http://<ThingWorx-FQDN>:<port-number>/Thingworx
OR
For ThingWorx Flow, https://<ThingWorx Flow Nginx host-name>:<ThingWorx Flow Nginx port-number>/Thingworx
OR
In a High Availability environment, https://<Load balancer host-name>:<Load balancer port-number>/Thingworx
|
||
idpMetadataFilePath
|
Specifies the absolute file path location of the IdP metadata file.
|
/ThingworxPlatform/ssoSecurityConfig/sso-idp-metadata.xml
|
||
metadataEntityId
|
Specifies the entity ID of the service provider connection.
• PingFederate as CAS: Use the unique ID you chose when configuring the service provider connection.
• Microsoft Entra ID as CAS: Use the Identifier (Entitity ID) you defined when configuring the Basic SAML settings.
• AD FS as CAS: Use the Relying party trust identifier you defined when configuring relying party trust settings
|
—
|
||
metadataEntityBaseUrl
|
Specifies the fully qualified domain name of the ThingWorx server.
If you have configured ThingWorx to operate in a High Availability (HA) environment, then specify the host and port of the load balancer.
|
http://<ThingWorx-FQDN>:<port-number>/Thingworx
OR
For ThingWorx Flow, https://<ThingWorx Flow Nginx host-name>:<ThingWorx Flow Nginx port-number>/Thingworx
OR
In a High Availability environment, https://<Load balancer host-name>:<Load balancer port-number>/Thingworx
|
||
webSSOProfileConsumerResponseSkew
|
Specifies the SAML 2.0 WebSSO assertion consumer response skew tolerance.
When setting this value, consider your own security requirements as well as latency in your enterprise network.
Use this setting to establish the amount of time (in seconds) that is allowed for a login request response to be returned from the CAS to ThingWorx. If the login request response takes longer than this value, then the login attempt fails.
Skew tolerance is the deviation in response validity that the recipient allows due to presumed differences between system clocks. It is a best practice to minimize the effects of skew by ensuring that the clocks of each system involved are properly synchronized.
|
300
|
||
webSSOProfileConsumerReleaseDOM
|
Determines whether the security framework holds onto the SAML assertion after authentication is complete.
If set to false, SAML assertion is held after authentication is complete.
|
true
|
||
webSSOProfileResponseSkew
|
Specifies the SAML 2.0 Web SSO profile response skew tolerance.
When setting this value, consider your own security requirements as well as latency in your enterprise network.
Skew tolerance is the deviation in response validity that the recipient allows due to presumed differences between system clocks. It is a best practice to minimize the effects of skew by ensuring that the clocks of each system involved are properly synchronized.
|
300
|
||
retriggerOnScopesRemoval
|
Specifies whether the list of required scopes has changed and must be refreshed.
If the value is set to true, it indicates that a scope was added or removed from the list of required scopes.
If the value is set to false, it indicates that a scope was added to the list of required scopes.
|
true
|
||
samlAssertionUserNameAttributeName
|
Specifies which SAML attribute carries the value that stores the user names of ThingWorx users when they log in. Ensure that the value of this attribute in the identity provider aligns with the user name values that you would use for ThingWorx user names.
|
• PingFederate or Microsoft Entra ID as CAS:
uid
• AD FS as CAS:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
||
samlAssertionMaxAuthenticationAge
|
Specifies the maximum age (in seconds) of the SAML 2.0 assertion before it expires. This also specifies the maximum session time for an authentication assertion.
Set the value to match the session time-out value specified in the identity provider. This value will differ based on which IdP is in use.
|
• PingFederate as CAS with LDAP IdP (Windchill): 7200 (this is the default)
• AD FS as IdP (with AD FS or PingFederate as CAS): 28800
• Microsoft Entra ID as IdP (with Microsoft Entra ID or PingFederate as CAS): 86400
|
||
ptcOperatorsGroupName
|
Optional.
Set this parameter to configure a group (as defined in IDP) to be a part of the ThingWorx Administrators Group automatically
|
|||
administratorAlias
|
Optional.
The administrator username as it is configured in CAS[IDP].
|
|||
administratorInternalName
|
Mandatory if administratorAlias is defined.
The administrator username as it is configured in ThingWorx.
|
For example, Administrator.
|
||
samlGroupClaimName
|
Optional.
This parameter is relevant only when ptcOperatorsGroupName is defined.
Enter the IDP SAML Group Claim Name configured in CAS to complete the automation for that group in Thingworx SSO Autheticator. For more information, see ThingworxSSOAuthenticator.
|
Examples:
For PingFederate CAS : group
For ADFS CAS : http://schemas.xmlsoap.org/claims/Group
For Microsoft Entra ID CAS: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
|
||
authnContextAsPassword
|
Optional. In some rare cases, IdP requires you to put next assertion into the SAML Request.
<saml2p:RequestedAuthnContext Comparison="exact">
<saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> urn:oasis:names:tc:SAML:2.0:ac:classes:Password </saml2:AuthnContextClassRef> </saml2p:RequestedAuthnContext> In those cases, you should define this property.
|
false
|
|
If you want to enable the application key authenticator when SSO is enabled, you must add the following ApplicationKeySettings configuration section to the sso-settings.json settings under BasicSettings. This is required only if you want to use Application Keys for authentication through REST API requests. Application keys can still be used from edge devices through WebSockets whether this setting is enabled or disabled.
{
"BasicSettings": { ... }, "ApplicationKeySettings": { "enabled": true }, ... } |
Parameter
|
Description
|
Value
|
---|---|---|
dbType
|
Specifies the type of database that is configured and used for the ThingWorx installation.
• To use the same database as set in the platform-settings.json file, specify the same database type and credential as set in platform-settings.json.
|
postgres
|
mssql
|
||
driverClassName
|
Specifies the driver class name that you use in the platform-settings.json file.
|
For dbType set as postgres, set to org.postgresql.Driver.
|
For dbType set as mssql, set to com.microsoft.sqlserver.jdbc.SQLServerDriver.
|
||
url
|
Specifies the URL to the database location for your ThingWorx installation.
|
For dbType set as postgres, set to jdbc:postgresql://<hostname>:<port>/thingworx.
|
For dbType set as mssql, set to jdbc:sqlserver://<hostname>:<port>;databaseName=thingworx;applicationName=Thingworx.
|
||
username
|
Specifies the user name for the database that your system uses to store access tokens. This should match the username that you specified in the platform-settings.json file.
|
—
|
password
|
Specifies the password for the database that your system uses to store access tokens. This should match the password that you specified in the platform-settings.json file.
|
—
|
encryptTokenInDatabase
|
Set to true to encrypt the access token before persisting it in the database.
|
true
|
dbType
|
Location in the database where grants approvals are stored
|
---|---|
postgres
|
In the oauth_client_token table in the ThingWorx PostgreSQL database.
|
mssql
|
In the oauth_client_token table in the ThingWorx MS SQL database.
|
Parameter
|
Description
|
Value
|
||
---|---|---|---|---|
keyStoreFilePath
|
Specifies the absolute file path location of the keystore. According to your environment, modify the path to use the directory where your keystore file is saved.
|
For Windows: <drive>:\\ThingworxPlatform\\ssoSecurityConfig\\sso-keystore.jks
where <drive> specifies the drive where you have installed ThingWorx.
For Linux: <full path>/ThingworxPlatform/ssoSecurityConfig/sso-keystore.jks
|
||
keyStoreStorePass
|
Specified the keystore password.
|
—
|
||
keyStoreKey
|
Specifies the default key.
|
—
|
||
keyStoreKeyPass
|
Specifies the password used to access private keys.
|
—
|
|
The AuthorizationServersSettings settings might contain information for more than one Auth server. Each server is identified by a unique identifier in the sso-settings.json file.
|
Parameter
|
Description
|
Value
|
||
---|---|---|---|---|
<AuthorizationServerId1>.clientId
|
Specifies the client identifier to use when obtaining access tokens from the Auth server.
|
—
|
||
<AuthorizationServerId1>.clientSecret
|
Specifies the client credentials that are used to authenticate with the auth server.
Set to the fully qualified domain name server URL on the network.
|
—
|
||
<AuthorizationServerId1>.authorizeUri
|
Specifies the URI to which the user is to be redirected to authorize an access token.
|
• PingFederate as CAS:
https://<PingFederate-host-name>:<PingFederate-Port-Number>/as/authorization.oauth2
• Microsoft Entra ID as CAS: See Update the ThingWorx Configuration Files in the Microsoft Entra ID Authorization documentation.
• AD FS as CAS: See Update the ThingWorx Configuration Files in the AD FS Authorization documentation.
|
||
<AuthorizationServerId1>.tokenUri
|
Specifies the URI to use to obtain an OAuth2 access token.
Set to the fully qualified domain name server URL on the network.
|
https://<PingFederate-host-name>:<PingFederate-Port-Number>/as/token.oauth2
|
||
<AuthorizationServerId1>.clientAuthScheme
|
Specifies the scheme to use to authenticate the client. The allowed values are:
• form
• header
• query
• none
|
form
|
||
<AuthorizationServerId1>.mandatoryScopes
|
Optional for CAS other than Microsoft Entra ID and ADFS. This scope will be automatically added to any requested accessToken when this parameter is defined.
|
Mandatory for Microsoft Entra ID as CAS. Required value is "offline_access".
Mandatory for ADFS: This can be any value that is not defined in the list of scopes on the ADFS server.
|